Why can’t you use ZwQuerySystemInformation?
There is an undocumented way, which can still be fooled by rootkits.
typedef struct _MODULE_ENTRY {
    LIST_ENTRY link;          // Flink, Blink
    BYTE unknown1[16];
    DWORD imagebase;
    DWORD entrypoint;
    DWORD imagesize;
    UNICODE_STRING path;
    UNICODE_STRING name;
    //…
} MODULE_ENTRY, *PMODULE_ENTRY;

NTSTATUS KernelWorker::GetDriverInfo(PCWSTR ModuleName, DWORD *LoadAddress, DWORD *ImageSize)
{
    NTSTATUS status = STATUS_UNSUCCESSFUL;
    MODULE_ENTRY* current;
    UNICODE_STRING *name;
    // PsLoadedModuleList is the unexported list head; the author's Rtl helper resolves it elsewhere
    PMODULE_ENTRY PsLoadedModuleList = Rtl::Instance()->PsLoadedModuleList;

    if(!PsLoadedModuleList)
        return STATUS_UNSUCCESSFUL;

    // Start at the first real entry; the list head itself is not a module
    current = (MODULE_ENTRY*) PsLoadedModuleList->link.Flink;
    do
    {
        if(current)
        {
            name = &current->name;
            if(name->Buffer)
            {
                static int i=0;
                KdPrint(("%3u: %.8X %.8X %.8X %.8X %.8X %.8X %S %S\n",
                    i++,
                    current,
                    current->link.Flink,
                    current->link.Blink,
                    current->entrypoint,
                    current->imagebase,
                    current->imagesize,
                    current->name.Buffer,
                    current->path.Buffer
                ));
                if(!_wcsicmp(name->Buffer, ModuleName))
                {
                    if(LoadAddress)
                        *LoadAddress = current->imagebase;
                    if(ImageSize)
                        *ImageSize = current->imagesize;
                    status = STATUS_SUCCESS;
                    break;
                }
            }
            current = (MODULE_ENTRY*) current->link.Flink;
        }
    } while(current != PsLoadedModuleList && current != NULL);   // stop once the circular list wraps back to the head
    return status;
}
"Iñaki Castillo" wrote in message news:xxxxx@ntdev…
I am enumerating the driver names list, that is, the objects placed in the \Driver directory, using ZwQueryDirectoryObject.
That way I get the 'driver names' listing.
Having these driver names, how can I get the filename/path of each driver module?
For example, if I have the driver name "Serial", how can I get from this name the location of the driver module, for example "SystemRoot\System32\Drivers\serial.sys"?
I know there are functions to get the listing of system modules (ZwQuerySystemInformation), but I cannot use these functions.
Any ideas are welcome.
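A user-mode C simulation of the same list walk, added here as an example and not part of either post, showing two things the posted code skips: stepping through the circular list from the sentinel head with CONTAINING_RECORD, and matching the name by UNICODE_STRING.Length instead of assuming a NUL-terminated Buffer. The list, its entries and the addresses are constructed sample data; the type names and field order follow the MODULE_ENTRY above.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

typedef uint16_t WCHAR;                       /* Windows WCHAR is 16-bit; stand-in for this simulation */
typedef struct _LIST_ENTRY { struct _LIST_ENTRY *Flink, *Blink; } LIST_ENTRY;
typedef struct { uint16_t Length, MaximumLength; WCHAR *Buffer; } UNICODE_STRING; /* Length is in bytes */
typedef struct {
    LIST_ENTRY link;                          /* same layout idea as the MODULE_ENTRY in the post */
    uintptr_t imagebase, entrypoint, imagesize;
    UNICODE_STRING path, name;
} MODULE_ENTRY;

#define CONTAINING_RECORD(p, T, f) ((const T *)((const char *)(p) - offsetof(T, f)))

/* Case-insensitive ASCII compare bounded by UNICODE_STRING.Length: the Buffer is
 * not guaranteed to be NUL-terminated, so a plain _wcsicmp could read past it. */
static int NameEquals(const UNICODE_STRING *s, const char *ascii) {
    size_t n = s->Length / sizeof(WCHAR);
    if (n != strlen(ascii)) return 0;
    for (size_t i = 0; i < n; i++) {
        WCHAR a = s->Buffer[i], b = (WCHAR)(unsigned char)ascii[i];
        if (a >= 'A' && a <= 'Z') a += 'a' - 'A';
        if (b >= 'A' && b <= 'Z') b += 'a' - 'A';
        if (a != b) return 0;
    }
    return 1;
}

/* Walk from the sentinel head until the list wraps around; the head itself is not a module. */
int GetDriverInfo(const LIST_ENTRY *head, const char *name, uintptr_t *base, uintptr_t *size) {
    for (const LIST_ENTRY *e = head->Flink; e && e != head; e = e->Flink) {
        const MODULE_ENTRY *m = CONTAINING_RECORD(e, MODULE_ENTRY, link);
        if (NameEquals(&m->name, name)) { *base = m->imagebase; *size = m->imagesize; return 1; }
    }
    return 0;
}

/* Constructed sample list (not real addresses): head <-> ntoskrnl.exe <-> serial.sys <-> head */
static WCHAR nt_name[]  = {'n','t','o','s','k','r','n','l','.','e','x','e'};
static WCHAR ser_name[] = {'S','e','r','i','a','l','.','s','y','s'};
LIST_ENTRY SampleHead;
MODULE_ENTRY SampleNt     = { {0}, 0x80400000, 0, 0x200000, {0}, {sizeof nt_name,  sizeof nt_name,  nt_name} };
MODULE_ENTRY SampleSerial = { {0}, 0xF8A00000, 0, 0x18000,  {0}, {sizeof ser_name, sizeof ser_name, ser_name} };

void BuildSampleList(void) {
    SampleHead.Flink = &SampleNt.link;        SampleHead.Blink = &SampleSerial.link;
    SampleNt.link.Flink = &SampleSerial.link; SampleNt.link.Blink = &SampleHead;
    SampleSerial.link.Flink = &SampleHead;    SampleSerial.link.Blink = &SampleNt.link;
}
```

Call BuildSampleList() first, then GetDriverInfo(&SampleHead, "serial.sys", &base, &size) finds the entry regardless of case and fails cleanly for a name such as "serial" that is not a module name.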