
遍历进程中加载的模块的一种方式

遍历进程中加载的模块的方法有很多种，这里记录一种：通过 ntdll 导出的 RtlCreateQueryDebugBuffer / RtlQueryProcessDebugInformation 读取目标进程的模块列表。

/* Query flags for RtlQueryProcessDebugInformation. They select which parts of
 * the RTL_DEBUG_INFORMATION buffer get filled in; EnumModuleEx below combines
 * MODULES, MODULES32 and NONINVASIVE. The remaining values are kept for
 * completeness and are not used on this page. */
#define RTL_QUERY_PROCESS_MODULES       0x00000001
#define RTL_QUERY_PROCESS_BACKTRACES    0x00000002
#define RTL_QUERY_PROCESS_HEAP_SUMMARY  0x00000004
#define RTL_QUERY_PROCESS_HEAP_TAGS     0x00000008
#define RTL_QUERY_PROCESS_HEAP_ENTRIES  0x00000010
#define RTL_QUERY_PROCESS_LOCKS         0x00000020
#define RTL_QUERY_PROCESS_MODULES32     0x00000040
#define RTL_QUERY_PROCESS_NONINVASIVE   0x80000000

/*
 * Structures below mirror the layout that ntdll's RtlQueryProcessDebugInformation
 * writes into the debug buffer. They are not declared in the public SDK headers,
 * so field order, types and sizes presumably have to match ntdll's internal
 * definitions exactly — do not reorder or "tidy" them. Only RTL_DEBUG_INFORMATION,
 * RTL_PROCESS_MODULES and RTL_PROCESS_MODULE_INFORMATION are read by the code on
 * this page; the heap, lock and backtrace structures are declared so that the
 * pointer fields of RTL_DEBUG_INFORMATION have the correct size.
 */

/* One heap block as reported by a HEAP_ENTRIES query (unused here). */
typedef struct _RTL_HEAP_ENTRY {
    SIZE_T Size;
    USHORT Flags;
    USHORT AllocatorBackTraceIndex;
    union {
        struct {
            SIZE_T Settable;
            ULONG Tag;
        } s1;
        struct {
            SIZE_T CommittedSize;
            PVOID FirstBlock;
        } s2;
    } u;
} RTL_HEAP_ENTRY, * PRTL_HEAP_ENTRY;
/* Per-tag allocation statistics from a HEAP_TAGS query (unused here). */
typedef struct _RTL_HEAP_TAG {
    ULONG NumberOfAllocations;
    ULONG NumberOfFrees;
    SIZE_T BytesAllocated;
    USHORT TagIndex;
    USHORT CreatorBackTraceIndex;
    WCHAR TagName[24];
} RTL_HEAP_TAG, * PRTL_HEAP_TAG;

/* Summary of one heap plus pointers to its tag and entry arrays (unused here). */
typedef struct _RTL_HEAP_INFORMATION {
    PVOID BaseAddress;
    ULONG Flags;
    USHORT EntryOverhead;
    USHORT CreatorBackTraceIndex;
    SIZE_T BytesAllocated;
    SIZE_T BytesCommitted;
    ULONG NumberOfTags;
    ULONG NumberOfEntries;
    ULONG NumberOfPseudoTags;
    ULONG PseudoTagGranularity;
    ULONG Reserved[5];
    PRTL_HEAP_TAG Tags;
    PRTL_HEAP_ENTRY Entries;
} RTL_HEAP_INFORMATION, * PRTL_HEAP_INFORMATION;

/* Heaps[1] is a placeholder for NumberOfHeaps trailing elements. */
typedef struct _RTL_PROCESS_HEAPS {
    ULONG NumberOfHeaps;
    RTL_HEAP_INFORMATION Heaps[1];
} RTL_PROCESS_HEAPS, * PRTL_PROCESS_HEAPS;

/* One loaded module. EnumModuleEx prints FullPathName, a fixed 256-byte field;
 * whether ntdll always NUL-terminates it is not established by this page, so
 * treat it as a bounded buffer rather than a guaranteed C string. */
typedef struct _RTL_PROCESS_MODULE_INFORMATION {
    HANDLE Section; 
    PVOID MappedBase;
    PVOID ImageBase;
    ULONG ImageSize;
    ULONG Flags;
    USHORT LoadOrderIndex;
    USHORT InitOrderIndex;
    USHORT LoadCount;
    USHORT OffsetToFileName;
    UCHAR  FullPathName[256];
} RTL_PROCESS_MODULE_INFORMATION, * PRTL_PROCESS_MODULE_INFORMATION;
/* Number of frames stored per captured backtrace. */
#define MAX_STACK_DEPTH 32
/* Modules[1] is a placeholder: the buffer actually holds NumberOfModules
 * consecutive entries, which EnumModuleEx walks with pointer arithmetic. */
typedef struct _RTL_PROCESS_MODULES {
    ULONG NumberOfModules;
    RTL_PROCESS_MODULE_INFORMATION Modules[1];
} RTL_PROCESS_MODULES, * PRTL_PROCESS_MODULES;
/* One captured stack trace from a BACKTRACES query (unused here). */
typedef struct _RTL_PROCESS_BACKTRACE_INFORMATION {
    PCHAR SymbolicBackTrace; 
    ULONG TraceCount;
    USHORT Index;
    USHORT Depth;
    PVOID BackTrace[MAX_STACK_DEPTH];
} RTL_PROCESS_BACKTRACE_INFORMATION, * PRTL_PROCESS_BACKTRACE_INFORMATION;

/* One critical section / resource lock from a LOCKS query (unused here). */
typedef struct _RTL_PROCESS_LOCK_INFORMATION {
    PVOID Address;
    USHORT Type;
    USHORT CreatorBackTraceIndex;
    HANDLE OwningThread;  
    LONG LockCount;
    ULONG ContentionCount;
    ULONG EntryCount;
    LONG RecursionCount;
    ULONG NumberOfWaitingShared;
    ULONG NumberOfWaitingExclusive;
} RTL_PROCESS_LOCK_INFORMATION, * PRTL_PROCESS_LOCK_INFORMATION;

/* Locks[1] is a placeholder for NumberOfLocks trailing elements. */
typedef struct _RTL_PROCESS_LOCKS {
    ULONG NumberOfLocks;
    RTL_PROCESS_LOCK_INFORMATION Locks[1];
} RTL_PROCESS_LOCKS, * PRTL_PROCESS_LOCKS;

/* BackTraces[1] is a placeholder for NumberOfBackTraces trailing elements. */
typedef struct _RTL_PROCESS_BACKTRACES {
    ULONG CommittedMemory;
    ULONG ReservedMemory;
    ULONG NumberOfBackTraceLookups;
    ULONG NumberOfBackTraces;
    RTL_PROCESS_BACKTRACE_INFORMATION BackTraces[1];
} RTL_PROCESS_BACKTRACES, * PRTL_PROCESS_BACKTRACES;
/* The debug buffer itself: allocated by RtlCreateQueryDebugBuffer, filled by
 * RtlQueryProcessDebugInformation, released by RtlDestroyQueryDebugBuffer.
 * EnumModuleEx reads only the Modules pointer; the other pointers are filled
 * only when the matching RTL_QUERY_PROCESS_* flag was requested. */
typedef struct _RTL_DEBUG_INFORMATION {
    HANDLE SectionHandleClient;
    PVOID ViewBaseClient;
    PVOID ViewBaseTarget;
    ULONG_PTR ViewBaseDelta;
    HANDLE EventPairClient;
    HANDLE EventPairTarget;
    HANDLE TargetProcessId;
    HANDLE TargetThreadHandle;
    ULONG Flags;
    SIZE_T OffsetFree;
    SIZE_T CommitSize;
    SIZE_T ViewSize;
    PRTL_PROCESS_MODULES Modules;
    PRTL_PROCESS_BACKTRACES BackTraces;
    PRTL_PROCESS_HEAPS Heaps;
    PRTL_PROCESS_LOCKS Locks;
    PVOID SpecificHeap;
    HANDLE TargetProcessHandle;
    PVOID Reserved[6];
} RTL_DEBUG_INFORMATION, * PRTL_DEBUG_INFORMATION;
/* Older 32-bit-only module record; declared but not referenced on this page. */
typedef struct _DEBUG_MODULE_INFORMATION {
    ULONG  Reserved[2];
    ULONG  Base;
    ULONG  Size;
    ULONG  Flags;
    USHORT Index;
    USHORT Unknown;
    USHORT LoadCount;
    USHORT ModuleNameOffset;
    CHAR   ImageName[256];
} DEBUG_MODULE_INFORMATION, * PDEBUG_MODULE_INFORMATION;
/* Function-pointer types for the ntdll exports resolved with GetProcAddress in
 * EnumModuleEx. PFNNTQUERYSYSTEMINFORMATION is declared but not used here.
 * The second parameter of RTLQUERYPROCESSDEBUGINFORMATION is the query-flag
 * mask; the first is the target process ID passed as a HANDLE. */
typedef DWORD(__stdcall* PFNNTQUERYSYSTEMINFORMATION) (DWORD, PVOID, DWORD, PDWORD);
typedef PRTL_DEBUG_INFORMATION(__stdcall* RTLCREATEQUERYDEBUGBUFFER) (DWORD, DWORD);
typedef DWORD(__stdcall* RTLQUERYPROCESSDEBUGINFORMATION) (HANDLE, DWORD, PRTL_DEBUG_INFORMATION);
typedef void(__stdcall* RTLDESTROYDEBUGBUFFER) (PVOID);

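/*
 * Print the full path of every module loaded in process dwPID, one per line on
 * stdout, using the RtlCreateQueryDebugBuffer / RtlQueryProcessDebugInformation /
 * RtlDestroyQueryDebugBuffer exports resolved from ntdll.dll at run time.
 *
 * dwPID: process ID of the target. RtlQueryProcessDebugInformation takes the ID
 *        as a HANDLE, so it is widened through ULONG_PTR before the cast.
 *
 * Returns nothing. Every failure (ntdll export missing, buffer allocation
 * failure, non-zero query status, empty module pointer) returns silently, and
 * the debug buffer is always released once it has been allocated — the original
 * leaked it on the non-zero-status path.
 */
void EnumModuleEx(DWORD dwPID) {
    HMODULE hMod = GetModuleHandle(L"ntdll.dll");
    if (hMod == NULL) {
        /* Check the module handle before it is handed to GetProcAddress. */
        return;
    }
    RTLCREATEQUERYDEBUGBUFFER RtlCreateQueryDebugBuffer =
        (RTLCREATEQUERYDEBUGBUFFER)GetProcAddress(hMod, "RtlCreateQueryDebugBuffer");
    RTLQUERYPROCESSDEBUGINFORMATION RtlQueryProcessDebugInformation =
        (RTLQUERYPROCESSDEBUGINFORMATION)GetProcAddress(hMod, "RtlQueryProcessDebugInformation");
    RTLDESTROYDEBUGBUFFER RtlDestroyQueryDebugBuffer =
        (RTLDESTROYDEBUGBUFFER)GetProcAddress(hMod, "RtlDestroyQueryDebugBuffer");
    if (RtlCreateQueryDebugBuffer == NULL ||
        RtlQueryProcessDebugInformation == NULL ||
        RtlDestroyQueryDebugBuffer == NULL) {
        return;
    }

    PRTL_DEBUG_INFORMATION Buffer = RtlCreateQueryDebugBuffer(0, FALSE);
    if (Buffer == NULL) {
        /* Nothing allocated, nothing to release. */
        return;
    }

    /* Module list, including 32-bit modules, with the non-invasive flag. */
    ULONG QueryFlags = RTL_QUERY_PROCESS_MODULES |
                       RTL_QUERY_PROCESS_MODULES32 |
                       RTL_QUERY_PROCESS_NONINVASIVE;

    DWORD status = RtlQueryProcessDebugInformation((HANDLE)(ULONG_PTR)dwPID, QueryFlags, Buffer);
    if (status != 0 || Buffer->Modules == NULL) {
        /* Query failed or returned no module block: still release the buffer. */
        goto cleanup;
    }

    {
        ULONG count = Buffer->Modules->NumberOfModules;
        /* Modules[1] is a placeholder; the buffer holds `count` consecutive entries. */
        PRTL_PROCESS_MODULE_INFORMATION ModuleInfo = Buffer->Modules->Modules;
        for (ULONG i = 0; i < count; i++) {
            /* Bound the print to the 256-byte field instead of relying on a
             * terminator inside data produced by another process's image list. */
            printf("%.*s\n",
                   (int)sizeof ModuleInfo[i].FullPathName,
                   (const char *)ModuleInfo[i].FullPathName);
        }
    }

cleanup:
    RtlDestroyQueryDebugBuffer(Buffer);
}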
2020-08-08
                         
暂无评论

发表回复