Windows內核遍歷驅動模塊源碼分析


要獲取 Windows 內核中所有驅動模塊的信息,可調用系統服務函數 NtQuerySystemInformation,並將參數 SystemInformationClass 設為 SystemModuleInformation。

NtQuerySystemInformation 的聲明如下:

 

//
// System Information Classes.
//
// Selector passed as SystemInformationClass to NtQuerySystemInformation.
// No enumerator carries an explicit value, so each class's number is its
// position in this list (SystemModuleInformation is 11): inserting or
// reordering an entry shifts every later class and breaks callers built
// against the old numbering, which is why MaxSystemInfoClass must stay last.
// The list reflects one kernel build; later kernels presumably append
// further classes after SystemFileCacheInformationEx, so MaxSystemInfoClass
// is only this build's upper bound -- TODO confirm against the target release.
//
typedef enum _SYSTEM_INFORMATION_CLASS {
   SystemBasicInformation,                  // 0
   SystemProcessorInformation,              // obsolete...delete
   SystemPerformanceInformation,
   SystemTimeOfDayInformation,
   SystemPathInformation,
   SystemProcessInformation,                // 5: system process information
   SystemCallCountInformation,
   SystemDeviceInformation,
   SystemProcessorPerformanceInformation,
   SystemFlagsInformation,
   SystemCallTimeInformation,
   SystemModuleInformation,     // 11: loaded system modules, returned as RTL_PROCESS_MODULES
   SystemLocksInformation,
   SystemStackTraceInformation,
   SystemPagedPoolInformation,
   SystemNonPagedPoolInformation,
   SystemHandleInformation,
   SystemObjectInformation,
   SystemPageFileInformation,
   SystemVdmInstemulInformation,
   SystemVdmBopInformation,
   SystemFileCacheInformation,
   SystemPoolTagInformation,
   SystemInterruptInformation,
   SystemDpcBehaviorInformation,
   SystemFullMemoryInformation,
   SystemLoadGdiDriverInformation,
   SystemUnloadGdiDriverInformation,
   SystemTimeAdjustmentInformation,
   SystemSummaryMemoryInformation,
   SystemMirrorMemoryInformation,
   SystemPerformanceTraceInformation,
   SystemObsolete0,
   SystemExceptionInformation,
   SystemCrashDumpStateInformation,
   SystemKernelDebuggerInformation,
   SystemContextSwitchInformation,
   SystemRegistryQuotaInformation,
   SystemExtendServiceTableInformation,
   SystemPrioritySeperation,
   SystemVerifierAddDriverInformation,
   SystemVerifierRemoveDriverInformation,
   SystemProcessorIdleInformation,
   SystemLegacyDriverInformation,
   SystemCurrentTimeZoneInformation,
   SystemLookasideInformation,
   SystemTimeSlipNotification,
   SystemSessionCreate,
   SystemSessionDetach,
   SystemSessionInformation,
   SystemRangeStartInformation,
   SystemVerifierInformation,
   SystemVerifierThunkExtend,
   SystemSessionProcessInformation,
   SystemLoadGdiDriverInSystemSpace,
   SystemNumaProcessorMap,
   SystemPrefetcherInformation,
   SystemExtendedProcessInformation,
   SystemRecommendedSharedDataAlignment,
   SystemComPlusPackage,
   SystemNumaAvailableMemory,
   SystemProcessorPowerInformation,
   SystemEmulationBasicInformation,
   SystemEmulationProcessorInformation,
   SystemExtendedHandleInformation,
   SystemLostDelayedWriteInformation,
   SystemBigPoolInformation,
   SystemSessionPoolTagInformation,
   SystemSessionMappedViewInformation,
   SystemHotpatchInformation,
   SystemObjectSecurityMode,
   SystemWatchdogTimerHandler,
   SystemWatchdogTimerInformation,
   SystemLogicalProcessorInformation,
   SystemWow64SharedInformation,
   SystemRegisterFirmwareTableInformationHandler,
   SystemFirmwareTableInformation,
   SystemModuleInformationEx,
   SystemVerifierTriageInformation,
   SystemSuperfetchInformation,
   SystemMemoryListInformation,
   SystemFileCacheInformationEx,
   MaxSystemInfoClass   // MaxSystemInfoClass should always be the last enum
} SYSTEM_INFORMATION_CLASS;
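//
// NtQuerySystemInformation - query one class of system-wide information.
//
// SystemInformationClass   - which table to return; SystemModuleInformation
//                            yields the loaded-module lists as an
//                            RTL_PROCESS_MODULES block.
// SystemInformation        - caller-supplied output buffer. For a user-mode
//                            caller this is untrusted memory; presumably the
//                            kernel probes it and writes under exception
//                            protection (not visible in this excerpt).
// SystemInformationLength  - size of SystemInformation in bytes.
// ReturnLength             - optional; receives the number of bytes used or,
//                            when the buffer is too small, the size required
//                            (callers conventionally retry on
//                            STATUS_INFO_LENGTH_MISMATCH -- verify against
//                            the target kernel).
//
// Returns an NTSTATUS. The page's copy of this declaration lacked the
// terminating semicolon; it is added here so this is a valid prototype.
//
NTSTATUS
NtQuerySystemInformation (
    IN SYSTEM_INFORMATION_CLASS SystemInformationClass,
    OUT PVOID SystemInformation,
    IN ULONG SystemInformationLength,
    OUT PULONG ReturnLength OPTIONAL
    );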
根據泄漏出的 Windows 2000 部分源代碼,NtQuerySystemInformation 中處理 SystemModuleInformation 的實現部分如下:
case SystemModuleInformation:
	// Copy out the loaded-module lists while holding PsLoadedModuleResource,
	// so no module can be added or removed mid-walk. The critical region is
	// entered first; per the DDK contract this keeps the thread from being
	// suspended (normal kernel APCs) while it owns the resource.
	KeEnterCriticalRegion();
	ExAcquireResourceExclusive( &PsLoadedModuleResource, TRUE );
	// Presumably read by a cleanup/exception handler outside this excerpt so
	// the resource is still released if the query raises (e.g. on a bad
	// caller buffer) -- TODO confirm against the full function. Note the
	// variable name typo is the original's.
	ReleaseModuleResoure = TRUE;
	// Both lists (kernel driver modules and user-mode images) are serialized
	// into the caller's buffer as RTL_PROCESS_MODULES. Any check of
	// SystemInformationLength against the required size happens inside
	// ExpQueryModuleInformation and is not visible here.
	Status = ExpQueryModuleInformation( &PsLoadedModuleList,
										&MmLoadedUserImageList,
										(PRTL_PROCESS_MODULES)SystemInformation,
										SystemInformationLength,
										ReturnLength
									  );
	// Release in reverse order of acquisition; the flag is cleared before
	// leaving so a later handler does not release twice.
	ExReleaseResource (&PsLoadedModuleResource);
	ReleaseModuleResoure = FALSE;
	KeLeaveCriticalRegion();
	break;

在 Windows 內核實現中,存在兩個用於存儲已加載系統模塊的鏈表,分別是 PsLoadedModuleList 和 MmLoadedUserImageList,這兩個全局變量的聲明如下:

 

// Heads of the two loaded-module lists that the SystemModuleInformation path
// hands to ExpQueryModuleInformation. In that path both are read under
// PsLoadedModuleResource; any other walker should take the same lock, since
// the lists change as modules load and unload. Entries are presumably
// _LDR_DATA_TABLE_ENTRY records linked through one of their *OrderLinks
// fields -- which one is not visible here, confirm before casting.
LIST_ENTRY PsLoadedModuleList;//kernel driver module list
LIST_ENTRY MmLoadedUserImageList;//user-mode application image list


Windows 就是通過這兩個鏈表,將代表各個系統模塊的 _LDR_DATA_TABLE_ENTRY 結構鏈接在一起。

_LDR_DATA_TABLE_ENTRY 結構體中有 3 個用於排序的 _LIST_ENTRY(InLoadOrderLinks、InMemoryOrderLinks、InInitializationOrderLinks),系統按不同的順序將所加載的所有模塊串連起來。因此情況就相當明顯了:只要遍歷其中任何一個雙向鏈表,即可獲得所有已加載模塊的信息;內核代碼自行遍歷時,仍應像上面的實現那樣先持有 PsLoadedModuleResource,否則鏈表可能在遍歷過程中被修改。


在 Windows 內核中,表示每個模塊的數據結構是 _LDR_DATA_TABLE_ENTRY,其結構聲明為:

kd> dt _LDR_DATA_TABLE_ENTRY
nt!_LDR_DATA_TABLE_ENTRY
   +0x000 InLoadOrderLinks : _LIST_ENTRY
   +0x008 InMemoryOrderLinks : _LIST_ENTRY
   +0x010 InInitializationOrderLinks : _LIST_ENTRY
   +0x018 DllBase          : Ptr32 Void
   +0x01c EntryPoint       : Ptr32 Void
   +0x020 SizeOfImage      : Uint4B
   +0x024 FullDllName      : _UNICODE_STRING
   +0x02c BaseDllName      : _UNICODE_STRING
   +0x034 Flags            : Uint4B
   +0x038 LoadCount        : Uint2B
   +0x03a TlsIndex         : Uint2B
   +0x03c HashLinks        : _LIST_ENTRY
   +0x03c SectionPointer   : Ptr32 Void
   +0x040 CheckSum         : Uint4B
   +0x044 TimeDateStamp    : Uint4B
   +0x044 LoadedImports    : Ptr32 Void
   +0x048 EntryPointActivationContext : Ptr32 Void
   +0x04c PatchInformation : Ptr32 Void


 





 