
I have a question #2

@xkp95175333

Description

@xkp95175333

How do I use these in the kernel?
ZwQuerySystemInformation
MmCopyVirtualMemory

My code:

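{
	/*
	 * Returns the image base of a loaded kernel module, or NULL when the
	 * module list cannot be obtained or no entry matches.
	 *
	 * moduleName comes from the enclosing function's signature, which is not
	 * part of this snippet. When it is NULL the first entry of the list is
	 * returned; otherwise it is compared with each entry's FullPathName.
	 * NOTE(review): FullPathName holds the whole path, so moduleName
	 * presumably has to be a full path as well -- confirm against the caller.
	 */
	PVOID moduleBase = NULL;
	ULONG info = 0;

	/* Size probe: a zero-length query only reports the required length in info. */
	NTSTATUS status = ZwQuerySystemInformation(SystemModuleInformation, NULL, info, &info);

	if (!info) {
		return moduleBase;
	}

	/*
	 * NOTE(review): the buffer holds data only. On Windows 8 and later
	 * NonPagedPoolNx would avoid an executable pool allocation.
	 */
	PRTL_PROCESS_MODULES modules = (PRTL_PROCESS_MODULES)ExAllocatePoolWithTag(NonPagedPool, info, 'cdff');

	/* The allocation can fail; without this check the query below would write through NULL. */
	if (!modules) {
		return moduleBase;
	}

	/*
	 * The module list may have grown since the size probe, in which case this
	 * call fails and the lookup reports "not found".
	 */
	status = ZwQuerySystemInformation(SystemModuleInformation, modules, info, &info);

	if (!NT_SUCCESS(status)) {
		/* Release the buffer on the failure path too, otherwise every failed lookup leaks pool memory. */
		ExFreePoolWithTag(modules, 'cdff');
		return moduleBase;
	}

	PRTL_PROCESS_MODULE_INFORMATION module = modules->Modules;

	if (modules->NumberOfModules > 0) {

		if (!moduleName) {
			moduleBase = modules->Modules[0].ImageBase;
		}
		else {

			/* ULONG index matches the type of NumberOfModules (no signed/unsigned comparison). */
			for (ULONG i = 0; i < modules->NumberOfModules; i++) {

				if (!strcmp((CHAR*)module[i].FullPathName, moduleName)) {
					moduleBase = module[i].ImageBase;
					break; /* stop at the first match instead of scanning the rest */
				}
			}
		}
	}

	ExFreePoolWithTag(modules, 'cdff');

	return moduleBase;

}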

thank you
