typedef enum _MEMORY_INFORMATION_CLASS
{
MemoryBasicInformation,
MemoryWorkingSetList,
MemorySectionName
}MEMORY_INFORMATION_CLASS;typedef struct
{
UNICODE_STRING SectionFileName;
WCHAR NameBuffer[MAX_PATH * 5];
} MEMORY_SECTION_NAME, *PMEMORY_SECTION_NAME;typedef struct _MEMORY_BASIC_INFORMATION {
PVOID BaseAddress;
PVOID AllocationBase;
DWORD AllocationProtect;
SIZE_T RegionSize;
DWORD State;
DWORD Protect;
DWORD Type;
} MEMORY_BASIC_INFORMATION, *PMEMORY_BASIC_INFORMATION;typedef
NTSTATUS
(__stdcall * PNtQueryVirtualMemory)(
IN HANDLE ProcessHandle,
IN PVOID BaseAddress,
IN MEMORY_INFORMATION_CLASS MemoryInformationClass,
OUT PVOID MemoryInformation,
IN ULONG MemoryInformationLength,
OUT PULONG ReturnLength OPTIONAL
);
typedef struct
{
KEVENT kEvent;
HANDLE ProcessId;
BOOLEAN isFind;
}WORK_DATA, *PWORK_DATA;#define MEM_IMAGE 0x1000000
NTSTATUS EnumDllByZwQueryVirtualMem(PVOID pData)
{
PWORK_DATA p = (PWORK_DATA)pData;
NTSTATUS status=0;
MEMORY_BASIC_INFORMATION mem_info = {0};
MEMORY_SECTION_NAME mem_secName = {0};HANDLE hProcess = NULL;
OBJECT_ATTRIBUTES obj;
CLIENT_ID cid;
PEPROCESS pEproc;int retLen;
ULONG index=0;
PRKAPC_STATE pApcStatus;
UNICODE_STRING ustrNTDLL;RtlInitUnicodeString(&ustrNTDLL, L"\\??\\C:\\WINDOWS\\system32\\ntdll.dll");
PNtQueryVirtualMemory NtQueryVirtualMemory = NULL;
PSYSTEM_DESCRIPTOR_TABLE KeServiceDescriptorTable = (PSYSTEM_DESCRIPTOR_TABLE)dns_get_systemrountine_address(L"KeServiceDescriptorTable");
ULONG uIndex = SYSCALL_INDEX(dns_get_dllfunction_address("NtQueryVirtualMemory", &ustrNTDLL));NtQueryVirtualMemory = (PNtQueryVirtualMemory)KeServiceDescriptorTable->ntoskrnl.ServiceTableBase[uIndex];
cid.UniqueProcess = (HANDLE)p->ProcessId;
cid.UniqueThread = NULL;
InitializeObjectAttributes(&obj, NULL, 0, NULL, NULL);status = PsLookupProcessByProcessId( (HANDLE)p->ProcessId, &pEproc);
if ( !NT_SUCCESS(status) )
{
KdPrint(("cannot get process eprocess, ERROR CODE = %08X\n", status));
status = STATUS_UNSUCCESSFUL;
return status;
}// pApcStatus = (PRKAPC_STATE)ExAllocatePoolWithTag(NonPagedPool, sizeof(KAPC_STATE), ‘pApc‘);
// if (pApcStatus)
// {
// KeStackAttachProcess(pEproc, pApcStatus);
// KdPrint(("已切换到目标进程上下文\n"));
// }
KAPC_STATE k_apc;
KeStackAttachProcess(pEproc, &k_apc);//获取进程句柄
status = ZwOpenProcess(&hProcess, PAGE_READWRITE, &obj, &cid);
if ( !NT_SUCCESS(status) )
{
KdPrint(("cannot get process handle, ERROR CODE = %08X\n", status));
status = STATUS_UNSUCCESSFUL;
return status;
}
KdPrint(("hProcess= %X\n", hProcess));do
{
//查询内存 ;这里为何返回状态为访问违法呢???
status=NtQueryVirtualMemory( hProcess,
(PULONG)index,
MemoryBasicInformation,
&mem_info,
sizeof(mem_info),
NULL );
if ( !NT_SUCCESS(status) )
{
DbgPrint("cannot query memory, ERROR CODE = %08X\n", status);
status = STATUS_SUCCESS;
p->isFind = FALSE;
break;
}if ( status >= 0 )
{
//KdPrint(("ZwQueryVirtualMemory 成功!\n"));//判断"内存节.类型"是否是 "映像/模块"类型
if (mem_info.Type == MEM_IMAGE)
{
//判断模块所占内存范围
if ( (DWORD)mem_info.AllocationBase == index )
{
//查询内存节名
status=NtQueryVirtualMemory( hProcess,
(PULONG)index,
MemorySectionName,
&mem_secName,
sizeof(mem_secName),
NULL );
if ( status >= 0 )
{
UNICODE_STRING ustrMyDll;
RtlInitUnicodeString(&ustrMyDll, L"Locker.dll");
KdPrint(("Address:%08X \t ModuleName:%ws\n", index, mem_secName.SectionFileName.Buffer));
if ( TRUE == SpyFindSubString(&mem_secName.SectionFileName, &ustrMyDll) )
{
p->isFind = TRUE;
break;
}
}
}
}
}index += 0x10000;
} while (index < 0x80000000);
_done:
KeUnstackDetachProcess(&k_apc);
if (hProcess)
ZwClose(hProcess);
status = STATUS_SUCCESS;
return status;
}
NtQueryVirtualMemory 枚举进程模块,布布扣,bubuko.com