Walking the export table in kernel mode needs more care than in user mode;
the x64 environment does not change much: pointers are 64 bits wide, so the types used for data and for pointers to that data need attention;
without further ado, straight to the source code, which compiles under VS2010 + WDK 7600:
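///////////////////////////////////////////////////////////////////////////////
// @file   aux_list.c
// @author cntom90151
// @date   2015-09-24
//
// Enumerates every loaded kernel module through Aux_klib and prints the
// named exports (RVA and name) found in each module's export directory.
///////////////////////////////////////////////////////////////////////////////
#include <ntddk.h>
#include <WinDef.h>
#include <aux_klib.h>

#pragma comment(lib, "Aux_klib.lib")

#define TAG 'Test'

// Turn an RVA into a pointer relative to a mapped image base.
// Both operands are parenthesized so arbitrary expressions can be passed.
#define PtrFromRva(xbase, rva) (((PBYTE)(xbase)) + (rva))

/*
 * Unload routine. The driver keeps no persistent resources (the module
 * buffer in AuxTest is freed before it returns), so there is nothing to
 * release here; it only logs.
 */
VOID DriverUnload(PDRIVER_OBJECT driver)
{
    UNREFERENCED_PARAMETER(driver);
    KdPrint(("first:our driver is unloading...\r\n"));
}

/*
 * TRUE when the byte range [rva, rva + size) lies inside the image as
 * declared by OptionalHeader.SizeOfImage. The end is computed in 64 bits
 * so a corrupt RVA/size pair cannot wrap a 32-bit addition and pass.
 */
static BOOLEAN RvaRangeInImage(PIMAGE_NT_HEADERS ntHeader, ULONG rva, ULONGLONG size)
{
    ULONGLONG end = (ULONGLONG)rva + size;
    return (end <= ntHeader->OptionalHeader.SizeOfImage) ? TRUE : FALSE;
}

/*
 * Print every named export of the image mapped at imageBase.
 *
 * imageBase: base of a module whose first page the caller has already
 *            probed with MmIsAddressValid. Headers and tables are read
 *            straight from the mapped image, so every RVA taken from them
 *            is range-checked against SizeOfImage before it is followed;
 *            a damaged export directory must not make this routine read
 *            outside the module.
 *
 * Returns STATUS_INVALID_IMAGE_FORMAT when the headers or tables are not
 * usable, STATUS_SUCCESS otherwise (including "module has no exports").
 *
 * Note: MmIsAddressValid only reports whether the page holding the given
 * address is resident right now; it says nothing about the rest of a
 * structure that straddles a page boundary, so it is used here as a
 * cheap filter, not as a guarantee.
 */
NTSTATUS ExpList(PVOID imageBase)
{
    NTSTATUS status = STATUS_SUCCESS;
    PIMAGE_DOS_HEADER dosHeader = (PIMAGE_DOS_HEADER)imageBase;
    PIMAGE_NT_HEADERS ntHeader;
    PIMAGE_DATA_DIRECTORY exportDataDirectory;
    PIMAGE_EXPORT_DIRECTORY exportDirectory;
    PIMAGE_EXPORT_DIRECTORY auxDirectory;
    PULONG funcRvaArray;
    PUSHORT ordArray;
    PULONG nameArray;
    ULONGLONG exportStart;
    ULONGLONG exportEnd;
    ULONG index;

    if (IMAGE_DOS_SIGNATURE != dosHeader->e_magic) {
        KdPrint(("No Dos header!\n"));
        return STATUS_INVALID_IMAGE_FORMAT;
    }

    // e_lfanew comes from the image itself and is signed; the NT header may
    // also live on a different page than the DOS header, so probe it first.
    if (dosHeader->e_lfanew < 0) {
        KdPrint(("Not Nt file!\n"));
        return STATUS_INVALID_IMAGE_FORMAT;
    }
    ntHeader = (PIMAGE_NT_HEADERS)PtrFromRva(dosHeader, dosHeader->e_lfanew);
    if (!MmIsAddressValid(ntHeader) || IMAGE_NT_SIGNATURE != ntHeader->Signature) {
        KdPrint(("Not Nt file!\n"));
        return STATUS_INVALID_IMAGE_FORMAT;
    }

    exportDataDirectory = &ntHeader->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT];
    if (exportDataDirectory->VirtualAddress == 0 || exportDataDirectory->Size == 0 ||
        !RvaRangeInImage(ntHeader, exportDataDirectory->VirtualAddress,
                         sizeof(IMAGE_EXPORT_DIRECTORY))) {
        KdPrint(("No export....\n"));
        return status;
    }
    exportDirectory = (PIMAGE_EXPORT_DIRECTORY)PtrFromRva(imageBase,
                                                          exportDataDirectory->VirtualAddress);

    // aux_klib resolves the same directory from the same image; if the two
    // disagree, one view of the image is not what we expect, so say so
    // instead of silently trusting either.
    auxDirectory = AuxKlibGetImageExportDirectory(imageBase);
    if (auxDirectory != exportDirectory) {
        KdPrint(("Export directory mismatch: header %p, aux_klib %p\n",
                 exportDirectory, auxDirectory));
    }

    if (!MmIsAddressValid(exportDirectory) ||
        exportDirectory->NumberOfFunctions == 0 ||
        exportDirectory->AddressOfFunctions == 0 ||
        exportDirectory->AddressOfNameOrdinals == 0 ||
        exportDirectory->AddressOfNames == 0) {
        KdPrint(("No export....\n"));
        return status;
    }

    // Each table must fit inside the image for the count the directory
    // claims, otherwise indexing it would read past the module.
    if (!RvaRangeInImage(ntHeader, exportDirectory->AddressOfFunctions,
                         (ULONGLONG)exportDirectory->NumberOfFunctions * sizeof(ULONG)) ||
        !RvaRangeInImage(ntHeader, exportDirectory->AddressOfNameOrdinals,
                         (ULONGLONG)exportDirectory->NumberOfNames * sizeof(USHORT)) ||
        !RvaRangeInImage(ntHeader, exportDirectory->AddressOfNames,
                         (ULONGLONG)exportDirectory->NumberOfNames * sizeof(ULONG))) {
        KdPrint(("Export tables lie outside the image, skipping\n"));
        return STATUS_INVALID_IMAGE_FORMAT;
    }

    funcRvaArray = (PULONG)PtrFromRva(imageBase, exportDirectory->AddressOfFunctions);
    ordArray = (PUSHORT)PtrFromRva(imageBase, exportDirectory->AddressOfNameOrdinals);
    nameArray = (PULONG)PtrFromRva(imageBase, exportDirectory->AddressOfNames);

    // A function RVA that points back into the export directory is not code
    // but a forwarder string; compute the bounds once, in 64 bits.
    exportStart = exportDataDirectory->VirtualAddress;
    exportEnd = exportStart + exportDataDirectory->Size;

    for (index = 0; index < exportDirectory->NumberOfNames; index++) {
        // The ordinal table holds unbiased indexes into AddressOfFunctions
        // (the biased ordinal is ordArray[index] + Base). The original
        // added Base and subtracted it again; the index is all that matters
        // and it must be below NumberOfFunctions.
        USHORT funcIndex = ordArray[index];
        ULONG nameRva = nameArray[index];
        ULONG funRva;

        if (funcIndex >= exportDirectory->NumberOfFunctions) {
            KdPrint(("Ordinal %lu out of range, skipping\n",
                     (ULONG)funcIndex + exportDirectory->Base));
            continue;
        }
        funRva = funcRvaArray[funcIndex];

        if (funRva >= exportStart && funRva < exportEnd) {
            KdPrint(("It's a forwarders\n"));
            continue;
        }

        // Only the start of the NUL-terminated name is checked; a name that
        // runs past the end of the image is not caught here.
        if (!RvaRangeInImage(ntHeader, nameRva, 1) ||
            !MmIsAddressValid(PtrFromRva(imageBase, nameRva))) {
            KdPrint(("Name RVA %x outside the image, skipping\n", nameRva));
            continue;
        }
        KdPrint(("%4x%s\n", funRva, PtrFromRva(imageBase, nameRva)));
    }

    return status;
}

/*
 * Initialize aux_klib, enumerate the loaded modules and dump the exports
 * of each one.
 *
 * The module list is queried twice: once for the required size, once for
 * the data. Modules may load between the two calls, in which case the
 * second query can fail; that failure is reported, not retried. The
 * buffer is zeroed first so entries the second query did not fill carry a
 * NULL ImageBase and are skipped by the MmIsAddressValid filter.
 *
 * Returns the first failing NTSTATUS, or the status of the data query.
 */
NTSTATUS AuxTest(VOID)
{
    NTSTATUS status;
    ULONG modSize = 0;
    ULONG numOfMod;
    AUX_MODULE_EXTENDED_INFO *mod;
    ULONG i;
    PVOID imageBase;

    KdPrint(("aux_klib testing ... \n"));

    status = AuxKlibInitialize();
    if (!NT_SUCCESS(status)) {
        KdPrint(("AuxKlibInitialize failed!\n"));
        return status;
    }

    status = AuxKlibQueryModuleInformation(&modSize, sizeof(AUX_MODULE_EXTENDED_INFO), NULL);
    if (!NT_SUCCESS(status) || modSize == 0) {
        KdPrint(("First query failed!\n"));
        return status;
    }
    numOfMod = modSize / sizeof(AUX_MODULE_EXTENDED_INFO);

    mod = (AUX_MODULE_EXTENDED_INFO *)ExAllocatePoolWithTag(PagedPool, modSize, TAG);
    if (mod == NULL) {
        status = STATUS_INSUFFICIENT_RESOURCES;
        KdPrint(("Insufficient resouces!\n"));
        return status;
    }
    RtlZeroMemory(mod, modSize);

    status = AuxKlibQueryModuleInformation(&modSize, sizeof(AUX_MODULE_EXTENDED_INFO), mod);
    if (!NT_SUCCESS(status)) {
        KdPrint(("Query failed!\n"));
        goto cleanup;
    }

    for (i = 0; i < numOfMod; i++) {
        KdPrint(("Load order:%lu\n", i));
        KdPrint(("filename:%s\n", mod[i].FullPathName + mod[i].FileNameOffset));
        KdPrint(("imagebase:%p\n", mod[i].BasicInfo.ImageBase));
        KdPrint(("imagesize:0x%08x\n", mod[i].ImageSize));
        KdPrint(("\n"));

        imageBase = mod[i].BasicInfo.ImageBase;
        // Skip modules whose first page is not resident; see the note on
        // MmIsAddressValid above ExpList for what this does and does not prove.
        if (!MmIsAddressValid(imageBase)) {
            continue;
        }
        ExpList(imageBase);
    }

cleanup:
    ExFreePoolWithTag(mod, TAG);
    return status;
}

/*
 * DriverEntry: the module's entry point, the equivalent of main.
 * Registers the unload routine and runs the export-table dump once.
 * The dump's result is deliberately not propagated: a failed enumeration
 * should not prevent the driver from loading.
 */
NTSTATUS DriverEntry(PDRIVER_OBJECT driver, PUNICODE_STRING reg_path)
{
    UNREFERENCED_PARAMETER(reg_path);

    // An unload routine lets the driver be stopped cleanly.
    driver->DriverUnload = DriverUnload;
#if DBG
    DbgBreakPoint();
#endif
    // "Hello, world" gets mocked by the masters, so print something else.
    KdPrint(("First:hello, my salary!\r\n"));
    AuxTest();
    return STATUS_SUCCESS;
}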
Win7 x64 kernel-mode programming: listing the export table