zoukankan      html  css  js  c++  java

  • Windows内核遍历驱动模块源码分析

    要获取windows 内核中所有驱动模块信息,调用 系统服务函数 NtQuerySystemInformation,参数SystemInformationClass 传入SystemModuleInformation. 

    NtQuerySystemInformation申明如下:

    [cpp] view plain copy
    print?
    1. //  
    2. // System Information Classes.  
    3. //  
    4. typedef enum _SYSTEM_INFORMATION_CLASS {  
    5.    SystemBasicInformation,  
    6.    SystemProcessorInformation,              // obsolete...delete  
    7.    SystemPerformanceInformation,  
    8.    SystemTimeOfDayInformation,  
    9.    SystemPathInformation,  
    10.    SystemProcessInformation,                //系统进程信息  
    11.    SystemCallCountInformation,  
    12.    SystemDeviceInformation,  
    13.    SystemProcessorPerformanceInformation,  
    14.    SystemFlagsInformation,  
    15.    SystemCallTimeInformation,  
    16.    SystemModuleInformation,     //系统模块  
    17.    SystemLocksInformation,  
    18.    SystemStackTraceInformation,  
    19.    SystemPagedPoolInformation,  
    20.    SystemNonPagedPoolInformation,  
    21.    SystemHandleInformation,  
    22.    SystemObjectInformation,  
    23.    SystemPageFileInformation,  
    24.    SystemVdmInstemulInformation,  
    25.    SystemVdmBopInformation,  
    26.    SystemFileCacheInformation,  
    27.    SystemPoolTagInformation,  
    28.    SystemInterruptInformation,  
    29.    SystemDpcBehaviorInformation,  
    30.    SystemFullMemoryInformation,  
    31.    SystemLoadGdiDriverInformation,  
    32.    SystemUnloadGdiDriverInformation,  
    33.    SystemTimeAdjustmentInformation,  
    34.    SystemSummaryMemoryInformation,  
    35.    SystemMirrorMemoryInformation,  
    36.    SystemPerformanceTraceInformation,  
    37.    SystemObsolete0,  
    38.    SystemExceptionInformation,  
    39.    SystemCrashDumpStateInformation,  
    40.    SystemKernelDebuggerInformation,  
    41.    SystemContextSwitchInformation,  
    42.    SystemRegistryQuotaInformation,  
    43.    SystemExtendServiceTableInformation,  
    44.    SystemPrioritySeperation,  
    45.    SystemVerifierAddDriverInformation,  
    46.    SystemVerifierRemoveDriverInformation,  
    47.    SystemProcessorIdleInformation,  
    48.    SystemLegacyDriverInformation,  
    49.    SystemCurrentTimeZoneInformation,  
    50.    SystemLookasideInformation,  
    51.    SystemTimeSlipNotification,  
    52.    SystemSessionCreate,  
    53.    SystemSessionDetach,  
    54.    SystemSessionInformation,  
    55.    SystemRangeStartInformation,  
    56.    SystemVerifierInformation,  
    57.    SystemVerifierThunkExtend,  
    58.    SystemSessionProcessInformation,  
    59.    SystemLoadGdiDriverInSystemSpace,  
    60.    SystemNumaProcessorMap,  
    61.    SystemPrefetcherInformation,  
    62.    SystemExtendedProcessInformation,  
    63.    SystemRecommendedSharedDataAlignment,  
    64.    SystemComPlusPackage,  
    65.    SystemNumaAvailableMemory,  
    66.    SystemProcessorPowerInformation,  
    67.    SystemEmulationBasicInformation,  
    68.    SystemEmulationProcessorInformation,  
    69.    SystemExtendedHandleInformation,  
    70.    SystemLostDelayedWriteInformation,  
    71.    SystemBigPoolInformation,  
    72.    SystemSessionPoolTagInformation,  
    73.    SystemSessionMappedViewInformation,  
    74.    SystemHotpatchInformation,  
    75.    SystemObjectSecurityMode,  
    76.    SystemWatchdogTimerHandler,  
    77.    SystemWatchdogTimerInformation,  
    78.    SystemLogicalProcessorInformation,  
    79.    SystemWow64SharedInformation,  
    80.    SystemRegisterFirmwareTableInformationHandler,  
    81.    SystemFirmwareTableInformation,  
    82.    SystemModuleInformationEx,  
    83.    SystemVerifierTriageInformation,  
    84.    SystemSuperfetchInformation,  
    85.    SystemMemoryListInformation,  
    86.    SystemFileCacheInformationEx,  
    87.    MaxSystemInfoClass   // MaxSystemInfoClass should always be the last enum  
    88. } SYSTEM_INFORMATION_CLASS;  
    //
// System Information Classes.
//
typedef enum _SYSTEM_INFORMATION_CLASS {
   SystemBasicInformation,
   SystemProcessorInformation,              // obsolete...delete
   SystemPerformanceInformation,
   SystemTimeOfDayInformation,
   SystemPathInformation,
   SystemProcessInformation,                //系统进程信息
   SystemCallCountInformation,
   SystemDeviceInformation,
