BOOL GetNtosInformation(WCHAR** pKernelFullPath,ULONG* ulKernelBase, ULONG* ulKernelSize) { ULONG ulBase = 0; ULONG ulSize = 0; ULONG ulBufferLength = 0; ULONG ulUnicodeKernelFullPath = 0; WCHAR wszNtosFullPath[260]; KeSetSystemAffinityThread(1); //使当前线程运行在第一个处理器上 __asm { push eax push ebx mov eax, fs:[0x34] //+0x34得到KdVersionBlock的地址 add eax,0x18 //得到指向PsLoadedModuleList的地址 mov eax,[eax] //得到PsLoadedModuleList的地址 mov ebx,[eax] //取出PsLoadedModuleList里面的内容, 即KLDR_DATA_TABLE_ENTRY结构 mov eax,[ebx+0x18] //取出DllBase, 即ntoskrnl.exe的基地址 mov ulBase, eax mov eax,[ebx+0x20] //+20h SizeOfImage mov ulSize,eax mov eax,ebx add eax,0x24 //+24h 是ntos在3环下的UNICODE_STRING全路径 mov ulUnicodeKernelFullPath,eax pop ebx pop eax } KeRevertToUserAffinityThread();//恢复线程运行的处理器 //PsLoadedModuleList的第一个就是ntos //nt!_LDR_DATA_TABLE_ENTRY //+0x000 InLoadOrderLinks : _LIST_ENTRY [ 0x82195338 - 0x8055e720 ] //+0x008 InMemoryOrderLinks : _LIST_ENTRY [ 0x0 - 0x0 ] //+0x010 InInitializationOrderLinks : _LIST_ENTRY [ 0x0 - 0x0 ] //+0x018 DllBase : 0x804d8000 Void //+0x01c EntryPoint : 0x806a3c08 Void //+0x020 SizeOfImage : 0x20e000 //+0x024 FullDllName : _UNICODE_STRING "\WINDOWS\system32\ntkrnlpa.exe" //+0x02c BaseDllName : _UNICODE_STRING "ntoskrnl.exe" //+0x034 Flags : 0xc004000 //+0x038 LoadCount : 1 //+0x03a TlsIndex : 0 //+0x03c HashLinks : _LIST_ENTRY [ 0x0 - 0x1f107a ] //+0x03c SectionPointer : (null) //+0x040 CheckSum : 0x1f107a //+0x044 TimeDateStamp : 0 //+0x044 LoadedImports : (null) //+0x048 EntryPointActivationContext : (null) //+0x04c PatchInformation : 0x0074006e Void RtlZeroMemory(wszNtosFullPath,260*2); //UNICODE_STRING->Length 不包括NULL字符 if (!MmIsAddressValidEx((PUNICODE_STRING)ulUnicodeKernelFullPath)) { return FALSE; } ulBufferLength = (((PUNICODE_STRING)ulUnicodeKernelFullPath)->Length + 1) * 2; if (SafeCopyMemory((PVOID)((PUNICODE_STRING)ulUnicodeKernelFullPath)->Buffer, wszNtosFullPath, ulBufferLength) != STATUS_SUCCESS) { *ulKernelBase = 0; *ulKernelSize = 0; return FALSE; } //拷贝成功的话,就进行对比 *pKernelFullPath = (WCHAR*)ExAllocatePool(NonPagedPool,260*2); if (!*pKernelFullPath) { *ulKernelBase = 0; *ulKernelSize = 0; return FALSE; } wcscat(*pKernelFullPath,L"\\SystemRoot\\system32\\"); if (wcsstr((const wchar_t*)wszNtosFullPath,L"ntoskrnl.exe") != NULL) { wcscat(*pKernelFullPath,L"ntoskrnl.exe"); } else if (wcsstr((const wchar_t*)wszNtosFullPath,L"ntkrnlpa.exe") != NULL) { wcscat(*pKernelFullPath,L"ntkrnlpa.exe"); } else if (wcsstr((const wchar_t*)wszNtosFullPath,L"ntkrnlmp.exe") != NULL) { wcscat(*pKernelFullPath,L"ntkrnlmp.exe"); } else if (wcsstr((const wchar_t*)wszNtosFullPath,L"ntkrpamp.exe") != NULL) { wcscat(*pKernelFullPath,L"ntkrpamp.exe"); } //else if (wcsstr((const wchar_t*)wszNtosFullPath,L"ntkrnlup.exe") != NULL) //{ // wcscat(*pKernelFullPath,L"ntkrnlup.exe"); //} else//失败了 { *ulKernelBase = 0; *ulKernelSize = 0; ExFreePool(*pKernelFullPath); return FALSE; } *ulKernelBase = ulBase; *ulKernelSize = ulSize; return TRUE; }
