#include <ntddk.h>
/*
 * Hard-coded structure offsets used by ShowModules() to walk from an
 * EPROCESS to the process loader list. They are added to raw addresses
 * instead of going through typed structure members.
 * NOTE(review): presumably these match the 32-bit layout of one specific
 * Windows build; such offsets are not stable across versions or
 * architectures - confirm against the target build's symbols.
 */
#define Peb 0X1b0     /* added to the EPROCESS address to read the PEB pointer */
#define Ldr 0x00c     /* added to the PEB address to read the loader-data pointer */
#define Modulist 0xc  /* added to the loader-data address to reach the module list links */
#define FileName 0x030 /* not referenced by the code visible in this file */
/*
 * Manual prototypes for kernel exports that this file declares itself
 * instead of taking them from a header.
 */

/* Attaches the calling thread to the address space of Process. */
NTKERNELAPI
VOID
KeAttachProcess (
PEPROCESS Process
);
/* Undoes a previous KeAttachProcess() on the calling thread. */
NTKERNELAPI
VOID
KeDetachProcess (
VOID
);
/*
 * Looks up the EPROCESS for ProcessId. On success *Process holds a
 * referenced object: the caller must check the returned NTSTATUS and must
 * call ObDereferenceObject() only once it has finished using the pointer.
 */
NTSTATUS PsLookupProcessByProcessId(__in HANDLE ProcessId,__deref_out PEPROCESS *Process);
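/*
 * Reads one ULONG from the currently attached process's user address space.
 *
 * ProbeForRead() raises an exception when Address is misaligned or lies
 * outside the user-mode range, so a pointer taken from process-writable
 * memory can never make this driver read kernel memory. Must be called
 * inside a __try block; the access itself may also fault.
 */
static ULONG ReadUserUlong(ULONG Address)
{
    ProbeForRead((PVOID)Address, sizeof(ULONG), sizeof(ULONG));
    return *(volatile ULONG *)Address;
}

/*
 * ShowModules - print the base address and full path of each module found
 * in the loader list of the process with the hard-coded PID 988.
 *
 * Must run at PASSIVE_LEVEL (it attaches to the process and formats
 * Unicode strings). The walk uses the 32-bit offsets defined at the top of
 * this file and is therefore only meaningful on the build they were taken
 * from.
 *
 * Everything read after the PEB pointer lives in memory the target process
 * can modify at any time. The output is therefore advisory only (entries
 * can be unlinked or forged), and every read is probed, wrapped in SEH and
 * the walk is bounded so that a corrupted or hostile list cannot crash or
 * hang the kernel.
 */
VOID ShowModules()
{
    enum {
        ENTRY_BASE_OFFSET = 0x18,   /* module base inside a list entry */
        ENTRY_NAME_OFFSET = 0x24,   /* UNICODE_STRING full path inside a list entry */
        MAX_MODULES       = 4096    /* upper bound on entries walked */
    };

    NTSTATUS status;
    PEPROCESS TargetProcess = NULL;
    ULONG PEB;
    ULONG LDR, p, ListHead, BaseAddress;
    ULONG count;
    PUNICODE_STRING FullDllName;
    UNICODE_STRING CapturedName;

    /* The NTSTATUS is the only reliable success indicator; the out
     * parameter is not guaranteed to be written on failure. */
    status = PsLookupProcessByProcessId((HANDLE)988, &TargetProcess);
    if (!NT_SUCCESS(status) || !TargetProcess)
    {
        DbgPrint("[EnumModules] Error on Get EProcess By Pid.");
        return;
    }

    /* Keep the reference taken by the lookup until the very end: dropping
     * it before attaching would allow the EPROCESS to be freed while it is
     * still in use. */
    KeAttachProcess(TargetProcess);

    PEB = *(ULONG *)((ULONG)TargetProcess + Peb);
    DbgPrint("[EnumModules] EPROCESS : 0x%X , PEB : 0x%X", TargetProcess, PEB);

    __try
    {
        if (PEB != 0)
        {
            LDR = ReadUserUlong(PEB + Ldr);
            DbgPrint("LDR 0x%X ", LDR);

            if (LDR != 0)
            {
                /* The list head is embedded in the loader data and is not a
                 * module entry, so it terminates the walk instead of being
                 * printed as one. */
                ListHead = LDR + Modulist;
                p = ReadUserUlong(ListHead);

                for (count = 0; p != ListHead && count < MAX_MODULES; count++)
                {
                    BaseAddress = ReadUserUlong(p + ENTRY_BASE_OFFSET);

                    /* Capture the string descriptor once so that the length
                     * that was probed is the length that gets printed. */
                    FullDllName = (PUNICODE_STRING)(p + ENTRY_NAME_OFFSET);
                    ProbeForRead(FullDllName, sizeof(*FullDllName), sizeof(ULONG));
                    CapturedName = *FullDllName;
                    CapturedName.MaximumLength = CapturedName.Length;
                    if (CapturedName.Buffer == NULL)
                    {
                        CapturedName.Length = 0;
                        CapturedName.MaximumLength = 0;
                    }
                    else if (CapturedName.Length != 0)
                    {
                        ProbeForRead(CapturedName.Buffer, CapturedName.Length, sizeof(WCHAR));
                    }

                    DbgPrint( " BASEADDRESS:0x%08X ", BaseAddress);
                    /* %wZ honours Length; the buffer of a UNICODE_STRING is
                     * not guaranteed to be NUL-terminated, so %S could read
                     * past its end. */
                    DbgPrint( " FullDllName:%wZ \n", &CapturedName);

                    p = ReadUserUlong(p);
                }
            }
        }
    }
    __except (EXCEPTION_EXECUTE_HANDLER)
    {
        DbgPrint("[EnumModules] Exception 0x%X while reading target process memory.",
                 GetExceptionCode());
    }

    KeDetachProcess();
    ObDereferenceObject(TargetProcess);
}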
/*
 * Driver unload callback: emits a single debug message and releases
 * nothing, because the driver holds no resources.
 * NOTE(review): the message text reads "on load" although this is the
 * unload path - confirm whether "unload" was intended.
 */
VOID Unload(IN PDRIVER_OBJECT DriverObject)
{
    /* The driver object is not needed here. */
    UNREFERENCED_PARAMETER(DriverObject);

    DbgPrint("on load");
}
/*
 * Driver entry point: registers the unload callback, runs the one-shot
 * module listing and always reports success.
 */
NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject,IN PUNICODE_STRING RegistryPath)
{
    NTSTATUS result = STATUS_SUCCESS;

    /* The registry path is not consulted. */
    UNREFERENCED_PARAMETER(RegistryPath);

    /* Registering the callback is independent of the listing below. */
    DriverObject->DriverUnload = Unload;

    ShowModules();

    return result;
}