一份全系统x86x64通用的镜像回调枚举(LoadImageNotify)


只枚举了前八个回调，要枚举更多就要自己定位 PspLoadImageNotifyRoutineCount。其实 x64 上该变量总在 PspLoadImageNotifyRoutine+0x40 的位置，x86 在 +0x20 的位置。

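// Walk the first 8 slots of nt!PspLoadImageNotifyRoutine and print the routine
// address held by each registered load-image callback block.
//
// dynData.PspLoadImageNotifyRoutine must already point at the table (it is
// resolved elsewhere in the driver); when it is NULL the walk is skipped and
// STATUS_NOT_FOUND is returned.
//
// Each slot is a pointer-sized EX_FAST_REF: the low bits carry a reference
// count (4 bits on x64, 3 on x86) and the remaining bits point at a callback
// block whose EX_RUNDOWN_REF is followed by the routine pointer. The table is
// read without any lock or rundown protection, so a callback registered or
// removed concurrently (PsSetLoadImageNotifyRoutine /
// PsRemoveLoadImageNotifyRoutine) can race with this read-only walk;
// MmIsAddressValid() only rules out an unmapped page, not a stale slot.
//
// Only 8 entries are covered; reading more requires locating
// PspLoadImageNotifyRoutineCount as described in the note above.
//
// Returns STATUS_SUCCESS after the walk, STATUS_NOT_FOUND if the table
// address is unknown.
NTSTATUS MyEnumLoadImageNotifyRoutine(VOID)
{
	int i;
	PVOID MagicPtr, NotifyAddr;

	if (!dynData.PspLoadImageNotifyRoutine)
	{
		DbgPrint("Couldn't found PspLoadImageNotifyRoutine\n");
		return STATUS_NOT_FOUND;
	}

	// Slots are pointer-sized, so step by sizeof(PVOID) instead of a fixed 8:
	// on x86 that is 4 bytes, which matches the count variable sitting at
	// +0x20 (8 slots * 4). A fixed stride of 8 would read every other slot there.
	for (i = 0; i < 8; i++)
	{
		MagicPtr = (PVOID)((PUCHAR)dynData.PspLoadImageNotifyRoutine + i * sizeof(PVOID));
#ifdef AMD64
		NotifyAddr = *(PULONG64)(MagicPtr);
		// Empty slot, or a slot whose block page is not mapped: nothing to report.
		if (NotifyAddr == 0 || !MmIsAddressValid(NotifyAddr))
		{
			continue;
		}
		// Strip the 4 reference-count bits; the block is 16-byte aligned, so the
		// routine pointer at +sizeof(EX_RUNDOWN_REF) lies on the page validated above.
		NotifyAddr = *(PULONG64)(((ULONG64)NotifyAddr & 0xfffffffffffffff0ui64) + sizeof(EX_RUNDOWN_REF));
		// Cast so the argument type matches %llx exactly.
		DbgPrint("LoadImageNotify at %llx", (ULONG64)NotifyAddr);
#else
		NotifyAddr = *(PULONG)(MagicPtr);
		// Empty slot, or a slot whose block page is not mapped: nothing to report.
		if (NotifyAddr == 0 || !MmIsAddressValid(NotifyAddr))
		{
			continue;
		}
		// Strip the 3 reference-count bits; the block is 8-byte aligned, so the
		// routine pointer at +sizeof(EX_RUNDOWN_REF) lies on the page validated above.
		NotifyAddr = *(PULONG)(((ULONG)NotifyAddr & 0xfffffff8) + sizeof(EX_RUNDOWN_REF));
		// Cast so the argument type matches %x exactly.
		DbgPrint("LoadImageNotify at %x", (ULONG)NotifyAddr);
#endif
	}
	return STATUS_SUCCESS;
}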

 

转载于:https://my.oschina.net/hzqst/blog/732013
