Code archive: enumerating the DLLs loaded by a process without PSAPI

I pulled another snippet out of my code archive, one I once used to find out which DLLs a process has loaded.

Original source

At least it works on W2K and WinXP... I haven't tried Vista yet.

Why would anyone need this code... for instance, I once wrote a PC security program and needed to check that no trojan DLLs were being loaded into my process. The bad guys know how to tamper with PSAPI, but they get stuck on undocumented stuff.

Everyone knows PSAPI, of course.

CreateToolhelp32Snapshot + Module32First + Module32Next etc.

Here is the listing of the alternative code...


program procexpl;
{$APPTYPE CONSOLE}

// Ingmar Tammeväli
// http://ingmar.planet.ee

uses
  SysUtils, Windows;

type
  // One entry of the module list returned in the debug buffer (32-bit layout).
  PDebugModule = ^TDebugModule;
  TDebugModule = packed record
    Reserved: array [0..1] of Cardinal;
    Base: Cardinal;
    Size: Cardinal;
    Flags: Cardinal;
    Index: Word;
    Unknown: Word;
    LoadCount: Word;
    ModuleNameOffset: Word;
    ImageName: array [0..$FF] of AnsiChar; // the native structure stores an ANSI path
  end;

  PDebugModuleInformation = ^TDebugModuleInformation;
  TDebugModuleInformation = record
    Count: Cardinal;
    Modules: array [0..0] of TDebugModule; // Count entries follow in memory
  end;

  // Buffer allocated by RtlCreateQueryDebugBuffer (32-bit layout).
  PDebugBuffer = ^TDebugBuffer;
  TDebugBuffer = record
    SectionHandle: THandle;
    SectionBase: Pointer;
    RemoteSectionBase: Pointer;
    SectionBaseDelta: Cardinal;
    EventPairHandle: THandle;
    Unknown: array [0..1] of Cardinal;
    RemoteThreadHandle: THandle;
    InfoClassMask: Cardinal;
    SizeOfInfo: Cardinal;
    AllocatedSize: Cardinal;
    SectionSize: Cardinal;
    ModuleInformation: PDebugModuleInformation;
    BackTraceInformation: Pointer;
    HeapInformation: Pointer;
    LockInformation: Pointer;
    Reserved: array [0..7] of Pointer;
  end;

  // Prototypes of the undocumented ntdll exports.
  TFNRtlCreateQueryDebugBuffer = function(Size: Cardinal; EventPair: Boolean): PDebugBuffer; stdcall;
  TFNRtlQueryProcessDebugInformation = function(ProcessId, DebugInfoClassMask: Cardinal; var DebugBuffer: TDebugBuffer): Integer; stdcall;
  TFNRtlDestroyQueryDebugBuffer = function(DebugBuffer: PDebugBuffer): Integer; stdcall;

procedure kuvaLaetudDllid(const procID: DWORD);
const
  PDI_MODULES = $01; // request only the module list
var
  HNtDll: HMODULE;
  RtlCreateQueryDebugBuffer: TFNRtlCreateQueryDebugBuffer;
  RtlQueryProcessDebugInformation: TFNRtlQueryProcessDebugInformation;
  RtlDestroyQueryDebugBuffer: TFNRtlDestroyQueryDebugBuffer;
  DbgBuffer: PDebugBuffer;
  Loop: Integer;
begin
  HNtDll := 0;
  try
    try
      HNtDll := LoadLibrary('ntdll.dll');
      if HNtDll = 0 then
        RaiseLastWin32Error;

      // The functions are not in the import libraries, so resolve them at run time.
      RtlCreateQueryDebugBuffer := GetProcAddress(HNtDll, 'RtlCreateQueryDebugBuffer');
      if not Assigned(RtlCreateQueryDebugBuffer) then
        Exit;
      RtlQueryProcessDebugInformation := GetProcAddress(HNtDll, 'RtlQueryProcessDebugInformation');
      if not Assigned(RtlQueryProcessDebugInformation) then
        Exit;
      RtlDestroyQueryDebugBuffer := GetProcAddress(HNtDll, 'RtlDestroyQueryDebugBuffer');
      if not Assigned(RtlDestroyQueryDebugBuffer) then
        Exit;

      DbgBuffer := RtlCreateQueryDebugBuffer(0, False);
      if Assigned(DbgBuffer) then
      try
        // Return value is an NTSTATUS: negative means failure.
        if RtlQueryProcessDebugInformation(procID, PDI_MODULES, DbgBuffer^) >= 0 then
          if DbgBuffer^.ModuleInformation^.Count < 255 then
            for Loop := 0 to Integer(DbgBuffer^.ModuleInformation^.Count) - 1 do
              with DbgBuffer^.ModuleInformation^.Modules[Loop] do
                writeln('Aadress:' + IntToHex(Base, 12) + ';' + string(PAnsiChar(@ImageName)));
      finally
        RtlDestroyQueryDebugBuffer(DbgBuffer);
      end;
    finally
      if HNtDll <> 0 then
        FreeLibrary(HNtDll);
    end;
  except
    // errors are swallowed on purpose; the listing simply stays empty
  end;
end;

begin
  writeln('Laetud DLLid ...');
  writeln;
  // PID of some process; here the program itself
  kuvaLaetudDllid(Windows.GetCurrentProcessId);
  readln;
end.
