
ZwQueryVirtualMemory查询进程模块

#include <windows.h>
#include <stdio.h>
#include <winternl.h>

/* Subset of the MEMORY_INFORMATION_CLASS values passed to
 * ZwQueryVirtualMemory; this file uses MemoryBasicInformation (0) and
 * MemorySectionName (2). The numbers are written out so the ordinal each
 * name stands for is visible and cannot shift if an entry is inserted. */
typedef enum _MEMORY_INFORMATION_CLASS
{
    MemoryBasicInformation = 0,
    MemoryWorkingSetList   = 1,
    MemorySectionName      = 2
} MEMORY_INFORMATION_CLASS;

/* Pointer type for ntdll!ZwQueryVirtualMemory, which this file looks up at
 * run time with GetProcAddress. The parameters mirror the native API:
 * BaseAddress is the address to query in ProcessHandle, MemoryInformation /
 * MemoryInformationLength describe the caller-supplied output buffer for the
 * requested MemoryInformationClass, and ReturnLength receives the size the
 * call needed (the calls in this file pass NULL for it). */
typedef NTSTATUS (__stdcall *fnZwQueryVirtualMemory)(
    HANDLE ProcessHandle,
    PVOID BaseAddress,
    MEMORY_INFORMATION_CLASS MemoryInformationClass,
    PVOID MemoryInformation,
    SIZE_T MemoryInformationLength,
    PSIZE_T ReturnLength);

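/*
 * Walk the user-mode address space of ProcessHandle with ZwQueryVirtualMemory
 * and print, for every mapped image (MEM_IMAGE) whose first region starts at
 * the queried address, the load base and the NT device path reported by the
 * MemorySectionName class.
 *
 * ProcessHandle: handle to the process to inspect; main() below passes
 *   GetCurrentProcess(). A handle to another process must carry query access
 *   for the calls to succeed.
 * Output: one line per module on stdout via wprintf. Failed queries and
 *   modules whose name does not fit in the local buffer are skipped silently.
 *
 * Fixes over the previous version: the GetProcAddress result is checked before
 * being called; the section-name buffer is pointer-aligned (UNICODE_STRING
 * holds a pointer, a wchar_t array is only 2-byte aligned); the name is printed
 * bounded by UNICODE_STRING.Length because the string is not guaranteed to be
 * NUL-terminated; the format string is a genuine wide literal with %ls, which
 * does not depend on UNICODE being defined; the scan advances by RegionSize
 * instead of one page at a time, which also makes it cheap to start at the
 * first page on 64-bit instead of skipping everything below 0x7FF000000000.
 */
VOID EnumProcessForModule(HANDLE ProcessHandle)
{
    /* Resolved once; a static with a non-constant initializer is not valid C,
     * so the lookup is done lazily on the first call. */
    static fnZwQueryVirtualMemory pZwQueryVirtualMemory = NULL;

    /* MemorySectionName fills a UNICODE_STRING header followed by the
     * characters in the same buffer; the header is read through ->Buffer. */
    struct
    {
        UNICODE_STRING Header;
        WCHAR Name[MAX_PATH];
    } SectionNameBuffer;
    PUNICODE_STRING SectionName = &SectionNameBuffer.Header;
    MEMORY_BASIC_INFORMATION Info;
    NTSTATUS NtStatus;
    ULONG_PTR Index;
    const ULONG_PTR PageSize = 0x1000;
#ifdef _WIN64
    const ULONG_PTR HighestUserAddress = 0x00007fffffff0000ULL;
#else
    const ULONG_PTR HighestUserAddress = 0x7fff0000UL;
#endif

    if (pZwQueryVirtualMemory == NULL)
    {
        HMODULE Ntdll = GetModuleHandle(TEXT("ntdll.dll"));
        if (Ntdll != NULL)
        {
            pZwQueryVirtualMemory = (fnZwQueryVirtualMemory)GetProcAddress(Ntdll, "ZwQueryVirtualMemory");
        }
        if (pZwQueryVirtualMemory == NULL)
        {
            /* Nothing to call; calling through NULL would crash. */
            return;
        }
    }

    /* Page 0 is never a module, so start at the first page. */
    Index = PageSize;
    while (Index < HighestUserAddress)
    {
        /* Default step when the query fails or reports a size that would not
         * move forward (also covers wrap-around of BaseAddress + RegionSize). */
        ULONG_PTR Next = Index + PageSize;

        NtStatus = pZwQueryVirtualMemory(ProcessHandle, (PVOID)Index, MemoryBasicInformation,
                                         &Info, sizeof(Info), NULL);
        if (NT_SUCCESS(NtStatus))
        {
            ULONG_PTR RegionEnd = (ULONG_PTR)Info.BaseAddress + Info.RegionSize;
            if (RegionEnd > Index)
            {
                /* Skip the whole region just described in one step. */
                Next = RegionEnd;
            }

            /* An image whose AllocationBase equals the queried address is the
             * first region of a mapped module, i.e. its load base. */
            if (Info.Type == MEM_IMAGE && (ULONG_PTR)Info.AllocationBase == Index)
            {
                ZeroMemory(&SectionNameBuffer, sizeof(SectionNameBuffer));
                NtStatus = pZwQueryVirtualMemory(ProcessHandle, (PVOID)Index, MemorySectionName,
                                                 &SectionNameBuffer, sizeof(SectionNameBuffer), NULL);
                if (NT_SUCCESS(NtStatus) && SectionName->Buffer != NULL)
                {
                    /* Length is in bytes; bound the print by it because a
                     * UNICODE_STRING need not be NUL-terminated. */
                    wprintf(L"BaseAddress:0x%llx ModuleName:%.*ls\n",
                            (unsigned long long)(ULONG_PTR)Info.AllocationBase,
                            (int)(SectionName->Length / sizeof(WCHAR)),
                            SectionName->Buffer);
                }
            }
        }

        Index = Next;
    }
}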

/* Entry point: list the modules of this process, then wait on stdin before
 * exiting (presumably to keep a console window open; the second getchar
 * presumably absorbs a pending newline — behaviour kept as-is). */
int main(void)
{
    EnumProcessForModule(GetCurrentProcess());

    (void)getchar();
    (void)getchar();

    return 0;
}

/*
BaseAddress:0xae0000 ModuleName:\Device\HarddiskVolume7\vs2013\R3\ConsoleApplication3\Debug\ConsoleApplication3.exe
BaseAddress:0xffb0000 ModuleName:\Device\HarddiskVolume5\Windows\SysWOW64\msvcr120d.dll
BaseAddress:0x5e120000 ModuleName:\Device\HarddiskVolume5\Windows\System32\wow64cpu.dll
BaseAddress:0x5e130000 ModuleName:\Device\HarddiskVolume5\Windows\System32\wow64.dll
BaseAddress:0x5e190000 ModuleName:\Device\HarddiskVolume5\Windows\System32\wow64win.dll
BaseAddress:0x75180000 ModuleName:\Device\HarddiskVolume5\Windows\SysWOW64\kernel32.dll
BaseAddress:0x76c10000 ModuleName:\Device\HarddiskVolume5\Windows\SysWOW64\KernelBase.dll
BaseAddress:0x778b0000 ModuleName:\Device\HarddiskVolume5\Windows\SysWOW64\ntdll.dll

*/

/*

BaseAddress:0x7ff69f670000 ModuleName:\Device\HarddiskVolume7\vs2013\R3\ConsoleApplication3\x64\Debug\ConsoleApplication3.exe
BaseAddress:0x7ffe0d800000 ModuleName:\Device\HarddiskVolume5\Windows\System32\msvcr120d.dll
BaseAddress:0x7ffe317f0000 ModuleName:\Device\HarddiskVolume5\Windows\System32\KernelBase.dll
BaseAddress:0x7ffe328b0000 ModuleName:\Device\HarddiskVolume5\Windows\System32\kernel32.dll
BaseAddress:0x7ffe351b0000 ModuleName:\Device\HarddiskVolume5\Windows\System32\ntdll.dll

*/