  1. #include <stdio.h>
  2. #include <conio.h>
  3. #include <Windows.h>
  4. #include <winternl.h>
  5.  
  6. #pragma comment(lib,"ntdll.lib")
  7.  
/* One entry of the kernel module list filled in by
 * NtQuerySystemInformation(SystemModuleInformation) (see main).
 * The layout is the kernel's ABI: field order and widths must stay as they are.
 * FullPathName is used as a NUL-terminated C string and OffsetToFileName is the
 * index of the bare file name inside it (main compares that suffix). */
typedef struct _RTL_PROCESS_MODULE_INFORMATION
{
    HANDLE Section;
    PVOID MappedBase;
    PVOID ImageBase;            /* kernel load address, printed by main */
    ULONG ImageSize;
    ULONG Flags;
    USHORT LoadOrderIndex;
    USHORT InitOrderIndex;
    USHORT LoadCount;
    USHORT OffsetToFileName;    /* offset into FullPathName of the file-name part */
    CHAR FullPathName[256];
} RTL_PROCESS_MODULE_INFORMATION, *PRTL_PROCESS_MODULE_INFORMATION;
  21.  
/* Header of the buffer returned for SystemModuleInformation: a count followed
 * by NumberOfModules records. Modules[1] is the pre-C99 spelling of a trailing
 * variable-length array; main indexes it up to NumberOfModules, so the buffer
 * passed to NtQuerySystemInformation must be large enough for all entries. */
typedef struct _RTL_PROCESS_MODULES
{
    ULONG NumberOfModules;
    RTL_PROCESS_MODULE_INFORMATION Modules[1];
} RTL_PROCESS_MODULES, *PRTL_PROCESS_MODULES;
  27.  
/* Function-pointer types for the Wow64*FsRedirection pair. main resolves them
 * with GetProcAddress at run time instead of linking them, so the program
 * still loads when kernel32 does not export them; callers must check for NULL. */
typedef BOOL (WINAPI *LPFN_Wow64DisableWow64FsRedirection)(PVOID* OldValue);
typedef BOOL (WINAPI *LPFN_Wow64RevertWow64FsRedirection)(PVOID OldValue);

/* Opaque redirection state written by Wow64DisableWow64FsRedirection and
 * handed back to Wow64RevertWow64FsRedirection (see the open path in main). */
PVOID OldValue;
  32.  
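/*
 * Report whether this process is running under WOW64.
 *
 * IsWow64Process is looked up dynamically so the binary still starts when
 * kernel32 lacks the export. If the export is missing, kernel32 cannot be
 * located, or the call fails, the answer is FALSE ("not WOW64") rather than
 * whatever happened to be in the output variable.
 *
 * @return TRUE when running under WOW64, FALSE otherwise or on error.
 */
BOOL IsWow64(void)
{
    typedef BOOL (WINAPI *LPFN_ISWOW64PROCESS)(HANDLE, PBOOL);

    BOOL bIsWow64 = FALSE;
    HMODULE hKernel32 = GetModuleHandle("kernel32");
    LPFN_ISWOW64PROCESS fnIsWow64Process = NULL;

    if (hKernel32 != NULL)
    {
        fnIsWow64Process = (LPFN_ISWOW64PROCESS)GetProcAddress(hKernel32, "IsWow64Process");
    }

    if (fnIsWow64Process != NULL && !fnIsWow64Process(GetCurrentProcess(), &bIsWow64))
    {
        /* The query failed: do not trust a value the API did not set. */
        bIsWow64 = FALSE;
    }

    return bIsWow64;
}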
  50.  
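/* SYSTEM_INFORMATION_CLASS value for the kernel module list. winternl.h does
 * not name it, so the magic 11 from the original code lives here instead. */
enum { SYSINFO_CLASS_MODULE_INFORMATION = 11 };

/* First guess for the size of the NtQuerySystemInformation buffer, in bytes. */
enum { MODULE_LIST_INITIAL_BYTES = 1024 * 1024 };

/*
 * Fetch the kernel's loaded-module list (SystemModuleInformation).
 *
 * The caller owns the returned buffer and releases it with
 * VirtualFree(p, 0, MEM_RELEASE). Returns NULL after printing the reason
 * when allocation or the query fails, or when the returned count cannot
 * fit in the buffer (so the caller's loop can never run off the end).
 */
static PRTL_PROCESS_MODULES QueryKernelModules(void)
{
    ULONG bufferBytes = MODULE_LIST_INITIAL_BYTES;
    ULONG returnLength = 0;
    ULONG maxModules;
    NTSTATUS status;
    PRTL_PROCESS_MODULES modules;

    modules = (PRTL_PROCESS_MODULES)VirtualAlloc(NULL, bufferBytes, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
    if (!modules)
    {
        printf("\nUnable to allocate memory for module list (%lu)\n", GetLastError());
        return NULL;
    }

    status = NtQuerySystemInformation((SYSTEM_INFORMATION_CLASS)SYSINFO_CLASS_MODULE_INFORMATION,
                                      modules, bufferBytes, &returnLength);

    /* A fixed 1 MB guess can be too small on a system with many drivers.
     * When the kernel reports the size it needs, retry once with that size. */
    if (!NT_SUCCESS(status) && returnLength > bufferBytes)
    {
        VirtualFree(modules, 0, MEM_RELEASE);
        bufferBytes = returnLength;
        modules = (PRTL_PROCESS_MODULES)VirtualAlloc(NULL, bufferBytes, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
        if (!modules)
        {
            printf("\nUnable to allocate memory for module list (%lu)\n", GetLastError());
            return NULL;
        }
        status = NtQuerySystemInformation((SYSTEM_INFORMATION_CLASS)SYSINFO_CLASS_MODULE_INFORMATION,
                                          modules, bufferBytes, &returnLength);
    }

    if (!NT_SUCCESS(status))
    {
        /* NTSTATUS is a LONG; print it as unsigned hex so 0xC.... codes read correctly. */
        printf("\nError: Unable to query module list (%#lx)\n", (unsigned long)status);
        VirtualFree(modules, 0, MEM_RELEASE);
        return NULL;
    }

    /* Bound the count against the allocation before anyone indexes Modules[]. */
    maxModules = (bufferBytes - (ULONG)FIELD_OFFSET(RTL_PROCESS_MODULES, Modules))
                 / (ULONG)sizeof(RTL_PROCESS_MODULE_INFORMATION);
    if (modules->NumberOfModules > maxModules)
    {
        printf("\nError: module count %lu does not fit in a %lu-byte buffer\n",
               (unsigned long)modules->NumberOfModules, (unsigned long)bufferBytes);
        VirtualFree(modules, 0, MEM_RELEASE);
        return NULL;
    }

    return modules;
}

/*
 * Open a file for reading, bypassing WOW64 file-system redirection when this
 * is a 32-bit process on 64-bit Windows (otherwise System32 silently maps to
 * SysWOW64). Redirection is per-thread, so it is reverted immediately after
 * CreateFile, and the CreateFile error code survives the revert call.
 *
 * @param path        ANSI path to open.
 * @param pfnDisable  Wow64DisableWow64FsRedirection, or NULL if unavailable.
 * @param pfnRevert   Wow64RevertWow64FsRedirection, or NULL if unavailable.
 * @return an open handle the caller closes, or INVALID_HANDLE_VALUE with
 *         GetLastError() set. Under WOW64 without both exports the open is
 *         refused rather than reading the wrong file.
 */
static HANDLE OpenSystemFileUnredirected(const char *path,
                                         LPFN_Wow64DisableWow64FsRedirection pfnDisable,
                                         LPFN_Wow64RevertWow64FsRedirection pfnRevert)
{
    HANDLE hFile = INVALID_HANDLE_VALUE;
    BOOL redirectionDisabled = FALSE;
    DWORD savedError;

    if (IsWow64())
    {
        if (pfnDisable == NULL || pfnRevert == NULL)
        {
            SetLastError(ERROR_CALL_NOT_IMPLEMENTED);
            return INVALID_HANDLE_VALUE;
        }
        if (!pfnDisable(&OldValue))
        {
            return INVALID_HANDLE_VALUE;
        }
        redirectionDisabled = TRUE;
    }

    hFile = CreateFile(path, GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING,
                       FILE_ATTRIBUTE_NORMAL, 0);

    if (redirectionDisabled)
    {
        savedError = GetLastError();
        pfnRevert(OldValue);
        SetLastError(savedError);
    }

    return hFile;
}

/*
 * Map the on-disk image read-only, validate its PE headers, and print the
 * image's preferred ImageBase next to the kernel's load information.
 *
 * The file contents are treated as untrusted: each header field is checked
 * against the real file size before it is dereferenced, so a truncated or
 * corrupt image cannot push a read past the mapping. The optional-header
 * layout is chosen from its Magic field, because a 32-bit (WOW64) build of
 * this tool reads a 64-bit win32k.sys whose ImageBase is at the PE32+ offset.
 *
 * @param hFile  open read handle to the image; the caller keeps ownership.
 * @param mod    the kernel's record for the same module.
 * @return 0 on success, -1 after printing an error.
 */
static int PrintModuleImageInfo(HANDLE hFile, const RTL_PROCESS_MODULE_INFORMATION *mod)
{
    int rc = -1;
    HANDLE hFileMap = NULL;
    LPVOID pMappedFile = NULL;
    LARGE_INTEGER fileSize;
    ULONGLONG size = 0;
    ULONGLONG imageBase = 0;
    PIMAGE_DOS_HEADER pDosh = NULL;
    PIMAGE_NT_HEADERS32 pPeh = NULL;

    fileSize.QuadPart = 0;
    if (!GetFileSizeEx(hFile, &fileSize))
    {
        printf("\nError: cannot determine file size (%lu)\n", GetLastError());
        goto out;
    }
    size = (ULONGLONG)fileSize.QuadPart;

    hFileMap = CreateFileMapping(hFile, NULL, PAGE_READONLY, 0, 0, NULL);
    if (!hFileMap)
    {
        printf("\nError: CreateFileMapping failed (%lu)\n", GetLastError());
        goto out;
    }

    pMappedFile = MapViewOfFile(hFileMap, FILE_MAP_READ, 0, 0, 0);
    if (!pMappedFile)
    {
        printf("\nError: MapViewOfFile failed (%lu)\n", GetLastError());
        goto out;
    }

    /* DOS header: must fit in the file and carry the "MZ" signature. */
    if (size < sizeof(IMAGE_DOS_HEADER))
    {
        printf("\nError: file too small for a DOS header\n");
        goto out;
    }
    pDosh = (PIMAGE_DOS_HEADER)pMappedFile;
    if (pDosh->e_magic != IMAGE_DOS_SIGNATURE)
    {
        printf("\nError: missing MZ signature\n");
        goto out;
    }

    /* e_lfanew is a signed LONG read from the file: reject negative values and
     * offsets that would place the NT headers past the end of the mapping.
     * Pointer arithmetic goes through PBYTE, not DWORD, so it stays correct
     * for 64-bit pointers. */
    if (pDosh->e_lfanew < 0 ||
        (ULONGLONG)pDosh->e_lfanew + sizeof(IMAGE_NT_HEADERS32) > size)
    {
        printf("\nError: e_lfanew out of range\n");
        goto out;
    }
    pPeh = (PIMAGE_NT_HEADERS32)((PBYTE)pMappedFile + pDosh->e_lfanew);
    if (pPeh->Signature != IMAGE_NT_SIGNATURE)
    {
        printf("\nError: missing PE signature\n");
        goto out;
    }

    switch (pPeh->OptionalHeader.Magic)
    {
    case IMAGE_NT_OPTIONAL_HDR64_MAGIC:
        if ((ULONGLONG)pDosh->e_lfanew + sizeof(IMAGE_NT_HEADERS64) > size)
        {
            printf("\nError: PE32+ headers truncated\n");
            goto out;
        }
        imageBase = ((PIMAGE_NT_HEADERS64)pPeh)->OptionalHeader.ImageBase;
        break;
    case IMAGE_NT_OPTIONAL_HDR32_MAGIC:
        imageBase = pPeh->OptionalHeader.ImageBase;
        break;
    default:
        printf("\nError: unknown optional header magic %#x\n", (unsigned)pPeh->OptionalHeader.Magic);
        goto out;
    }

    printf("\n*****************************************************\n");
    printf("\nBase address: 0x%p\n", mod->ImageBase);
    printf("\nImage Base: 0x%llx\n", (unsigned long long)imageBase);
    printf("\nImage name: %s\n", mod->FullPathName + mod->OffsetToFileName);
    printf("\nImage full path: %s\n", mod->FullPathName);
    printf("\nImage size: %lu\n", (unsigned long)mod->ImageSize);
    printf("\n*****************************************************\n");
    rc = 0;

out:
    if (pMappedFile)
    {
        UnmapViewOfFile(pMappedFile);
    }
    if (hFileMap)
    {
        CloseHandle(hFileMap);
    }
    return rc;
}

/*
 * Entry point: find win32k.sys in the kernel module list, open the on-disk
 * copy (bypassing WOW64 redirection when needed) and print the kernel's load
 * address beside the image's preferred ImageBase.
 *
 * Returns 0 when the module was found and printed, -1 on any failure. Every
 * failure path releases what it acquired; the old ExitProcess(0) shortcuts
 * both skipped cleanup and reported success to the caller.
 */
int main(void)
{
    static const char win32kPath[] = "C:\\Windows\\System32\\win32k.sys";
    static const char win32kName[] = "win32k.sys";
    int rc = -1;
    BOOL found = FALSE;
    COORD c;
    HMODULE hKernel32;
    LPFN_Wow64DisableWow64FsRedirection pfnDisable = NULL;
    LPFN_Wow64RevertWow64FsRedirection pfnRevert = NULL;
    PRTL_PROCESS_MODULES moduleInfo;
    ULONG i;

    /* Large scroll-back so the banner is not lost; a failure here is harmless. */
    c.X = 2200;
    c.Y = 3200;
    SetConsoleScreenBufferSize(GetStdHandle(STD_OUTPUT_HANDLE), c);

    /* Both exports are optional (absent on 32-bit Windows); the open helper
     * handles NULL pointers, so only kernel32 itself needs checking here. */
    hKernel32 = GetModuleHandle("kernel32");
    if (hKernel32 != NULL)
    {
        pfnDisable = (LPFN_Wow64DisableWow64FsRedirection)GetProcAddress(hKernel32, "Wow64DisableWow64FsRedirection");
        pfnRevert = (LPFN_Wow64RevertWow64FsRedirection)GetProcAddress(hKernel32, "Wow64RevertWow64FsRedirection");
    }

    moduleInfo = QueryKernelModules();
    if (!moduleInfo)
    {
        return -1;
    }

    for (i = 0; i < moduleInfo->NumberOfModules; i++)
    {
        RTL_PROCESS_MODULE_INFORMATION *mod = &moduleInfo->Modules[i];
        HANDLE hFile;

        /* The buffer is ours, so force termination and bound the file-name
         * offset before the record is used as a C string. */
        mod->FullPathName[sizeof mod->FullPathName - 1] = '\0';
        if (mod->OffsetToFileName >= sizeof mod->FullPathName)
        {
            continue;
        }
        if (_stricmp(win32kName, mod->FullPathName + mod->OffsetToFileName) != 0)
        {
            continue;
        }

        found = TRUE;
        hFile = OpenSystemFileUnredirected(win32kPath, pfnDisable, pfnRevert);
        if (hFile == INVALID_HANDLE_VALUE)
        {
            printf("\nCannot open file! (%lu)\n", GetLastError());
            break;
        }
        rc = PrintModuleImageInfo(hFile, mod);
        CloseHandle(hFile);
        break;
    }

    if (!found)
    {
        printf("\nError: win32k.sys is not in the kernel module list\n");
    }

    VirtualFree(moduleInfo, 0, MEM_RELEASE);
    _getch();
    return rc;
}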