/* NTSTATUS SafeMmUnmapViewOfSection(PEPROCESS Process,ULONG lpBase) //NtUnmapViewOfSection { NTSTATUS status = STATUS_UNSUCCESSFUL; RMmUnmapViewOfSection = ReLoadNtosCALL(L"MmUnmapViewOfSection",SystemKernelModuleBase,ImageModuleBase); if (RMmUnmapViewOfSection) { ObReferenceObject(Process); status = RMmUnmapViewOfSection(Process,lpBase); ObDereferenceObject(Process); } return status; } */ BOOL MyParseVadTreeRoutine(BYTE* VadNode,PDLLINFO PDll) { DWORD ControlAreaOffset; PCONTROL_AREA ControlArea=NULL; PFILE_OBJECT FileObject=NULL; DWORD StartingVpnOffset=0; DWORD StartingVpn; DWORD Subsection; DWORD SubsectionOffset; PEX_FAST_REF FilePointer; POBJECT_NAME_INFORMATION UnicodeDosFullPath = NULL; WIN_VER_DETAIL WinVer; BOOL bRetOK = FALSE; if (KeGetCurrentIrql() > PASSIVE_LEVEL) { return bRetOK; } __try { WinVer=GetWindowsVersion(); switch (WinVer) { case WINDOWS_VERSION_XP: StartingVpnOffset=0x00; ControlAreaOffset=0x18; break; case WINDOWS_VERSION_2K3: StartingVpnOffset=0x0c; ControlAreaOffset=0x18; break; case WINDOWS_VERSION_2K3_SP1_SP2: StartingVpnOffset=0x0c; ControlAreaOffset=0x18; break; case WINDOWS_VERSION_VISTA_2008: //Vista+2008开始 StartingVpnOffset=0x0c; SubsectionOffset=0x24; break; /*case 6002: //2008 StartingVpnOffset=0x0c; SubsectionOffset=0x24; break; */ case WINDOWS_VERSION_7_7000: case WINDOWS_VERSION_7_7600_UP: StartingVpnOffset=0x0c; SubsectionOffset=0x24; break; } if ( WinVer == WINDOWS_VERSION_XP || WinVer == WINDOWS_VERSION_2K3 || WinVer == WINDOWS_VERSION_2K3_SP1_SP2 ) //xp || 2003 { if (!MmIsAddressValidEx((VadNode+StartingVpnOffset))) { bRetOK = FALSE; __leave; } StartingVpn=*(DWORD*)(VadNode+StartingVpnOffset); if (!StartingVpn) { bRetOK = FALSE; __leave; } // StartingVpn<<12 is base (xp下exe模块的地址一般都是 0x01000000) if (NULL != StartingVpn<<12) { if (!MmIsAddressValidEx((VadNode+ControlAreaOffset))) { bRetOK = FALSE; __leave; } ControlArea=(PCONTROL_AREA)(*(DWORD*)(VadNode+ControlAreaOffset)); //好像这里用RMmIsAddressValidEx判断VCS_TRANSITION内存不准确蓝屏,无语~~ //(蓝屏其实就是没有判断VCS_TRANSITION类型,这个类型也是无法访问) if (MmIsAddressValidEx(ControlArea)) { FileObject=ControlArea->FilePointer; if (MmIsAddressValidEx(FileObject) && ValidateUnicodeString(&FileObject->FileName) && FileObject->FileName.Buffer != NULL && FileObject->FileName.Length > 