#include <climits>
#include <cstdio>
#include <iostream>
#include <vector>
// Minimal NT-native definitions (normally supplied by ntdef.h / ntstatus.h).
// NTSTATUS is a signed 32-bit status: NT_SUCCESS treats any non-negative value
// (success and informational codes) as success and any negative value as failure.
typedef LONG NTSTATUS;
typedef LONG KPRIORITY;
#define STATUS_SUCCESS ((NTSTATUS) 0x00000000)
#define NT_SUCCESS(Status) ((NTSTATUS)(Status) >= 0)
// Status used by ZwQuerySystemInformation to report an undersized caller buffer.
// Note that TraversalModule4 below retries on *any* failure rather than on this
// specific code, so this definition is currently unused in this file.
#define STATUS_INFO_LENGTH_MISMATCH ((NTSTATUS)0xC0000004L)
// One entry of the SystemModuleInformation result, i.e. one loaded kernel module.
// NOTE(review): this appears to mirror RTL_PROCESS_MODULE_INFORMATION from ntddk.h;
// the per-field notes below follow that documented layout and should be confirmed
// against the SDK header before code relies on them.
typedef struct _SYSTEM_MODULE_INFORMATION_ENTRY {
HANDLE Section;             // pointer-sized, so the whole entry is 8-byte aligned on x64
PVOID MappedBase;
PVOID Base;                 // presumably the module's load address (main prints it next to Size)
ULONG Size;                 // presumably the image size in bytes
ULONG Flags;
USHORT LoadOrderIndex;
USHORT InitOrderIndex;
USHORT LoadCount;
USHORT PathLength;          // NOTE(review): in RTL_PROCESS_MODULE_INFORMATION this slot is OffsetToFileName (offset of the bare file name inside ImageName), not a length — confirm before using it as one
CHAR ImageName[256];        // fixed-size buffer; nothing in this declaration guarantees NUL termination
} SYSTEM_MODULE_INFORMATION_ENTRY, *PSYSTEM_MODULE_INFORMATION_ENTRY;
// Information classes accepted by ZwQuerySystemInformation. The values are
// positional (no explicit initializers), so the order of this list is the ABI:
// removing or reordering any member silently renumbers every member after it.
typedef enum _SYSTEM_INFORMATION_CLASS {
SystemBasicInformation,
SystemProcessorInformation, // obsolete...delete  (NOTE: must stay as a placeholder — deleting it would shift every later value)
SystemPerformanceInformation,
SystemTimeOfDayInformation,
SystemPathInformation,
SystemProcessInformation,
SystemCallCountInformation,
SystemDeviceInformation,
SystemProcessorPerformanceInformation,
SystemFlagsInformation,
SystemCallTimeInformation,
SystemModuleInformation, // = 11; the class queried by TraversalModule4 below
SystemLocksInformation,
SystemStackTraceInformation,
SystemPagedPoolInformation,
SystemNonPagedPoolInformation,
SystemHandleInformation,
SystemObjectInformation,
SystemPageFileInformation,
SystemVdmInstemulInformation,
SystemVdmBopInformation,
SystemFileCacheInformation,
SystemPoolTagInformation,
SystemInterruptInformation,
SystemDpcBehaviorInformation,
SystemFullMemoryInformation,
SystemLoadGdiDriverInformation,
SystemUnloadGdiDriverInformation,
SystemTimeAdjustmentInformation,
SystemSummaryMemoryInformation,
SystemMirrorMemoryInformation,
SystemPerformanceTraceInformation,
SystemObsolete0,
SystemExceptionInformation,
SystemCrashDumpStateInformation,
SystemKernelDebuggerInformation,
SystemContextSwitchInformation,
SystemRegistryQuotaInformation,
SystemExtendServiceTableInformation,
SystemPrioritySeperation,
SystemVerifierAddDriverInformation,
SystemVerifierRemoveDriverInformation,
SystemProcessorIdleInformation,
SystemLegacyDriverInformation,
SystemCurrentTimeZoneInformation,
SystemLookasideInformation,
SystemTimeSlipNotification,
SystemSessionCreate,
SystemSessionDetach,
SystemSessionInformation,
SystemRangeStartInformation,
SystemVerifierInformation,
SystemVerifierThunkExtend,
SystemSessionProcessInformation,
SystemLoadGdiDriverInSystemSpace,
SystemNumaProcessorMap,
SystemPrefetcherInformation,
SystemExtendedProcessInformation,
SystemRecommendedSharedDataAlignment,
SystemComPlusPackage,
SystemNumaAvailableMemory,
SystemProcessorPowerInformation,
SystemEmulationBasicInformation,
SystemEmulationProcessorInformation,
SystemExtendedHandleInformation,
SystemLostDelayedWriteInformation,
SystemBigPoolInformation,
SystemSessionPoolTagInformation,
SystemSessionMappedViewInformation,
SystemHotpatchInformation,
SystemObjectSecurityMode,
SystemWatchdogTimerHandler,
SystemWatchdogTimerInformation,
SystemLogicalProcessorInformation,
SystemWow64SharedInformation,
SystemRegisterFirmwareTableInformationHandler,
SystemFirmwareTableInformation,
SystemModuleInformationEx,
SystemVerifierTriageInformation,
SystemSuperfetchInformation,
SystemMemoryListInformation,
SystemFileCacheInformationEx,
MaxSystemInfoClass // MaxSystemInfoClass should always be the last enum
} SYSTEM_INFORMATION_CLASS;
// Signature of ntdll!ZwQuerySystemInformation, which this file resolves at run
// time with GetProcAddress rather than linking against it. The annotations are
// the older SAL spelling (__in / __out_bcount_opt; current SDKs use _In_ etc.).
//   SystemInformationClass  - which SYSTEM_INFORMATION_CLASS to query
//   SystemInformation       - caller-supplied output buffer (may be NULL)
//   SystemInformationLength - size of that buffer in bytes (__out_bcount_opt ties the two together)
//   ReturnLength            - optional; receives the number of bytes written or required
typedef NTSTATUS (__stdcall *ZWQUERYSYSTEMINFORMATION)(
__in SYSTEM_INFORMATION_CLASS SystemInformationClass,
__out_bcount_opt(SystemInformationLength) PVOID SystemInformation,
__in ULONG SystemInformationLength,
__out_opt PULONG ReturnLength
);
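// Enumerate the loaded kernel modules via ZwQuerySystemInformation(SystemModuleInformation).
//   vec - cleared, then filled with one SYSTEM_MODULE_INFORMATION_ENTRY per module
// Returns TRUE when at least one module was retrieved, FALSE on any failure
// (ntdll export missing, the query failing with a non-size error, or an exception,
// which is logged with OutputDebugStringA as before).
//
// Fixes relative to the previous version:
//   - the buffer was allocated with new[] but released with delete (undefined behaviour),
//     and leaked if push_back threw; a std::vector now owns it
//   - the entry array was located at pbt + sizeof(DWORD); the kernel places it at its
//     natural alignment after the count, which is offset 8 on x64 (the entry contains
//     pointer-sized fields), so the old arithmetic read misaligned entries in 64-bit builds
//   - the retry loop doubled the buffer on *any* failure; it now retries only on
//     STATUS_INFO_LENGTH_MISMATCH and uses the size the kernel reports when available
//   - the module count is read from the buffer, so it is bounded by the buffer size
//     before it is used to index the entry array
BOOL TraversalModule4(OUT vector<SYSTEM_MODULE_INFORMATION_ENTRY>& vec)
{
    // Layout of the SystemModuleInformation result: the count followed by the entry
    // array at its natural alignment. Mirroring it as a struct lets the compiler
    // compute the entry offset correctly for both x86 (4) and x64 (8).
    struct ModuleInformation
    {
        DWORD NumberOfModules;
        SYSTEM_MODULE_INFORMATION_ENTRY Modules[1];
    };

    vec.clear();
    try
    {
        // ntdll is mapped into every user-mode process, so GetModuleHandle is enough
        // and does not add the reference that the previous LoadLibrary call never released.
        ZWQUERYSYSTEMINFORMATION ZwQuerySystemInformation =
            (ZWQUERYSYSTEMINFORMATION)GetProcAddress(GetModuleHandle(_T("ntdll.dll")), "ZwQuerySystemInformation");
        if (!ZwQuerySystemInformation)
        {
            return FALSE;
        }

        std::vector<BYTE> buffer;   // RAII: released on every exit path, including exceptions
        DWORD cb = 0x1000;
        NTSTATUS ntStatus = STATUS_INFO_LENGTH_MISMATCH;
        while (ntStatus == STATUS_INFO_LENGTH_MISMATCH && cb < INT_MAX)
        {
            buffer.resize(cb);
            ULONG cbNeeded = 0;
            ntStatus = ZwQuerySystemInformation(SystemModuleInformation, buffer.data(), cb, &cbNeeded);
            if (ntStatus == STATUS_INFO_LENGTH_MISMATCH)
            {
                // Grow to the size the kernel reported when it gave one, otherwise double.
                // The module list can change between calls, so keep looping until it fits.
                cb = (cbNeeded > cb) ? cbNeeded : cb * 2;
            }
        }
        if (!NT_SUCCESS(ntStatus))
        {
            return FALSE;
        }

        const ModuleInformation* info = reinterpret_cast<const ModuleInformation*>(buffer.data());
        const BYTE* firstEntry = reinterpret_cast<const BYTE*>(info->Modules);
        const size_t headerBytes = static_cast<size_t>(firstEntry - buffer.data());
        if (buffer.size() < headerBytes)
        {
            return FALSE;
        }
        // NumberOfModules comes from the buffer itself; never let it drive reads past
        // the end of what we own. Divide rather than multiply so the bound cannot overflow.
        const size_t maxEntries = (buffer.size() - headerBytes) / sizeof(SYSTEM_MODULE_INFORMATION_ENTRY);
        size_t count = info->NumberOfModules;
        if (count > maxEntries)
        {
            count = maxEntries;
        }
        vec.assign(info->Modules, info->Modules + count);
    }
    catch (...)
    {
        OutputDebugStringA(__FUNCTION__);
        return FALSE;
    }
    return !vec.empty();
}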
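// Print whether the enumeration succeeded, then one line per module: base, size, image name.
// Fixes relative to the previous version: Base is a pointer and was printed with %08X,
// which is undefined for a pointer argument and truncates to 32 bits on x64 (%p now);
// Size is ULONG so it gets %lX; ImageName is a fixed 256-byte array with no guaranteed
// terminator, so the read is bounded; and the MSVC-only `for each ... in` is replaced
// by a standard range-for.
int main()
{
    std::vector<SYSTEM_MODULE_INFORMATION_ENTRY> vec;
    std::cout << TraversalModule4(vec) << std::endl;
    for (const SYSTEM_MODULE_INFORMATION_ENTRY& var : vec)
    {
        printf("%p %08lX", var.Base, static_cast<unsigned long>(var.Size));
        // Bound the %s read to the array so a non-terminated name cannot run off the end.
        printf(" %.*s", static_cast<int>(sizeof(var.ImageName)), var.ImageName);
        printf("\r\n");
    }
    return 0;
}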