   SystemProcessorPerformanceInformation,
   SystemFlagsInformation,
   SystemCallTimeInformation,
   SystemModuleInformation,     //系统模块
   SystemLocksInformation,
   SystemStackTraceInformation,
   SystemPagedPoolInformation,
   SystemNonPagedPoolInformation,
   SystemHandleInformation,
   SystemObjectInformation,
   SystemPageFileInformation,
   SystemVdmInstemulInformation,
   SystemVdmBopInformation,
   SystemFileCacheInformation,
   SystemPoolTagInformation,
   SystemInterruptInformation,
   SystemDpcBehaviorInformation,
   SystemFullMemoryInformation,
   SystemLoadGdiDriverInformation,
   SystemUnloadGdiDriverInformation,
   SystemTimeAdjustmentInformation,
   SystemSummaryMemoryInformation,
   SystemMirrorMemoryInformation,
   SystemPerformanceTraceInformation,
   SystemObsolete0,
   SystemExceptionInformation,
   SystemCrashDumpStateInformation,
   SystemKernelDebuggerInformation,
   SystemContextSwitchInformation,
   SystemRegistryQuotaInformation,
   SystemExtendServiceTableInformation,
   SystemPrioritySeperation,
   SystemVerifierAddDriverInformation,
   SystemVerifierRemoveDriverInformation,
   SystemProcessorIdleInformation,
   SystemLegacyDriverInformation,
   SystemCurrentTimeZoneInformation,
   SystemLookasideInformation,
   SystemTimeSlipNotification,
   SystemSessionCreate,
   SystemSessionDetach,
   SystemSessionInformation,
   SystemRangeStartInformation,
   SystemVerifierInformation,
   SystemVerifierThunkExtend,
   SystemSessionProcessInformation,
   SystemLoadGdiDriverInSystemSpace,
   SystemNumaProcessorMap,
   SystemPrefetcherInformation,
   SystemExtendedProcessInformation,
   SystemRecommendedSharedDataAlignment,
   SystemComPlusPackage,
   SystemNumaAvailableMemory,
   SystemProcessorPowerInformation,
   SystemEmulationBasicInformation,
   SystemEmulationProcessorInformation,
   SystemExtendedHandleInformation,
   SystemLostDelayedWriteInformation,
   SystemBigPoolInformation,
   SystemSessionPoolTagInformation,
   SystemSessionMappedViewInformation,
   SystemHotpatchInformation,
   SystemObjectSecurityMode,
   SystemWatchdogTimerHandler,
   SystemWatchdogTimerInformation,
   SystemLogicalProcessorInformation,
   SystemWow64SharedInformation,
   SystemRegisterFirmwareTableInformationHandler,
   SystemFirmwareTableInformation,
   SystemModuleInformationEx,
   SystemVerifierTriageInformation,
   SystemSuperfetchInformation,
   SystemMemoryListInformation,
   SystemFileCacheInformationEx,
   MaxSystemInfoClass   // MaxSystemInfoClass should always be the last enum
} SYSTEM_INFORMATION_CLASS;
    [cpp] view plain copy
    print?
    1. NTSTATUS  
    2. NtQuerySystemInformation (  
    3.     IN SYSTEM_INFORMATION_CLASS SystemInformationClass,  
    4.     OUT PVOID SystemInformation,  
    5.     IN ULONG SystemInformationLength,  
    6.     OUT PULONG ReturnLength OPTIONAL  
    7.     )  
    NTSTATUS
NtQuerySystemInformation (
    IN SYSTEM_INFORMATION_CLASS SystemInformationClass,
    OUT PVOID SystemInformation,
    IN ULONG SystemInformationLength,
    OUT PULONG ReturnLength OPTIONAL
    )
    根据泄漏出的widows 2000 部分源代码,NtQuerySystemInformation 有关 SystemModuleInformation的实现部分如下:
    [cpp] view plain copy
    print?
    1. case SystemModuleInformation:  
    2.     KeEnterCriticalRegion();  
    3.     ExAcquireResourceExclusive( &PsLoadedModuleResource, TRUE );  
    4.     ReleaseModuleResoure = TRUE;  
    5.     Status = ExpQueryModuleInformation( &PsLoadedModuleList,  
    6.                                         &MmLoadedUserImageList,  
    7.                                         (PRTL_PROCESS_MODULES)SystemInformation,  
    8.                                         SystemInformationLength,  
    9.                                         ReturnLength  
    10.                                       );  
    11.     ExReleaseResource (&PsLoadedModuleResource);  
    12.     ReleaseModuleResoure = FALSE;  
    13.     KeLeaveCriticalRegion();  
    14.     break;  
    case SystemModuleInformation:
	KeEnterCriticalRegion();
	ExAcquireResourceExclusive( &PsLoadedModuleResource, TRUE );
	ReleaseModuleResoure = TRUE;
	Status = ExpQueryModuleInformation( &PsLoadedModuleList,
										&MmLoadedUserImageList,
										(PRTL_PROCESS_MODULES)SystemInformation,
										SystemInformationLength,
										ReturnLength
									  );
	ExReleaseResource (&PsLoadedModuleResource);
	ReleaseModuleResoure = FALSE;
	KeLeaveCriticalRegion();
	break;

