获取ntoskrnl的基址 – exchen's blog

使用NtQuerySystemInformation来检索加载的模块，从加载模块里面搜索出ntoskrnl.exe模块

NTSTATUS Status;  
PUCHAR BaseAddress = NULL;  
NTSTATUS ntStatus;  
PMODULES pModules;  
ULONG NeededSize;  
pModules = (PMODULES)&pModules;  
ntStatus = NtQuerySystemInformation(SystemModuleInformation, pModules, 4, &NeededSize);  
if(ntStatus == STATUS_INFO_LENGTH_MISMATCH)  
{  
    pModules = (PMODULES)ExAllocatePool(PagedPool, NeededSize);  
    if(!pModules)  
        return STATUS_INSUFFICIENT_RESOURCES;  
    ntStatus = NtQuerySystemInformation(SystemModuleInformation, pModules, NeededSize, NULL);  
    if(!NT_SUCCESS(ntStatus))  
    {  
        ExFreePool(pModules);  
        return ntStatus;  
    }  
}  
if(!NT_SUCCESS(ntStatus))  
{  
    return ntStatus;  
}  
BaseAddress = (PUCHAR)pModules->smi.Module[0].MappedBase;

NTSTATUS Status;

PUCHAR BaseAddress = NULL;

NTSTATUS ntStatus;

PMODULES pModules;

ULONG NeededSize;

pModules = (PMODULES)&pModules;

ntStatus = NtQuerySystemInformation(SystemModuleInformation, pModules, 4, &NeededSize);

if(ntStatus == STATUS_INFO_LENGTH_MISMATCH)

{

pModules = (PMODULES)ExAllocatePool(PagedPool, NeededSize);

if(!pModules)

return STATUS_INSUFFICIENT_RESOURCES;

ntStatus = NtQuerySystemInformation(SystemModuleInformation, pModules, NeededSize, NULL);

if(!NT_SUCCESS(ntStatus))

{

ExFreePool(pModules);

return ntStatus;

}

if(!NT_SUCCESS(ntStatus))

{

return ntStatus;

}

BaseAddress = (PUCHAR)pModules->smi.Module[0].MappedBase;

转载请注明：exchen's blog » 获取ntoskrnl的基址

与本文相关的文章