#define SystemModuleInformation 11   /* SYSTEM_INFORMATION_CLASS value used by every query below */
/*
 * Buffer layout expected from NtQuerySystemInformation(SystemModuleInformation):
 * a record count followed by module records. SYSTEM_MODULE_INFORMATION is not
 * defined on this page (undocumented NT structure); the code below reads its
 * Base, ImageName and ModuleNameOffset members.
 *
 * NOTE: this typedef holds a single record `smi` and names the count
 * `NumberOfModules`. FoundSystemModule() further down indexes `smi[0]` and
 * reads `dwNumberOfModules`, so it was written against a different MODULES
 * definition (an array of records). The two snippets on this page do not
 * compile against the same typedef as pasted.
 */
typedef struct
{
ULONG NumberOfModules;           /* number of records that follow */
SYSTEM_MODULE_INFORMATION smi;   /* first record; the kernel image is entry 0 */
} MODULES, *PMODULES;
/*
 * Hand-written prototype for the native system-service call (an ntoskrnl
 * export that the public DDK headers do not declare).
 *
 * From kernel mode the variant Microsoft documents for drivers is
 * ZwQuerySystemInformation: per the Nt-vs-Zw documentation the Zw stub sets
 * PreviousMode to KernelMode, while the Nt entry keeps the calling thread's
 * previous mode, so a kernel-address buffer fails probing when the call is
 * reached on behalf of a user-mode request. FoundSystemModule() below uses Zw;
 * the snippet directly below this prototype uses Nt and is therefore only safe
 * from a kernel-mode thread (e.g. DriverEntry) — confirm for the actual caller.
 */
NTSYSAPI
NTSTATUS
NTAPI
NtQuerySystemInformation(
IN ULONG SysInfoClass,            /* SYSTEM_INFORMATION_CLASS; SystemModuleInformation (11) here */
IN OUT PVOID SystemInformation,   /* caller buffer of SystemInformationLength bytes */
IN ULONG SystemInformationLength,
OUT PULONG RetLen                 /* optional (passed NULL below); receives the required size on STATUS_INFO_LENGTH_MISMATCH */
);
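/*
 * Resolve the base address of the running kernel image (ntkrnlpa.exe or
 * ntoskrnl.exe) through NtQuerySystemInformation(SystemModuleInformation).
 * The kernel is reported as the first module, so only `smi` (entry 0 of the
 * MODULES typedef above) is read. This run of statements sits inside an
 * enclosing function that is not on this page; each early return hands that
 * function an NTSTATUS.
 *
 * Fixes relative to the original: the pool block was never released once the
 * base had been read (one leak per call); Base was narrowed through (ULONG)
 * before being stored in a PUCHAR (an int->pointer conversion that truncates
 * on 64-bit); and a first call that "succeeded" would have read module data
 * out of the 4-byte probe buffer on the stack.
 */
PUCHAR BaseAddress = NULL;
NTSTATUS ntStatus;
PMODULES pModules;
ULONG NeededSize = 0;   /* only meaningful after STATUS_INFO_LENGTH_MISMATCH */

/* Size probe: the pointer variable itself serves as a 4-byte dummy buffer. The
 * call is expected to fail with STATUS_INFO_LENGTH_MISMATCH and fill NeededSize. */
pModules = (PMODULES)&pModules;
ntStatus = NtQuerySystemInformation(SystemModuleInformation, pModules, 4, &NeededSize);
if(ntStatus == STATUS_INFO_LENGTH_MISMATCH)
{
    pModules = (PMODULES)ExAllocatePool(PagedPool, NeededSize);
    if(!pModules)
    {
        return STATUS_INSUFFICIENT_RESOURCES;
    }
    /* Second call with a correctly sized buffer; RetLen is optional here. */
    ntStatus = NtQuerySystemInformation(SystemModuleInformation, pModules, NeededSize, NULL);
    if(!NT_SUCCESS(ntStatus))
    {
        ExFreePool(pModules);
        return ntStatus;
    }
}
if(!NT_SUCCESS(ntStatus))
{
    return ntStatus;
}
if(pModules == (PMODULES)&pModules)
{
    /* The probe call returned success into the 4-byte dummy: there is no
     * module record to read, so do not touch smi. */
    return STATUS_UNSUCCESSFUL;
}
BaseAddress = (PUCHAR)pModules->smi.Base;
/* Everything needed has been copied out; release the pool here. Nothing after
 * this point may use pModules. */
ExFreePool(pModules);
pModules = NULL;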
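/////////////////////////////////////////////////////////////////////////////////
// Third-party helper, taken from: http://forum.eviloctal.com/thread-34640-1-1.html
// Returns the base address of a kernel module.
//
// bKernel     : TRUE  -> return the base of the first listed module (the kernel
//                        image itself) and copy its file name into sysFileName.
//               FALSE -> look up the module whose file name matches sysFileName
//                        (case-insensitive) and return its base.
// sysFileName : caller-owned, NUL-terminated buffer. When bKernel is TRUE it is
//               written with strcpy() and no size is passed, so it must be large
//               enough for the full image name (the caller on this page provides
//               a fixed char array; the kernel-side name field may be larger —
//               verify against the MODULES definition actually used).
// Returns 0 on any failure. The DWORD return truncates a 64-bit base address,
// so as written this helper is 32-bit only.
//
// NOTE: this function expects a MODULES typedef whose count is named
// dwNumberOfModules and whose smi member is an array of records (smi[i]); the
// typedef at the top of this page has NumberOfModules and a single smi, so the
// two do not match.
//
// Fixes relative to the original: the ExAllocatePool() result was dereferenced
// without a NULL check, the pool block was never freed on any path (one leak per
// call), and the loop body read `smi.` without an index (the `[i]` was lost in
// the paste), which cannot compile against an array member.
DWORD FoundSystemModule(BOOL bKernel,char *sysFileName)
{
    DWORD dwNeededSize = 0;
    NTSTATUS rc;
    PMODULES pModules = (PMODULES)&pModules;   /* 4-byte dummy for the size probe */
    PCHAR pKernelName;
    DWORD kernelBase = 0;
    DWORD i;

    /* Size probe: only dwNeededSize is of interest; anything other than a
     * length mismatch means the query is unusable. */
    rc = ZwQuerySystemInformation(SystemModuleInformation, pModules, 4, &dwNeededSize);
    if (rc != STATUS_INFO_LENGTH_MISMATCH)
    {
        DbgPrint("ZwQuerySystemInformation failed");
        return 0;
    }

    pModules = (PMODULES)ExAllocatePool(PagedPool, dwNeededSize);
    if (pModules == NULL)
    {
        DbgPrint("ExAllocatePool failed");
        return 0;
    }

    rc = ZwQuerySystemInformation(SystemModuleInformation, pModules, dwNeededSize, NULL);
    if (!NT_SUCCESS(rc))
    {
        DbgPrint("ZwQuerySystemInformation failed");
        ExFreePool(pModules);
        return 0;
    }

    if (bKernel)
    {
        /* Entry 0 is the kernel image. ModuleNameOffset is the offset of the
         * file-name part inside the full ImageName path. */
        pKernelName = pModules->smi[0].ModuleNameOffset + pModules->smi[0].ImageName;
        strcpy(sysFileName, pKernelName);   /* unbounded copy: see the contract above */
        kernelBase = (DWORD)pModules->smi[0].Base;
    }
    else
    {
        for (i = 0; i < pModules->dwNumberOfModules; i++)
        {
            pKernelName = pModules->smi[i].ModuleNameOffset + pModules->smi[i].ImageName;
            if (_stricmp(pKernelName, sysFileName) == 0)
            {
                kernelBase = (DWORD)pModules->smi[i].Base;
                break;
            }
        }
    }

    /* Single exit: the module list is no longer needed once the base is known. */
    ExFreePool(pModules);
    return kernelBase;
}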
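// Caller
// Uses FoundSystemModule() to learn which kernel image is running and builds
// its NT object path. These statements sit inside an enclosing function that is
// not on this page; it returns a BOOLEAN-style value and owns the UNICODE_STRING
// `kernelFileName` initialised here.
//
// Fixes relative to the original: systemFile is filled by an unbounded strcpy()
// inside FoundSystemModule(), so the buffer is sized generously rather than at
// 80 bytes (the kernel-side name field is conventionally 256 bytes — verify
// against the MODULES definition actually used); and the image path no longer
// hard-codes \Device\HarddiskVolume1\Windows, which is wrong on any machine
// whose system volume is not HarddiskVolume1. \SystemRoot is the object-manager
// link to the running Windows directory and resolves regardless of layout.
char systemFile[256];
DWORD kernelBase;
kernelBase = FoundSystemModule(TRUE, systemFile);
if (kernelBase == 0)
{
    DbgPrint("get kernel base failed\n");
    return FALSE;
}
if (_stricmp(systemFile, "ntkrnlpa.exe") == 0)
{
    RtlInitUnicodeString(&kernelFileName, L"\\SystemRoot\\System32\\ntkrnlpa.exe");
}
else if (_stricmp(systemFile, "ntoskrnl.exe") == 0)
{
    RtlInitUnicodeString(&kernelFileName, L"\\SystemRoot\\System32\\ntoskrnl.exe");
}
else
{
    // Any other reported image name is not handled by this code.
    return FALSE;
}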