void enumLoadedDrivers(std::map<std::string, std::string>& loadedDrivers) { DWORD bytesNeeded = 0; int driversCount = 0; auto ret = EnumDeviceDrivers(nullptr, 0, &bytesNeeded); auto drvBaseAddr = static_cast<LPVOID*>(malloc(bytesNeeded)); if (drvBaseAddr == nullptr) { TLOG << "enumLoadedDrivers failed to allocate required memory (" << bytesNeeded << ")"; return; } ret = EnumDeviceDrivers(drvBaseAddr, bytesNeeded, &bytesNeeded); driversCount = bytesNeeded / sizeof(drvBaseAddr[0]); if (ret && (driversCount > 0)) { auto driverPath = static_cast<LPSTR>(malloc(MAX_PATH + 1)); auto driverName = static_cast<LPSTR>(malloc(MAX_PATH + 1)); ZeroMemory(driverPath, MAX_PATH + 1); ZeroMemory(driverName, MAX_PATH + 1); for (size_t i = 0; i < driversCount; i++) { if (GetDeviceDriverBaseName(drvBaseAddr[i], driverName, MAX_PATH) != 0) { if (GetDeviceDriverFileName(drvBaseAddr[i], driverPath, MAX_PATH) != 0) { // Removing file extension auto fileExtension = strrchr(driverName, '.'); *fileExtension = '\0'; loadedDrivers[driverName] = driverPath; } else { loadedDrivers[driverName] = ""; } } else { TLOG << "GetDeviceDriverFileName failed (" << GetLastError() << ")"; } } free(driverPath); free(driverName); } else { TLOG << "EnumDeviceDrivers failed; array size needed is" << bytesNeeded; } free(drvBaseAddr); }
// returns the modules loaded into 'mode' of 'hProc' void GetLoadedModules(HANDLE hProc, TraceMode mode, std::vector<ProcessModule>& procModules) { HMODULE modules[1024]; DWORD modCount = 0; if(mode == USER) { EnumProcessModules(hProc, modules, sizeof(modules), &modCount); } else { EnumDeviceDrivers(reinterpret_cast<LPVOID*>(modules), sizeof(modules), &modCount); } modCount /= sizeof(*modules); procModules.reserve(modCount); if(modCount) { if(mode == USER) { GetUserModulePaths(hProc, modules, modCount, procModules); } else { GetKernelModulePaths(reinterpret_cast<LPVOID*>(modules), modCount, procModules); } } }
void print_drivers_kvaddr() { DWORD out = 0; DWORD nb = 0; INT i = 0; PVOID* base = NULL; if (EnumDeviceDrivers(NULL, 0, &nb)) { base = (PVOID*)malloc(nb); if (EnumDeviceDrivers(base, nb, &out)) { for (i = 0; i < (nb/sizeof(PVOID)); ++i) printf("%llp\n", base[i]); } } return; }
static DWORD_PTR xxGetNtoskrnlAddress(VOID) { DWORD_PTR AddrList[500] = { 0 }; DWORD cbNeeded = 0; EnumDeviceDrivers((LPVOID *)&AddrList, sizeof(AddrList), &cbNeeded); return AddrList[0]; }
// Get base of ntoskrnl.exe ULONG64 GetNTOsBase() { ULONG64 Bases[0x1000]; DWORD needed = 0; ULONG64 krnlbase = 0; if (EnumDeviceDrivers((LPVOID *)&Bases, sizeof(Bases), &needed)) { krnlbase = Bases[0]; } return krnlbase; }
static PVOID GetNtOsKrnl(VOID) { PVOID ImageBases[IMAGE_BASE_LIST_SIZE]; DWORD needed = 0; if (EnumDeviceDrivers((LPVOID *)&ImageBases, sizeof(ImageBases), &needed) == 0) { LOG("[-] Unable To Enumerate Device Drivers: %d\n", needed); return NULL; } return ImageBases[IMAGE_BASE_KERNEL_INDEX]; }
