Win11
Win7SP1_X64
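/*
 * Print a counted UNICODE_STRING followed by a newline.
 *
 * The Length field is used as a byte count and the Buffer is not assumed to
 * be NUL-terminated, so the text is copied into a zero-filled scratch buffer
 * one wchar_t larger than the string before it is passed to printf.
 *
 * The strings printed by this program come from loader bookkeeping that
 * lives in the process's own writable memory, so the inputs are validated
 * rather than trusted: a NULL argument or an empty/NULL Buffer prints an
 * empty line, and a failed allocation prints a placeholder instead of
 * writing through a NULL pointer.
 */
VOID PrintUnicodeString(PUNICODE_STRING UnicodeString) {
    PWCHAR wstr;

    if (UnicodeString == NULL || UnicodeString->Buffer == NULL ||
        UnicodeString->Length == 0) {
        printf("\n");
        return;
    }

    /* LPTR zero-initialises the block, which supplies the terminating NUL. */
    wstr = (PWCHAR)LocalAlloc(LPTR, UnicodeString->Length + sizeof(wchar_t));
    if (wstr == NULL) {
        /* Keep one output line per entry so a dropped name stays visible. */
        printf("(name unavailable: allocation failed)\n");
        return;
    }

    memcpy(wstr, UnicodeString->Buffer, UnicodeString->Length);
    printf("%ws\n", wstr);
    LocalFree(wstr);
}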
/*
 * Print the BaseDllName of every entry on the PEB loader data's
 * InLoadOrderModuleList.
 *
 * The PEB pointer is read from GS:[0x60], so this is x64-only code. The walk
 * is done with Peb->LoaderLock held so the list is not modified underneath
 * the loop.
 *
 * NOTE(review): these lists are ordinary doubly linked lists in the
 * process's own writable memory. Code running inside the process can edit or
 * unlink entries, so the output shows what the loader bookkeeping currently
 * claims, not an authoritative inventory of mapped images.
 */
VOID PrintInLoadOrderModuleList() {
    PPEB Peb = (PPEB)__readgsqword(0x60);
    PLIST_ENTRY Head;
    PLIST_ENTRY Link;
    PLDR_DATA_TABLE_ENTRY Module;

    printf("InLoadOrderModuleList: \n");

    RtlEnterCriticalSection(Peb->LoaderLock);

    /* The list is circular: iteration ends when it is back at the head. */
    Head = &Peb->Ldr->InLoadOrderModuleList;
    for (Link = Head->Flink; Link != Head; Link = Link->Flink) {
        /* Recover the owning entry from its embedded load-order link. */
        Module = CONTAINING_RECORD(Link, LDR_DATA_TABLE_ENTRY, InLoadOrderLinks);
        PrintUnicodeString(&Module->BaseDllName);
    }

    RtlLeaveCriticalSection(Peb->LoaderLock);

    printf("\n");
}
/*
 * Print the BaseDllName of every entry on the PEB loader data's
 * InMemoryOrderModuleList.
 *
 * The PEB pointer is read from GS:[0x60], so this is x64-only code. The walk
 * is done with Peb->LoaderLock held so the list is not modified underneath
 * the loop.
 *
 * NOTE(review): this list lives in the process's own writable memory and can
 * be edited or unlinked from inside the process. Comparing it with the other
 * two loader lists can expose inconsistencies, but agreement between them
 * does not prove that nothing else is mapped.
 */
VOID PrintInMemoryOrderModuleList() {
    PPEB Peb = (PPEB)__readgsqword(0x60);
    PLIST_ENTRY Head;
    PLIST_ENTRY Link;
    PLDR_DATA_TABLE_ENTRY Module;

    printf("InMemoryOrderModuleList: \n");

    RtlEnterCriticalSection(Peb->LoaderLock);

    /* The list is circular: iteration ends when it is back at the head. */
    Head = &Peb->Ldr->InMemoryOrderModuleList;
    for (Link = Head->Flink; Link != Head; Link = Link->Flink) {
        /* The link sits inside the entry, so step back to the entry base. */
        Module = CONTAINING_RECORD(Link, LDR_DATA_TABLE_ENTRY, InMemoryOrderLinks);
        PrintUnicodeString(&Module->BaseDllName);
    }

    RtlLeaveCriticalSection(Peb->LoaderLock);

    printf("\n");
}
/*
 * Print the BaseDllName of every entry on the PEB loader data's
 * InInitializationOrderModuleList.
 *
 * The PEB pointer is read from GS:[0x60], so this is x64-only code. The walk
 * is done with Peb->LoaderLock held so the list is not modified underneath
 * the loop.
 *
 * NOTE(review): this list lives in the process's own writable memory and can
 * be edited or unlinked from inside the process, so the output is loader
 * bookkeeping rather than an authoritative inventory of mapped images.
 */
VOID PrintInInitializationOrderModuleList() {
    PPEB Peb = (PPEB)__readgsqword(0x60);
    PLIST_ENTRY Head;
    PLIST_ENTRY Link;
    PLDR_DATA_TABLE_ENTRY Module;

    printf("InInitializationOrderModuleList: \n");

    RtlEnterCriticalSection(Peb->LoaderLock);

    /* The list is circular: iteration ends when it is back at the head. */
    Head = &Peb->Ldr->InInitializationOrderModuleList;
    for (Link = Head->Flink; Link != Head; Link = Link->Flink) {
        /* Recover the owning entry from its embedded init-order link. */
        Module = CONTAINING_RECORD(Link, LDR_DATA_TABLE_ENTRY,
                                   InInitializationOrderLinks);
        PrintUnicodeString(&Module->BaseDllName);
    }

    RtlLeaveCriticalSection(Peb->LoaderLock);

    printf("\n");
}
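/*
 * Entry point: dump the three PEB loader module lists in turn, then keep the
 * console window open until the user presses Enter.
 *
 * Returns 0 unconditionally; the command-line arguments are not used.
 */
int main(int argc, char *argv[]) {
    int ch;

    (void)argc;
    (void)argv;

    PrintInLoadOrderModuleList();
    PrintInMemoryOrderModuleList();
    PrintInInitializationOrderModuleList();

    /*
     * Wait on stdin rather than calling system("pause"): that spawns a
     * command interpreter chosen through the environment just to block on a
     * key press, which this program has no other need for.
     */
    printf("Press Enter to continue . . . ");
    fflush(stdout);
    do {
        ch = getchar();
    } while (ch != '\n' && ch != EOF);

    return 0;
}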