Driver Ergodic


win10x64 内核驱动对象遍历和EPROCESS结构体遍历

0x1 驱动对象遍历


#include <ntddk.h>

/*
 * Loader table entry for a loaded kernel module -- the record that the
 * InLoadOrderLinks list is threaded through.  Only the leading fields are
 * declared here; the kernel's real _LDR_DATA_TABLE_ENTRY continues past
 * BaseDllName, so this type is only ever used through a pointer handed out by
 * the kernel (Driver->DriverSection), never allocated by the driver itself.
 */
typedef struct _LDR_DATA_TABLE_ENTRY
{
	LIST_ENTRY InLoadOrderLinks;            /* links in load order; the list walked below */
	LIST_ENTRY InMemoryOrderLinks;          /* links in memory order (not used here) */
	LIST_ENTRY InInitializationOrderLinks;  /* links in initialisation order (not used here) */
	PVOID DllBase;                          /* image base address of the module */
	PVOID EntryPoint;                       /* entry point of the image */
	ULONG SizeOfImage;                      /* size of the mapped image, in bytes */
	UNICODE_STRING FullDllName;             /* full path of the image file */
	UNICODE_STRING BaseDllName;             /* file name only */
}LDR_DATA_TABLE_ENTRY, * PLDR_DATA_TABLE_ENTRY;

/* Unload callback: nothing to release, only log that the driver is going away. */
VOID DriverUnload(PDRIVER_OBJECT Driver)
{
	UNREFERENCED_PARAMETER(Driver);

	DbgPrint("驱动已经卸载");
}

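/*
 * Walk the kernel's loaded-module list, starting from this driver's own
 * loader entry, and print each module's base, entry point, size and names.
 *
 * Driver: this driver's object; its DriverSection points at the driver's
 *         LDR_DATA_TABLE_ENTRY, which is used as the anchor of the walk.
 * pReg:   registry path (unused).
 * Returns STATUS_SUCCESS.  (The original body had no return statement at all,
 *         which is undefined for a non-void function.)
 *
 * NOTE(review): the list is walked without acquiring PsLoadedModuleResource,
 * so a module being loaded or unloaded concurrently can tear the list under
 * us.  MmIsAddressValid only says the page is resident at this instant; it is
 * not a substitute for that lock.  The list head itself is a bare LIST_ENTRY
 * rather than a full entry, so the record computed for it when the walk passes
 * through it does not describe a real module.
 */
NTSTATUS DriverEntry(PDRIVER_OBJECT Driver, PUNICODE_STRING pReg)
{
	UNREFERENCED_PARAMETER(pReg);

	DbgPrint("DriverEntry start.\n");
	Driver->DriverUnload = DriverUnload;

	/* Anchor on our own entry and stop when the circular list returns to it.
	 * The original anchored on the entry *after* ours and therefore never
	 * printed that module. */
	PLDR_DATA_TABLE_ENTRY pLdr = (PLDR_DATA_TABLE_ENTRY)Driver->DriverSection;
	PLIST_ENTRY pHead = &pLdr->InLoadOrderLinks;
	PLIST_ENTRY pCurrentListEntry = pHead->Flink;

	while (pCurrentListEntry != pHead)
	{
		/* Check the link before reading anything reached through it.  On
		 * failure we must stop: the original jumped to ->Flink of the very
		 * pointer it had just found unreadable. */
		if (!MmIsAddressValid(pCurrentListEntry)) {
			DbgPrint("pCurrentModule 不可读\n");
			break;
		}

		PLDR_DATA_TABLE_ENTRY pCurrentModule =
			CONTAINING_RECORD(pCurrentListEntry, LDR_DATA_TABLE_ENTRY, InLoadOrderLinks);

		DbgPrint("[LYSM] DllBase:%p \n", pCurrentModule->DllBase);
		DbgPrint("[LYSM] EntryPoint:%p \n", pCurrentModule->EntryPoint);
		/* SizeOfImage is a ULONG, not a pointer; %p would consume the wrong width. */
		DbgPrint("[LYSM] SizeOfImage:0x%X \n", pCurrentModule->SizeOfImage);
		/* %wZ expects a PUNICODE_STRING, not the structure passed by value. */
		DbgPrint("[LYSM] FullDllName:%wZ \n", &pCurrentModule->FullDllName);
		DbgPrint("[LYSM] BaseDllName:%wZ \n", &pCurrentModule->BaseDllName);

		pCurrentListEntry = pCurrentListEntry->Flink;
	}

	return STATUS_SUCCESS;
}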

0x2 _EPROCESS结构体遍历


#include <ntddk.h>
/*
 * Field offsets inside the kernel's opaque _EPROCESS for the Win10 x64 build
 * the author worked on.  These are build-specific, not API: they move between
 * Windows releases, so confirm them against the running kernel (for example
 * with `dt nt!_EPROCESS` in WinDbg) before loading this driver on another
 * build.  Reading the wrong offset silently yields garbage or a bugcheck.
 */
#define EPROCESS_ACTIVELIST_OFFSET 0x448	/* ActiveProcessLinks; same value as FLINK below, unused in this listing */
#define EPROCESS_FLINK_OFFSET 0x448		/* ActiveProcessLinks.Flink -- the link the walk follows */
#define EPROCESS_BLINK_OFFSET 0x450		/* ActiveProcessLinks.Blink (FLINK + sizeof(PVOID)); unused in this listing */
#define EPROCESS_PID_OFFSET 0x440		/* process id field (read as a 64-bit value) */

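/*
 * Unload callback.  The kernel invokes DriverUnload with a PDRIVER_OBJECT, so
 * the parameter must be the pointer type.  The original declared it as a
 * DRIVER_OBJECT passed by value, which does not match the PDRIVER_UNLOAD
 * prototype and only compiled because of the cast at the registration site.
 */
VOID DriverUnload(PDRIVER_OBJECT Driver) {
	UNREFERENCED_PARAMETER(Driver);

	DbgPrint("驱动已经卸载");
}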

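/*
 * Walk the kernel's active-process list starting from the current process,
 * print each entry's PID and EPROCESS address, then print the count.
 *
 * Driver: this driver's object; the unload routine is registered on it.
 * pReg:   registry path (unused).
 * Returns STATUS_SUCCESS.  (The original body had no return statement at all,
 *         which is undefined for a non-void function.)
 *
 * NOTE(review): the EPROCESS fields are read through hard-coded offsets that
 * hold only for the kernel build they were taken from; for the PID there is a
 * documented accessor, PsGetProcessId(), that does not depend on the build.
 * The list is walked without any lock, so a process exiting concurrently can
 * free the EPROCESS about to be read.  The walk also passes through the list
 * head, which is a bare LIST_ENTRY rather than an EPROCESS, so one printed
 * "process" is not real and dwCount is one higher than the process count.
 */
NTSTATUS DriverEntry(PDRIVER_OBJECT Driver, PUNICODE_STRING pReg) {
	UNREFERENCED_PARAMETER(pReg);

	DbgPrint("DriverEntry start.\n");
	/* The cast only exists because DriverUnload in this listing is declared
	 * with a by-value DRIVER_OBJECT parameter; with the correct PDRIVER_OBJECT
	 * signature it is unnecessary. */
	Driver->DriverUnload = (PDRIVER_UNLOAD)DriverUnload;

	ULONG64 FirstEProcess = (ULONG64)PsGetCurrentProcess();
	ULONG64 pEPROCESS = FirstEProcess;
	ULONG64 dwCount = 0;

	while (pEPROCESS != 0)
	{
		/* Same guard as the module walk: never read through an address the
		 * kernel reports as not resident. */
		if (!MmIsAddressValid((PVOID)pEPROCESS)) {
			DbgPrint("pEPROCESS 不可读\n");
			break;
		}

		dwCount++;
		ULONG64 pid = *(ULONG64 *)(pEPROCESS + EPROCESS_PID_OFFSET);
		/* Both arguments are 64-bit: %d / %08X consume only 32 bits each and
		 * printed the EPROCESS address truncated. */
		DbgPrint("[Pid=%8I64u] EProcess=0x%016I64X\n", pid, pEPROCESS);

		LIST_ENTRY *ActiveProcessLinks = (LIST_ENTRY *)(pEPROCESS + EPROCESS_FLINK_OFFSET);
		pEPROCESS = (ULONG64)ActiveProcessLinks->Flink - EPROCESS_FLINK_OFFSET;

		/* Back at the starting entry: the circular list is exhausted. */
		if (pEPROCESS == FirstEProcess)
			break;
	}
	DbgPrint("ProcessCount = %I64u\n", dwCount);

	return STATUS_SUCCESS;
}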

0x3 总结

两个遍历方法都差不多：都是先取得 LIST_ENTRY 双向链表，然后沿链表逐个打印结构体信息，一直循环遍历到起始位置为止。


文章作者: Blue
版权声明: 本博客所有文章除特別声明外,均采用 CC BY 4.0 许可协议。转载请注明来源 Blue !