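/*
 * DupModuleName - copy the file-name part of a module path record into a
 * fresh PagedPool allocation (tag 'GMN').
 *
 * Path:       the a_bPath byte array of a MODULE_INFO record
 * PathSize:   size of that array in bytes (bounds every read below)
 * NameOffset: w_NameOffset, the index of the file name inside Path
 *
 * Returns a NUL-terminated copy, or NULL when NameOffset lies outside the
 * array (treated as a corrupt record) or the allocation fails.
 * The kernel-provided record is never trusted to be NUL-terminated, so the
 * scan stops at PathSize as well as at the first NUL.
 */
static char *DupModuleName(const char *Path, ULONG PathSize, ULONG NameOffset)
{
    ULONG Len = 0;
    char *Copy;

    if (NameOffset >= PathSize) {
        return NULL;
    }
    Path += NameOffset;
    PathSize -= NameOffset;
    while (Len < PathSize && Path[Len] != '\0') {
        Len++;
    }

    Copy = (char *)ExAllocatePoolWithTag(PagedPool, Len + 1, 'GMN');
    if (Copy == NULL) {
        return NULL;
    }
    memcpy(Copy, Path, Len);
    Copy[Len] = '\0';
    return Copy;
}

/*
 * GetSysModuleNameByAddress - find the loaded kernel module whose image
 * range contains Address and return that module's file name.
 *
 * Address: a kernel virtual address. The parameter is ULONG and the module
 *          base is cast to ULONG below, exactly as the original did, so the
 *          lookup is only meaningful on 32-bit builds; on 64-bit both casts
 *          truncate.
 *
 * Returns: a NUL-terminated copy of the name allocated from PagedPool with
 *          tag 'GMN' -- the caller releases it with
 *          ExFreePoolWithTag(name, 'GMN'). NULL when no module covers
 *          Address, the query fails, or an allocation fails.
 *
 * The earlier version returned a pointer into the module-list buffer after
 * freeing that buffer (use-after-free); returning a separate copy is what
 * makes the result safe to use. It also never checked the allocation or the
 * query status, and sized the buffer inconsistently (allocated
 * NeededSize*4 but passed NeededSize*sizeof(Ptr), which differ on 64-bit).
 */
char* GetSysModuleNameByAddress(ULONG Address)
{
    ULONG NeededSize = 0;
    ULONG Count, MaxCount, i;
    PMODULE_LIST pModuleList;
    NTSTATUS status;
    char *Result = NULL;

    /* Sizing call: a zero-length buffer makes the kernel report the byte
     * count required in ReturnLength. */
    _NtQuerySytemInformation(SystemModuleInformation, NULL, 0, &NeededSize);
    if (NeededSize == 0) {
        return NULL;
    }

    /* NeededSize is already in bytes. */
    pModuleList = (PMODULE_LIST)ExAllocatePoolWithTag(PagedPool, NeededSize, 'GMN');
    if (pModuleList == NULL) {
        return NULL;
    }

    status = _NtQuerySytemInformation(SystemModuleInformation, pModuleList, NeededSize, NULL);
    if (!NT_SUCCESS(status)) {
        /* Covers STATUS_INFO_LENGTH_MISMATCH when a module loaded between
         * the two calls; the caller simply gets NULL in that case. */
        ExFreePoolWithTag(pModuleList, 'GMN');
        return NULL;
    }

    /* Never walk past the buffer we own, whatever count the record claims.
     * sizeof *pModuleList is the offset of the flexible array member here;
     * NOTE(review): this assumes the MODULE_LIST layout shown in the
     * reference block below (int count followed by the records). */
    Count = pModuleList->d_Modules > 0 ? (ULONG)pModuleList->d_Modules : 0;
    MaxCount = 0;
    if (NeededSize >= sizeof *pModuleList) {
        MaxCount = (NeededSize - sizeof *pModuleList) / sizeof pModuleList->a_Modules[0];
    }
    if (Count > MaxCount) {
        Count = MaxCount;
    }

    for (i = 0; i < Count; i++) {
        ULONG Base = (ULONG)pModuleList->a_Modules[i].p_Base;
        ULONG Size = pModuleList->a_Modules[i].d_Size;

        /* Address - Base cannot overflow once Address >= Base, whereas the
         * old Base + Size could wrap; "<" also stops matching the byte one
         * past the end of the image. */
        if (Address >= Base && Address - Base < Size) {
            Result = DupModuleName((const char *)pModuleList->a_Modules[i].a_bPath,
                                   sizeof pModuleList->a_Modules[i].a_bPath,
                                   pModuleList->a_Modules[i].w_NameOffset);
            break;
        }
    }

    /* No module contains Address, or the copy was made: either way the
     * list buffer is no longer needed. */
    ExFreePoolWithTag(pModuleList, 'GMN');
    return Result;
}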
- /**********************************************************************************************
- typedef NTSTATUS(*NtQuerySystemInformation)(_In_ SYSTEM_INFORMATION_CLASS SystemInformationClass,
- _Inout_ PVOID SystemInformation,
- _In_ ULONG SystemInformationLength,
- _Out_opt_ PULONG ReturnLength);
- NtQuerySystemInformation _NtQuerySytemInformation;
- ... (initialization elided) ...
- UNICODE_STRING usFuncName;
- RtlInitUnicodeString(&usFuncName, L"NtQuerySystemInformation");
- _NtQuerySytemInformation = (NtQuerySystemInformation)MmGetSystemRoutineAddress(&usFuncName);
- ***********************************************************************************************
- typedef enum _SYSTEM_INFORMATION_CLASS {
- SystemBasicInformation,
- SystemProcessorInformation,
- SystemPerformanceInformation,
- SystemTimeOfDayInformation,
- SystemPathInformation,
- SystemProcessInformation,
- SystemCallCountInformation,
- SystemDeviceInformation,
- SystemProcessorPerformanceInformation,
- SystemFlagsInformation,
- SystemCallTimeInformation,
- SystemModuleInformation,
- SystemLocksInformation,
- SystemStackTraceInformation,
- SystemPagedPoolInformation,
- SystemNonPagedPoolInformation,
- SystemHandleInformation,
- SystemObjectInformation,
- SystemPageFileInformation,
- SystemVdmInstemulInformation,
- SystemVdmBopInformation,
- SystemFileCacheInformation,
- SystemPoolTagInformation,
- SystemInterruptInformation,
- SystemDpcBehaviorInformation,
- SystemFullMemoryInformation,
- SystemLoadGdiDriverInformation,
- SystemUnloadGdiDriverInformation,
- SystemTimeAdjustmentInformation,
- SystemSummaryMemoryInformation,
- SystemNextEventIdInformation,
- SystemEventIdsInformation,
- SystemCrashDumpInformation,
- SystemExceptionInformation,
- SystemCrashDumpStateInformation,
- SystemKernelDebuggerInformation,
- SystemContextSwitchInformation,
- SystemRegistryQuotaInformation,
- SystemExtendServiceTableInformation,
- SystemPrioritySeperation,
- SystemPlugPlayBusInformation,
- SystemDockInformation,
- SystemPowerInformation2,
- SystemProcessorSpeedInformation,
- SystemCurrentTimeZoneInformation,
- SystemLookasideInformation
- } SYSTEM_INFORMATION_CLASS, *PSYSTEM_INFORMATION_CLASS;
- typedef struct _MODULE_INFO {
- DWORD d_Reserved1;
- DWORD d_Reserved2;
- PVOID p_Base;
- DWORD d_Size;
- DWORD d_Flags;
- WORD w_Index;
- WORD w_Rank;
- WORD w_LoadCount;
- WORD w_NameOffset;
- BYTE a_bPath [260];
- } MODULE_INFO, *PMODULE_INFO, **PPMODULE_INFO;
- typedef struct _MODULE_LIST
- {
- int d_Modules;
- MODULE_INFO a_Modules [];
- } MODULE_LIST, *PMODULE_LIST, **PPMODULE_LIST;
- **/