VC++.模块遍历3

#include <vector>
// Native-API (ntdll) definitions redeclared locally, presumably so the listing
// does not have to pull in DDK/winternl headers.
typedef LONG NTSTATUS;
typedef LONG KPRIORITY;
#define STATUS_SUCCESS                  ((NTSTATUS) 0x00000000)
// NTSTATUS is signed: every non-negative value (success and informational
// codes alike) counts as success.
#define NT_SUCCESS(Status)              ((NTSTATUS)(Status) >= 0)
// Not referenced anywhere in this listing.
#define STATUS_INFO_LENGTH_MISMATCH     ((NTSTATUS)0xC0000004L)
// Counted (not NUL-terminated) UTF-16 string of the native API; Length and
// MaximumLength are byte counts.
// NOTE: when an LDR_DATA_TABLE_ENTRY is copied out of another process with
// ReadProcessMemory (see TraversalModule3), Buffer is still an address inside
// *that* process. It must not be dereferenced locally; fetch Length bytes from
// it with a further ReadProcessMemory call instead.
typedef struct _UNICODE_STRING {
	USHORT Length;
	USHORT MaximumLength;
	PWSTR  Buffer;
} UNICODE_STRING, *PUNICODE_STRING;
// One node of the loader's per-process module lists (reached via PEB->Ldr).
// This is the 32-bit layout: with 4-byte pointers the three LIST_ENTRYs occupy
// 0x18 bytes, which places DllBase at +0x18 exactly as the kd dump quoted in
// TraversalModule3 shows. Do not reorder or resize members - the struct is
// read byte-for-byte from the target process.
typedef struct _LDR_DATA_TABLE_ENTRY {
	// Link into InLoadOrderModuleList; being the first member, the address of
	// this LIST_ENTRY is the address of the whole entry.
	LIST_ENTRY InLoadOrderLinks;
	LIST_ENTRY InMemoryOrderLinks;
	LIST_ENTRY InInitializationOrderLinks;
	PVOID DllBase;
	PVOID EntryPoint;
	ULONG SizeOfImage;
	// Both names point into the target's memory - see the note on UNICODE_STRING.
	UNICODE_STRING FullDllName;
	UNICODE_STRING BaseDllName;
	ULONG Flags;
	USHORT LoadCount;
	USHORT TlsIndex;
	union {
		LIST_ENTRY HashLinks;
		struct {
			PVOID SectionPointer;
			ULONG CheckSum;
		};
	};
	union {
		struct {
			ULONG TimeDateStamp;
		};
		struct {
			PVOID LoadedImports;
		};
	};
	struct _ACTIVATION_CONTEXT * EntryPointActivationContext;

	PVOID PatchInformation;

} LDR_DATA_TABLE_ENTRY, *PLDR_DATA_TABLE_ENTRY;
// Output buffer of ZwQueryInformationProcess(ProcessBasicInformation).
// PebBaseAddress is declared as a 4-byte ULONG here, i.e. this is the 32-bit
// layout; in a 64-bit build the field is pointer-sized and the whole struct is
// laid out differently, so this definition (and the DWORD arithmetic on it in
// TraversalModule3) is only valid for an x86 build inspecting an x86 target.
typedef struct _PROCESS_BASIC_INFORMATION {
	NTSTATUS ExitStatus;
	ULONG PebBaseAddress;
	ULONG_PTR AffinityMask;
	KPRIORITY BasePriority;
	ULONG_PTR UniqueProcessId;
	ULONG_PTR InheritedFromUniqueProcessId;
} PROCESS_BASIC_INFORMATION, *PPROCESS_BASIC_INFORMATION;
// Information classes accepted by ZwQueryInformationProcess. Only
// ProcessBasicInformation (value 0) is used in this listing; the rest are kept
// so the ordinal values line up with what ntdll expects.
typedef enum _PROCESSINFOCLASS {
	ProcessBasicInformation,
	ProcessQuotaLimits,
	ProcessIoCounters,
	ProcessVmCounters,
	ProcessTimes,
	ProcessBasePriority,
	ProcessRaisePriority,
	ProcessDebugPort,
	ProcessExceptionPort,
	ProcessAccessToken,
	ProcessLdtInformation,
	ProcessLdtSize,
	ProcessDefaultHardErrorMode,
	ProcessIoPortHandlers,          // Note: this is kernel mode only
	ProcessPooledUsageAndLimits,
	ProcessWorkingSetWatch,
	ProcessUserModeIOPL,
	ProcessEnableAlignmentFaultFixup,
	ProcessPriorityClass,
	ProcessWx86Information,
	ProcessHandleCount,
	ProcessAffinityMask,
	ProcessPriorityBoost,
	ProcessDeviceMap,
	ProcessSessionInformation,
	ProcessForegroundInformation,
	ProcessWow64Information,
	ProcessImageFileName,
	ProcessLUIDDeviceMapsEnabled,
	ProcessBreakOnTermination,
	ProcessDebugObjectHandle,
	ProcessDebugFlags,
	ProcessHandleTracing,
	ProcessIoPriority,
	ProcessExecuteFlags,
	ProcessResourceManagement,
	ProcessCookie,
	ProcessImageInformation,
	MaxProcessInfoClass             // MaxProcessInfoClass should always be the last enum
} PROCESSINFOCLASS;
// Signature of ntdll!ZwQueryInformationProcess, which TraversalModule3 resolves
// at run time with GetProcAddress. __stdcall matches the x86 native-API calling
// convention; the __in/__out_* macros are SAL annotations and carry no code.
typedef NTSTATUS (__stdcall *ZWQUERYINFORMATIONPROCESS)(
	__in HANDLE ProcessHandle,
	__in PROCESSINFOCLASS ProcessInformationClass,
	__out_bcount(ProcessInformationLength) PVOID ProcessInformation,
	__in ULONG ProcessInformationLength,
	__out_opt PULONG ReturnLength
);
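// Closes a process handle when the enclosing scope ends, so the handle is
// released even if an exception (e.g. std::bad_alloc from vector::push_back)
// unwinds through TraversalModule3. Non-copyable via the C++03 idiom
// (private, undefined copy operations).
class ScopedProcessHandle
{
public:
	explicit ScopedProcessHandle(HANDLE h) : m_h(h) {}
	~ScopedProcessHandle() { if (m_h) CloseHandle(m_h); }
	HANDLE get() const { return m_h; }
private:
	ScopedProcessHandle(const ScopedProcessHandle&);
	ScopedProcessHandle& operator=(const ScopedProcessHandle&);
	HANDLE m_h;
};

// Reads one 32-bit value at `address` inside the target process.
// Returns false when the read fails (ReadProcessMemory reports partial or
// inaccessible reads as failure).
static bool ReadRemoteDword(HANDLE hProcess, DWORD address, DWORD& value)
{
	return ReadProcessMemory(hProcess, (PVOID)address, &value, sizeof(value), NULL) != 0;
}

// Upper bound on list nodes walked. The loader list lives in the *target's*
// memory and is untrusted input: a corrupted or deliberately cyclic list must
// not make the caller spin forever or grow `vec` without limit.
static const size_t kMaxModuleEntries = 4096;

// Enumerates the modules of a 32-bit process from the outside by walking
// PEB->Ldr->InLoadOrderModuleList with ReadProcessMemory (no code is injected
// into the target).
//
// Layout assumptions (x86 only, see the kd dump below): PEB.Ldr at +0x0C and
// _PEB_LDR_DATA.InLoadOrderModuleList at +0x0C. A 64-bit PEB uses different
// offsets and pointer sizes, so this must be built as a 32-bit binary and
// pointed at a 32-bit target.
//
// @param vec   receives one LDR_DATA_TABLE_ENTRY per module, in load order;
//              cleared first. The UNICODE_STRING buffers inside each entry
//              still point into the target process.
// @param dwPid id of the process to inspect.
// @return TRUE when at least one entry was read, FALSE otherwise.
BOOL TraversalModule3(OUT std::vector<LDR_DATA_TABLE_ENTRY>& vec, IN DWORD dwPid)
{
	vec.clear();

	// ntdll.dll is mapped into every user-mode process, so look the export up
	// on the already-loaded module; LoadLibrary would add a module reference
	// that was never released.
	HMODULE hNtdll = GetModuleHandle(_T("ntdll.dll"));
	ZWQUERYINFORMATIONPROCESS ZwQueryInformationProcess = hNtdll
		? (ZWQUERYINFORMATIONPROCESS)GetProcAddress(hNtdll, "ZwQueryInformationProcess")
		: NULL;
	if (!ZwQueryInformationProcess)
	{
		return FALSE;
	}

	// Least privilege: the walk only queries basic information and reads
	// memory, so PROCESS_ALL_ACCESS is neither needed nor desirable (it is
	// also refused more often, e.g. for higher-integrity targets).
	ScopedProcessHandle process(OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, FALSE, dwPid));
	HANDLE hProcess = process.get();
	if (!hProcess)
	{
		return FALSE;
	}

	try
	{
		PROCESS_BASIC_INFORMATION info = { 0 };
		NTSTATUS ntsta = ZwQueryInformationProcess(hProcess, ProcessBasicInformation, &info, sizeof(info), NULL); // class 0: fetch the PEB address
		if (!NT_SUCCESS(ntsta) || !info.PebBaseAddress)
		{
			return FALSE;
		}
		const DWORD dwPEB = info.PebBaseAddress;

		//kd > dt _peb
		//nt!_PEB
		//+ 0x00c Ldr              : Ptr32 _PEB_LDR_DATA
		//kd > dt _PEB_LDR_DATA
		//nt!_PEB_LDR_DATA
		//+ 0x00c InLoadOrderModuleList : _LIST_ENTRY   (node type of this list is _LDR_DATA_TABLE_ENTRY)
		//kd > dt _LDR_DATA_TABLE_ENTRY
		//nt!_LDR_DATA_TABLE_ENTRY
		//+ 0x000 InLoadOrderLinks : _LIST_ENTRY
		//+ 0x018 DllBase : Ptr32 Void
		//+ 0x020 SizeOfImage : Uint4B
		//+ 0x024 FullDllName : _UNICODE_STRING
		//+ 0x02c BaseDllName : _UNICODE_STRING
		DWORD dwLDR = 0; // address of _PEB_LDR_DATA in the target
		if (!ReadRemoteDword(hProcess, dwPEB + 0x0C, dwLDR) || !dwLDR)
		{
			return FALSE;
		}

		// InLoadOrderModuleList is a circular LIST_ENTRY: the last module's
		// Flink points back at the list head inside _PEB_LDR_DATA, so the head
		// address is the stop condition. (Comparing against the first module
		// instead, as the original did, reads the head as if it were a module
		// and appends one bogus entry.)
		const DWORD dwHead = dwLDR + 0x0C;
		DWORD dwFlink = 0; // current node of the load-order list
		if (!ReadRemoteDword(hProcess, dwHead, dwFlink))
		{
			return FALSE;
		}

		LDR_DATA_TABLE_ENTRY item = { 0 };
		while (dwFlink && dwFlink != dwHead && vec.size() < kMaxModuleEntries)
		{
			if (!ReadProcessMemory(hProcess, (PVOID)dwFlink, &item, sizeof(item), NULL))
			{
				break;
			}
			vec.push_back(item);
			// InLoadOrderLinks is the first member of the entry, so the copy we
			// just read already holds the next link; no second read is needed.
			dwFlink = (DWORD)(ULONG_PTR)item.InLoadOrderLinks.Flink;
		}
	}
	catch (...)
	{
		// Best-effort diagnostic only; `process` closes the handle on unwind.
		OutputDebugStringA(__FUNCTION__);
		return FALSE;
	}
	return !vec.empty();
}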

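// Demo driver: starts a throw-away target process, dumps its load-order
// module list with TraversalModule3, then terminates it.
// The target path is an example and must exist on the machine running this.
int main()
{
	STARTUPINFO si = { 0 };
	si.cb = sizeof(si);
	PROCESS_INFORMATION pi = { 0 };
	BOOL created = CreateProcess(_T("C:/Using/winmine.exe"), 0, 0, 0, 0, 0, 0, 0, &si, &pi);
	if (!created)
	{
		return 1;
	}

	// Give the loader time to populate the module list. WaitForInputIdle
	// returns (0) once a GUI process has finished initialising, which is more
	// reliable than a fixed delay; the Sleep is the fallback for targets where
	// it does not apply (e.g. console processes).
	if (WaitForInputIdle(pi.hProcess, 5000) != 0)
	{
		Sleep(1000);
	}

	std::vector<LDR_DATA_TABLE_ENTRY> vec;
	std::cout << TraversalModule3(vec, pi.dwProcessId) << std::endl;
	for (size_t i = 0; i < vec.size(); ++i)
	{
		const LDR_DATA_TABLE_ENTRY& var = vec[i];
		// Pointers go through an integer cast: handing a pointer to %X
		// directly (as the original did) is undefined behaviour.
		printf("%08X %08X %08X\r\n",
			(unsigned)(ULONG_PTR)var.DllBase,
			(unsigned)(ULONG_PTR)var.EntryPoint,
			(unsigned)var.SizeOfImage);
	}

	// pi.hProcess already carries the rights CreateProcess granted, so a
	// second OpenProcess (whose handle the original never closed) is not
	// needed. Close both handles CreateProcess returned.
	TerminateProcess(pi.hProcess, 0);
	CloseHandle(pi.hThread);
	CloseHandle(pi.hProcess);
	return 0;
}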