chino

GetSysModuleNameByAddress(ULONG Address)

Oct 31st, 2015
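/*
 * Map a kernel address to the file name of the loaded system module that
 * contains it.
 *
 * The module list comes from NtQuerySystemInformation(SystemModuleInformation),
 * reached through the _NtQuerySytemInformation pointer resolved elsewhere in
 * this file (see the commented reference block below).
 *
 * Address: kernel address to look up. The parameter is a 32-bit ULONG and
 *          p_Base is truncated to ULONG for the comparison, so the lookup is
 *          only meaningful on 32-bit builds.
 *
 * Returns: a NUL-terminated copy of the module file name (the bytes of
 *          a_bPath starting at w_NameOffset), allocated from PagedPool with
 *          tag 'GMN'. The caller owns the copy and releases it with
 *          ExFreePoolWithTag(name, 'GMN'). NULL when the address is not
 *          inside any listed module, or when the query or an allocation fails.
 *
 * Why a copy: the previous version freed the module list and then returned a
 * pointer into it (use-after-free). The name is copied out before the list
 * buffer is released, so the returned pointer stays valid.
 */
char* GetSysModuleNameByAddress(ULONG Address)
{
        PMODULE_LIST pModuleList = NULL;
        ULONG NeededSize = 0, AllocSize, Returned = 0, ModuleCount, MaxEntries, i;
        char *Name = NULL;

        /* The first call only sizes the buffer; it is expected to fail with a
         * length-mismatch status, so only the reported size is checked here. */
        _NtQuerySytemInformation(SystemModuleInformation, &NeededSize, 0, &NeededSize);
        if (NeededSize == 0 || NeededSize > 0xFFFFFFFFUL / 4)
                return NULL;

        /* Over-allocate so that modules loaded between the two calls still fit.
         * NeededSize is already in bytes; the factor is slack, not a unit fix. */
        AllocSize = NeededSize * 4;
        pModuleList = (PMODULE_LIST)ExAllocatePoolWithTag(PagedPool, AllocSize, 'GMN');
        if (pModuleList == NULL)
                return NULL;

        /* Pass the size that was actually allocated: the old code advertised
         * NeededSize * sizeof(Ptr), which is larger than the allocation on x64.
         * NTSTATUS is a signed 32-bit value; >= 0 means success. */
        if (_NtQuerySytemInformation(SystemModuleInformation, pModuleList, AllocSize, &Returned) < 0 ||
            Returned < sizeof(*pModuleList) || Returned > AllocSize)
                goto out;

        /* Do not trust d_Modules beyond what the returned bytes can hold. */
        MaxEntries = (ULONG)((Returned - sizeof(*pModuleList)) / sizeof(pModuleList->a_Modules[0]));
        ModuleCount = (pModuleList->d_Modules < 0) ? 0 : (ULONG)pModuleList->d_Modules;
        if (ModuleCount > MaxEntries)
                ModuleCount = MaxEntries;

        for (i = 0; i < ModuleCount; i++) {
                ULONG Base = (ULONG)pModuleList->a_Modules[i].p_Base;
                ULONG Size = pModuleList->a_Modules[i].d_Size;
                ULONG NameOffset = pModuleList->a_Modules[i].w_NameOffset;
                ULONG PathCap = (ULONG)sizeof(pModuleList->a_Modules[i].a_bPath);
                unsigned char *Path = pModuleList->a_Modules[i].a_bPath;
                ULONG Len, j;

                /* Half-open range [Base, Base + Size), written as a difference
                 * so that Base + Size cannot wrap around. */
                if (Address < Base || Address - Base >= Size)
                        continue;

                /* The name lives inside the fixed 260-byte a_bPath array; an
                 * offset past its end means a malformed entry. */
                if (NameOffset >= PathCap)
                        break;

                /* Measure the name without running past the array, whether or
                 * not a NUL terminator is present. */
                for (Len = 0; NameOffset + Len < PathCap && Path[NameOffset + Len] != 0; Len++)
                        ;

                Name = (char*)ExAllocatePoolWithTag(PagedPool, Len + 1, 'GMN');
                if (Name != NULL) {
                        for (j = 0; j < Len; j++)
                                Name[j] = (char)Path[NameOffset + j];
                        Name[Len] = '\0';
                }
                break;
        }

out:
        /* The module list is released on every path; Name (if any) is a
         * separate allocation and survives this. */
        ExFreePoolWithTag(pModuleList, 'GMN');
        return Name;
}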
  26.  
  27. /**********************************************************************************************
  28.  
  29. typedef NTSTATUS(*NtQuerySystemInformation)(_In_      SYSTEM_INFORMATION_CLASS SystemInformationClass,
  30.                                                                                         _Inout_   PVOID SystemInformation,
  31.                                                                                         _In_      ULONG SystemInformationLength,
  32.                                                                                         _Out_opt_ PULONG ReturnLength);
  33.  
  34. NtQuerySystemInformation _NtQuerySytemInformation;
  35.  
  36. /*...*/
  37.  
  38. UNICODE_STRING usFuncName;
  39. RtlInitUnicodeString(&usFuncName, L"NtQuerySystemInformation");
  40. _NtQuerySytemInformation = (NtQuerySystemInformation)MmGetSystemRoutineAddress(&usFuncName);
  41.  
  42. ***********************************************************************************************
  43.  
  44. typedef enum _SYSTEM_INFORMATION_CLASS {
  45.         SystemBasicInformation,
  46.         SystemProcessorInformation,
  47.         SystemPerformanceInformation,
  48.         SystemTimeOfDayInformation,
  49.         SystemPathInformation,
  50.         SystemProcessInformation,
  51.         SystemCallCountInformation,
  52.         SystemDeviceInformation,
  53.         SystemProcessorPerformanceInformation,
  54.         SystemFlagsInformation,
  55.         SystemCallTimeInformation,
  56.         SystemModuleInformation,
  57.         SystemLocksInformation,
  58.         SystemStackTraceInformation,
  59.         SystemPagedPoolInformation,
  60.         SystemNonPagedPoolInformation,
  61.         SystemHandleInformation,
  62.         SystemObjectInformation,
  63.         SystemPageFileInformation,
  64.         SystemVdmInstemulInformation,
  65.         SystemVdmBopInformation,
  66.         SystemFileCacheInformation,
  67.         SystemPoolTagInformation,
  68.         SystemInterruptInformation,
  69.         SystemDpcBehaviorInformation,
  70.         SystemFullMemoryInformation,
  71.         SystemLoadGdiDriverInformation,
  72.         SystemUnloadGdiDriverInformation,
  73.         SystemTimeAdjustmentInformation,
  74.         SystemSummaryMemoryInformation,
  75.         SystemNextEventIdInformation,
  76.         SystemEventIdsInformation,
  77.         SystemCrashDumpInformation,
  78.         SystemExceptionInformation,
  79.         SystemCrashDumpStateInformation,
  80.         SystemKernelDebuggerInformation,
  81.         SystemContextSwitchInformation,
  82.         SystemRegistryQuotaInformation,
  83.         SystemExtendServiceTableInformation,
  84.         SystemPrioritySeperation,
  85.         SystemPlugPlayBusInformation,
  86.         SystemDockInformation,
  87.         SystemPowerInformation2,
  88.         SystemProcessorSpeedInformation,
  89.         SystemCurrentTimeZoneInformation,
  90.         SystemLookasideInformation
  91. } SYSTEM_INFORMATION_CLASS, *PSYSTEM_INFORMATION_CLASS;
  92.  
  93. typedef struct _MODULE_INFO {
  94.         DWORD d_Reserved1;
  95.         DWORD d_Reserved2;
  96.         PVOID p_Base;
  97.         DWORD d_Size;
  98.         DWORD d_Flags;
  99.         WORD w_Index;
  100.         WORD w_Rank;
  101.         WORD w_LoadCount;
  102.         WORD w_NameOffset;
  103.         BYTE a_bPath [260];
  104. } MODULE_INFO, *PMODULE_INFO, **PPMODULE_INFO;
  105.  
  106. typedef struct _MODULE_LIST
  107. {
  108.         int d_Modules;
  109.         MODULE_INFO a_Modules [];
  110. } MODULE_LIST, *PMODULE_LIST, **PPMODULE_LIST
  111. **/