int main(int argc, char **argv) { DWORD *devs; DWORD outcb; int i; devs = (DWORD *) malloc(1024); vm_mark_buf_in(&devs, 4); EnumDeviceDrivers(devs, 1024, &outcb); vm_mark_buf_out(devs, 1024); for(i = 0; i < outcb/sizeof(DWORD); i++) printf("%#x\n", devs[i]); return 0; }
static LPVOID GetDriverImageBase(PCHAR BaseName) { LPVOID* BaseAddresses; LPVOID lpDriverAddr = NULL; DWORD cbNeeded; ULONG i; // How many drivers are there ? EnumDeviceDrivers(NULL, 0, &cbNeeded); // Alloc memory BaseAddresses = (LPVOID*)malloc(sizeof(LPVOID)*cbNeeded / sizeof(LPVOID)); // Get drivers! if(!EnumDeviceDrivers(BaseAddresses,cbNeeded,&cbNeeded)) return NULL; // Check names for(i = 0; i < cbNeeded / sizeof(LPVOID); i++) { CHAR FileName[MAX_PATH]; GetDeviceDriverBaseNameA(BaseAddresses[i], FileName, sizeof(FileName)); // Is this it? if(!_stricmp(FileName, BaseName)) { // Yep! lpDriverAddr = BaseAddresses[i]; break; } } // Free and return free(BaseAddresses); return lpDriverAddr; }
void InfoDrivers() { HMODULE hPSAPI = LoadLibraryA("psapi.dll"); if (NULL != hPSAPI) { pfnEnumDeviceDrivers EnumDeviceDrivers = (pfnEnumDeviceDrivers) GetProcAddress(hPSAPI, "EnumDeviceDrivers"); pfnGetDeviceDriverNameA GetDeviceDriverBaseNameA = (pfnGetDeviceDriverNameA) GetProcAddress(hPSAPI, "GetDeviceDriverBaseNameA"); pfnGetDeviceDriverNameA GetDeviceDriverFileNameA = (pfnGetDeviceDriverNameA) GetProcAddress(hPSAPI, "GetDeviceDriverFileNameA"); if (NULL != EnumDeviceDrivers && NULL != GetDeviceDriverBaseNameA && NULL != GetDeviceDriverFileNameA) { LPVOID * drivers = NULL; DWORD needed = 0; EnumDeviceDrivers(NULL, 0, &needed); drivers = (LPVOID*) malloc(needed); if (EnumDeviceDrivers(drivers, needed, &needed)) { DWORD i; char windir[NtfsMaxPath] = {0}; if (!GetWindowsDirectoryA(windir, NtfsMaxPath)) { xstrcat(windir, NtfsMaxPath, "C:\\Windows"); } ConsoleIOPrint("Drivers : \n"); for (i = 0; i < needed / sizeof(LPVOID); ++i) { char name[NtfsMaxPath] = {0}; if (GetDeviceDriverFileNameA(drivers[i], name, NtfsMaxPath) || GetDeviceDriverBaseNameA(drivers[i], name, NtfsMaxPath)) { VersionInfo info; char full[NtfsMaxPath] = {0}; char * path = name; if (0 == memcmp(path, "\\??\\", 4)) { path += 4; } if (0 == memcmp(path, "\\SystemRoot\\", xstrlen("\\SystemRoot\\"))) { xstrcat(full, NtfsMaxPath, windir); xstrcat(full, NtfsMaxPath, path + xstrlen("\\SystemRoot\\") - 1); } else if (0 == memcmp(path, "\\WINDOWS\\", xstrlen("\\WINDOWS\\")) || 0 == memcmp(path, "\\Windows\\", xstrlen("\\Windows\\"))) { xstrcat(full, NtfsMaxPath, windir); xstrcat(full, NtfsMaxPath, path + xstrlen("\\WINDOWS\\") - 1); } else { if (NULL == xstrchr(path, '\\')) { xstrcat(full, NtfsMaxPath, windir); xstrcat(full, NtfsMaxPath, "\\system32\\drivers\\"); xstrcat(full, NtfsMaxPath, path); } else { xstrcat(full, NtfsMaxPath, path); } } GetVersionInfo(full, &info); ConsoleIOPrintFormatted("%s, %s, %s, %s\n", full, info.FileDescription, info.CompanyName, info.ProductVersion); } } } } FreeLibrary(hPSAPI); } }