  • Windows内核遍历驱动模块源码分析

    要获取 Windows 内核中所有驱动模块的信息,可调用系统服务函数 NtQuerySystemInformation,并将参数 SystemInformationClass 设为 SystemModuleInformation。

    NtQuerySystemInformation 声明如下:

    //
    // System Information Classes.
    //
    // Selector passed as the first argument of NtQuerySystemInformation.
    // No enumerator carries an explicit value, so each one is simply its
    // 0-based position in this list: SystemModuleInformation is the 12th
    // entry and therefore has the value 11, MaxSystemInfoClass is 82.
    // NOTE(review): this table is the one the article quotes from the
    // Windows 2000-era sources; later builds may add or reorder entries,
    // so confirm ordinals against the target build before relying on them.
    //
    typedef enum _SYSTEM_INFORMATION_CLASS {
       SystemBasicInformation,
       SystemProcessorInformation,              // obsolete...delete
       SystemPerformanceInformation,
       SystemTimeOfDayInformation,
       SystemPathInformation,
       SystemProcessInformation,                // system process information
       SystemCallCountInformation,
       SystemDeviceInformation,
       SystemProcessorPerformanceInformation,
       SystemFlagsInformation,
       SystemCallTimeInformation,
       SystemModuleInformation,     // loaded system (driver) modules -- the class used in this article; value 11
       SystemLocksInformation,
       SystemStackTraceInformation,
       SystemPagedPoolInformation,
       SystemNonPagedPoolInformation,
       SystemHandleInformation,
       SystemObjectInformation,
       SystemPageFileInformation,
       SystemVdmInstemulInformation,
       SystemVdmBopInformation,
       SystemFileCacheInformation,
       SystemPoolTagInformation,
       SystemInterruptInformation,
       SystemDpcBehaviorInformation,
       SystemFullMemoryInformation,
       SystemLoadGdiDriverInformation,
       SystemUnloadGdiDriverInformation,
       SystemTimeAdjustmentInformation,
       SystemSummaryMemoryInformation,
       SystemMirrorMemoryInformation,
       SystemPerformanceTraceInformation,
       SystemObsolete0,
       SystemExceptionInformation,
       SystemCrashDumpStateInformation,
       SystemKernelDebuggerInformation,
       SystemContextSwitchInformation,
       SystemRegistryQuotaInformation,
       SystemExtendServiceTableInformation,
       SystemPrioritySeperation,
       SystemVerifierAddDriverInformation,
       SystemVerifierRemoveDriverInformation,
       SystemProcessorIdleInformation,
       SystemLegacyDriverInformation,
       SystemCurrentTimeZoneInformation,
       SystemLookasideInformation,
       SystemTimeSlipNotification,
       SystemSessionCreate,
       SystemSessionDetach,
       SystemSessionInformation,
       SystemRangeStartInformation,
       SystemVerifierInformation,
       SystemVerifierThunkExtend,
       SystemSessionProcessInformation,
       SystemLoadGdiDriverInSystemSpace,
       SystemNumaProcessorMap,
       SystemPrefetcherInformation,
       SystemExtendedProcessInformation,
       SystemRecommendedSharedDataAlignment,
       SystemComPlusPackage,
       SystemNumaAvailableMemory,
       SystemProcessorPowerInformation,
       SystemEmulationBasicInformation,
       SystemEmulationProcessorInformation,
       SystemExtendedHandleInformation,
       SystemLostDelayedWriteInformation,
       SystemBigPoolInformation,
       SystemSessionPoolTagInformation,
       SystemSessionMappedViewInformation,
       SystemHotpatchInformation,
       SystemObjectSecurityMode,
       SystemWatchdogTimerHandler,
       SystemWatchdogTimerInformation,
       SystemLogicalProcessorInformation,
       SystemWow64SharedInformation,
       SystemRegisterFirmwareTableInformationHandler,
       SystemFirmwareTableInformation,
       SystemModuleInformationEx,
       SystemVerifierTriageInformation,
       SystemSuperfetchInformation,
       SystemMemoryListInformation,
       SystemFileCacheInformationEx,
       MaxSystemInfoClass   // MaxSystemInfoClass should always be the last enum (value 82 in this table)
    } SYSTEM_INFORMATION_CLASS;
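    /*
     * NtQuerySystemInformation -- system-service entry that fills a caller
     * supplied buffer with the record(s) selected by SystemInformationClass.
     *
     * SystemInformationClass   which table to return; the article uses
     *                          SystemModuleInformation.
     * SystemInformation        buffer receiving the data (an RTL_PROCESS_MODULES
     *                          block for SystemModuleInformation, per the
     *                          cast in the quoted implementation).
     * SystemInformationLength  size of that buffer in bytes.
     * ReturnLength             optional; receives a byte count. NOTE(review):
     *                          whether it reports bytes written or bytes
     *                          required when the buffer is too small is not
     *                          shown on this page -- confirm before using it
     *                          to size a retry.
     *
     * Returns an NTSTATUS. The buffer contents are only meaningful after the
     * status has been checked for success.
     */
    NTSTATUS
    NtQuerySystemInformation (
        IN SYSTEM_INFORMATION_CLASS SystemInformationClass,
        OUT PVOID SystemInformation,
        IN ULONG SystemInformationLength,
        OUT PULONG ReturnLength OPTIONAL
        );  /* the quoted prototype lacked the terminating ';' */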
    根据泄漏出的 Windows 2000 部分源代码,NtQuerySystemInformation 中有关 SystemModuleInformation 的实现部分如下:
    /*
     * Fragment of the SystemInformationClass switch inside the kernel's query
     * routine; the enclosing function, the Status variable and the exception
     * handling around this case are not shown on this page.
     */
    case SystemModuleInformation:
    	// Enter a critical region and take the loaded-module resource
    	// exclusively (wait = TRUE) so neither list can change while it
    	// is being copied out.
    	KeEnterCriticalRegion();
    	ExAcquireResourceExclusive( &PsLoadedModuleResource, TRUE );
    	// Presumably tells a surrounding handler that the resource must be
    	// released if the copy below faults -- the handler is not visible
    	// here, confirm.
    	ReleaseModuleResoure = TRUE;
    	// Copies both the driver list and the user-image list into the
    	// caller's buffer. NOTE(review): the records include module base
    	// addresses (see DllBase in _LDR_DATA_TABLE_ENTRY); any privilege
    	// check deciding who may read them lives outside this fragment.
    	Status = ExpQueryModuleInformation( &PsLoadedModuleList,
    										&MmLoadedUserImageList,
    										(PRTL_PROCESS_MODULES)SystemInformation,
    										SystemInformationLength,
    										ReturnLength
    									  );
    	ExReleaseResource (&PsLoadedModuleResource);
    	ReleaseModuleResoure = FALSE;
    	KeLeaveCriticalRegion();
    	break;

    在 Windows 内核实现中,存在两个存储系统已加载模块的链表,分别是 PsLoadedModuleList 和 MmLoadedUserImageList,这两个全局变量声明如下:

    /* Heads of the two module lists that SystemModuleInformation walks. */
    LIST_ENTRY PsLoadedModuleList;      // list of loaded driver (kernel) modules
    LIST_ENTRY MmLoadedUserImageList;   // list of loaded user-mode application images


    Windows 就是通过这两个链表将代表系统模块的 _LDR_DATA_TABLE_ENTRY 结构链接在一起。

    _LDR_DATA_TABLE_ENTRY 结构体中有 3 个 _LIST_ENTRY(InLoadOrderLinks、InMemoryOrderLinks、InInitializationOrderLinks),系统按不同的排列顺序把所加载的所有模块串连起来;因此只要遍历其中任意一个双向链表,即可获得已加载模块的信息。


    在 Windows 内核中,表示每个模块的数据结构是 _LDR_DATA_TABLE_ENTRY,其结构声明为(以下为 32 位内核上的 WinDbg dt 输出,偏移与 Ptr32 字段宽度对应):

    kd> dt _LDR_DATA_TABLE_ENTRY
    nt!_LDR_DATA_TABLE_ENTRY
       +0x000 InLoadOrderLinks : _LIST_ENTRY
       +0x008 InMemoryOrderLinks : _LIST_ENTRY
       +0x010 InInitializationOrderLinks : _LIST_ENTRY
       +0x018 DllBase          : Ptr32 Void
       +0x01c EntryPoint       : Ptr32 Void
       +0x020 SizeOfImage      : Uint4B
       +0x024 FullDllName      : _UNICODE_STRING
       +0x02c BaseDllName      : _UNICODE_STRING
       +0x034 Flags            : Uint4B
       +0x038 LoadCount        : Uint2B
       +0x03a TlsIndex         : Uint2B
       +0x03c HashLinks        : _LIST_ENTRY
       +0x03c SectionPointer   : Ptr32 Void
       +0x040 CheckSum         : Uint4B
       +0x044 TimeDateStamp    : Uint4B
       +0x044 LoadedImports    : Ptr32 Void
       +0x048 EntryPointActivationContext : Ptr32 Void
       +0x04c PatchInformation : Ptr32 Void

    jpg改rar

  • 原文地址:https://www.cnblogs.com/kuangke/p/6155360.html