void enumLoadedDrivers(std::map<std::string, std::string>& loadedDrivers) {
DWORD bytesNeeded = 0;
int driversCount = 0;
auto ret = EnumDeviceDrivers(nullptr, 0, &bytesNeeded);
auto drvBaseAddr = static_cast<LPVOID*>(malloc(bytesNeeded));
if (drvBaseAddr == nullptr) {
TLOG << "enumLoadedDrivers failed to allocate required memory ("
<< bytesNeeded << ")";
return;
}
ret = EnumDeviceDrivers(drvBaseAddr, bytesNeeded, &bytesNeeded);
driversCount = bytesNeeded / sizeof(drvBaseAddr[0]);
if (ret && (driversCount > 0)) {
auto driverPath = static_cast<LPSTR>(malloc(MAX_PATH + 1));
auto driverName = static_cast<LPSTR>(malloc(MAX_PATH + 1));
ZeroMemory(driverPath, MAX_PATH + 1);
ZeroMemory(driverName, MAX_PATH + 1);
for (size_t i = 0; i < driversCount; i++) {
if (GetDeviceDriverBaseName(drvBaseAddr[i], driverName, MAX_PATH) != 0) {
if (GetDeviceDriverFileName(drvBaseAddr[i], driverPath, MAX_PATH) !=
0) {
// Removing file extension
auto fileExtension = strrchr(driverName, '.');
*fileExtension = '\0';
loadedDrivers[driverName] = driverPath;
} else {
loadedDrivers[driverName] = "";
}
} else {
TLOG << "GetDeviceDriverFileName failed (" << GetLastError() << ")";
}
}
free(driverPath);
free(driverName);
} else {
TLOG << "EnumDeviceDrivers failed; array size needed is" << bytesNeeded;
}
free(drvBaseAddr);
}
// returns the modules loaded into 'mode' of 'hProc'
void GetLoadedModules(HANDLE hProc, TraceMode mode, std::vector<ProcessModule>& procModules)
{
HMODULE modules[1024];
DWORD modCount = 0;
if(mode == USER)
{
EnumProcessModules(hProc, modules, sizeof(modules), &modCount);
}
else
{
EnumDeviceDrivers(reinterpret_cast<LPVOID*>(modules), sizeof(modules), &modCount);
}
modCount /= sizeof(*modules);
procModules.reserve(modCount);
if(modCount)
{
if(mode == USER)
{
GetUserModulePaths(hProc, modules, modCount, procModules);
}
else
{
GetKernelModulePaths(reinterpret_cast<LPVOID*>(modules), modCount, procModules);
}
}
}
void print_drivers_kvaddr()
{
DWORD out = 0;
DWORD nb = 0;
INT i = 0;
PVOID* base = NULL;
if (EnumDeviceDrivers(NULL, 0, &nb))
{
base = (PVOID*)malloc(nb);
if (EnumDeviceDrivers(base, nb, &out))
{
for (i = 0; i < (nb/sizeof(PVOID)); ++i)
printf("%llp\n", base[i]);
}
}
return;
}
static
DWORD_PTR
xxGetNtoskrnlAddress(VOID)
{
DWORD_PTR AddrList[500] = { 0 };
DWORD cbNeeded = 0;
EnumDeviceDrivers((LPVOID *)&AddrList, sizeof(AddrList), &cbNeeded);
return AddrList[0];
}
// Get base of ntoskrnl.exe
ULONG64 GetNTOsBase()
{
ULONG64 Bases[0x1000];
DWORD needed = 0;
ULONG64 krnlbase = 0;
if (EnumDeviceDrivers((LPVOID *)&Bases, sizeof(Bases), &needed)) {
krnlbase = Bases[0];
}
return krnlbase;
}
static PVOID GetNtOsKrnl(VOID) {
PVOID ImageBases[IMAGE_BASE_LIST_SIZE];
DWORD needed = 0;
if (EnumDeviceDrivers((LPVOID *)&ImageBases, sizeof(ImageBases), &needed) == 0) {
LOG("[-] Unable To Enumerate Device Drivers: %d\n", needed);
return NULL;
}
return ImageBases[IMAGE_BASE_KERNEL_INDEX];
}
int main(int argc, char **argv) {
DWORD *devs;
DWORD outcb;
int i;
devs = (DWORD *) malloc(1024);
vm_mark_buf_in(&devs, 4);
EnumDeviceDrivers(devs, 1024, &outcb);
vm_mark_buf_out(devs, 1024);
for(i = 0; i < outcb/sizeof(DWORD); i++)
printf("%#x\n", devs[i]);
return 0;
}
static LPVOID
GetDriverImageBase(PCHAR BaseName)
{
LPVOID* BaseAddresses;
LPVOID lpDriverAddr = NULL;
DWORD cbNeeded;
ULONG i;
// How many drivers are there ?
