CallStack-Spoofer

I have a question

Open xkp95175333 opened this issue 2 years ago • 0 comments

How can this be used in the kernel with ZwQuerySystemInformation and MmCopyVirtualMemory?

My code:

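{
	// Looks up a loaded kernel module in the SystemModuleInformation list and
	// returns its ImageBase. When moduleName is NULL the first entry of the
	// list is used. Returns NULL when the query fails, the allocation fails,
	// or no entry matches.
	PVOID moduleBase = NULL;
	ULONG info = 0;

	// Size probe: with a zero-length buffer the call is expected to fail and
	// report the required size through the last argument.
	NTSTATUS status = ZwQuerySystemInformation(SystemModuleInformation, NULL, 0, &info);

	if (!info) {
		return moduleBase;
	}

	// NOTE(review): the buffer holds data only; where the target OS supports it,
	// NonPagedPoolNx would avoid an executable pool allocation.
	PRTL_PROCESS_MODULES modules = (PRTL_PROCESS_MODULES)ExAllocatePoolWithTag(NonPagedPool, info, 'cdff');

	// The allocation can fail; the original dereferenced the pointer before
	// checking it.
	if (!modules) {
		return moduleBase;
	}

	status = ZwQuerySystemInformation(SystemModuleInformation, modules, info, &info);

	// The module list can grow between the two calls, so this call may still
	// fail. Release the buffer on that path instead of leaking it.
	if (!NT_SUCCESS(status)) {
		ExFreePoolWithTag(modules, 'cdff');
		return moduleBase;
	}

	PRTL_PROCESS_MODULE_INFORMATION module = modules->Modules;

	if (modules->NumberOfModules > 0) {

		if (!moduleName) {
			moduleBase = modules->Modules[0].ImageBase;
		}
		else {

			// ULONG index matches the type of NumberOfModules (no signed/unsigned compare).
			// NOTE(review): this is a case-sensitive compare against FullPathName,
			// so moduleName must match the whole stored path — confirm with callers.
			// Without a break, the last matching entry wins, as in the original.
			for (ULONG i = 0; i < modules->NumberOfModules; i++) {

				if (!strcmp((CHAR*)module[i].FullPathName, moduleName)) {
					moduleBase = module[i].ImageBase;
				}
			}
		}
	}

	ExFreePoolWithTag(modules, 'cdff');

	return moduleBase;

}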

thank you

xkp95175333 avatar Sep 11 '22 08:09 xkp95175333