是这几个:
FindPsLoadedModuleList
GetKernelModuleName
GetModuleBase
IRP HOOK的那几个我也逆出来了不过我看比较简单就不发了。
FindPsLoadedModuleList
GetKernelModuleName
GetModuleBase
IRP HOOK的那几个我也逆出来了不过我看比较简单就不发了。
/* Build number exported by the kernel; 2195 selects the Windows 2000
 * path in FindPsLoadedModuleList(). */
extern DWORD NtBuildNumber;

/* Head of the kernel's loaded-module list. Presumably filled in through
 * FindPsLoadedModuleList()'s out-parameter by the caller — confirm. */
PLIST_ENTRY PsLoadedModuleList;

/* Kernel image file name (lower-cased, directory part stripped), set by
 * GetKernelModuleName(). */
WCHAR g_wszKrnlModuleName[128] = { 0 };
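/*
 * Locate the kernel's loaded-module list.
 *
 * @param DriverObject  The caller's driver object (only used on Windows 2000).
 * @param pList         Receives the list entry to start walking from.
 * @return TRUE on success; FALSE (with a DbgPrint) if nothing was found or
 *         pList is NULL.
 *
 * Note: on the Windows 2000 path the value returned is DriverObject->DriverSection,
 * presumably the driver's own loader entry rather than the kernel's list head
 * (confirm) — a walker that stops at the head will therefore not visit that entry.
 */
BOOL FindPsLoadedModuleList(PDRIVER_OBJECT DriverObject, PLIST_ENTRY *pList)
{
    PLIST_ENTRY pListEntry = NULL;

    if (pList == NULL)
        return FALSE;

    if (NtBuildNumber == 2195) /* Windows 2000 */
    {
        /* DriverSection's first member is the load-order link, so the
         * cast to PLIST_ENTRY is what the original relied on. */
        if (DriverObject != NULL)
            pListEntry = DriverObject->DriverSection;
    }
    else
    {
        /* Fixed 32-bit x86 layout: 0xFFDFF000 is the processor control region,
         * +0x34 holds a pointer to a kernel version block, and +0x70 inside that
         * block is read as PsLoadedModuleList. This is layout-dependent and only
         * meaningful on a 32-bit kernel; any other build/architecture yields
         * garbage or a fault. */
        __asm
        {
            mov eax, 0FFDFF034h
            mov eax, [eax]
            mov eax, [eax+70h]
            mov pListEntry, eax
        }
    }

    /* Single failure check for both paths (the original duplicated it). */
    if (pListEntry == NULL)
    {
        DbgPrint("ModuleList is NULL!\n");
        return FALSE;
    }

    *pList = pListEntry;
    return TRUE;
}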
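/*
 * Walk PsLoadedModuleList and store the kernel image's file name (lower-cased,
 * without directory) in g_wszKrnlModuleName.
 *
 * The match is a substring search for "krnl" in the lower-cased full path, as in
 * the original; not every kernel image name contains that substring (e.g.
 * ntkrpamp.exe), so the lookup can legitimately fail.
 *
 * @return TRUE if a matching module was found and the name stored, FALSE otherwise.
 *
 * Fixes relative to the original: the name copy is bounded to the local buffer
 * and always NUL-terminated (FullDllName.Length is untrusted and may exceed
 * 128 WCHARs; the buffer was also reused across iterations without
 * re-termination); the list head itself is no longer dereferenced as an
 * LDR_DATA_TABLE_ENTRY; the backslash search used a multi-character constant;
 * the second copy's length was computed in mixed units.
 */
BOOL GetKernelModuleName(void)
{
    PLIST_ENTRY head = PsLoadedModuleList;
    PLIST_ENTRY entry;
    WCHAR szName[128];
    const size_t cchMax = sizeof(szName) / sizeof(szName[0]) - 1;
    WCHAR *pPos = NULL;
    BOOL found = FALSE;

    if (head == NULL)
    {
        DbgPrint("ModuleList is NULL!\n");
        return FALSE;
    }

    /* head->Flink is the first entry; stop when we return to the head, which is
     * a bare LIST_ENTRY and not a module record. */
    for (entry = head->Flink; entry != head; entry = entry->Flink)
    {
        PLDR_DATA_TABLE_ENTRY mod = (PLDR_DATA_TABLE_ENTRY)entry;
        size_t cch;

        if (mod->SizeOfImage == 0)
            continue;
        /* NULL check first so MmIsAddressValid is never handed NULL. Note that
         * MmIsAddressValid only vouches for the page containing Buffer. */
        if (mod->FullDllName.Buffer == NULL || !MmIsAddressValid(mod->FullDllName.Buffer))
            continue;

        /* Length is in bytes; clamp to the buffer and terminate explicitly,
         * since wcsncpy does not terminate when the source fills the count. */
        cch = mod->FullDllName.Length / sizeof(WCHAR);
        if (cch > cchMax)
            cch = cchMax;
        wcsncpy(szName, mod->FullDllName.Buffer, cch);
        szName[cch] = L'\0';
        _wcslwr(szName);

        if (wcsstr(szName, L"krnl") != NULL)
        {
            found = TRUE;
            break;
        }
    }

    if (!found)
    {
        DbgPrint("Not Found Kernel Module Name\n");
        return FALSE;
    }

    /* Strip the directory part: keep everything after the last backslash. */
    pPos = wcsrchr(szName, L'\\');
    if (pPos == NULL)
    {
        DbgPrint("Not Found Kernel Module Name\n");
        return FALSE;
    }

    /* szName is NUL-terminated, so a bounded copy of the tail is enough. */
    wcsncpy(g_wszKrnlModuleName, pPos + 1, cchMax);
    g_wszKrnlModuleName[cchMax] = L'\0';
    DbgPrint("%S\n", g_wszKrnlModuleName);
    return TRUE;
}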
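/*
 * Find the base address of a loaded kernel module whose lower-cased full path
 * contains szModuleName.
 *
 * @param szModuleName  Substring to look for. The module path is lower-cased
 *                      before the comparison but szModuleName is not, so the
 *                      caller must pass it in lower case.
 * @return The module's DllBase, or 0 if no entry matches (or the list is unset).
 *
 * Fixes relative to the original: the loop condition was inverted
 * (`while (pListEntry == KernelBase)` terminated after the first entry, so only
 * the first module was ever examined); the name copy is bounded and terminated;
 * the debug print now uses the terminated local copy instead of printing
 * FullDllName.Buffer, which a UNICODE_STRING does not guarantee to be
 * NUL-terminated; the list head is not dereferenced as a module record.
 */
ULONG GetModuleBase(WCHAR * szModuleName)
{
    PLIST_ENTRY head = PsLoadedModuleList;
    PLIST_ENTRY entry;
    WCHAR szName[128];
    const size_t cchMax = sizeof(szName) / sizeof(szName[0]) - 1;

    DbgPrint("PsLoadedModuleList: %08x\n", PsLoadedModuleList);
    if (head == NULL || szModuleName == NULL)
        return 0;

    for (entry = head->Flink; entry != head; entry = entry->Flink)
    {
        PLDR_DATA_TABLE_ENTRY mod = (PLDR_DATA_TABLE_ENTRY)entry;
        size_t cch;

        if (mod->SizeOfImage == 0)
            continue;
        if (mod->FullDllName.Buffer == NULL || !MmIsAddressValid(mod->FullDllName.Buffer))
            continue;

        /* Length is in bytes; clamp to the local buffer and terminate. */
        cch = mod->FullDllName.Length / sizeof(WCHAR);
        if (cch > cchMax)
            cch = cchMax;
        wcsncpy(szName, mod->FullDllName.Buffer, cch);
        szName[cch] = L'\0';

        DbgPrint("ModuleName: %S, Base: %08x, Length: %08x\n",
                 szName, mod->DllBase, mod->SizeOfImage);

        _wcslwr(szName);
        if (wcsstr(szName, szModuleName) != NULL)
            return (ULONG)mod->DllBase;   /* 32-bit only: DllBase truncates on x64 */
    }

    return 0;
}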