typedef struct _LDR_DATA_TABLE_ENTRY { // Start from Windows XP LIST_ENTRY InLoadOrderLinks; LIST_ENTRY InMemoryOrderLinks; LIST_ENTRY InInitializationOrderLinks; PVOID DllBase; PVOID EntryPoint; ULONG SizeOfImage; UNICODE_STRING FullDllName; UNICODE_STRING BaseDllName; ULONG Flags; USHORT ...
PLDR_DATA_TABLE_ENTRY pLdr; pLdr->FullDllName 得到的是 \WINDOWS\system32\ntoskrnl.exe,而不是一个绝对路径,跟网上说的不一样啊?
//0x120 bytes (sizeof) struct _LDR_DATA_TABLE_ENTRY { struct _LIST_ENTRY InLoadOrderLinks; //0x0 struct _LIST_ENTRY InMemoryOrderLinks; //0x10 struct _LIST_ENTRY InInitializationOrderLinks; //0x20 VOID* DllBase; //0x30 VOID* EntryPoint; //0x38 ULONG SizeOfImage; //0x40 struct _...
} LDR_DATA_TABLE_ENTRY * PLDR_DATA_TABLE_ENTRY; ...Another excellent Forum entry that describes the entire scenario that I'm trying to understand is here: PEB, LDR_DATA_TABLE_ENTRY, SysInternals Forum, Oct 2009 ...Anyway,...at this point, I've no doubt lost you all,... ...
思路便是:通过双向链表来遍历 _LDR_DATA_TABLE_ENTRY 结构体,匹配模块名称,获取模块基址。 如果你不幸...,根据上面讲解的思路,接下来的故事就顺理成章了,忘记思路的同学,看这里: 思路便是:通过双向链表来遍历 _LDR_DATA_TABLE_ENTRY 结构体,匹配模块名称,获取模块基址。 MOV EAX ...
Structure typedefstruct_LDR_DATA_TABLE_ENTRY{LIST_ENTRYInLoadOrderLinks;/* 0x00 */LIST_ENTRYInMemoryOrderLinks;/* 0x08 */LIST_ENTRYInInitializationOrderLinks;/* 0x10 */PVOIDDllBase;/* 0x18 */PVOIDEntryPoint;/* 0x1C */ULONGSizeOfImage;/* 0x20 */UNICODE_STRINGFullDllName;/* 0x24 */...