void DtraceWinOSKernelModuleInfo(void) { PAUX_MODULE_EXTENDED_INFO info = NULL; ULONG size = 0, mods, i; modctl_t *temp, *prev = NULL; char *s, *tmp; if (AuxKlibInitialize() != STATUS_SUCCESS || AuxKlibQueryModuleInformation(&size, sizeof(AUX_MODULE_EXTENDED_INFO), NULL) != STATUS_SUCCESS || size == 0 || (info = ExAllocatePoolWithTag(NonPagedPool, size, 'Tag1')) == NULL || (AuxKlibQueryModuleInformation(&size, sizeof(AUX_MODULE_EXTENDED_INFO), info) != STATUS_SUCCESS)) { dprintf("dtrace.sys: failed in DtraceWinOSKernelModuleInfo\n"); if (info != NULL) ExFreePoolWithTag(info, 'Tag1'); return; } mods = size / sizeof(AUX_MODULE_EXTENDED_INFO); modules = ExAllocatePoolWithTag(NonPagedPool, sizeof(modctl_t), 'Tag1'); RtlZeroMemory(modules, sizeof(modctl_t)); temp = modules; i = 0; do { temp->imgbase = (uintptr_t) info[i].BasicInfo.ImageBase; temp->size = info[i].ImageSize; temp->loadcnt = 0; temp->nenabled = 0; temp->fbt_nentries = 0; s = info[i].FullPathName + info[i].FileNameOffset; tmp = ExAllocatePoolWithTag(NonPagedPool, strlen(s)+1, 'Tag1'); if (tmp != NULL) { strcpy(tmp, s); temp->mod_modname = tmp; } temp->mod_next = modules; if (prev != NULL) prev->mod_next = temp; prev = temp; } while (++i < mods && (temp = ExAllocatePoolWithTag(NonPagedPool, sizeof(modctl_t), 'Tag1')) != NULL); }
NTSTATUS kkll_m_modules_enum(SIZE_T szBufferIn, PVOID bufferIn, PKIWI_BUFFER outBuffer, PKKLL_M_MODULE_CALLBACK callback, PVOID pvArg) { NTSTATUS status = STATUS_SUCCESS; ULONG i, modulesSize, numberOfModules; PAUX_MODULE_EXTENDED_INFO pModules; BOOLEAN mustContinue = TRUE; status = AuxKlibQueryModuleInformation(&modulesSize, sizeof(AUX_MODULE_EXTENDED_INFO), NULL); if(NT_SUCCESS(status) && modulesSize) { if(pModules = (PAUX_MODULE_EXTENDED_INFO) ExAllocatePoolWithTag(PagedPool, modulesSize, POOL_TAG)) { numberOfModules = modulesSize / sizeof(AUX_MODULE_EXTENDED_INFO); status = AuxKlibQueryModuleInformation(&modulesSize, sizeof(AUX_MODULE_EXTENDED_INFO), pModules); for(i = 0; NT_SUCCESS(status) && mustContinue && (i < numberOfModules); i++) status = callback(szBufferIn, bufferIn, outBuffer, pModules + i, pvArg, &mustContinue); ExFreePoolWithTag(pModules, POOL_TAG); } } return status; }
int difi_get_module_info(const char* module_name, void** base, long* size) { NTSTATUS status; ULONG modules_size; AUX_MODULE_EXTENDED_INFO* modules; AUX_MODULE_EXTENDED_INFO* module; ULONG number_of_modules; int name_length; char module_name_to_search[AUX_KLIB_MODULE_PATH_LEN]; if (module_name == NULL) { return -1; } if (aux_klib_initialized == 0) { difi_dbg_print("Must call difi_ddk_helper_initialize from your driver entry point!"); return -1; } *base = NULL; *size = 0; name_length = strlen(module_name); strcpy(module_name_to_search, module_name); strcat(module_name_to_search, ".sys"); name_length = strlen(module_name_to_search); /* Get the required array size. */ status = AuxKlibQueryModuleInformation(&modules_size, sizeof(AUX_MODULE_EXTENDED_INFO), NULL); if (!NT_SUCCESS(status) || modules_size == 0) { difi_dbg_print("AuxKlibQueryModuleInformation failed: %x\n", status); return status; } number_of_modules = modules_size / sizeof(AUX_MODULE_EXTENDED_INFO); difi_dbg_print("Number of modules: %d, module to search: %s\n", number_of_modules, module_name_to_search); modules = (AUX_MODULE_EXTENDED_INFO*) ExAllocatePoolWithTag( PagedPool, modules_size, '3LxF'); if (modules == NULL) { status = STATUS_INSUFFICIENT_RESOURCES; return status; } RtlZeroMemory(modules, modules_size); status = AuxKlibQueryModuleInformation(&modules_size, sizeof(AUX_MODULE_EXTENDED_INFO), modules); if (!NT_SUCCESS(status)) { ExFreePool(modules); return status; } for (module = modules; module < modules + number_of_modules; module++) { if (_strnicmp((const char*)module_name_to_search, (const char*)(&module->FullPathName[0] + module->FileNameOffset), name_length) == 0) { *base = module->BasicInfo.ImageBase; *size = (long)module->ImageSize; break; } if (_strnicmp((const char*)module_name, (const char*)(&module->FullPathName[0] + module->FileNameOffset), strlen(module_name)) == 0) { *base = module->BasicInfo.ImageBase; *size = (long)module->ImageSize; break; } } ExFreePool(modules); difi_dbg_print("Module base: %x\n", *base); return 0; }
