ZwQuerySystemInformation 枚举驱动模块

在 R0（内核模式）下利用 ZwQuerySystemInformation 查询 SystemModuleInformation 来枚举已加载的驱动模块

代码如下:

////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
//        rootkit.h
////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
/* Basic NT integer/pointer types spelled as macros rather than typedefs.
 * ntddk.h is included before this header in the .c file, so these shadow the
 * SDK's own typedefs of the same names (the spellings are identical, so the
 * program is unaffected).
 * Hazard worth knowing: a macro pointer "type" is not a type. `PVOID a, b;`
 * expands to `void * a, b;`, making b a plain void. Every declaration on this
 * page puts one pointer per line, which is what keeps these safe. */
#define ULONG unsigned long
#define PULONG unsigned long *
#define PVOID void *
#define USHORT unsigned short

/* SYSTEM_INFORMATION_CLASS value for the loaded-module list. Presumably not
 * exposed by the ntddk.h enum this code was built against, hence the local
 * constant; the trailing "Class" avoids clashing with any SDK enumerator. */
#define SystemModuleInformationClass  11

typedef struct
{
    /* One entry of the list returned for SystemModuleInformationClass.
     * The layout mirrors the kernel's structure, so field order and types
     * must stay exactly as they are. Only LoadOrderIndex, ImageBase,
     * ImageSize and ImageName are read by this driver (see DriverEntry). */
    PVOID section;          /* not used here; lower-case name kept for layout fidelity */
    PVOID MappedBase;       /* not used here */
    PVOID ImageBase;        /* load address of the module image; printed with DbgPrint */
    ULONG ImageSize;        /* size of the mapped image in bytes; printed */
    ULONG Flags;            /* not used here */
    USHORT LoadOrderIndex;  /* position in the kernel's load order; printed */
    USHORT InitOrderIndex;  /* not used here */
    USHORT LoadCount;       /* not used here */
    USHORT PathLength;      /* not used here */
    /* Module path. NOTE(review): DriverEntry prints this with %s and so
     * assumes the kernel NUL-terminates it within MAXIMUM_FILENAME_LENGTH
     * bytes -- confirm before relying on it. */
    char ImageName[MAXIMUM_FILENAME_LENGTH];

}SYSTEM_MODULE,*PSYSTEM_MODULE;

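typedef struct
{
    /* Header of the buffer filled by ZwQuerySystemInformation for
     * SystemModuleInformationClass: ModuleCount entries follow it directly
     * in the same allocation, so callers index Module[0..ModuleCount-1]
     * within the byte length the kernel reported.
     * Module is declared as a C99 flexible array member instead of the
     * original nonstandard zero-length array `Module[0]`. The offset of
     * Module is the same either way, so the in-memory layout is unchanged;
     * only the declaration is now standard C. */
    ULONG ModuleCount;
    SYSTEM_MODULE Module[];
}SYSTEM_MODULE_INFORMATION,*PSYSTEM_MODULE_INFORMATION;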



/*
 * ZwQuerySystemInformation - kernel export that copies a system information
 * table into a caller-supplied buffer. Presumably absent from the ntddk.h
 * this code was built against, hence the local prototype.
 *
 * SystemInformationClass  - which table; this driver only passes
 *                           SystemModuleInformationClass.
 * SystemInformation       - caller-owned output buffer, or NULL to ask for
 *                           the required size (see the first call in
 *                           DriverEntry).
 * SystemInformationLength - size of SystemInformation in bytes.
 * ReturnLength            - optional; receives the byte count required/written.
 *                           DriverEntry uses it with a NULL buffer to learn
 *                           how much pool to allocate.
 *
 * Returns an NTSTATUS; callers test it with NT_SUCCESS().
 */
NTKERNELAPI NTSTATUS ZwQuerySystemInformation(
        ULONG SystemInformationClass,
        PVOID SystemInformation,
        ULONG SystemInformationLength,
        PULONG ReturnLength OPTIONAL
);


 

#include "ntddk.h"
#include "rootkit.h"



/*
 * OnUnload - DriverUnload routine installed by DriverEntry.
 *
 * pDriverObj - the driver object being unloaded; not needed, the routine
 *              only emits a debugger trace.
 */
void OnUnload(PDRIVER_OBJECT pDriverObj)
{
    (void)pDriverObj;   /* unused parameter */

    DbgPrint("Driver is Unload!\n");
}

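/*
 * DriverEntry - driver entry point.
 *
 * Installs OnUnload as the unload routine, then fetches the loaded-module
 * list with ZwQuerySystemInformation(SystemModuleInformationClass) and prints
 * one DbgPrint line per module.
 *
 * pRootkitObj - driver object from the I/O manager; its DriverUnload is set.
 * pRegistPath - registry service path; unused.
 *
 * Returns STATUS_SUCCESS once the list has been printed,
 * STATUS_UNSUCCESSFUL if the size query reports nothing or the pool
 * allocation fails, otherwise the failing ZwQuerySystemInformation status.
 *
 * Fixes relative to the original: the size query result is validated, a
 * too-small buffer is retried (the list can grow between the two calls), the
 * buffer is released on the success path (it used to leak), and the DbgPrint
 * format matches the argument types.
 */
NTSTATUS DriverEntry(PDRIVER_OBJECT pRootkitObj,PUNICODE_STRING pRegistPath)
{
    enum { MAX_QUERY_ATTEMPTS = 4 };   /* bound on size-mismatch retries */

    NTSTATUS ntStatus=STATUS_UNSUCCESSFUL;
    ULONG count;
    ULONG BufferSize=0;
    ULONG AllocatedSize=0;
    ULONG attempt;

    PSYSTEM_MODULE_INFORMATION pSystemModuleInformation=NULL;
    PSYSTEM_MODULE pSystemModule=NULL;

    (void)pRegistPath;

    pRootkitObj->DriverUnload=OnUnload;

    /* Size query: with a NULL/0 buffer the kernel reports the required length
     * through BufferSize. A zero result means the query did not work, and
     * must not be handed to ExAllocatePool as a zero-byte request. */
    ZwQuerySystemInformation(SystemModuleInformationClass,NULL,0,&BufferSize);
    if(BufferSize==0)
    {
        DbgPrint("ZwQuerySystemInformation size query failed!\n");
        return STATUS_UNSUCCESSFUL;
    }

    /* Allocate and fetch. Another driver may load between the size query and
     * this call, so pass &BufferSize again: a too-small buffer comes back with
     * the new requirement, and the fetch is retried with that size. */
    for(attempt=0;attempt<MAX_QUERY_ATTEMPTS;attempt++)
    {
        AllocatedSize=BufferSize;
        pSystemModuleInformation=(PSYSTEM_MODULE_INFORMATION) ExAllocatePool(PagedPool,AllocatedSize);
        if(pSystemModuleInformation==NULL)
        {
            DbgPrint("ExAllocatePool failed!\n");
            return STATUS_UNSUCCESSFUL;
        }

        ntStatus=ZwQuerySystemInformation(SystemModuleInformationClass,pSystemModuleInformation,AllocatedSize,&BufferSize);
        if(NT_SUCCESS(ntStatus))
        {
            break;
        }

        ExFreePool(pSystemModuleInformation);
        pSystemModuleInformation=NULL;

        if(BufferSize<=AllocatedSize)
        {
            /* Not a size problem: report the kernel's status as-is. */
            DbgPrint("ZwQuerySystemInformation failed!\n");
            return ntStatus;
        }
    }

    if(pSystemModuleInformation==NULL)
    {
        /* The required size kept growing for every attempt. */
        DbgPrint("ZwQuerySystemInformation failed!\n");
        return ntStatus;
    }

    pSystemModule=pSystemModuleInformation->Module;

    for(count=0;count<pSystemModuleInformation->ModuleCount;count++)
    {
        /* %p for ImageBase (the original %08X truncates a 64-bit pointer and
         * mismatches the argument type); %lX matches ULONG = unsigned long.
         * NOTE(review): %s assumes ImageName is NUL-terminated by the kernel
         * within MAXIMUM_FILENAME_LENGTH -- confirm. */
        DbgPrint("LoadIndex=%u        \tImageBase=%p        \tImageSize=0x%08lX        \tImageName=%s\n",
            (unsigned)pSystemModule[count].LoadOrderIndex,
            pSystemModule[count].ImageBase,
            pSystemModule[count].ImageSize,
            pSystemModule[count].ImageName);
    }

    /* The original returned without releasing the pool buffer. */
    ExFreePool(pSystemModuleInformation);

    return STATUS_SUCCESS;
}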

 
