zzage 发表于 2008-9-30 12:25

通过peb枚举DLL

written by: hljleo
my blog: http://hi.baidu.com/hljleo

#include <ntddk.h>
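typedef unsigned long DWORD;

/*
 * PsGetProcessPeb is exported by ntoskrnl but not declared in ntddk.h.
 * Its real return type is PPEB; it is declared as DWORD here so the result
 * can be used directly in the 32-bit offset arithmetic in ShowModules.
 */
__declspec(dllimport) DWORD PsGetProcessPeb(PEPROCESS Process);

NTKERNELAPI
VOID
KeAttachProcess (
    PEPROCESS Process
    );

NTKERNELAPI
VOID
KeDetachProcess (
    VOID
    );

/*
 * Structure offsets as used by the original listing; they assume a 32-bit
 * (x86) kernel and a native 32-bit target process:
 *   Ldr      - PEB.Ldr
 *   Modulist - PEB_LDR_DATA.InLoadOrderModuleList
 *   FileName - recorded by the author as 0x030; not referenced in this file
 * None of them apply to a 64-bit kernel or a WOW64 process.
 */
#define Ldr      0x00c
#define Modulist 0xc
/* The original read "#define FileName0x030", which (because of the missing
 * space) defined an empty macro named FileName0x030 instead of FileName. */
#define FileName 0x030

NTSTATUS PsLookupProcessByProcessId(__in HANDLE ProcessId, __deref_out PEPROCESS *Process);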

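/*
 * Field offsets inside the user-mode loader structures for the 32-bit (x86)
 * builds this listing targets (PEB.Ldr and PEB_LDR_DATA.InLoadOrderModuleList
 * come from the Ldr / Modulist macros above).  Not valid for a 64-bit kernel
 * or a WOW64 target; confirm against the target build before use.
 */
enum {
    LDR_ENTRY_DLLBASE_OFFSET     = 0x18,                      /* LDR_DATA_TABLE_ENTRY.DllBase     */
    LDR_ENTRY_FULLDLLNAME_OFFSET = 0x24,                      /* LDR_DATA_TABLE_ENTRY.FullDllName */
    LDR_ENTRY_MIN_SIZE           = 0x24 + sizeof(UNICODE_STRING),
    /* Upper bound on entries walked: the list lives in user memory and the
     * target process can make it circular or arbitrarily long. */
    MAX_MODULES_WALKED           = 4096,
    /* Process id that the original listing hard-coded. */
    DEFAULT_TARGET_PID           = 992
};

/*
 * TRUE when both the first and the last byte of [Start, Start + Length) are
 * backed by a valid page (sufficient for ranges smaller than a page, which is
 * all this file reads).  MmIsAddressValid is only a snapshot: the target
 * process may unmap the range after the check, so a production driver would
 * wrap these user-mode reads in __try/__except instead of relying on it.
 */
static BOOLEAN IsUserRangeReadable(ULONG Start, ULONG Length)
{
    if (Length == 0 || Start + Length - 1 < Start) {
        return FALSE;   /* empty range, or wraps around the address space */
    }
    return MmIsAddressValid((PVOID)Start) &&
           MmIsAddressValid((PVOID)(Start + Length - 1));
}

/*
 * Walk PEB_LDR_DATA.InLoadOrderModuleList of the process identified by
 * ProcessId and DbgPrint each entry's DllBase and FullDllName.
 *
 * Must run at PASSIVE_LEVEL (KeAttachProcess).  The reference taken by
 * PsLookupProcessByProcessId is kept until after KeDetachProcess, so the
 * EPROCESS cannot disappear while we are attached to it.  Every user-mode
 * read is preceded by a page check; a corrupt or hostile list therefore
 * ends the walk early instead of faulting the kernel.
 */
static VOID ShowModulesOfProcess(HANDLE ProcessId)
{
    PEPROCESS TargetProcess = NULL;
    NTSTATUS Status;
    ULONG Peb, LdrData, ListHead, Entry, Walked;

    /* The original ignored the status and tested an uninitialized pointer;
     * on failure PsLookupProcessByProcessId does not write *Process. */
    Status = PsLookupProcessByProcessId(ProcessId, &TargetProcess);
    if (!NT_SUCCESS(Status) || TargetProcess == NULL) {
        DbgPrint(" Error on Get EProcess By Pid (status 0x%08X).", Status);
        return;
    }

    /* The original dereferenced the process here, before attaching. */
    KeAttachProcess(TargetProcess);

    Peb = PsGetProcessPeb(TargetProcess);
    DbgPrint(" EPROCESS : 0x%p , PEB : 0x%X", TargetProcess, Peb);

    /* A process without a PEB (Peb == 0) fails this check. */
    if (IsUserRangeReadable(Peb + Ldr, sizeof(ULONG))) {
        LdrData = *(ULONG *)(Peb + Ldr);
        DbgPrint("LDR 0x%X ", LdrData);

        /* PEB.Ldr is NULL until the loader has initialized the process. */
        if (IsUserRangeReadable(LdrData + Modulist, sizeof(ULONG))) {
            /* The walk ends when it returns to the list head.  The original
             * compared against the first entry's address instead, so its
             * last iteration read the head (inside PEB_LDR_DATA) as if it
             * were an LDR_DATA_TABLE_ENTRY. */
            ListHead = LdrData + Modulist;
            Entry = *(ULONG *)ListHead;              /* InLoadOrderModuleList.Flink */

            for (Walked = 0; Entry != ListHead && Walked < MAX_MODULES_WALKED; Walked++) {
                ULONG BaseAddress;
                PUNICODE_STRING FullDllName;

                if (!IsUserRangeReadable(Entry, LDR_ENTRY_MIN_SIZE)) {
                    DbgPrint(" Unreadable list entry 0x%X, stopping.", Entry);
                    break;
                }

                BaseAddress = *(ULONG *)(Entry + LDR_ENTRY_DLLBASE_OFFSET);
                FullDllName = (PUNICODE_STRING)(Entry + LDR_ENTRY_FULLDLLNAME_OFFSET);
                DbgPrint(" BASEADDRESS:0x%08X ", BaseAddress);

                /* %wZ prints Buffer[0 .. Length) and so, unlike the original
                 * "%S" on ->Buffer, does not depend on a NUL terminator. */
                if (FullDllName->Length == 0) {
                    DbgPrint(" FullDllName:<empty> \n");
                } else if (FullDllName->Buffer != NULL &&
                           IsUserRangeReadable((ULONG)FullDllName->Buffer, FullDllName->Length)) {
                    DbgPrint(" FullDllName:%wZ \n", FullDllName);
                } else {
                    DbgPrint(" FullDllName:<unreadable> \n");
                }

                Entry = *(ULONG *)Entry;             /* InLoadOrderLinks.Flink */
            }
        }
    }

    KeDetachProcess();
    /* Safe to drop the reference only once we are no longer attached. */
    ObDereferenceObject(TargetProcess);
}

/*
 * Public entry kept for DriverEntry: dumps the module list of the process
 * the original listing hard-coded (pid 992).
 */
VOID ShowModules(VOID)
{
    ShowModulesOfProcess((HANDLE)DEFAULT_TARGET_PID);
}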

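/*
 * DriverUnload callback.  DriverEntry allocates and registers nothing, so
 * there is nothing to release here; the routine only logs the event.
 */
VOID Unload(IN PDRIVER_OBJECT DriverObject)
{
    (void)DriverObject;   /* not used */
    /* The original printed "on load" from the unload routine, which is misleading. */
    DbgPrint("on unload");
}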

/*
 * Driver entry point: dumps the module list of the hard-coded target process
 * once, registers the unload routine and reports success.
 */
NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING RegistryPath)
{
    (void)RegistryPath;   /* not used by this driver */

    ShowModules();
    DriverObject->DriverUnload = Unload;

    return STATUS_SUCCESS;
}