0) { if (ModuleCount < 518) //会有518个dll么? { if (sizeof(PDll->DllInfo[ModuleCount].lpwzDllModule) > FileObject->FileName.Length) { memset(PDll->DllInfo[ModuleCount].lpwzDllModule,0,sizeof(PDll->DllInfo[ModuleCount].lpwzDllModule)); //KdPrint(("%d:%ws\n",FileObject->FileName.Buffer,FileObject->FileName.Length)); SafeCopyMemory( FileObject->FileName.Buffer, PDll->DllInfo[ModuleCount].lpwzDllModule, FileObject->FileName.Length ); PDll->DllInfo[ModuleCount].ulBase = (ULONG)StartingVpn<<12; ModuleCount++; PDll->ulCount = ModuleCount; bRetOK = TRUE; } } } } } } else if ( WinVer == WINDOWS_VERSION_VISTA_2008 || WinVer == WINDOWS_VERSION_7_7000 || WinVer == WINDOWS_VERSION_7_7600_UP) //win7||vista||2008 { if (!MmIsAddressValidEx((VadNode+StartingVpnOffset))) { bRetOK = FALSE; __leave; } StartingVpn=*(DWORD*)(VadNode+StartingVpnOffset); if (!StartingVpn) { bRetOK = FALSE; __leave; } // StartingVpn<<12 is base (xp下exe模块的地址一般都是 0x01000000) if (NULL != StartingVpn<<12) { if (DebugOn) KdPrint(("[%08x]VadNode:%X\n",StartingVpn<<12,VadNode)); if (!MmIsAddressValidEx((VadNode+SubsectionOffset))) { bRetOK = FALSE; __leave; } Subsection=*(DWORD*)(VadNode+SubsectionOffset); //win7下新加的结构 if (MmIsAddressValidEx(Subsection)) { ControlArea=(PCONTROL_AREA)(*(DWORD*)Subsection); //好像这里用RMmIsAddressValidEx判断VCS_TRANSITION内存不准确蓝屏,无语~~ //(蓝屏其实就是没有判断VCS_TRANSITION类型,这个类型也是无法访问) if (MmIsAddressValidEx(ControlArea)) { FilePointer=(PEX_FAST_REF)&ControlArea->FilePointer; if (MmIsAddressValidEx(FilePointer)) { FileObject=(PFILE_OBJECT)(((DWORD)FilePointer->Object)&(~FilePointer->RefCnt)); if (MmIsAddressValidEx(FileObject) && ValidateUnicodeString(&FileObject->FileName) && FileObject->FileName.Buffer != NULL && FileObject->FileName.Length > 0) { if (ModuleCount < 518) //会有518个dll么? { if (sizeof(PDll->DllInfo[ModuleCount].lpwzDllModule) > FileObject->FileName.Length) { memset(PDll->DllInfo[ModuleCount].lpwzDllModule,0,sizeof(PDll->DllInfo[ModuleCount].lpwzDllModule)); SafeCopyMemory( FileObject->FileName.Buffer, PDll->DllInfo[ModuleCount].lpwzDllModule, FileObject->FileName.Length ); PDll->DllInfo[ModuleCount].ulBase = (ULONG)StartingVpn<<12; ModuleCount++; PDll->ulCount = ModuleCount; bRetOK = TRUE; } } } } } } } } } __except(EXCEPTION_EXECUTE_HANDLER) { if (DebugOn) DbgPrint("VadTree Error \r\n"); } return bRetOK; }
