1. kd> dt _driver_object
  2. ntdll!_DRIVER_OBJECT
  3.    +0x000 Type             : Int2B
  4.    +0x002 Size             : Int2B
  5.    +0x004 DeviceObject     : Ptr32 _DEVICE_OBJECT
  6.    +0x008 Flags            : Uint4B
  7.    +0x00c DriverStart      : Ptr32 Void
  8.    +0x010 DriverSize       : Uint4B
  9.    +0x014 DriverSection    : Ptr32 Void
  10.    +0x018 DriverExtension  : Ptr32 _DRIVER_EXTENSION
  11.    +0x01c DriverName       : _UNICODE_STRING
  12.    +0x024 HardwareDatabase : Ptr32 _UNICODE_STRING
  13.    +0x028 FastIoDispatch   : Ptr32 _FAST_IO_DISPATCH
  14.    +0x02c DriverInit       : Ptr32     long 
  15.    +0x030 DriverStartIo    : Ptr32     void 
  16.    +0x034 DriverUnload     : Ptr32     void 
  17.    +0x038 MajorFunction    : [28] Ptr32     long 
  19. +0x014 DriverSection    : Ptr32 Void
  20. 类似3peb

list module

  1. #include <ntifs.h>
  3. //0x78 bytes (sizeof)
  4. typedef struct _KLDR_DATA_TABLE_ENTRY32 {
  5.     LIST_ENTRY32 InLoadOrderLinks;
  6.     ULONG __Undefined1;
  7.     ULONG __Undefined2;
  8.     ULONG __Undefined3;
  9.     ULONG NonPagedDebugInfo;
  10.     ULONG DllBase;
  11.     ULONG EntryPoint;
  12.     ULONG SizeOfImage;
  13.     UNICODE_STRING32 FullDllName;
  14.     UNICODE_STRING32 BaseDllName;
  15.     ULONG Flags;
  16.     USHORT LoadCount;
  17.     USHORT __Undefined5;
  18.     ULONG  __Undefined6;
  19.     ULONG  CheckSum;
  20.     ULONG  TimeDateStamp;
  22.     //
  23.     // NOTE : Do not grow this structure at the dump files used a packed
  24.     // array of these structures.
  25.     //
  27. } KLDR_DATA_TABLE_ENTRY32, * PKLDR_DATA_TABLE_ENTRY32;
  29. VOID Unload(PDRIVER_OBJECT DriverObject) {
  32.     KdPrint(("driver unloaded\r\n"));
  34. }
  38. NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject,IN PUNICODE_STRING RegisteryPath) {
  40.     NTSTATUS status;
  41.     DriverObject->DriverUnload = Unload;
  43.     DbgBreakPoint();
  44.     PKLDR_DATA_TABLE_ENTRY32 ldr = (PKLDR_DATA_TABLE_ENTRY32)DriverObject->DriverSection;
  45.     PKLDR_DATA_TABLE_ENTRY32 pre = (PKLDR_DATA_TABLE_ENTRY32)ldr->InLoadOrderLinks.Flink;
  46.     PKLDR_DATA_TABLE_ENTRY32 next = (PKLDR_DATA_TABLE_ENTRY32)pre->InLoadOrderLinks.Flink;
  47.     int count = 0;
  48.     while(next!=pre)
  49.     {
  50.         DbgPrintEx(77, 0, "[db]:%d driver name = %wZ\r\n", count++, &next->FullDllName);
  51.         next = (PKLDR_DATA_TABLE_ENTRY32)next->InLoadOrderLinks.Flink;
  52.     }
  54.     DbgBreakPoint();
  58.     return STATUS_SUCCESS;
  59. }

