驱动之路_遍历MMVAD二叉树进行枚举进程模块

#include "stdafx.h"


/* Driver unload callback registered in DriverEntry; defined at the bottom of this file. */
void MyFirstQuDongUnload(IN PDRIVER_OBJECT DriverObject);

#ifdef __cplusplus
/* Give DriverEntry C linkage when this file is built as C++ so the loader finds it by its undecorated name. */
extern "C" NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING  RegistryPath);
#endif

/*
 * Raw byte offsets into undocumented kernel structures. The code below reads a
 * 4-byte pointer at each of them, so they only hold for one specific 32-bit
 * kernel build.
 * NOTE(review): confirm each offset against the target kernel's symbols before
 * running this; a wrong offset dereferences an arbitrary value.
 */
#define  VadRootOffset 0x11c        /* EPROCESS -> VadRoot (read in DriverEntry) */
#define  CONTROL_AREAOffset 0x18    /* MMVAD -> control area pointer */
#define  PFILE_OBJECTOffset 0x24    /* CONTROL_AREA -> FILE_OBJECT pointer */
#define  FileNameOffset_ 0x30       /* FILE_OBJECT -> FileName (UNICODE_STRING) */
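/* Upper bound on recursion depth while walking the tree; guards the small
 * kernel stack against a corrupted or cyclic node pointer. */
enum { VAD_WALK_MAX_DEPTH = 64 };

/* Reads the pointer-sized field stored at byte offset Offset inside Base. */
static PVOID ReadPointerAt(PVOID Base, ULONG_PTR Offset)
{
    return *(PVOID *)((ULONG_PTR)Base + Offset);
}

/*
 * Prints the base, size and backing file name of one VAD node, if the node is
 * backed by a file. Node must already have been checked with MmIsAddressValid.
 *
 * NOTE(review): MmIsAddressValid only reports whether a page is currently
 * resident; it is not a guarantee the memory is the structure we expect, and a
 * page can be paged out between the check and the read. The walk also takes no
 * lock on the target process, so the tree may change underneath it. Treat the
 * output as best-effort diagnostics only.
 */
static void PrintVadNode(PMMVAD Node)
{
    PCONTROL_AREA controlArea = (PCONTROL_AREA)ReadPointerAt(Node, CONTROL_AREAOffset);
    if (!MmIsAddressValid(controlArea)) {
        return;                 /* private (non file-backed) VAD or unreadable */
    }

    PFILE_OBJECT fileObject = (PFILE_OBJECT)ReadPointerAt(controlArea, PFILE_OBJECTOffset);
    if (!MmIsAddressValid(fileObject)) {
        return;
    }

    PUNICODE_STRING fileName = (PUNICODE_STRING)((ULONG_PTR)fileObject + FileNameOffset_);
    if (!MmIsAddressValid(fileName)) {
        return;
    }
    /* %wZ dereferences Buffer, so the header check alone is not enough. */
    if (fileName->Length == 0 || fileName->Buffer == NULL || !MmIsAddressValid(fileName->Buffer)) {
        return;
    }

    /* StartingVpn/EndingVpn are inclusive page numbers; the region covers
     * (EndingVpn - StartingVpn + 1) pages. */
    ULONG_PTR base = (ULONG_PTR)Node->StartingVpn << PAGE_SHIFT;
    ULONG_PTR size = ((ULONG_PTR)Node->EndingVpn - (ULONG_PTR)Node->StartingVpn + 1) << PAGE_SHIFT;
    DbgPrint("base =%p..size=%Ix,%wZ", (PVOID)base, size, fileName);
}

/* Pre-order walk of the tree rooted at Node, bounded by VAD_WALK_MAX_DEPTH. */
static void WalkVadTree(PMMVAD Node, ULONG Depth)
{
    /* Validate the node before touching any of its fields. */
    if (Node == NULL || !MmIsAddressValid(Node)) {
        return;
    }
    if (Depth >= VAD_WALK_MAX_DEPTH) {
        DbgPrint("VAD walk aborted: depth limit reached at %p", Node);
        return;
    }

    PrintVadNode(Node);
    WalkVadTree(Node->LeftChild, Depth + 1);
    WalkVadTree(Node->RightChild, Depth + 1);
}

/*
 * Enumerates every file-backed region in the VAD tree whose root is _PMMVAD and
 * prints base, size and file name of each via DbgPrint.
 *
 * _PMMVAD: root node of the tree (may be NULL; invalid pointers are skipped).
 */
void ParseVadRoot(PMMVAD _PMMVAD)
{
    WalkVadTree(_PMMVAD, 0);
}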

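/*
 * Driver entry point: registers the unload routine, looks up the process with
 * PID 4 (by convention the System process), walks its VAD tree and prints the
 * root pointer.
 *
 * Returns STATUS_SUCCESS, or the failure status of PsLookupProcessByProcessId.
 */
NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING  RegistryPath)
{
    UNREFERENCED_PARAMETER(RegistryPath);

    DriverObject->DriverUnload = MyFirstQuDongUnload;

    PEPROCESS process = NULL;
    NTSTATUS status = PsLookupProcessByProcessId((HANDLE)4, &process);
    if (!NT_SUCCESS(status)) {
        /* Without the process object there is nothing to walk; do not touch the
         * uninitialised pointer. */
        DbgPrint("PsLookupProcessByProcessId failed: %08x", status);
        return status;
    }

    /* Root node of the process's VAD tree (build-specific offset, see above). */
    PMMVAD vadRoot = (PMMVAD)*(PVOID *)((ULONG_PTR)process + VadRootOffset);

    ParseVadRoot(vadRoot);

    DbgPrint("第一个驱动程序%p", vadRoot);

    /* PsLookupProcessByProcessId returns a referenced object; release it. */
    ObDereferenceObject(process);
    return STATUS_SUCCESS;
}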

/* Unload callback registered in DriverEntry; it only emits a trace message. */
void MyFirstQuDongUnload(IN PDRIVER_OBJECT DriverObject)
{
    UNREFERENCED_PARAMETER(DriverObject);

    DbgPrint("第一个驱动程序成功卸载");
}

 