/* DWORD GetDllModuleFromPeb(PEPROCESS Process,PDLLINFO PDll) { DWORD PebOffset=0; DWORD PebLdrOffset = 0; DWORD Peb; PPEB_LDR_DATA PebLdr; PLDR_DATA_TABLE_ENTRY LdrTableEntry; PLIST_ENTRY pListHead,pListNext; int i = 0; WIN_VER_DETAIL WinVer; BOOL bRetOK = FALSE; if (!MmIsAddressValidEx(Process)) { return bRetOK; } __try { WinVer=GetWindowsVersion(); switch (WinVer) { case WINDOWS_VERSION_XP: //xp PebOffset=0x1b0; PebLdrOffset = 0x0c; break; case WINDOWS_VERSION_2K3_SP1_SP2: //2003 PebOffset=0x1a0; PebLdrOffset = 0x0c; break; case WINDOWS_VERSION_7_7000: //win7 7000 PebOffset=0x1a0; PebLdrOffset = 0x0c; break; case WINDOWS_VERSION_7_7600_UP: //win7 7600 PebOffset=0x1a8; PebLdrOffset = 0x0c; break; } if (PebOffset==0 || PebLdrOffset==0) { bRetOK = FALSE; __leave; } Peb = *(DWORD*)((DWORD)Process+PebOffset); ProbeForRead((PVOID)Peb,4,1);//PEB是用户空间的,可能会不能访问 if (Peb == 0 || !MmIsAddressValidEx(Peb)) { if (DebugOn) DbgPrint("Peb is null\n"); bRetOK = FALSE; __leave; } PebLdr=(PPEB_LDR_DATA)*(DWORD*)(Peb+PebLdrOffset); ProbeForRead((PVOID)PebLdr,4,1); if (!MmIsAddressValidEx(PebLdr)) { if (DebugOn) DbgPrint("PebLdr offset is null\n"); bRetOK = FALSE; __leave; } pListHead=&PebLdr->InLoadOrderModuleList; pListNext=pListHead->Flink; while (pListHead!=pListNext) { LdrTableEntry=(PLDR_DATA_TABLE_ENTRY)pListNext; if (!MmIsAddressValidEx(LdrTableEntry)) { break; } if (ValidateUnicodeString(&LdrTableEntry->FullDllName) && LdrTableEntry->FullDllName.Buffer != NULL && LdrTableEntry->FullDllName.Length > 0 ) { if (i < 518) //会有518个dll么? { if (sizeof(PDll->DllInfo[i].lpwzDllModule) > LdrTableEntry->FullDllName.Length) { if (DebugOn) DbgPrint("DllBase:%x dll path %ws:%d\n",LdrTableEntry->DllBase,LdrTableEntry->FullDllName.Buffer,LdrTableEntry->FullDllName.Length); PDll->DllInfo[i].ulBase = LdrTableEntry->DllBase; memset(PDll->DllInfo[i].lpwzDllModule,0,sizeof(PDll->DllInfo[i].lpwzDllModule)); SafeCopyMemory( LdrTableEntry->FullDllName.Buffer, PDll->DllInfo[i].lpwzDllModule, LdrTableEntry->FullDllName.Length ); i++; PDll->ulCount = i; } } } pListNext=pListNext->Flink; } bRetOK = TRUE; } __except(EXCEPTION_EXECUTE_HANDLER) { if (DebugOn) DbgPrint("GetDllNameFromPeb Error \r\n"); } return bRetOK; } */ VOID EunmProcessModuleByVirtualMemory(ULONG EProcess,PDLLINFO PDll) { ULONG dwStartAddr = 0x00000000; HANDLE hProcess; MEMORY_BASIC_INFORMATION mbi; PUNICODE_STRING SectionName = NULL; OBJECT_ATTRIBUTES ObjectAttributes; CLIENT_ID ClientId={0}; NTSTATUS status; int i=0; int count = 0; ULONG ulDllSize; BOOL bInit = FALSE; WinVer = GetWindowsVersion(); switch(WinVer) { case WINDOWS_VERSION_XP: if (!MmIsAddressValidEx(RZwQueryVirtualMemory)){ RZwQueryVirtualMemory = GetZwQueryVirtualMemoryAddress(); } break; case WINDOWS_VERSION_7_7600_UP: case WINDOWS_VERSION_7_7000: ReLoadNtosCALL(&RZwQueryVirtualMemory,L"ZwQueryVirtualMemory",SystemKernelModuleBase,ImageModuleBase); //win7导出了,可以直接用 break; case