hide

  1. #include <ntifs.h>
  3. //0x78 bytes (sizeof)
  4. typedef struct _KLDR_DATA_TABLE_ENTRY {
  5.     LIST_ENTRY InLoadOrderLinks;
  6.     ULONG __Undefined1;
  7.     ULONG __Undefined2;
  8.     ULONG __Undefined3;
  9.     ULONG NonPagedDebugInfo;
  10.     ULONG DllBase;
  11.     ULONG EntryPoint;
  12.     ULONG SizeOfImage;
  13.     UNICODE_STRING FullDllName;
  14.     UNICODE_STRING BaseDllName;
  15.     ULONG Flags;
  16.     USHORT LoadCount;
  17.     USHORT __Undefined5;
  18.     ULONG  __Undefined6;
  19.     ULONG  CheckSum;
  20.     ULONG  TimeDateStamp;
  22.     //
  23.     // NOTE : Do not grow this structure at the dump files used a packed
  24.     // array of these structures.
  25.     //
  27. } KLDR_DATA_TABLE_ENTRY, * PKLDR_DATA_TABLE_ENTRY;
  30. NTKERNELAPI
  31. NTSTATUS
  32. ObReferenceObjectByName(
  33.     __in PUNICODE_STRING ObjectName,
  34.     __in ULONG Attributes,
  35.     __in_opt PACCESS_STATE AccessState,
  36.     __in_opt ACCESS_MASK DesiredAccess,
  37.     __in POBJECT_TYPE ObjectType,
  38.     __in KPROCESSOR_MODE AccessMode,
  39.     __inout_opt PVOID ParseContext,
  40.     __out PVOID* Object
  41. );
  43. VOID Unload(PDRIVER_OBJECT DriverObject) {
  46.     KdPrint(("driver unloaded\r\n"));
  48. }
  50. extern POBJECT_TYPE * IoDriverObjectType;
  53. NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject,IN PUNICODE_STRING RegisteryPath) {
  55.     NTSTATUS status;
  56.     DriverObject->DriverUnload = Unload;
  58.     DbgBreakPoint();
  59.     PKLDR_DATA_TABLE_ENTRY ldr = (PKLDR_DATA_TABLE_ENTRY)DriverObject->DriverSection;
  60.     PKLDR_DATA_TABLE_ENTRY pre = (PKLDR_DATA_TABLE_ENTRY)ldr->InLoadOrderLinks.Flink;
  61.     PKLDR_DATA_TABLE_ENTRY next = (PKLDR_DATA_TABLE_ENTRY)pre->InLoadOrderLinks.Flink;
  62.     int count = 0;
  64.     UNICODE_STRING driverName1 = RTL_CONSTANT_STRING(L"helloDriver.sys");
  65.     UNICODE_STRING driverName = RTL_CONSTANT_STRING(L"\\driver\\helloDriver.sys");
  66.     while(next!=pre)
  67.     {
  68.         DbgPrintEx(77, 0, "[db]:%d driver name = %wZ\r\n", count++, &next->FullDllName);
  70.         if (RtlEqualUnicodeString(&next->BaseDllName,&driverName,TRUE))
  71.         {
  72.             DbgPrintEx(77, 0, "driver remove %wZ\r\n", &next->FullDllName);
  73.             PDRIVER_OBJECT pDriver = NULL;
  74.             status = ObReferenceObjectByName(&driverName1, FILE_ALL_ACCESS, 0, 0, *IoDriverObjectType, KernelMode, NULL, &pDriver);
  75.             pDriver->DriverSection = ldr->InLoadOrderLinks.Flink;
  76.             RemoveEntryList(&next->InLoadOrderLinks);
  77.             if (NT_SUCCESS(status))
  78.             {
  79.                 pDriver->DriverInit = NULL;
  80.                 pDriver->Type = 0;
  82.             }
  83.             ObDereferenceObject(pDriver);
  85.             break;
  87.         }
  91.         next = (PKLDR_DATA_TABLE_ENTRY)next->InLoadOrderLinks.Flink;
  92.     }
  94.     DbgBreakPoint();
  98.     return STATUS_SUCCESS;
  99. }