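/// <summary>
/// Enumerates the modules loaded by the kernel.
/// </summary>
/// <param name="enumCallback">
/// A callback invoked once per module. Returning false stops the enumeration.
/// </param>
/// <remarks>
/// The module list is queried into the shared <c>_kernelModulesBuffer</c>. The kernel's
/// module list can grow between the sizing query and the retry, so the query is repeated
/// (up to a fixed bound) while the status is <c>InfoLengthMismatch</c> instead of retrying
/// only once and failing on a second mismatch.
/// NOTE(review): this method takes no lock around <c>_kernelModulesBuffer</c>; concurrent
/// callers, or a callback that re-enters this method, could resize the buffer while it is
/// being read. Confirm how callers serialize access.
/// </remarks>
public static void EnumKernelModules(EnumKernelModulesDelegate enumCallback)
{
    // Bound the retries so a persistently mismatching length cannot spin forever.
    const int maxAttempts = 8;

    NtStatus status;
    int retLength;

    if (_kernelModulesBuffer == null)
    {
        _kernelModulesBuffer = new MemoryAlloc(0x1000);
    }

    status = Win32.NtQuerySystemInformation(
        SystemInformationClass.SystemModuleInformation,
        _kernelModulesBuffer,
        _kernelModulesBuffer.Size,
        out retLength
        );

    // Each mismatch reports the length that was required at that moment; resize to it and
    // query again, since a driver loaded in between makes the previous length stale.
    for (int attempt = 1;
         status == NtStatus.InfoLengthMismatch && attempt < maxAttempts;
         attempt++)
    {
        _kernelModulesBuffer.ResizeNew(retLength);

        status = Win32.NtQuerySystemInformation(
            SystemInformationClass.SystemModuleInformation,
            _kernelModulesBuffer,
            _kernelModulesBuffer.Size,
            out retLength
            );
    }

    // Any remaining error status (including a mismatch after the last attempt) is raised.
    if (status >= NtStatus.Error)
    {
        Win32.Throw(status);
    }

    // The buffer starts with the header that carries the module count.
    RtlProcessModules modules = _kernelModulesBuffer.ReadStruct<RtlProcessModules>();

    for (int i = 0; i < modules.NumberOfModules; i++)
    {
        // Entry i of the module array that begins at ModulesOffset.
        var module = _kernelModulesBuffer.ReadStruct<RtlProcessModuleInformation>(
            RtlProcessModules.ModulesOffset, i);
        var moduleInfo = new Debugging.ModuleInformation(module);

        var kernelModule = new KernelModule(
            moduleInfo.BaseAddress,
            moduleInfo.Size,
            moduleInfo.Flags,
            moduleInfo.BaseName,
            FileUtils.GetFileName(moduleInfo.FileName)
            );

        // The callback decides whether to keep going.
        if (!enumCallback(kernelModule))
        {
            break;
        }
    }
}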
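/// <summary>
/// Enumerates the modules loaded by the kernel.
/// </summary>
/// <param name="enumCallback">
/// A callback invoked once per module. Returning false stops the enumeration.
/// </param>
/// <remarks>
/// The query is repeated (up to a fixed bound) for as long as the status is
/// <c>InfoLengthMismatch</c>. A single retry is not enough: a module loaded between the
/// sizing query and the retry makes the reported length stale, and the enumeration would
/// then fail with a length mismatch although nothing is wrong.
/// NOTE(review): <c>_kernelModulesBuffer</c> is shared and this method does not lock it;
/// confirm that callers serialize access and that callbacks do not re-enter this method.
/// </remarks>
public static void EnumKernelModules(EnumKernelModulesDelegate enumCallback)
{
    // Upper bound on query attempts so a persistently mismatching length cannot loop forever.
    const int maxAttempts = 8;

    int retLength;

    if (_kernelModulesBuffer == null)
        _kernelModulesBuffer = new MemoryAlloc(0x1000);

    NtStatus status;
    int attempts = 0;

    while (true)
    {
        status = Win32.NtQuerySystemInformation(
            SystemInformationClass.SystemModuleInformation,
            _kernelModulesBuffer,
            _kernelModulesBuffer.Size,
            out retLength
            );
        attempts++;

        if (status != NtStatus.InfoLengthMismatch || attempts >= maxAttempts)
            break;

        // Grow to the length the last query asked for, then ask again.
        _kernelModulesBuffer.ResizeNew(retLength);
    }

    // Raises for whatever status is left, including a mismatch after the last attempt.
    status.ThrowIf();

    // The header at the start of the buffer carries the module count.
    RtlProcessModules modules = _kernelModulesBuffer.ReadStruct<RtlProcessModules>();

    for (int i = 0; i < modules.NumberOfModules; i++)
    {
        // Entry i of the module array, addressed by base offset and element size.
        var module = _kernelModulesBuffer.ReadStruct<RtlProcessModuleInformation>(
            RtlProcessModules.ModulesOffset,
            RtlProcessModuleInformation.SizeOf,
            i);
        var moduleInfo = new Debugging.ModuleInformation(module);

        bool keepGoing = enumCallback(new KernelModule(
            moduleInfo.BaseAddress,
            moduleInfo.Size,
            moduleInfo.Flags,
            moduleInfo.BaseName,
            FileUtils.GetFileName(moduleInfo.FileName)
            ));

        if (!keepGoing)
            break;
    }
}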