WINDOWS_VERSION_2K3_SP1_SP2: if (!MmIsAddressValidEx(RZwQueryVirtualMemory)){ RZwQueryVirtualMemory = GetZwQueryVirtualMemoryAddress(); } break; } ReLoadNtosCALL(&RObOpenObjectByPointer,L"ObOpenObjectByPointer",SystemKernelModuleBase,ImageModuleBase); ReLoadNtosCALL(&RExAllocatePool,L"ExAllocatePool",SystemKernelModuleBase,ImageModuleBase); ReLoadNtosCALL(&RExFreePool,L"ExFreePool",SystemKernelModuleBase,ImageModuleBase); ReLoadNtosCALL(&RZwClose,L"ZwClose",SystemKernelModuleBase,ImageModuleBase); if (RZwQueryVirtualMemory && RObOpenObjectByPointer && RExAllocatePool && RExFreePool && RZwClose) { bInit = TRUE; } if (!bInit) return FALSE; //进程已经退出鸟 if (!IsExitProcess(EProcess)){ return FALSE; } status = RObOpenObjectByPointer( EProcess, // Object OBJ_KERNEL_HANDLE, // HandleAttributes NULL, // PassedAccessState OPTIONAL NULL, // DesiredAccess *PsProcessType, // ObjectType KernelMode, // AccessMode &hProcess); if (!NT_SUCCESS(status)) { if (DebugOn) KdPrint(("ObOpenObjectByPointer failed:%d",RtlNtStatusToDosError(status))); return NULL; } SectionName = (PUNICODE_STRING)RExAllocatePool(NonPagedPool,260*sizeof(WCHAR)); if (!SectionName) { RZwClose(hProcess); return; } memset(SectionName,0,260*sizeof(WCHAR)); __try { for (dwStartAddr=0; dwStartAddr<0x80000000; dwStartAddr=dwStartAddr+0x10000) { status = RZwQueryVirtualMemory( hProcess, (PVOID)dwStartAddr, MemoryBasicInformation, &mbi, sizeof(MEMORY_BASIC_INFORMATION), 0 ); if (NT_SUCCESS(status)) { if(mbi.Type == MEM_IMAGE) { status = RZwQueryVirtualMemory( hProcess, (PVOID)dwStartAddr, MemorySectionName, SectionName, 260*sizeof(WCHAR), 0 ); if (NT_SUCCESS(status)) { if (i) count = i - 1; //如果当前的DLL模块路径 不等于前一个,则说明是开始了下一个DLL的枚举了。比如: //c:\windows\system32\ntdll.dll //c:\windows\system32\ntdll.dll //c:\windows\system32\ntdll.dll //c:\windows\system32\ntdll.dll //c:\windows\system32\ntdll.dll //c:\windows\system32\kernel32.dll if (_wcsnicmp(PDll->DllInfo[count].lpwzDllModule,SectionName->Buffer,SectionName->Length/2) != 0 && sizeof(PDll->DllInfo[i].lpwzDllModule) > SectionName->Length) { if (DebugOn) KdPrint(("DLL-->%08x:%08x:%ws\r\n",mbi.BaseAddress,dwStartAddr,SectionName->Buffer)); PDll->DllInfo[i].ulBase = dwStartAddr; SafeCopyMemory( SectionName->Buffer, PDll->DllInfo[i].lpwzDllModule, SectionName->Length ); i++; PDll->ulCount = i; if (i > 518) { break; } /* //获取dll大小 //备注一下这个方法 for (ulDllSize = dwStartAddr+mbi.RegionSize;ulDllSize < 0x80000000;ulDllSize += mbi.RegionSize) { status = ZwQueryVirtualMemory( hProcess, (PVOID)ulDllSize, MemoryBasicInformation, &mbi, sizeof(MEMORY_BASIC_INFORMATION), 0 ); if (NT_SUCCESS(status)) { if(mbi.Type != MEM_IMAGE) { KdPrint(("DLL-->%08x:%08x:%ws\r\n",dwStartAddr,ulDllSize-dwStartAddr,SectionName->Buffer)); break; } } } */ } } } } } }__except(EXCEPTION_EXECUTE_HANDLER){ goto _FunctionRet; } _FunctionRet: RExFreePool(SectionName); if (DebugOn) KdPrint(("ZwQueryVirtualMemory DLL count:%d-%d\r\n",i,PDll->ulCount)); RZwClose(hProcess); }
