void *PEB = NULL,
*Ldr = NULL,
*Flink = NULL,
*p = NULL,
*BaseAddress = NULL,
*FullDllName = NULL;
printf("列举自身模块!\n");
__asm
{
mov eax,fs:[0x30]
mov PEB,eax
}
printf( "PEB = 0x%08X\n", PEB );
Ldr = *( ( void ** )( ( unsigned char * )PEB + 0x0c ) );
printf( "Ldr = 0x%08X\n", Ldr );
Flink = *( ( void ** )( ( unsigned char * )Ldr + 0x0c ) );
printf( "Flink = 0x%08X\n", Flink );
p = Flink;
do
{
BaseAddress = *( ( void ** )( ( unsigned char * )p + 0x18 ) );
FullDllName = *( ( void ** )( ( unsigned char * )p + 0x28 ) );
printf( "p = 0x%08X 0x%08X ", p, BaseAddress );
wprintf( L"%s\n", FullDllName );
p = *( ( void ** )p );
}
while ( Flink != p );
return;
}
#define PAGE_SIZE 0x1000
void Search();
bool IsValidModule(ULONG i);
bool PrintModule();
void main();
bool IsValidModule(byte* i)
{ if(IsBadReadPtr((void*)i,sizeof(IMAGE_DOS_HEADER)))
return false;
IMAGE_DOS_HEADER *BasePoint=(IMAGE_DOS_HEADER *)i;
PIMAGE_NT_HEADERS32 NtHead=(PIMAGE_NT_HEADERS32)(i+BasePoint->e_lfanew);
if(IsBadReadPtr((void*)NtHead,PAGE_SIZE))
return false;
if((NtHead->FileHeader.Characteristics&IMAGE_FILE_DLL)==0)//过滤掉。exe文件
return false;
if(NtHead->OptionalHeader.Subsystem==0x2)
return true;
if(NtHead->OptionalHeader.Subsystem==0x3)
return true;
return false;
}
void Search()
{ printf("暴力搜索列举模块!\n");
UCHAR* i=(PUCHAR)0x10000000;
int Num=0;
for(;i<(PUCHAR)0x7ffeffff;i+=PAGE_SIZE)
{
if(IsValidModule(i))
{
printf("\t\t find a module at %08x\n",i);
Num++;
}
}
printf("\t\t total find module :%03d\n",Num);
}
void main()
{
EnableDebugPrivilege(true);
EnumModlueAll(4228);
ForceLookUpModule(4228);
getchar();
GetProcessModule(4228);
EnumModuleEx(4228);
getchar();
EnumSelfModule();
getchar();
Search();
printf("按任意键退出........");
getchar();
}
|