一份全系统x86x64通用的镜像回调枚举(LoadImageNotify)
只枚举了前八个回调,要枚举更多就要自己定位PspLoadImageNotifyRoutineCount。其实x64上该变量总在PspLoadImageNotifyRoutine+0x40的位置,x86在+0x20的位置。
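/*
 * Enumerate the LoadImage notify callbacks registered in the kernel and
 * print each callback's function address with DbgPrint.
 *
 * dynData.PspLoadImageNotifyRoutine must already point at the kernel's
 * PspLoadImageNotifyRoutine array (resolved elsewhere). Each slot of that
 * array is an EX_FAST_REF: a pointer-sized value whose low bits hold a
 * reference count and whose remaining bits address an
 * EX_CALLBACK_ROUTINE_BLOCK { EX_RUNDOWN_REF; Function; ... }.
 *
 * Only the first PSP_LOAD_IMAGE_NOTIFY_SCAN_COUNT slots are scanned because
 * PspLoadImageNotifyRoutineCount is not resolved here (the accompanying
 * text places it at +0x40 from the array on x64 and +0x20 on x86; not
 * verified by this code).
 *
 * Returns STATUS_NOT_FOUND when the array address is unknown,
 * STATUS_SUCCESS otherwise.
 *
 * Note: no rundown reference is taken on the callback block, so this is a
 * best-effort, racy read intended for diagnostics only; MmIsAddressValid
 * is used to avoid faulting on a slot that is being torn down.
 */
NTSTATUS MyEnumLoadImageNotifyRoutine(VOID)
{
    enum { PSP_LOAD_IMAGE_NOTIFY_SCAN_COUNT = 8 };
    int i;

    if (!dynData.PspLoadImageNotifyRoutine)
    {
        DbgPrint("Couldn't found PspLoadImageNotifyRoutine\n");
        return STATUS_NOT_FOUND;
    }

    for (i = 0; i < PSP_LOAD_IMAGE_NOTIFY_SCAN_COUNT; i++)
    {
        /* Slots are pointer-sized on both architectures: a fixed stride of
         * 8 would skip every other entry on x86. */
        PVOID *Slot = (PVOID *)((PUCHAR)dynData.PspLoadImageNotifyRoutine + i * sizeof(PVOID));
        PVOID RawRef = *Slot;
        PUCHAR Block;
        PVOID *FunctionField;
        PVOID NotifyAddr;

        /* An empty slot is zero; check that before touching the pointer. */
        if (RawRef == 0 || !MmIsAddressValid(RawRef))
        {
            continue;
        }

        /* Strip the EX_FAST_REF reference-count bits to get the block. */
#ifdef AMD64
        Block = (PUCHAR)((ULONG64)RawRef & ~(ULONG64)0xF);   /* 4 refcount bits on x64 */
#else
        Block = (PUCHAR)((ULONG)RawRef & ~(ULONG)0x7);       /* 3 refcount bits on x86 */
#endif

        /* Function follows the EX_RUNDOWN_REF at the start of the block.
         * Validate the address actually dereferenced, not just the block. */
        FunctionField = (PVOID *)(Block + sizeof(EX_RUNDOWN_REF));
        if (!MmIsAddressValid(FunctionField))
        {
            continue;
        }

        NotifyAddr = *FunctionField;
        /* %p is the correct specifier for a pointer on both architectures. */
        DbgPrint("LoadImageNotify at %p\n", NotifyAddr);
    }

    return STATUS_SUCCESS;
}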