void DtraceWinOSKernelModuleInfo(void)
{
PAUX_MODULE_EXTENDED_INFO info = NULL;
ULONG size = 0, mods, i;
modctl_t *temp, *prev = NULL;
char *s, *tmp;
if (AuxKlibInitialize() != STATUS_SUCCESS ||
AuxKlibQueryModuleInformation(&size, sizeof(AUX_MODULE_EXTENDED_INFO), NULL) != STATUS_SUCCESS ||
size == 0 || (info = ExAllocatePoolWithTag(NonPagedPool, size, 'Tag1')) == NULL ||
(AuxKlibQueryModuleInformation(&size, sizeof(AUX_MODULE_EXTENDED_INFO), info) != STATUS_SUCCESS)) {
dprintf("dtrace.sys: failed in DtraceWinOSKernelModuleInfo\n");
if (info != NULL)
ExFreePoolWithTag(info, 'Tag1');
return;
}
mods = size / sizeof(AUX_MODULE_EXTENDED_INFO);
modules = ExAllocatePoolWithTag(NonPagedPool, sizeof(modctl_t), 'Tag1');
RtlZeroMemory(modules, sizeof(modctl_t));
temp = modules;
i = 0;
do {
temp->imgbase = (uintptr_t) info[i].BasicInfo.ImageBase;
temp->size = info[i].ImageSize;
temp->loadcnt = 0;
temp->nenabled = 0;
temp->fbt_nentries = 0;
s = info[i].FullPathName + info[i].FileNameOffset;
tmp = ExAllocatePoolWithTag(NonPagedPool, strlen(s)+1, 'Tag1');
if (tmp != NULL) {
strcpy(tmp, s);
temp->mod_modname = tmp;
}
temp->mod_next = modules;
if (prev != NULL)
prev->mod_next = temp;
prev = temp;
} while (++i < mods && (temp = ExAllocatePoolWithTag(NonPagedPool, sizeof(modctl_t), 'Tag1')) != NULL);
}
NTSTATUS kkll_m_modules_enum(SIZE_T szBufferIn, PVOID bufferIn, PKIWI_BUFFER outBuffer, PKKLL_M_MODULE_CALLBACK callback, PVOID pvArg)
{
NTSTATUS status = STATUS_SUCCESS;
ULONG i, modulesSize, numberOfModules;
PAUX_MODULE_EXTENDED_INFO pModules;
BOOLEAN mustContinue = TRUE;
status = AuxKlibQueryModuleInformation(&modulesSize, sizeof(AUX_MODULE_EXTENDED_INFO), NULL);
if(NT_SUCCESS(status) && modulesSize)
{
if(pModules = (PAUX_MODULE_EXTENDED_INFO) ExAllocatePoolWithTag(PagedPool, modulesSize, POOL_TAG))
{
numberOfModules = modulesSize / sizeof(AUX_MODULE_EXTENDED_INFO);
status = AuxKlibQueryModuleInformation(&modulesSize, sizeof(AUX_MODULE_EXTENDED_INFO), pModules);
for(i = 0; NT_SUCCESS(status) && mustContinue && (i < numberOfModules); i++)
status = callback(szBufferIn, bufferIn, outBuffer, pModules + i, pvArg, &mustContinue);
ExFreePoolWithTag(pModules, POOL_TAG);
}
}
return status;
}
int difi_get_module_info(const char* module_name, void** base, long* size)
{
NTSTATUS status;
ULONG modules_size;
AUX_MODULE_EXTENDED_INFO* modules;
AUX_MODULE_EXTENDED_INFO* module;
ULONG number_of_modules;
int name_length;
char module_name_to_search[AUX_KLIB_MODULE_PATH_LEN];
if (module_name == NULL)
{
return -1;
}
if (aux_klib_initialized == 0)
{
difi_dbg_print("Must call difi_ddk_helper_initialize from your driver entry point!");
return -1;
}
*base = NULL;
*size = 0;
name_length = strlen(module_name);
strcpy(module_name_to_search, module_name);
strcat(module_name_to_search, ".sys");
name_length = strlen(module_name_to_search);
/* Get the required array size. */
status = AuxKlibQueryModuleInformation(&modules_size,
sizeof(AUX_MODULE_EXTENDED_INFO),
NULL);
if (!NT_SUCCESS(status) || modules_size == 0)
{
difi_dbg_print("AuxKlibQueryModuleInformation failed: %x\n", status);
return status;
}
number_of_modules = modules_size / sizeof(AUX_MODULE_EXTENDED_INFO);
difi_dbg_print("Number of modules: %d, module to search: %s\n", number_of_modules, module_name_to_search);
modules =
(AUX_MODULE_EXTENDED_INFO*) ExAllocatePoolWithTag(
PagedPool,
modules_size,
'3LxF');
if (modules == NULL)
{
status = STATUS_INSUFFICIENT_RESOURCES;
return status;
}
RtlZeroMemory(modules, modules_size);
status = AuxKlibQueryModuleInformation(&modules_size,
sizeof(AUX_MODULE_EXTENDED_INFO),
modules);
if (!NT_SUCCESS(status))
{
ExFreePool(modules);
return status;
}
for (module = modules; module < modules + number_of_modules; module++)
{
if (_strnicmp((const char*)module_name_to_search,
(const char*)(&module->FullPathName[0] + module->FileNameOffset),
name_length) == 0)
{
*base = module->BasicInfo.ImageBase;
*size = (long)module->ImageSize;
break;
}
if (_strnicmp((const char*)module_name,
(const char*)(&module->FullPathName[0] + module->FileNameOffset),
strlen(module_name)) == 0)
{
*base = module->BasicInfo.ImageBase;
*size = (long)module->ImageSize;
break;
}
}
ExFreePool(modules);
difi_dbg_print("Module base: %x\n", *base);
return 0;
}
_Must_inspect_result_
NTSTATUS
FxpGetImageBase(
__in PDRIVER_OBJECT DriverObject,
__out PVOID* ImageBase,
__out PULONG ImageSize
)
{
NTSTATUS status = STATUS_UNSUCCESSFUL;
ULONG modulesSize = 0;
AUX_MODULE_EXTENDED_INFO* modules = NULL;
AUX_MODULE_EXTENDED_INFO* module;
PVOID addressInImage = NULL;
ULONG numberOfModules;
ULONG i;
//
// Basic validation.