EnumDeviceDrivers(NULL, 0, &cbNeeded);
// Alloc memory
BaseAddresses = (LPVOID*)malloc(sizeof(LPVOID)*cbNeeded / sizeof(LPVOID));
// Get drivers!
if(!EnumDeviceDrivers(BaseAddresses,cbNeeded,&cbNeeded))
return NULL;
// Check names
for(i = 0; i < cbNeeded / sizeof(LPVOID); i++)
{
CHAR FileName[MAX_PATH];
GetDeviceDriverBaseNameA(BaseAddresses[i], FileName, sizeof(FileName));
// Is this it?
if(!_stricmp(FileName, BaseName))
{
// Yep!
lpDriverAddr = BaseAddresses[i];
break;
}
}
// Free and return
free(BaseAddresses);
return lpDriverAddr;
}
void InfoDrivers()
{
HMODULE hPSAPI = LoadLibraryA("psapi.dll");
if (NULL != hPSAPI)
{
pfnEnumDeviceDrivers EnumDeviceDrivers = (pfnEnumDeviceDrivers) GetProcAddress(hPSAPI, "EnumDeviceDrivers");
pfnGetDeviceDriverNameA GetDeviceDriverBaseNameA = (pfnGetDeviceDriverNameA) GetProcAddress(hPSAPI, "GetDeviceDriverBaseNameA");
pfnGetDeviceDriverNameA GetDeviceDriverFileNameA = (pfnGetDeviceDriverNameA) GetProcAddress(hPSAPI, "GetDeviceDriverFileNameA");
if (NULL != EnumDeviceDrivers && NULL != GetDeviceDriverBaseNameA && NULL != GetDeviceDriverFileNameA)
{
LPVOID * drivers = NULL;
DWORD needed = 0;
EnumDeviceDrivers(NULL, 0, &needed);
drivers = (LPVOID*) malloc(needed);
if (EnumDeviceDrivers(drivers, needed, &needed))
{
DWORD i;
char windir[NtfsMaxPath] = {0};
if (!GetWindowsDirectoryA(windir, NtfsMaxPath))
{
xstrcat(windir, NtfsMaxPath, "C:\\Windows");
}
ConsoleIOPrint("Drivers : \n");
for (i = 0; i < needed / sizeof(LPVOID); ++i)
{
char name[NtfsMaxPath] = {0};
if (GetDeviceDriverFileNameA(drivers[i], name, NtfsMaxPath) || GetDeviceDriverBaseNameA(drivers[i], name, NtfsMaxPath))
{
VersionInfo info;
char full[NtfsMaxPath] = {0};
char * path = name;
if (0 == memcmp(path, "\\??\\", 4))
{
path += 4;
}
if (0 == memcmp(path, "\\SystemRoot\\", xstrlen("\\SystemRoot\\")))
{
xstrcat(full, NtfsMaxPath, windir);
xstrcat(full, NtfsMaxPath, path + xstrlen("\\SystemRoot\\") - 1);
}
else if (0 == memcmp(path, "\\WINDOWS\\", xstrlen("\\WINDOWS\\")) ||
0 == memcmp(path, "\\Windows\\", xstrlen("\\Windows\\")))
{
xstrcat(full, NtfsMaxPath, windir);
xstrcat(full, NtfsMaxPath, path + xstrlen("\\WINDOWS\\") - 1);
}
else
{
if (NULL == xstrchr(path, '\\'))
{
xstrcat(full, NtfsMaxPath, windir);
xstrcat(full, NtfsMaxPath, "\\system32\\drivers\\");
xstrcat(full, NtfsMaxPath, path);
}
else
{
xstrcat(full, NtfsMaxPath, path);
}
}
GetVersionInfo(full, &info);
ConsoleIOPrintFormatted("%s, %s, %s, %s\n", full, info.FileDescription, info.CompanyName, info.ProductVersion);
}
}
}
}
FreeLibrary(hPSAPI);
}
}
