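#include "stdafx.h"
#include "hook64.h"

#include <windows.h>
#include <winternl.h>

#include <tlhelp32.h>
#include <tchar.h>   /* _tcsicmp; included explicitly so the file does not rely on stdafx.h for it */

#pragma comment(lib, "ntdll")

/*
extern "C"
{
    NTSYSAPI
    PVOID
    NTAPI
    RtlCreateQueryDebugBuffer(
        IN ULONG Size,
        IN BOOLEAN EventPair
    );

    NTSYSAPI
    NTSTATUS
    NTAPI
    RtlDestroyQueryDebugBuffer(IN PVOID DebugBuffer);

    NTSYSAPI
    NTSTATUS
    NTAPI
    RtlQueryProcessDebugInformation(
        IN ULONG ProcessId,
        IN ULONG DebugInfoClassMask,
        IN OUT PVOID DebugBuffer
    );
}

template <typename PVOID_NATIVE> class ModuleFinder
{
public:
    //Structure definitions from here: http://native-nt-toolkit.googlecode.com/svn/trunk/ndk/rtltypes.h
    typedef struct _RTL_PROCESS_MODULE_INFORMATION
    {
        ULONG Section;
        PVOID_NATIVE MappedBase;
        PVOID_NATIVE ImageBase;
        ULONG ImageSize;
        ULONG Flags;
        USHORT LoadOrderIndex;
        USHORT InitOrderIndex;
        USHORT LoadCount;
        USHORT OffsetToFileName;
        CHAR FullPathName[256];
    } RTL_PROCESS_MODULE_INFORMATION, *PRTL_PROCESS_MODULE_INFORMATION;

    typedef struct _RTL_PROCESS_MODULES
    {
        ULONG NumberOfModules;
        RTL_PROCESS_MODULE_INFORMATION Modules[1];
    } RTL_PROCESS_MODULES, *PRTL_PROCESS_MODULES;

    typedef struct _RTL_PROCESS_MODULE_INFORMATION_EX
    {
        ULONG NextOffset;
        RTL_PROCESS_MODULE_INFORMATION BaseInfo;
        ULONG ImageCheckSum;
        ULONG TimeDateStamp;
        PVOID_NATIVE DefaultBase;
    } RTL_PROCESS_MODULE_INFORMATION_EX, *PRTL_PROCESS_MODULE_INFORMATION_EX;

    typedef struct _RTL_DEBUG_INFORMATION
    {
        PVOID_NATIVE SectionHandleClient;
        PVOID_NATIVE ViewBaseClient;
        PVOID_NATIVE ViewBaseTarget;
        PVOID_NATIVE ViewBaseDelta;
        PVOID_NATIVE EventPairClient;
        PVOID_NATIVE EventPairTarget;
        PVOID_NATIVE TargetProcessId;
        PVOID_NATIVE TargetThreadHandle;
        PVOID_NATIVE Flags;
        PVOID_NATIVE OffsetFree;
        PVOID_NATIVE CommitSize;
        PVOID_NATIVE ViewSize;
        union
        {
            PRTL_PROCESS_MODULES Modules;
            PVOID_NATIVE ModulesEx;
        };
        PVOID_NATIVE BackTraces;
        PVOID_NATIVE Heaps;
        PVOID_NATIVE Locks;
        HANDLE SpecificHeap;
        HANDLE TargetProcessHandle;
        PVOID_NATIVE VerifierOptions;
        HANDLE ProcessHeap;
        HANDLE CriticalSectionHandle;
        HANDLE CriticalSectionOwnerThread;
        PVOID_NATIVE Reserved[4];
    } RTL_DEBUG_INFORMATION, *PRTL_DEBUG_INFORMATION;


    static ULONGLONG GetRemoteModuleHandle64Aware(unsigned PID, LPCSTR lpModuleName, bool ShortName)
    {
        PRTL_DEBUG_INFORMATION pDbg = (PRTL_DEBUG_INFORMATION)RtlCreateQueryDebugBuffer(0, FALSE);
        NTSTATUS st = RtlQueryProcessDebugInformation(PID, 1, pDbg);
        if (st != 0)
            return 0;
        for (unsigned i = 0 ; i < pDbg->Modules->NumberOfModules; i++)
        {
            bool match;
            if (ShortName)
                match = !_stricmp(pDbg->Modules->Modules[i].FullPathName + pDbg->Modules->Modules[i].OffsetToFileName, lpModuleName);
            else
                match = !_stricmp(pDbg->Modules->Modules[i].FullPathName, lpModuleName);

            if (match)
            {
                ULONGLONG base = (ULONGLONG)pDbg->Modules->Modules[i].ImageBase;
                RtlDestroyQueryDebugBuffer(pDbg);
                return base;
            }
        }
        RtlDestroyQueryDebugBuffer(pDbg);
        return 0LL;
    }
};
*/

/*
 * Look up the load address of a module inside another process.
 *
 * Takes a Toolhelp module snapshot of process PID and walks it, comparing
 * each entry case-insensitively against lpModuleName:
 *   ShortName == true  -> compare against MODULEENTRY32::szModule (file name only)
 *   ShortName == false -> compare against MODULEENTRY32::szExePath (full path)
 *
 * Returns the module base (modBaseAddr) widened to ULONGLONG, or 0 when the
 * module is not present, lpModuleName is NULL, or the snapshot could not be
 * taken (e.g. access denied to the target, or - per the Toolhelp docs - a
 * 32-bit caller snapshotting a 64-bit target). 0 is an in-band sentinel;
 * callers must check for it before using the address.
 *
 * Caveats a caller should know:
 *   - The snapshot is a point-in-time copy; the module may be unloaded or
 *     relocated by the time the returned base is used (TOCTOU).
 *   - NOTE(review): TH32CS_SNAPMODULE alone does not list the 32-bit modules
 *     of a WoW64 target when the caller is 64-bit; TH32CS_SNAPMODULE32 would be
 *     needed for that. Whether this function is expected to resolve those is
 *     not visible here, so the flags are left unchanged - confirm with callers.
 */
ULONGLONG GetRemoteModuleHandle64Aware(unsigned PID, LPCTSTR lpModuleName, bool ShortName)
{
    /* _tcsicmp on a NULL string is undefined behaviour; treat it as "not found". */
    if (lpModuleName == NULL)
        return 0;

    /*
     * CreateToolhelp32Snapshot with TH32CS_SNAPMODULE can transiently fail with
     * ERROR_BAD_LENGTH (the documented advice is to retry); any other failure,
     * including ERROR_ACCESS_DENIED, is final. The original code never checked
     * the handle and walked a zeroed MODULEENTRY32 on failure.
     */
    HANDLE hSnap = INVALID_HANDLE_VALUE;
    for (int attempt = 0; attempt < 8; ++attempt)
    {
        hSnap = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, PID);
        if (hSnap != INVALID_HANDLE_VALUE || GetLastError() != ERROR_BAD_LENGTH)
            break;
    }
    if (hSnap == INVALID_HANDLE_VALUE)
        return 0;

    ULONGLONG base = 0;
    MODULEENTRY32 mod = {0,};
    mod.dwSize = sizeof(mod);   /* required by Module32First/Module32Next */

    /* Only walk entries that Module32First/Next actually filled in. */
    for (BOOL ok = Module32First(hSnap, &mod); ok; ok = Module32Next(hSnap, &mod))
    {
        LPCTSTR candidate = ShortName ? mod.szModule : mod.szExePath;
        if (_tcsicmp(candidate, lpModuleName) == 0)
        {
            /*
             * Go through ULONG_PTR first: in a 32-bit build a direct pointer ->
             * ULONGLONG cast is sign-extended by MSVC (warning C4826), so a base
             * at or above 0x80000000 (possible in large-address-aware targets)
             * would come back as 0xFFFFFFFF8xxxxxxx.
             */
            base = (ULONGLONG)(ULONG_PTR)mod.modBaseAddr;
            break;
        }
    }

    /* Single exit so the snapshot handle is closed on every path. */
    CloseHandle(hSnap);
    return base;
    //return ModuleFinder<PVOID>::GetRemoteModuleHandle64Aware(PID, lpModuleName, ShortName);
}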