    在Windows内核实现中,存在两个存储系统加载模块的两个链表,分别是PsLoadedModuleList和 MmLoadedUserImageList,两个全局变量 申明如下:

    [cpp] view plain copy
    print?
    1. LIST_ENTRY PsLoadedModuleList;//驱动模块列表  
    2. LIST_ENTRY MmLoadedUserImageList;//应用程序映像列表  
    LIST_ENTRY PsLoadedModuleList;//驱动模块列表
LIST_ENTRY MmLoadedUserImageList;//应用程序映像列表


    Windows就是通过这两个链表将代表系统模块的_LDR_DATA_ENTRY结构链接在一起。

    _LDR_DATA_ENTRY结构体中有3个 _LIST_ENTRY,系统根据不同排列顺序串连系统中所加载的所有模块,情况就相当明显了,只要遍历任何一个双向链表,即可获得加载的模块信息。


    在Windows 内核中,表示每个模块的数据结构是_LDR_DATA_TABLE_ENTRY,其结构申明为:

    [cpp] view plain copy
    print?
    1. kd> dt _LDR_DATA_TABLE_ENTRY  
    2. nt!_LDR_DATA_TABLE_ENTRY  
    3.    +0x000 InLoadOrderLinks : _LIST_ENTRY  
    4.    +0x008 InMemoryOrderLinks : _LIST_ENTRY  
    5.    +0x010 InInitializationOrderLinks : _LIST_ENTRY  
    6.    +0x018 DllBase          : Ptr32 Void  
    7.    +0x01c EntryPoint       : Ptr32 Void  
    8.    +0x020 SizeOfImage      : Uint4B  
    9.    +0x024 FullDllName      : _UNICODE_STRING  
    10.    +0x02c BaseDllName      : _UNICODE_STRING  
    11.    +0x034 Flags            : Uint4B  
    12.    +0x038 LoadCount        : Uint2B  
    13.    +0x03a TlsIndex         : Uint2B  
    14.    +0x03c HashLinks        : _LIST_ENTRY  
    15.    +0x03c SectionPointer   : Ptr32 Void  
    16.    +0x040 CheckSum         : Uint4B  
    17.    +0x044 TimeDateStamp    : Uint4B  
    18.    +0x044 LoadedImports    : Ptr32 Void  
    19.    +0x048 EntryPointActivationContext : Ptr32 Void  
    20.    +0x04c PatchInformation : Ptr32 Void  
    kd> dt _LDR_DATA_TABLE_ENTRY
nt!_LDR_DATA_TABLE_ENTRY
   +0x000 InLoadOrderLinks : _LIST_ENTRY
   +0x008 InMemoryOrderLinks : _LIST_ENTRY
   +0x010 InInitializationOrderLinks : _LIST_ENTRY
   +0x018 DllBase          : Ptr32 Void
   +0x01c EntryPoint       : Ptr32 Void
   +0x020 SizeOfImage      : Uint4B
   +0x024 FullDllName      : _UNICODE_STRING
   +0x02c BaseDllName      : _UNICODE_STRING
   +0x034 Flags            : Uint4B
   +0x038 LoadCount        : Uint2B
   +0x03a TlsIndex         : Uint2B
   +0x03c HashLinks        : _LIST_ENTRY
   +0x03c SectionPointer   : Ptr32 Void
   +0x040 CheckSum         : Uint4B
   +0x044 TimeDateStamp    : Uint4B
   +0x044 LoadedImports    : Ptr32 Void
   +0x048 EntryPointActivationContext : Ptr32 Void
   +0x04c PatchInformation : Ptr32 Void

    jpg改rar
  • 相关阅读:
    在桌面上显示IE图标(非快捷键)
    在桌面上显示IE图标(非快捷键)
    Detours的使用准备
    Detours的使用准备
    腾讯机试题 AcWing 603 打怪兽
    牛客练习赛13D 幸运数字4
    牛客练习赛13B 幸运数字2
    牛客练习赛13E 乌龟跑步
    NOIP2016提高组复赛C 愤怒的小鸟
    Leetcode SingleNumber I & II & III 136/137/260
  • 原文地址:https://www.cnblogs.com/kuangke/p/6155360.html
Copyright © 2011-2022 走看看