|
|
|
|
@ -641,7 +641,7 @@ FORCEINLINE PVOID GetDriverExport(_In_ CONST CHAR* pszDriverName,
|
|
|
|
|
: NULL;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
FORCEINLINE PDRIVER_OBJECT GetDriverObject(_In_ CONST PWCHAR pwszDriverName) {
|
|
|
|
|
FORCEINLINE PDRIVER_OBJECT GetDriverObject(_In_ CONST WHCAR* pwszDriverName) {
|
|
|
|
|
HANDLE handle{};
|
|
|
|
|
OBJECT_ATTRIBUTES attr{};
|
|
|
|
|
UNICODE_STRING dirName{};
|
|
|
|
|
@ -734,9 +734,9 @@ FORCEINLINE HANDLE GetPid(_In_ CONST WCHAR* pwszProcessName) {
|
|
|
|
|
return NULL;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
FORCEINLINE PVOID GetProcessBase(_In_ HANDLE pid) {
|
|
|
|
|
FORCEINLINE PVOID GetProcessBase(_In_ HANDLE hPid) {
|
|
|
|
|
PEPROCESS lpProc;
|
|
|
|
|
if (NT_SUCCESS(DYN_NT_SYM(PsLookupProcessByProcessId)(pid, &lpProc))) {
|
|
|
|
|
if (NT_SUCCESS(DYN_NT_SYM(PsLookupProcessByProcessId)(hPid, &lpProc))) {
|
|
|
|
|
PVOID lpBaseAddr = DYN_NT_SYM(PsGetProcessSectionBaseAddress)(lpProc);
|
|
|
|
|
DYN_NT_SYM(ObfDereferenceObject)(lpProc);
|
|
|
|
|
return lpBaseAddr;
|
|
|
|
|
@ -750,21 +750,21 @@ VOID PsCallbackExample(CONST SYSTEM_PROCESS_INFORMATION& PsInfo);
|
|
|
|
|
using TdCallbackPtr = decltype(&TdCallbackExample);
|
|
|
|
|
using PsCallbackPtr = decltype(&PsCallbackExample);
|
|
|
|
|
|
|
|
|
|
FORCEINLINE VOID ForEachProcess(_In_ PsCallbackPtr callback) {
|
|
|
|
|
u32 allocSize{};
|
|
|
|
|
FORCEINLINE VOID ForEachProcess(_In_ PsCallbackPtr lpCallback) {
|
|
|
|
|
ULONG nAllocSize{};
|
|
|
|
|
DYN_NT_SYM(ZwQuerySystemInformation)
|
|
|
|
|
(SystemProcessInformation, NULL, allocSize, &allocSize);
|
|
|
|
|
(SystemProcessInformation, NULL, nAllocSize, &nAllocSize);
|
|
|
|
|
|
|
|
|
|
auto procInfo = reinterpret_cast<PSYSTEM_PROCESS_INFORMATION>(
|
|
|
|
|
DYN_NT_SYM(ExAllocatePool)(NonPagedPool, allocSize));
|
|
|
|
|
DYN_NT_SYM(ExAllocatePool)(NonPagedPool, nAllocSize));
|
|
|
|
|
|
|
|
|
|
const auto origPtr = procInfo;
|
|
|
|
|
DYN_NT_SYM(ZwQuerySystemInformation)
|
|
|
|
|
(SystemProcessInformation, procInfo, allocSize, &allocSize);
|
|
|
|
|
(SystemProcessInformation, procInfo, nAllocSize, &nAllocSize);
|
|
|
|
|
|
|
|
|
|
while (true) {
|
|
|
|
|
for (auto idx = 0u; idx < procInfo->NumberOfThreads; ++idx)
|
|
|
|
|
callback(*procInfo);
|
|
|
|
|
lpCallback(*procInfo);
|
|
|
|
|
|
|
|
|
|
if (!procInfo->NextEntryOffset)
|
|
|
|
|
break;
|
|
|
|
|
@ -803,7 +803,7 @@ FORCEINLINE VOID ForEachThread(_In_ HANDLE hPid, _In_ TdCallbackPtr lpCallback)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
FORCEINLINE PVOID GetModuleBase(_In_ HANDLE hPid,
|
|
|
|
|
_In_ CONST PWCHAR lpwszModuleName) {
|
|
|
|
|
_In_ CONST PWCHAR pwszModuleName) {
|
|
|
|
|
PEPROCESS lpProc;
|
|
|
|
|
KAPC_STATE stApcState;
|
|
|
|
|
if (NT_SUCCESS(DYN_NT_SYM(PsLookupProcessByProcessId)(hPid, &lpProc))) {
|
|
|
|
|
@ -818,7 +818,7 @@ FORCEINLINE PVOID GetModuleBase(_In_ HANDLE hPid,
|
|
|
|
|
reinterpret_cast<u64>(currentEntry) - sizeof LIST_ENTRY);
|
|
|
|
|
|
|
|
|
|
const auto entryModuleName = currentEntryData->BaseDllName.Buffer;
|
|
|
|
|
if (!DYN_NT_SYM(_wcsicmp)(entryModuleName, lpwszModuleName)) {
|
|
|
|
|
if (!DYN_NT_SYM(_wcsicmp)(entryModuleName, pwszModuleName)) {
|
|
|
|
|
DYN_NT_SYM(ObfDereferenceObject)(lpProc);
|
|
|
|
|
auto moduleBase = currentEntryData->DllBase;
|
|
|
|
|
|
|
|
|
|
|
IDontCode
2 years ago