#include "stdafx.h"
void MyFirstQuDongUnload(IN PDRIVER_OBJECT DriverObject);
#ifdef __cplusplus
extern "C" NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING RegistryPath);
#endif
/*
 * Raw structure offsets used to reach private kernel structures without the
 * matching headers: VadRootOffset into EPROCESS (see DriverEntry),
 * CONTROL_AREAOffset into MMVAD, PFILE_OBJECTOffset into CONTROL_AREA and
 * FileNameOffset_ into FILE_OBJECT (see ParseVadRoot).
 *
 * NOTE(review): these values are only valid for the one 32-bit Windows build
 * they were taken from (not stated in this file); confirm them against that
 * build's symbols. On any other build the reads below land on unrelated
 * kernel memory and the printed output is meaningless or crashes the system.
 */
#define VadRootOffset 0x11c
#define CONTROL_AREAOffset 0x18
#define PFILE_OBJECTOffset 0x24
#define FileNameOffset_ 0x30
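/*
 * ParseVadRoot - print every file-backed region described by a VAD tree.
 *
 * Walks the tree rooted at _PMMVAD (node first, then left subtree, then right
 * subtree) and, for each node whose CONTROL_AREA and FILE_OBJECT are reachable,
 * prints the region's base address, size and backing file name via DbgPrint.
 * Members are reached through the hard-coded offsets defined at the top of this
 * file, so the output is only meaningful on the build those offsets match.
 *
 * _PMMVAD: root of the (sub)tree to walk; NULL is accepted and does nothing.
 *
 * No lock is taken on the owning process's address space, so the tree may
 * change while it is being read. MmIsAddressValid() only reports whether a page
 * is currently resident; here it is a crash guard for a diagnostic walk, not
 * proof that the memory holds the structure we expect.
 */
void ParseVadRoot(PMMVAD _PMMVAD)
{
    PMMVAD node = _PMMVAD;

    /* Only the left subtree recurses; the right spine is walked iteratively so
     * kernel-stack use grows with the tree's left depth, not its node count.
     * Every node is validated before it is dereferenced (the original read the
     * node before checking it). */
    while (node != NULL && MmIsAddressValid(node))
    {
        PCONTROL_AREA controlArea =
            (PCONTROL_AREA) *(PVOID *)((ULONG_PTR)node + CONTROL_AREAOffset);

        if (MmIsAddressValid(controlArea))
        {
            PFILE_OBJECT fileObject =
                (PFILE_OBJECT) *(PVOID *)((ULONG_PTR)controlArea + PFILE_OBJECTOffset);

            if (MmIsAddressValid(fileObject))
            {
                PUNICODE_STRING fileName =
                    (PUNICODE_STRING)((ULONG_PTR)fileObject + FileNameOffset_);

                /* %wZ reads fileName->Buffer, so that must be resident as well
                 * (an empty name has no buffer to read). */
                if (MmIsAddressValid(fileName) &&
                    (fileName->Length == 0 || MmIsAddressValid(fileName->Buffer)))
                {
                    /* VPNs are page numbers; the region covers pages
                     * StartingVpn..EndingVpn inclusive, hence the +1. */
                    ULONG_PTR regionBase = (ULONG_PTR)node->StartingVpn << PAGE_SHIFT;
                    SIZE_T regionSize =
                        (SIZE_T)(node->EndingVpn - node->StartingVpn + 1) << PAGE_SHIFT;

                    /* The original format string began with "%b", which is not a
                     * valid DbgPrint conversion. */
                    DbgPrint("base=%p size=%Ix file=%wZ\n",
                             (PVOID)regionBase, regionSize, fileName);
                }
            }
        }

        ParseVadRoot(node->LeftChild);
        node = node->RightChild;
    }
}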
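/*
 * DriverEntry - driver entry point.
 *
 * Registers the unload routine, looks up the System process (PID 4), reads its
 * VadRoot through the hard-coded EPROCESS offset and dumps the tree with
 * ParseVadRoot.
 *
 * DriverObject: the driver's object; its DriverUnload is set here.
 * RegistryPath: unused.
 *
 * Returns STATUS_SUCCESS, or the failure status of PsLookupProcessByProcessId,
 * in which case the driver does not load (nothing else was acquired).
 */
NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING RegistryPath)
{
    PEPROCESS systemProcess = NULL;
    PMMVAD vadRoot = NULL;
    NTSTATUS status;

    (void)RegistryPath;
    DriverObject->DriverUnload = MyFirstQuDongUnload;

    /* A failed lookup leaves systemProcess unset; the original dereferenced it
     * without checking the status. */
    status = PsLookupProcessByProcessId((HANDLE)(ULONG_PTR)4, &systemProcess);
    if (!NT_SUCCESS(status))
    {
        DbgPrint("PsLookupProcessByProcessId(4) failed: 0x%08x\n", status);
        return status;
    }

    /* VadRoot is read through a raw offset with no address-space lock held, so
     * the tree may change underneath the walk; see the offset comments. */
    vadRoot = (PMMVAD) *(PVOID *)((ULONG_PTR)systemProcess + VadRootOffset);
    ParseVadRoot(vadRoot);
    DbgPrint("第一个驱动程序%p", vadRoot);

    /* PsLookupProcessByProcessId returns a referenced object; drop the
     * reference so the EPROCESS is not leaked. */
    ObDereferenceObject(systemProcess);
    return STATUS_SUCCESS;
}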
/*
 * MyFirstQuDongUnload - unload routine registered in DriverEntry.
 *
 * The driver owns no resources, so unloading only logs a message.
 *
 * DriverObject: the driver's object; unused.
 */
void MyFirstQuDongUnload(IN PDRIVER_OBJECT DriverObject)
{
    (void)DriverObject; /* nothing per-driver to tear down */

    DbgPrint("第一个驱动程序成功卸载");
}