_Must_inspect_result_ NTSTATUS FxpGetImageBase( __in PDRIVER_OBJECT DriverObject, __out PVOID* ImageBase, __out PULONG ImageSize ) { NTSTATUS status = STATUS_UNSUCCESSFUL; ULONG modulesSize = 0; AUX_MODULE_EXTENDED_INFO* modules = NULL; AUX_MODULE_EXTENDED_INFO* module; PVOID addressInImage = NULL; ULONG numberOfModules; ULONG i; // // Basic validation. // if (NULL == DriverObject || NULL == ImageBase || NULL == ImageSize) { status = STATUS_INVALID_PARAMETER; goto exit; } // // Get the address of a well known entry in the Image. // addressInImage = (PVOID) DriverObject->DriverStart; ASSERT(addressInImage != NULL); // // Initialize the AUX Kernel Library. // status = AuxKlibInitialize(); if (!NT_SUCCESS(status)) { goto exit; } // // Get size of area needed for loaded modules. // status = AuxKlibQueryModuleInformation(&modulesSize, sizeof(AUX_MODULE_EXTENDED_INFO), NULL); if (!NT_SUCCESS(status) || (0 == modulesSize)) { goto exit; } numberOfModules = modulesSize / sizeof(AUX_MODULE_EXTENDED_INFO); // // Allocate returned-sized memory for the modules area. // modules = (AUX_MODULE_EXTENDED_INFO*) ExAllocatePoolWithTag(PagedPool, modulesSize, '30LW'); if (NULL == modules) { status = STATUS_INSUFFICIENT_RESOURCES; goto exit; } // // Request the modules array be filled with module information. // status = AuxKlibQueryModuleInformation(&modulesSize, sizeof(AUX_MODULE_EXTENDED_INFO), modules); if (!NT_SUCCESS(status)) { goto exit; } // // Traverse list, searching for the well known address in Image for which the // module's Image Base Address is in its range. // module = modules; for (i=0; i < numberOfModules; i++) { if (addressInImage >= module->BasicInfo.ImageBase && addressInImage < WDF_PTR_ADD_OFFSET(module->BasicInfo.ImageBase, module->ImageSize)) { *ImageBase = module->BasicInfo.ImageBase; *ImageSize = module->ImageSize; status = STATUS_SUCCESS; goto exit; } module++; } status = STATUS_NOT_FOUND; exit: if (modules != NULL) { ExFreePool(modules); modules = NULL; } return status; }
static NTSTATUS JpfbtsGetImageBaseAddress( __in ULONG_PTR AddressWithinImage, __out ULONG_PTR *BaseAddress ) { ULONG BufferSize = 0; PAUX_MODULE_EXTENDED_INFO Modules; NTSTATUS Status; ASSERT( KeGetCurrentIrql() < DISPATCH_LEVEL ); ASSERT( BaseAddress ); *BaseAddress = 0; // // Query required size. // Status = AuxKlibQueryModuleInformation ( &BufferSize, sizeof( AUX_MODULE_EXTENDED_INFO ), NULL ); if ( ! NT_SUCCESS( Status ) ) { return Status; } ASSERT( ( BufferSize % sizeof( AUX_MODULE_EXTENDED_INFO ) ) == 0 ); Modules = ( PAUX_MODULE_EXTENDED_INFO ) JpfbtpAllocatePagedMemory( BufferSize, TRUE ); if ( ! Modules ) { return STATUS_NO_MEMORY; } // // Query loaded modules list. // Status = AuxKlibQueryModuleInformation( &BufferSize, sizeof( AUX_MODULE_EXTENDED_INFO ), Modules ); if ( NT_SUCCESS( Status ) ) { ULONG Index; ULONG NumberOfModules = BufferSize / sizeof( AUX_MODULE_EXTENDED_INFO ); // // Now that we have the module list, see which one we are. // for ( Index = 0; Index < NumberOfModules; Index++ ) { ULONG_PTR ImageBase = ( ULONG_PTR ) Modules[ Index ].BasicInfo.ImageBase; if ( AddressWithinImage >= ImageBase && AddressWithinImage < ImageBase + Modules[ Index ].ImageSize ) { *BaseAddress = ImageBase; break; } } } JpfbtpFreePagedMemory( Modules ); ASSERT( *BaseAddress ); if ( *BaseAddress == 0 ) { KdPrint( ( "FBT: Failed to obtain module base address.\n" ) ); return STATUS_UNSUCCESSFUL; } KdPrint( ( "FBT: Module base address is %p.\n", *BaseAddress ) ); return Status; }