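        /// <summary>
        /// Enumerates the modules loaded by the kernel.
        /// </summary>
        /// <param name="enumCallback">
        /// A callback invoked once per kernel module. Returning <c>false</c> from the
        /// callback stops the enumeration early.
        /// </param>
        /// <exception cref="System.ArgumentNullException">
        /// <paramref name="enumCallback"/> is <c>null</c>.
        /// </exception>
        /// <remarks>
        /// The module list is read with <c>SystemModuleInformation</c> into the shared
        /// <c>_kernelModulesBuffer</c>. When the kernel reports the buffer as too small,
        /// the buffer is re-created at the size the kernel asked for and the query is
        /// retried. Drivers can load between two calls, so the retry is repeated a
        /// bounded number of times instead of exactly once; any status that is still
        /// an error after that is thrown via <c>Win32.Throw</c>.
        /// </remarks>
        public static void EnumKernelModules(EnumKernelModulesDelegate enumCallback)
        {
            if (enumCallback == null)
            {
                throw new System.ArgumentNullException("enumCallback");
            }

            // The buffer is lazily allocated and reused across calls. Nothing here
            // serializes access, so concurrent callers would share and resize the same
            // buffer -- NOTE(review): callers are presumably expected to serialize; confirm.
            if (_kernelModulesBuffer == null)
            {
                _kernelModulesBuffer = new MemoryAlloc(0x1000);
            }

            NtStatus  status;
            int       retLength;
            const int maxRetries = 4;

            for (int attempt = 0; ; attempt++)
            {
                status = Win32.NtQuerySystemInformation(
                    SystemInformationClass.SystemModuleInformation,
                    _kernelModulesBuffer,
                    _kernelModulesBuffer.Size,
                    out retLength
                    );

                // Any outcome other than "buffer too small" is final; so is running out
                // of retries, in which case the error check below throws.
                if (status != NtStatus.InfoLengthMismatch || attempt >= maxRetries)
                {
                    break;
                }

                // retLength is the size the kernel needed at the time of this call;
                // it may already be stale by the next call, hence the loop.
                _kernelModulesBuffer.ResizeNew(retLength);
            }

            if (status >= NtStatus.Error)
            {
                Win32.Throw(status);
            }

            // Header first (module count), then the fixed-size entries that follow it.
            RtlProcessModules modules = _kernelModulesBuffer.ReadStruct <RtlProcessModules>();

            for (int i = 0; i < modules.NumberOfModules; i++)
            {
                var module     = _kernelModulesBuffer.ReadStruct <RtlProcessModuleInformation>(RtlProcessModules.ModulesOffset, i);
                var moduleInfo = new Debugging.ModuleInformation(module);

                // Only the file name component of the kernel-reported path is handed out.
                if (!enumCallback(new KernelModule(
                                      moduleInfo.BaseAddress,
                                      moduleInfo.Size,
                                      moduleInfo.Flags,
                                      moduleInfo.BaseName,
                                      FileUtils.GetFileName(moduleInfo.FileName)
                                      )))
                {
                    break;
                }
            }
        }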
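        /// <summary>
        /// Enumerates the modules loaded by the kernel.
        /// </summary>
        /// <param name="enumCallback">
        /// A callback invoked once per kernel module. Returning <c>false</c> from the
        /// callback stops the enumeration early.
        /// </param>
        /// <exception cref="System.ArgumentNullException">
        /// <paramref name="enumCallback"/> is <c>null</c>.
        /// </exception>
        /// <remarks>
        /// The module list is read with <c>SystemModuleInformation</c> into the shared
        /// <c>_kernelModulesBuffer</c>. When the kernel reports the buffer as too small,
        /// the buffer is re-created at the size the kernel asked for and the query is
        /// retried. Drivers can load between two calls, so the retry is repeated a
        /// bounded number of times instead of exactly once; the final status is then
        /// checked with <c>ThrowIf</c>.
        /// </remarks>
        public static void EnumKernelModules(EnumKernelModulesDelegate enumCallback)
        {
            if (enumCallback == null)
                throw new System.ArgumentNullException("enumCallback");

            // Lazily allocated and reused across calls. Nothing here serializes access,
            // so concurrent callers would share and resize the same buffer --
            // NOTE(review): callers are presumably expected to serialize; confirm.
            if (_kernelModulesBuffer == null)
                _kernelModulesBuffer = new MemoryAlloc(0x1000);

            const int maxRetries = 4;
            NtStatus status;
            int retLength;

            for (int attempt = 0; ; attempt++)
            {
                status = Win32.NtQuerySystemInformation(
                    SystemInformationClass.SystemModuleInformation,
                    _kernelModulesBuffer,
                    _kernelModulesBuffer.Size,
                    out retLength
                    );

                // Any outcome other than "buffer too small" is final; so is running out
                // of retries, in which case ThrowIf below reports the error.
                if (status != NtStatus.InfoLengthMismatch || attempt >= maxRetries)
                    break;

                // retLength is the size the kernel needed at the time of this call;
                // it may already be stale by the next call, hence the loop.
                _kernelModulesBuffer.ResizeNew(retLength);
            }

            status.ThrowIf();

            // Header first (module count), then the fixed-size entries that follow it.
            RtlProcessModules modules = _kernelModulesBuffer.ReadStruct<RtlProcessModules>();

            for (int i = 0; i < modules.NumberOfModules; i++)
            {
                var module = _kernelModulesBuffer.ReadStruct<RtlProcessModuleInformation>(RtlProcessModules.ModulesOffset, RtlProcessModuleInformation.SizeOf, i);
                var moduleInfo = new Debugging.ModuleInformation(module);

                // Only the file name component of the kernel-reported path is handed out.
                if (!enumCallback(new KernelModule(
                    moduleInfo.BaseAddress,
                    moduleInfo.Size,
                    moduleInfo.Flags,
                    moduleInfo.BaseName,
                    FileUtils.GetFileName(moduleInfo.FileName)
                    )))
                    break;
            }
        }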