;@echo off
;goto make
;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
;
; SystemModules - How to allocate/free from/to system pool.
;
; Written by Four-F ([email protected])
;
;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
.386                                    ; 32-bit x86 instruction set, as used by the w2k kernel headers included below
.model flat, stdcall                    ; flat 32-bit memory model; procedures default to stdcall (DriverEntry is stdcall)
option casemap:none                     ; identifiers are case sensitive
;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
; I N C L U D E F I L E S
;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
include \masm32\include\w2k\ntstatus.inc
include \masm32\include\w2k\ntddk.inc
include \masm32\include\w2k\native.inc
include \masm32\include\w2k\ntoskrnl.inc
includelib \masm32\lib\w2k\ntoskrnl.lib
include \masm32\Macros\Strings.mac
;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
; D I S C A R D A B L E C O D E
;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
.code INIT                              ; everything below lives in the INIT section (the banner above calls it discardable); DriverEntry is the only code in this file
;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
; DriverEntry
;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
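DriverEntry proc uses esi edi ebx pDriverObject:PDRIVER_OBJECT, pusRegistryPath:PUNICODE_STRING
;-----------------------------------------------------------------------
; NTSTATUS DriverEntry(PDRIVER_OBJECT pDriverObject, PUNICODE_STRING pusRegistryPath)
; ABI:   stdcall, x86-32 kernel mode
; In:    pDriverObject, pusRegistryPath - not used
; Out:   eax = STATUS_DEVICE_CONFIGURATION_ERROR on every path, so the driver
;        is unloaded right after it has printed its report
; Regs:  esi = cursor over the SYSTEM_MODULE_INFORMATION array
;        edi = file-name part of the current module's ImageName
;        ebx = index of the current module
; Stack: locals only; both buffers come from PagedPool and are freed here
;-----------------------------------------------------------------------
local cb:DWORD                          ; size of the module list buffer (in/out for ZwQuerySystemInformation)
local p:PVOID                           ; module list buffer
local dwNumModules:DWORD                ; entry count, first DWORD of p
local pMessage:LPSTR                    ; report text, always NUL terminated
local cbMessage:DWORD                   ; size of pMessage in bytes
local cbUsed:DWORD                      ; bytes of pMessage already holding text (excluding the terminator)
local pDst:LPSTR                        ; pMessage + cbUsed
local cbLeft:DWORD                      ; bytes of pMessage still free for text

    invoke DbgPrint, $CTA0("\nSystemModules: Entering DriverEntry\n")

    and cb, 0
    ; Size query only: length 0 with a dummy buffer returns the required size in cb.
    invoke ZwQuerySystemInformation, SystemModuleInformation, addr p, 0, addr cb
    .if cb != 0
        invoke ExAllocatePool, PagedPool, cb
        .if eax != NULL
            mov p, eax
            invoke DbgPrint, $CTA0("SystemModules: %u bytes of paged memory allocted at address %08X\n"), cb, p
            ; Second call with a correctly sized buffer. If a module was loaded in
            ; between, the size is stale and the status is not STATUS_SUCCESS.
            invoke ZwQuerySystemInformation, SystemModuleInformation, p, cb, addr cb
            .if eax == STATUS_SUCCESS
                mov esi, p
                ; Layout: DWORD count followed by count SYSTEM_MODULE_INFORMATION entries at esi+4.
                push dword ptr [esi]
                pop dwNumModules
                ; Room for two report lines: a full ImageName plus fixed text each.
                mov cbMessage, (sizeof SYSTEM_MODULE_INFORMATION.ImageName + 100)*2
                invoke ExAllocatePool, PagedPool, cbMessage
                .if eax != NULL
                    mov pMessage, eax
                    invoke DbgPrint, $CTA0("SystemModules: %u bytes of paged memory allocted at address %08X\n"), \
                        cbMessage, pMessage
                    ; Zero the whole buffer: the last byte is never written by _snprintf
                    ; below, so it serves as the terminator even after truncation.
                    invoke memset, pMessage, 0, cbMessage
                    and cbUsed, 0
                    add esi, sizeof DWORD
                    ; esi -> first SYSTEM_MODULE_INFORMATION in the array
                    assume esi:ptr SYSTEM_MODULE_INFORMATION
                    xor ebx, ebx
                    ; Look for the kernel image and the ntice.sys driver.
                    .while ebx < dwNumModules
                        lea edi, [esi].ImageName
                        movzx ecx, [esi].ModuleNameOffset
                        add edi, ecx                    ; edi -> file name without path
                        ; Compare case insensitive.
                        ; If you have multiprocessor system use "ntkrnlmp.exe".
                        ; If your system has PAE - "ntkrnlpa.exe"
                        ; Multiprocessor + PAE - "ntkrpamp.exe"
                        ; The two results are tested separately: AND-ing two non-zero
                        ; _strnicmp results can itself be zero and report a false match.
                        invoke _strnicmp, edi, $CTA0("ntoskrnl.exe", szNtoskrnl, 4), sizeof szNtoskrnl - 1
                        .if eax != 0
                            invoke _strnicmp, edi, $CTA0("ntice.sys", szNtIce, 4), sizeof szNtIce - 1
                        .endif
                        .if eax == 0
                            ; Found either ntoskrnl or ntice: format straight into the unused
                            ; tail of pMessage, keeping one byte for the terminator.
                            mov eax, pMessage
                            add eax, cbUsed
                            mov pDst, eax
                            mov eax, cbMessage
                            sub eax, cbUsed
                            dec eax
                            mov cbLeft, eax
                            .if cbLeft != 0
                                invoke _snprintf, pDst, cbLeft, \
                                    $CTA0("SystemModules: Found %s base: %08X size: %08X\n", 4), edi, [esi].Base, [esi]._Size
                                .if sdword ptr eax >= 0
                                    add cbUsed, eax         ; whole line fitted
                                .else
                                    ; Truncated: _snprintf filled cbLeft bytes and wrote no
                                    ; terminator; the spare zero byte from memset ends the text.
                                    mov eax, cbLeft
                                    add cbUsed, eax
                                .endif
                            .endif
                        .endif
                        add esi, sizeof SYSTEM_MODULE_INFORMATION
                        inc ebx
                    .endw
                    assume esi:nothing
                    .if cbUsed != 0
                        ; The report holds module names, so it is passed as an argument,
                        ; never as the format string.
                        invoke DbgPrint, $CTA0("%s"), pMessage
                    .else
                        invoke DbgPrint, $CTA0("SystemModules: Found neither ntoskrnl nor ntice.\n")
                    .endif
                    invoke ExFreePool, pMessage
                    invoke DbgPrint, $CTA0("SystemModules: Memory at address %08X released\n"), pMessage
                .endif
            .endif
            invoke ExFreePool, p
            invoke DbgPrint, $CTA0("SystemModules: Memory at address %08X released\n"), p
        .endif
    .endif

    invoke DbgPrint, $CTA0("SystemModules: Leaving DriverEntry\n")
    ; Deliberate: an error status makes the system unload the driver immediately.
    mov eax, STATUS_DEVICE_CONFIGURATION_ERROR
    ret

DriverEntry endp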
;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
;
;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
end DriverEntry                         ; entry point; MASM stops reading here, so the batch :make section below is never assembled
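:make
rem Build section of the polyglot file: the batch interpreter jumps here from the
rem ";goto make" line at the top, while MASM treats that line as a comment.
set drv=SystemModules
\masm32\bin\ml /nologo /c /coff %drv%.bat
rem Stop on an assembly error instead of linking a missing or stale object.
if errorlevel 1 goto done
\masm32\bin\link /nologo /driver /base:0x10000 /align:32 /out:%drv%.sys /subsystem:native /ignore:4078 %drv%.obj
rem Keep the object for inspection when the link step fails.
if errorlevel 1 goto done
del %drv%.obj
:done
echo.
pause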