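/*
 * GetSysImageBase - look up the load address of a loaded kernel module by its
 * file name.
 *
 * pszsysname: NUL-terminated file name, compared case-insensitively against
 *             the file-name part (FullPathName + OffsetToFileName) of every
 *             entry returned by SystemModuleInformation.
 *
 * Returns the matching module's ImageBase as a ULONG, or 0 when pszsysname is
 * NULL, the pool allocation fails, ZwQuerySystemInformation fails, or no
 * module matches. The ULONG return (and therefore the truncation of
 * ImageBase) is only meaningful on a 32-bit kernel, matching the ULONG-based
 * module structures declared alongside this function.
 *
 * Fixes over the previous version: the buffer is no longer freed only on some
 * early exits (the count==0 path leaked it), the unreachable `return` after
 * `break` is gone, the buffer is re-sized from ReturnLength instead of failing
 * when the fixed 64 KiB guess is too small, the entry walk is bounded by the
 * buffer size rather than trusting the count alone, and OffsetToFileName is
 * range-checked before it is used to form a pointer.
 */
ULONG GetSysImageBase(PCHAR pszsysname)
{
    ULONG uImageBase = 0;
    ULONG uSize = 0x10000;      /* initial guess; grown from ReturnLength on failure */
    ULONG uReturned = 0;
    PVOID pModuleInfo = NULL;
    NTSTATUS status;
    ULONG uAttempt;

    if (pszsysname == NULL) {
        return 0;
    }

    /*
     * The module list grows with the number of loaded drivers, so a single
     * fixed size is not enough. On failure the kernel reports the size it
     * needs in ReturnLength; retry with that. The attempt count is capped so a
     * ReturnLength that keeps growing cannot spin forever.
     */
    for (uAttempt = 0; uAttempt < 4; uAttempt++) {
        pModuleInfo = ExAllocatePool(NonPagedPool, uSize);
        if (pModuleInfo == NULL) {
            return 0;
        }
        status = ZwQuerySystemInformation(SystemModuleInformation, pModuleInfo, uSize, &uReturned);
        if (NT_SUCCESS(status)) {
            break;
        }
        ExFreePool(pModuleInfo);
        pModuleInfo = NULL;
        if (uReturned <= uSize) {
            return 0;               /* failed for a reason other than buffer size */
        }
        uSize = uReturned;
    }
    if (pModuleInfo == NULL) {
        return 0;                   /* attempts exhausted */
    }

    /*
     * Buffer layout: a ULONG entry count followed by a packed array of
     * RTL_PROCESS_MODULE_INFORMATION. Clamp the count to what physically fits
     * in the allocation so a count that disagrees with the buffer size can
     * never walk past the end of the pool block.
     */
    ULONG uNumberOfModules = *(PULONG)pModuleInfo;
    ULONG uMaxModules = (uSize - sizeof(ULONG)) / sizeof(RTL_PROCESS_MODULE_INFORMATION);
    if (uNumberOfModules > uMaxModules) {
        uNumberOfModules = uMaxModules;
    }

    /* Byte-wise arithmetic through PUCHAR; casting the pointer to ULONG would truncate on x64. */
    PRTL_PROCESS_MODULE_INFORMATION pStart =
        (PRTL_PROCESS_MODULE_INFORMATION)((PUCHAR)pModuleInfo + sizeof(ULONG));

    for (ULONG i = 0; i < uNumberOfModules; i++, pStart++) {
        ULONG uOffsetName = pStart->OffsetToFileName;

        /* OffsetToFileName must land inside the 256-byte FullPathName array. */
        if (uOffsetName >= sizeof(pStart->FullPathName)) {
            continue;
        }
        const char *pszname = (const char *)pStart->FullPathName + uOffsetName;
        if (_stricmp(pszname, pszsysname) == 0) {
            /* Double cast avoids a pointer-truncation warning; the narrowing itself
             * is inherent in the ULONG return type (32-bit kernel assumption). */
            uImageBase = (ULONG)(ULONG_PTR)pStart->ImageBase;
            break;
        }
    }

    ExFreePool(pModuleInfo);
    return uImageBase;
}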
#include"ntifs.h"
#include"intsafe.h"
#include"ntimage.h"
/*
 * One entry of the array returned by ZwQuerySystemInformation(SystemModuleInformation),
 * as consumed by GetSysImageBase: the array follows a leading ULONG count, and
 * the module's file name is located at FullPathName + OffsetToFileName.
 * Field order and widths mirror the kernel's layout and must not be changed.
 */
typedef struct _RTL_PROCESS_MODULE_INFORMATION
{
HANDLE Section;
PVOID MappedBase;
PVOID ImageBase;            /* load address reported by GetSysImageBase */
ULONG ImageSize;
ULONG Flags;
USHORT LoadOrderIndex;
USHORT InitOrderIndex;
USHORT LoadCount;
USHORT OffsetToFileName;    /* byte offset of the file name inside FullPathName */
UCHAR FullPathName[256];    /* NOTE(review): NUL-termination within 256 bytes is assumed by callers — confirm */
} RTL_PROCESS_MODULE_INFORMATION, *PRTL_PROCESS_MODULE_INFORMATION;
/*
 * System module information (alternative, ULONG-based view of the same entry).
 * Base/Size are ULONG, so this layout presumably only matches a 32-bit kernel;
 * not referenced by GetSysImageBase, which uses RTL_PROCESS_MODULE_INFORMATION.
 */
typedef struct _SYSTEM_MODULE_INFORMATION
{
ULONG Reserved[2];
ULONG Base;                 /* image base (32-bit) */
ULONG Size;
ULONG Flags;
USHORT Index;
USHORT Unknown;
USHORT LoadCount;
USHORT ModuleNameOffset;    /* byte offset of the file name inside ImageName */
CHAR ImageName[256];
} SYSTEM_MODULE_INFORMATION, *PSYSTEM_MODULE_INFORMATION;
/*
 * Module list structure: a count followed by a trailing array of entries.
 * smi[1] is the pre-C99 "at least one" idiom; the real number of valid
 * entries is presumably ulCount, and only those that fit in the buffer
 * actually returned by the kernel may be read.
 */
typedef struct _tagSysModuleList
{
ULONG ulCount;
SYSTEM_MODULE_INFORMATION smi[1];
} MODULES, *PMODULES;
/* Returns the load address of the named kernel module, or 0 if not found / on failure. */
ULONG GetSysImageBase(PCHAR pszsysname);
/*
 * Not exported through the public headers; declared here by hand. ReturnLength
 * receives the buffer size the kernel requires when the call fails for lack of space.
 */
NTSTATUS __stdcall ZwQuerySystemInformation(ULONG_PTR SystemInformationClass, PVOID SystemInformation, ULONG SystemInformationLength, PULONG ReturnLength);
/* SYSTEM_INFORMATION_CLASS value for the loaded-module list (0x0B). */
#define SystemModuleInformation 11