Module6.bas
Attribute VB_Name = "Module6"
Option Explicit
' One per-module record as EnumKernelModules reads it out of the buffer filled by
' NtQuerySystemInformation(SystemModuleInformation). EnumKernelModules steps
' through the buffer 71 * 4 = 284 bytes at a time, so the field order and widths
' below must not be changed.
Private Type SYSTEM_MODULE_INFORMATION
' Two Longs (indices 0..1) that this module never reads.
dwReserved(1) As Long
' Load address of the module; copied into MODULE_INFO.dwBase.
dwBase As Long
dwSize As Long
dwFlags As Long
Index As Integer
Unknown As Integer
LoadCount As Integer
ModuleNameOffset As Integer
' Filled by a raw CopyMemory and then passed through StrConv(..., vbUnicode)
' by EnumKernelModules before use.
' NOTE(review): presumably holds ANSI bytes rather than VB text until that
' conversion - confirm.
ImageName As String * 256
End Type
' One entry of the public KernelModules array.
Private Type MODULE_INFO
' Declared as String but assigned from the Long dwBase above (implicit
' conversion) and later compared against a Long in GetKernelModulePath.
dwBase As String
' Image path after CheckPath/CheckStr and the optional GetFullPath resolution.
szModulePath As String
End Type
' Overlay for the start of the query buffer: a module count followed by one
' SYSTEM_MODULE_INFORMATION record.
Private Type MODULES
dwNumberOfModules As Long
ModuleInformation As SYSTEM_MODULE_INFORMATION
End Type
Private Declare Function NtQuerySystemInformation Lib "NTDLL.DLL" ( _
ByVal SystemInformationClass As Long, _
ByVal pSystemInformation As Long, _
ByVal SystemInformationLength As Long, _
ByRef ReturnLength As Long) As Long
Private Declare Function VirtualAlloc Lib "kernel32.dll" (ByVal Address As Long, ByVal dwSize As Long, ByVal AllocationType As Long, ByVal Protect As Long) As Long
Private Declare Function VirtualFree Lib "kernel32.dll" (ByVal Address As Long, ByVal dwSize As Long, ByVal dwFreeType As Long) As Long
Private Declare Sub CopyMemory Lib "kernel32" Alias "RtlMoveMemory" ( _
ByVal pDst As Long, _
ByVal pSrc As Long, _
ByVal ByteLen As Long)
' Information class passed to NtQuerySystemInformation to request the loaded
' kernel module list.
Private Const SystemModuleInformation = 11
' Page protection passed to VirtualAlloc for the query buffer.
Private Const PAGE_READWRITE = &H4
' Win32 free-type flag (the value VirtualFree takes to release a region).
Private Const MEM_RELEASE = &H8000
' Allocation type passed to VirtualAlloc for the query buffer.
Private Const MEM_COMMIT = &H1000
' Result table filled by EnumKernelModules. Entries start at index 1; index 0
' is allocated by ReDim but never written.
Public KernelModules() As MODULE_INFO
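' Rebuilds the public KernelModules array from the kernel's loaded-module list
' and returns the number of entries stored (0 when the query fails or no entry
' is stored).
'
' The list is obtained with NtQuerySystemInformation(SystemModuleInformation):
' a first call with a zero-length buffer reports the required size, a second
' call fills a buffer of twice that size.
'
' Changes from the previous version:
'   - the VirtualAlloc buffer is released with VirtualFree before returning
'     (it was leaked on every call, and GetKernelModulePath calls this
'     function on each lookup);
'   - a failed allocation or a failed query no longer reaches CopyMemory with
'     a null or unfilled buffer;
'   - GetFullPath is evaluated once per module instead of twice.
'
' NOTE(review): the record at the start of the buffer is read but never stored;
' storing begins with the second record. That behaviour is kept as-is here -
' confirm whether skipping the first module is intended.
' NOTE(review): the 284-byte stride matches the 32-bit record layout declared
' in SYSTEM_MODULE_INFORMATION; newer Windows builds may also withhold module
' base addresses from callers without sufficient privilege, in which case
' dwBase would read as 0 - confirm on the target OS.
Public Function EnumKernelModules() As Long
    ' Size in bytes of one module record in the returned buffer.
    Const ENTRY_STRIDE As Long = 71 * 4

    Dim Ret As Long
    Dim Buffer As Long
    Dim Cursor As Long
    Dim Status As Long
    Dim ModulesInfo As MODULES
    Dim FullPath As String
    Dim i As Long
    Dim k As Long

    Erase KernelModules

    ' Size probe: expected to fail with a length mismatch while setting Ret.
    NtQuerySystemInformation SystemModuleInformation, 0, 0, Ret
    If Ret <= 0 Then Exit Function

    ' NOTE(review): LenB(ModulesInfo) is presumably larger than one record
    ' because VB6 stores the fixed-length string at two bytes per character,
    ' so each CopyMemory below reads past the record it targets; the doubled
    ' allocation appears to provide that slack - confirm before shrinking it.
    Buffer = VirtualAlloc(0, Ret * 2, MEM_COMMIT, PAGE_READWRITE)
    If Buffer = 0 Then Exit Function

    Status = NtQuerySystemInformation(SystemModuleInformation, Buffer, Ret * 2, Ret)

    ' NTSTATUS failure codes are negative when held in a Long.
    If Status >= 0 Then
        Cursor = Buffer
        CopyMemory ByVal VarPtr(ModulesInfo), ByVal Cursor, LenB(ModulesInfo)
        i = ModulesInfo.dwNumberOfModules

        While (i > 1)
            i = i - 1

            ' After the advance, ModulesInfo.ModuleInformation overlays the
            ' next record; dwNumberOfModules is no longer meaningful.
            Cursor = Cursor + ENTRY_STRIDE
            CopyMemory ByVal VarPtr(ModulesInfo), ByVal Cursor, LenB(ModulesInfo)

            k = k + 1
            ReDim Preserve KernelModules(k)
            KernelModules(k).dwBase = ModulesInfo.ModuleInformation.dwBase
            KernelModules(k).szModulePath = CheckPath(CheckStr(StrConv(ModulesInfo.ModuleInformation.ImageName, vbUnicode)))

            ' If the reported path does not exist as given, try resolving it
            ' against the system directories.
            If Fe(KernelModules(k).szModulePath) = False Then
                FullPath = GetFullPath(KernelModules(k).szModulePath)
                If Fe(FullPath) = True Then
                    KernelModules(k).szModulePath = FullPath
                End If
            End If
        Wend
    End If

    ' MEM_RELEASE requires a size of 0 and frees the whole region.
    VirtualFree Buffer, 0, MEM_RELEASE

    EnumKernelModules = k
End Function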
' Resolves a bare module file name against the system directory.
' Tries <GetSysDir>\drivers\<szPath> first, then <GetSysDir>\<szPath>, and
' returns the first candidate for which Fe reports True. Returns an empty
' string when neither candidate matches.
Private Function GetFullPath(ByVal szPath As String) As String
    Dim SubDirs As Variant
    Dim Candidate As String
    Dim n As Long

    ' Search order matters: the drivers folder wins over the system root.
    SubDirs = Array("\drivers\", "\")

    For n = LBound(SubDirs) To UBound(SubDirs)
        Candidate = GetSysDir & SubDirs(n) & szPath
        If Fe(Candidate) = True Then
            GetFullPath = Candidate
            Exit Function
        End If
    Next n
End Function
' Returns the stored path of the kernel module whose base address equals
' ModuleBase, or an empty string when no stored entry matches.
' The module table is rebuilt through EnumKernelModules on every call.
Public Function GetKernelModulePath(ByVal ModuleBase As Long) As String
    Dim idx As Long

    ' Nothing to search when the enumeration stored no entries.
    If EnumKernelModules <= 0 Then Exit Function

    ' Entries start at index 1. dwBase is a String, so this comparison relies
    ' on VB's implicit conversion against the Long argument.
    For idx = 1 To UBound(KernelModules)
        If KernelModules(idx).dwBase = ModuleBase Then
            GetKernelModulePath = KernelModules(idx).szModulePath
            Exit Function
        End If
    Next idx
End Function