//L"\\Registry\\Machine\\System\\CurrentControlSet\\Services\\"; NTSTATUS ReadRegistry(PSTARTUP_INFO Startup,WCHAR *DriverServiceNamePath,WCHAR *ReadKey) { NTSTATUS Status = STATUS_UNSUCCESSFUL; OBJECT_ATTRIBUTES NetworkClassKeyObject; OBJECT_ATTRIBUTES SubKeyObject; HANDLE NetworkClassKeyHandle; HANDLE SubKeyHandle; ULONG i, SubkeyIndex, ResultLength, InterfacesKeyStringLength; PWCHAR InterfacesKeyString; UNICODE_STRING NetworkClassKey, InterfacesKey, UnicodeReadKey, DriverServiceName; PKEY_BASIC_INFORMATION KeyInformation; PKEY_VALUE_PARTIAL_INFORMATION KeyValueInformation; WCHAR *KeyName = NULL; BOOL bInit = FALSE; ReLoadNtosCALL(&RRtlInitUnicodeString,L"RtlInitUnicodeString",SystemKernelModuleBase,ImageModuleBase); ReLoadNtosCALL(&RZwOpenKey,L"ZwOpenKey",SystemKernelModuleBase,ImageModuleBase); ReLoadNtosCALL(&RExAllocatePool,L"ExAllocatePool",SystemKernelModuleBase,ImageModuleBase); ReLoadNtosCALL(&RExFreePool,L"ExFreePool",SystemKernelModuleBase,ImageModuleBase); ReLoadNtosCALL(&RZwEnumerateKey,L"ZwEnumerateKey",SystemKernelModuleBase,ImageModuleBase); ReLoadNtosCALL(&RZwQueryValueKey,L"ZwQueryValueKey",SystemKernelModuleBase,ImageModuleBase); ReLoadNtosCALL(&RZwClose,L"ZwClose",SystemKernelModuleBase,ImageModuleBase); if (RRtlInitUnicodeString && RZwOpenKey && RExAllocatePool && RExFreePool && RZwEnumerateKey && RZwQueryValueKey && RZwClose) { bInit = TRUE; } if (!bInit) { return Status; } if (DebugOn) KdPrint(("Starting")); RRtlInitUnicodeString(&UnicodeReadKey,ReadKey); RRtlInitUnicodeString(&NetworkClassKey,DriverServiceNamePath); InitializeObjectAttributes( &NetworkClassKeyObject, &NetworkClassKey, OBJ_KERNEL_HANDLE | OBJ_CASE_INSENSITIVE, NULL, NULL ); Status = RZwOpenKey( &NetworkClassKeyHandle, KEY_ALL_ACCESS, &NetworkClassKeyObject ); if (!NT_SUCCESS(Status)) { if (DebugOn) DbgPrint("Failed to open Network Class key\n"); return Status; } if (DebugOn) KdPrint(("ZwOpenKey success")); SubkeyIndex = 0; i = Startup->ulCount; while ((Status = RZwEnumerateKey(NetworkClassKeyHandle, SubkeyIndex, KeyBasicInformation, NULL, 0, &ResultLength)) != STATUS_NO_MORE_ENTRIES) { if ((Status != STATUS_SUCCESS) && (Status != STATUS_BUFFER_OVERFLOW) && (Status != STATUS_BUFFER_TOO_SMALL)) { if (DebugOn) DbgPrint("ZwEnumerateKey 1 failed in SetupRegistry (%lx)\n", Status); Status = STATUS_UNSUCCESSFUL; break; } if ((KeyInformation = (PKEY_BASIC_INFORMATION)RExAllocatePool(NonPagedPool, ResultLength)) == NULL) { if (DebugOn) DbgPrint("ExAllocatePool KeyData failed in SetupRegistry\n"); Status = STATUS_UNSUCCESSFUL; break; } memset(KeyInformation,0,ResultLength); Status = RZwEnumerateKey( NetworkClassKeyHandle, SubkeyIndex, KeyBasicInformation, KeyInformation, ResultLength, &ResultLength ); if (!NT_SUCCESS(Status)) { if (DebugOn) DbgPrint("ZwEnumerateKey 2 failed in SetupRegistry\n"); Status = STATUS_UNSUCCESSFUL; RExFreePool(KeyInformation); break; } if ((KeyName = (WCHAR *)RExAllocatePool(NonPagedPool, 260*sizeof(WCHAR))) == NULL){ continue; } memset(KeyName,0,260*sizeof(WCHAR)); SafeCopyMemory(KeyInformation->Name,KeyName,KeyInformation->NameLength); //KdPrint(("Key:%ws\n",KeyName)); //读取UnicodeReadKey RRtlInitUnicodeString(&DriverServiceName,KeyName); InitializeObjectAttributes( &SubKeyObject, &DriverServiceName, OBJ_KERNEL_HANDLE | OBJ_CASE_INSENSITIVE, NetworkClassKeyHandle, NULL ); Status = RZwOpenKey( &SubKeyHandle, KEY_ALL_ACCESS, &SubKeyObject ); if (NT_SUCCESS(Status)) { if ((Status = RZwQueryValueKey(SubKeyHandle, &UnicodeReadKey, KeyValuePartialInformation, NULL, 0, &ResultLength)) != STATUS_OBJECT_NAME_NOT_FOUND) { if ((Status != STATUS_SUCCESS) && (Status != STATUS_BUFFER_OVERFLOW) && (Status != STATUS_BUFFER_TOO_SMALL)) { RZwClose(SubKeyHandle); RExFreePool(KeyInformation); break; } KeyValueInformation = (PKEY_VALUE_PARTIAL_INFORMATION)RExAllocatePool(NonPagedPool, ResultLength); if (KeyValueInformation) { memset(KeyValueInformation,0,ResultLength); Status = RZwQueryValueKey( SubKeyHandle, &UnicodeReadKey, KeyValuePartialInformation, KeyValueInformation, ResultLength, &ResultLength ); if (NT_SUCCESS(Status)) { //KdPrint(("%ws -> %ws\n",KeyName,KeyValueInformation->Data)); if (MmIsAddressValidEx(KeyValueInformation->Data) && KeyValueInformation->DataLength > 0) { SafeCopyMemory(DriverServiceName.Buffer,Startup->Startup[i].lpwzName,DriverServiceName.Length); SafeCopyMemory(DriverServiceNamePath,Startup->Startup[i].lpwzKeyPath,wcslen(DriverServiceNamePath)*2); SafeCopyMemory(KeyValueInformation->Data,Startup->Startup[i].lpwzKeyValue,KeyValueInformation->DataLength); i++; Startup->ulCount = i; if (DebugOn) KdPrint(("%ws -> %ws\n",KeyName,KeyValueInformation->Data)); } } RExFreePool(KeyValueInformation); } } RZwClose(SubKeyHandle); } RExFreePool(KeyName); RExFreePool(KeyInformation); KeyName = NULL; KeyInformation = NULL; SubkeyIndex++; } if (NetworkClassKeyHandle) RZwClose(NetworkClassKeyHandle); return Status; }