Attribute VB_Name = "mEnumKernelModule"
Option Explicit
Private Declare Function NtQuerySystemInformation _
Lib "NTDLL.DLL" (ByVal dwRecordType As Long, _
ByVal pdwHandleList As Long, _
ByVal dwNumBytes As Long, _
ByRef pdwNumBytesRet As Long) As Long
Private Declare Sub CopyMemory Lib "kernel32" Alias "RtlMoveMemory" (ByVal pDst As Long, ByVal pSrc As Long, ByVal cch As Long)
'// Information classes accepted by NtQuerySystemInformation / NtSetSystemInformation.
'// Values are written out explicitly so the numbering cannot drift if an entry is
'// added or removed. The trailing comment records the class number and whether the
'// class supports query (Q) and/or set (S); "invalid" marks numbers with no class.
'// Only SystemModuleInformation (11) is used by this module.
Private Enum SYSTEM_INFORMATION_CLASS
    SystemBasicInformation = 0                  '// 00  Q
    SystemProcessorInformation = 1              '// 01  Q
    SystemPerformanceInformation = 2            '// 02  Q
    SystemTimeOfDayInformation = 3              '// 03  Q
    SystemNotImplemented1 = 4                   '// 04  Q
    SystemProcessesAndThreadsInformation = 5    '// 05  Q
    SystemCallCounts = 6                        '// 06  Q
    SystemConfigurationInformation = 7          '// 07  Q
    SystemProcessorTimes = 8                    '// 08  Q
    SystemGlobalFlag = 9                        '// 09  Q S
    SystemNotImplemented2 = 10                  '// 10  Q
    SystemModuleInformation = 11                '// 11  Q
    SystemLockInformation = 12                  '// 12  Q
    SystemNotImplemented3 = 13                  '// 13  Q
    SystemNotImplemented4 = 14                  '// 14  Q
    SystemNotImplemented5 = 15                  '// 15  Q
    SystemHandleInformation = 16                '// 16  Q
    SystemObjectInformation = 17                '// 17  Q
    SystemPagefileInformation = 18              '// 18  Q
    SystemInstructionEmulationCounts = 19       '// 19  Q
    SystemInvalidInfoClass1 = 20                '// 20  invalid
    SystemCacheInformation = 21                 '// 21  Q S
    SystemPoolTagInformation = 22               '// 22  Q
    SystemProcessorStatistics = 23              '// 23  Q
    SystemDpcInformation = 24                   '// 24  Q S
    SystemNotImplemented6 = 25                  '// 25  Q
    SystemLoadImage = 26                        '// 26  S
    SystemUnloadImage = 27                      '// 27  S
    SystemTimeAdjustment = 28                   '// 28  Q S
    SystemNotImplemented7 = 29                  '// 29  Q
    SystemNotImplemented8 = 30                  '// 30  Q
    SystemNotImplemented9 = 31                  '// 31  Q
    SystemCrashDumpInformation = 32             '// 32  Q
    SystemExceptionInformation = 33             '// 33  Q
    SystemCrashDumpStateInformation = 34        '// 34  Q S(partial)
    SystemKernelDebuggerInformation = 35        '// 35  Q
    SystemContextSwitchInformation = 36         '// 36  Q
    SystemRegistryQuotaInformation = 37         '// 37  Q S
    SystemLoadAndCallImage = 38                 '// 38  S
    SystemPrioritySeparation = 39               '// 39  S
    SystemNotImplemented10 = 40                 '// 40  Q
    SystemNotImplemented11 = 41                 '// 41  Q
    SystemInvalidInfoClass2 = 42                '// 42  invalid
    SystemInvalidInfoClass3 = 43                '// 43  invalid
    SystemTimeZoneInformation = 44              '// 44  Q
    SystemLookasideInformation = 45             '// 45  Q
    SystemSetTimeSlipEvent = 46                 '// 46  S
    SystemCreateSession = 47                    '// 47  S
    SystemDeleteSession = 48                    '// 48  S
    SystemInvalidInfoClass4 = 49                '// 49  invalid
    SystemRangeStartInformation = 50            '// 50  Q
    SystemVerifierInformation = 51              '// 51  Q S
    SystemAddVerifier = 52                      '// 52  S
    SystemSessionProcessesInformation = 53      '// 53  Q
End Enum
'// One record of the SystemModuleInformation (class 11) result buffer, i.e. one
'// module loaded in kernel space. The buffer returned by NtQuerySystemInformation
'// starts with a 4-byte module count followed by an array of these records
'// (see EnumKernelModule). Field order and sizes must match the kernel layout
'// byte-for-byte: 5 Longs (20 bytes) + 4 Integers (8 bytes) + 256 Bytes = 284 bytes,
'// with no padding under VB's natural alignment.
'// NOTE(review): this is the 32-bit layout (4-byte pointers); it has not been
'// validated for a 32-bit process running under WOW64 — confirm before relying on it there.
Public Type SYSTEM_MODULE_INFORMATION '// Information Class 11
    Reserved(1 To 2) As Long            '// two leading pointer-sized fields, not used by this module
    Base As Long                        '// image base address (signed Long; kernel addresses appear negative)
    Size As Long                        '// image size in bytes; the module spans [Base, Base + Size)
    Flags As Long                       '// load flags, not interpreted here
    Index As Integer                    '// load order index
    Unknown As Integer                  '// presumably the init order index — not used here
    LoadCount As Integer                '// reference count of the loaded image
    ModuleNameOffset As Integer         '// offset inside ImageName where the file name part starts
    ImageName(1 To 256) As Byte         '// ANSI path of the image; assumed NUL-terminated — TODO confirm
End Type
'// NTSTATUS returned when the caller's buffer is too small; the enumeration loop
'// treats it as "grow the buffer and retry", every other failure is fatal.
Private Const STATUS_INFO_LENGTH_MISMATCH As Long = &HC0000004
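'// Enumerate the modules currently loaded in kernel space (ntoskrnl, HAL, drivers)
'// through NtQuerySystemInformation(SystemModuleInformation).
'// retStatus : receives True on success, False when the query or the copy failed.
'//             On failure the function result is NOT allocated, so callers must test
'//             retStatus before calling LBound/UBound on it.
'// Returns   : a 0-based array of SYSTEM_MODULE_INFORMATION with NumberOfModules + 1
'//             elements; the last element is left zero-filled. (The extra slot is kept
'//             for compatibility with existing callers that iterate LBound..UBound;
'//             a zero-size record never matches an address lookup.)
'// Layout assumption: 32-bit structures (4-byte count, 284-byte records); not
'// validated under WOW64 — TODO confirm.
Public Function EnumKernelModule(Optional ByRef retStatus As Boolean) As SYSTEM_MODULE_INFORMATION()
    On Error GoTo EnumKernelModule_Err_Hdl
    Dim bufSize As Long
    Dim retLen As Long
    Dim Status As Long
    Dim bytBuf() As Byte
    Dim oneRec As SYSTEM_MODULE_INFORMATION

    retStatus = False
    bufSize = 1

    '// Grow the buffer until the call succeeds. On STATUS_INFO_LENGTH_MISMATCH the
    '// kernel normally reports the size it needs in retLen; use that when it is
    '// larger than what we have, otherwise fall back to doubling. A runaway doubling
    '// overflows bufSize (runtime error 6) and lands in the error handler.
    Do
        ReDim bytBuf(0 To bufSize - 1)
        retLen = 0
        Status = NtQuerySystemInformation(SystemModuleInformation, VarPtr(bytBuf(0)), bufSize, retLen)
        If NT_SUCCESS(Status) Then Exit Do
        If Status <> STATUS_INFO_LENGTH_MISMATCH Then GoTo EnumKernelModule_Err_Hdl
        If retLen > bufSize Then
            bufSize = retLen
        Else
            bufSize = bufSize * 2
        End If
    Loop

    '// The buffer begins with a ULONG module count, followed by the module records.
    Dim NumOfModule As Long
    If bufSize < Len(NumOfModule) Then GoTo EnumKernelModule_Err_Hdl
    Call CopyMemory(VarPtr(NumOfModule), VarPtr(bytBuf(0)), Len(NumOfModule))

    '// Never trust the count blindly: reject a negative (overflowed) value and one
    '// that would make the record copy read past the end of our own buffer.
    If NumOfModule < 0 Then GoTo EnumKernelModule_Err_Hdl
    If NumOfModule > (bufSize - Len(NumOfModule)) \ Len(oneRec) Then GoTo EnumKernelModule_Err_Hdl

    Dim m_info() As SYSTEM_MODULE_INFORMATION
    ReDim m_info(0 To NumOfModule)   '// NumOfModule + 1 slots, see header comment
    If NumOfModule > 0 Then
        Call CopyMemory(VarPtr(m_info(0)), VarPtr(bytBuf(0)) + Len(NumOfModule), Len(oneRec) * NumOfModule)
    End If

    EnumKernelModule = m_info
    retStatus = True
    Exit Function

EnumKernelModule_Err_Hdl:
    retStatus = False
End Function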
'// Equivalent of the SDK NT_SUCCESS macro: an NTSTATUS denotes success (or an
'// informational code) when its sign bit is clear, i.e. it is >= 0 as a signed Long.
Private Function NT_SUCCESS(ByVal nsStatus As Long) As Boolean
    If nsStatus < 0 Then
        NT_SUCCESS = False
    Else
        NT_SUCCESS = True
    End If
End Function
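'// Look up the kernel module whose image range [Base, Base + Size) contains InAddr.
'// InAddr : a kernel-mode address as a signed Long (VB6 has no unsigned 32-bit type).
'// Returns: a copy of the matching SYSTEM_MODULE_INFORMATION. When no module matches,
'//          or when the enumeration itself fails, a zero-filled record whose ImageName
'//          holds the ANSI bytes of "未知" ("unknown") is returned instead.
'// NOTE(review): the comparisons are signed, so an address and a module base on
'// opposite sides of &H80000000 do not order like unsigned pointers; the lookup is
'// only meaningful while InAddr and the module bases lie in the same half of the
'// address space — confirm for the callers.
Public Function GetModuleInfoByAddr(ByVal InAddr As Long) As SYSTEM_MODULE_INFORMATION
    Dim modules() As SYSTEM_MODULE_INFORMATION
    Dim enumOk As Boolean
    Dim idx As Long

    '// A failed enumeration leaves the array unallocated; LBound/UBound would then
    '// raise runtime error 9, so only scan it when retStatus reports success.
    modules = EnumKernelModule(enumOk)
    If enumOk Then
        For idx = LBound(modules) To UBound(modules)
            With modules(idx)
                '// Base <= InAddr (not <) so the first byte of the image is matched too.
                '// The sum is only evaluated for candidates, as in the original nesting.
                If .Base <= InAddr Then
                    If InAddr < .Base + .Size Then
                        GetModuleInfoByAddr = modules(idx)
                        Exit Function
                    End If
                End If
            End With
        Next idx
    End If

    '// Not found: return a record whose name is the ANSI encoding of "未知".
    Dim unknownName() As Byte
    Dim nameLen As Long
    Dim unknownRec As SYSTEM_MODULE_INFORMATION
    unknownName = StrConv("未知", vbFromUnicode)
    nameLen = UBound(unknownName) - LBound(unknownName) + 1
    '// Never copy more than ImageName can hold (256 bytes).
    If nameLen > UBound(unknownRec.ImageName) Then nameLen = UBound(unknownRec.ImageName)
    If nameLen > 0 Then
        Call CopyMemory(VarPtr(unknownRec.ImageName(1)), VarPtr(unknownName(0)), nameLen)
    End If
    GetModuleInfoByAddr = unknownRec
End Function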