//
if (NULL == DriverObject || NULL == ImageBase || NULL == ImageSize) {
status = STATUS_INVALID_PARAMETER;
goto exit;
}
//
// Get the address of a well known entry in the Image.
//
addressInImage = (PVOID) DriverObject->DriverStart;
ASSERT(addressInImage != NULL);
//
// Initialize the AUX Kernel Library.
//
status = AuxKlibInitialize();
if (!NT_SUCCESS(status)) {
goto exit;
}
//
// Get size of area needed for loaded modules.
//
status = AuxKlibQueryModuleInformation(&modulesSize,
sizeof(AUX_MODULE_EXTENDED_INFO),
NULL);
if (!NT_SUCCESS(status) || (0 == modulesSize)) {
goto exit;
}
numberOfModules = modulesSize / sizeof(AUX_MODULE_EXTENDED_INFO);
//
// Allocate returned-sized memory for the modules area.
//
modules = (AUX_MODULE_EXTENDED_INFO*) ExAllocatePoolWithTag(PagedPool,
modulesSize,
'30LW');
if (NULL == modules) {
status = STATUS_INSUFFICIENT_RESOURCES;
goto exit;
}
//
// Request the modules array be filled with module information.
//
status = AuxKlibQueryModuleInformation(&modulesSize,
sizeof(AUX_MODULE_EXTENDED_INFO),
modules);
if (!NT_SUCCESS(status)) {
goto exit;
}
//
// Traverse list, searching for the well known address in Image for which the
// module's Image Base Address is in its range.
//
module = modules;
for (i=0; i < numberOfModules; i++) {
if (addressInImage >= module->BasicInfo.ImageBase &&
addressInImage < WDF_PTR_ADD_OFFSET(module->BasicInfo.ImageBase,
module->ImageSize)) {
*ImageBase = module->BasicInfo.ImageBase;
*ImageSize = module->ImageSize;
status = STATUS_SUCCESS;
goto exit;
}
module++;
}
status = STATUS_NOT_FOUND;
exit:
if (modules != NULL) {
ExFreePool(modules);
modules = NULL;
}
return status;
}
static NTSTATUS JpfbtsGetImageBaseAddress(
__in ULONG_PTR AddressWithinImage,
__out ULONG_PTR *BaseAddress
)
{
ULONG BufferSize = 0;
PAUX_MODULE_EXTENDED_INFO Modules;
NTSTATUS Status;
ASSERT( KeGetCurrentIrql() < DISPATCH_LEVEL );
ASSERT( BaseAddress );
*BaseAddress = 0;
//
// Query required size.
//
Status = AuxKlibQueryModuleInformation (
&BufferSize,
sizeof( AUX_MODULE_EXTENDED_INFO ),
NULL );
if ( ! NT_SUCCESS( Status ) )
{
return Status;
}
ASSERT( ( BufferSize % sizeof( AUX_MODULE_EXTENDED_INFO ) ) == 0 );
Modules = ( PAUX_MODULE_EXTENDED_INFO )
JpfbtpAllocatePagedMemory( BufferSize, TRUE );
if ( ! Modules )
{
return STATUS_NO_MEMORY;
}
//
// Query loaded modules list.
//
Status = AuxKlibQueryModuleInformation(
&BufferSize,
sizeof( AUX_MODULE_EXTENDED_INFO ),
Modules );
if ( NT_SUCCESS( Status ) )
{
ULONG Index;
ULONG NumberOfModules = BufferSize / sizeof( AUX_MODULE_EXTENDED_INFO );
//
// Now that we have the module list, see which one we are.
//
for ( Index = 0; Index < NumberOfModules; Index++ )
{
ULONG_PTR ImageBase =
( ULONG_PTR ) Modules[ Index ].BasicInfo.ImageBase;
if ( AddressWithinImage >= ImageBase &&
AddressWithinImage < ImageBase + Modules[ Index ].ImageSize )
{
*BaseAddress = ImageBase;
break;
}
}
}
JpfbtpFreePagedMemory( Modules );
ASSERT( *BaseAddress );
if ( *BaseAddress == 0 )
{
KdPrint( ( "FBT: Failed to obtain module base address.\n" ) );
return STATUS_UNSUCCESSFUL;
}
KdPrint( ( "FBT: Module base address is %p.\n", *BaseAddress ) );
return Status;
}
