Listing drivers in Ring0 / the kernel?

3

I have a question: is it possible to hook into Ring0 / the kernel to display a list of the loaded drivers running in the kernel? Do I need to write a driver?

Similar to how one can easily list all running processes.

Oh, this is on the C++ / Windows platform.


Try the lsmod command using the system() procedure. - bkausbk
If I remember correctly, there is a related command, drivers, but I'm not sure that is actually the command, because I haven't opened Windows in a long time. - oblitum
Which operating system are we talking about? Why not just ask the operating system? - MSalters
I guess it's Windows - since the question is tagged Visual C++. - Tobias Langner
Oh, the command I meant is driverquery: http://www.howtogeek.com/howto/windows-vista/generate-a-list-of-installed-drivers-from-the-command-line/ - oblitum
@bkausbk Please don't. Never use system() for anything - it's a security nightmare and should never be used. - Jesper Juhl
4 Answers

5

As I commented, use the driverquery command.

driverquery
Display a list of all installed device drivers and their properties.

Syntax

driverquery  [/s Computer] [/u Domain\User /p Password]
         [/fo {TABLE|LIST|CSV}] [/nh] [/v] [/si]
example

Show all installed device drivers in Table output:
driverquery

Show all installed device drivers in a CSV format:
DriverQuery /fo csv

Without a header:
DriverQuery /nh

Drivers that are not signed:
DriverQuery /si | findstr FALSE

Find drivers that are currently Running:
Driverquery.exe /v |findstr Running

Show installed device drivers on a remote machine
driverquery /s ipaddress

Show installed device drivers on server64 and authenticate as a different user:
driverquery /s server64 /u ss64Ddom\user123 /p p@sswor3d /fo list

Export a verbose listing of drivers to a file
driverquery /v /fo csv > T:\driverlist.csv

When running DriverQuery within PowerShell, the CSV output format can be used to turn the output into objects. The PowerShell function below turns DriverQuery into a graphical tool that will list drivers from both local and remote systems (assuming you have the appropriate permissions.)

function Show-DriverDialog {
    param(
        $ComputerName = $env:computername
    )

    driverquery.exe /S $ComputerName /FO CSV  |
      ConvertFrom-Csv |
      Out-GridView -Title "Driver on \\$ComputerName"
}

Source: http://windows.commands.com/driverquery

Of particular note:

Find drivers that are currently Running:
Driverquery.exe /v | findstr Running
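The CSV output described above can be turned into a small defender's check. This is an added example, not the answer's own Show-DriverDialog: it assumes the column names driverquery /v emits (Module Name, Display Name, Driver Type, State, Path) and a baseline file under $env:TEMP, and reports running drivers that are either not validly signed or were not present when the baseline was saved.

```powershell
# Added example (not from the original answer): object-ify driverquery /v output,
# keep only drivers in the Running state, check each module's Authenticode
# signature, and diff against a saved baseline so newly appeared drivers stand out.
function Get-RunningDriverReport {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [string]$BaselinePath = "$env:TEMP\driver-baseline.txt"   # assumed location
    )

    # /v adds the State and Path columns; /fo csv lets ConvertFrom-Csv build objects
    $drivers = driverquery.exe /S $ComputerName /V /FO CSV | ConvertFrom-Csv |
        Where-Object { $_.State -eq 'Running' }

    $baseline = @()
    if (Test-Path $BaselinePath) {
        $baseline = Get-Content $BaselinePath
    }

    $report = foreach ($d in $drivers) {
        # driverquery may print kernel-style paths (\??\ or \SystemRoot); map them to Win32 paths
        $path = $d.Path -replace '^\\\?\?\\', '' -replace '^\\SystemRoot', $env:SystemRoot
        $sig = if ($path -and (Test-Path $path)) {
            (Get-AuthenticodeSignature -FilePath $path).Status
        } else { 'PathNotFound' }

        [pscustomobject]@{
            Module     = $d.'Module Name'
            Display    = $d.'Display Name'
            Type       = $d.'Driver Type'
            Path       = $path
            Signature  = $sig
            InBaseline = $baseline -contains $d.'Module Name'
        }
    }

    # First run persists the module list as the baseline; later runs compare against it
    if (-not (Test-Path $BaselinePath) -and $report) {
        $report.Module | Set-Content $BaselinePath
    }
    $report
}

# Anything not validly signed, or unseen at baseline time, deserves a closer look
Get-RunningDriverReport |
    Where-Object { $_.Signature -ne 'Valid' -or -not $_.InBaseline } |
    Format-Table -AutoSize
```

Drivers signed only through a catalog file can show as NotSigned depending on the Windows version, so treat the Signature column as a starting point for review rather than a verdict.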

1
If you really want to write the code yourself, there is a "Device Driver Information" page on Microsoft's site. From there you should be able to put the pieces together (it is very similar to listing the currently running processes).

0

You can use the sc command

sc query type driver

This will give you a text list of the currently running drivers. You can try flags like running/stopped. From there, a short batch / bash / python command is all it takes to get the service names.


Update 2021: I had to use it like this to get it to work: sc query type= driver - miran80

0

You can also write a driver that lists all running drivers in the Windows kernel, but this requires some dirty hacks to call undocumented kernel functions. First you must declare 3 kernel functions:

#include <ntddk.h>

NTKERNELAPI
NTSTATUS
ObReferenceObjectByName(
    PUNICODE_STRING ObjectPath,
    ULONG Attributes,
    PACCESS_STATE AccessState,
    ACCESS_MASK DesiredAccess,
    POBJECT_TYPE ObjectType,
    KPROCESSOR_MODE AccessMode,
    PVOID ParseContext,
    PVOID* ObjectPtr
);

NTSYSAPI
NTSTATUS
NTAPI
ZwQueryDirectoryObject(
    HANDLE DirectoryHandle,
    PVOID Buffer,
    ULONG Length,
    BOOLEAN ReturnSingleEntry,
    BOOLEAN RestartScan,
    PULONG Context,
    PULONG ReturnLength
);

NTSYSAPI
NTSTATUS
NTAPI
ZwOpenDirectoryObject(
    PHANDLE DirectoryHandle,
    ACCESS_MASK DesiredAccess,
    POBJECT_ATTRIBUTES ObjectAttributes
);

Then you can enumerate all kernel objects of loaded drivers in the \Driver namespace:

NTSTATUS EnumerateDriversInDriverNamespace()
{
    NTSTATUS status;
    HANDLE directoryHandle;
    UNICODE_STRING directoryName;
    OBJECT_ATTRIBUTES objectAttributes;
    ULONG context = 0;          // enumeration cursor maintained by ZwQueryDirectoryObject
    ULONG returnLength;
    POBJECT_DIRECTORY_INFORMATION objinf;

    // Open the object-manager directory that holds one DRIVER_OBJECT entry per loaded driver
    RtlInitUnicodeString(&directoryName, L"\\Driver");
    InitializeObjectAttributes(&objectAttributes, &directoryName, OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE, NULL, NULL);

    status = ZwOpenDirectoryObject(&directoryHandle, DIRECTORY_QUERY, &objectAttributes);
    if (!NT_SUCCESS(status)) {
        DbgPrintEx(0, 0, "Failed to open \\Driver namespace: 0x%x\n", status);
        return status;
    }

    while (TRUE) {
        // Probe with an empty buffer to learn how large the next single entry is
        status = ZwQueryDirectoryObject(directoryHandle, NULL, 0, TRUE, FALSE, &context, &returnLength);
        if (status != STATUS_BUFFER_TOO_SMALL)
            break;  // STATUS_NO_MORE_ENTRIES here means the enumeration is complete

        objinf = (POBJECT_DIRECTORY_INFORMATION)ExAllocatePool(PagedPool, returnLength);
        if (!objinf) {
            ZwClose(directoryHandle);
            DbgPrintEx(0, 0, "Failed to allocate in paged pool\n");
            return STATUS_INSUFFICIENT_RESOURCES;
        }

        // Fetch the entry for real; the cursor advances to the next one
        status = ZwQueryDirectoryObject(directoryHandle, objinf, returnLength, TRUE, FALSE, &context, &returnLength);
        if (!NT_SUCCESS(status)) {
            ExFreePool(objinf);
            if (status == STATUS_NO_MORE_ENTRIES) {
                DbgPrintEx(0, 0, "No more entries :(\n");
                status = STATUS_SUCCESS;
            }
            else {
                DbgPrintEx(0, 0, "Failed to query directory object: 0x%x\n", status);
            }
            break;
        }

        PUNICODE_STRING dName = &objinf->Name;
        // dName here is the name of the driver
        DbgPrintEx(0, 0, "Driver: %wZ\n", dName);
        ExFreePool(objinf);
    }

    // Reaching the end of the directory during the probe is success, not an error
    if (status == STATUS_NO_MORE_ENTRIES)
        status = STATUS_SUCCESS;

    ZwClose(directoryHandle);

    return status;
}
