2008年8月27日星期三

ring3ScanMem — a user-mode (ring 3) scan of the current process's address space for mapped PE images, found by probing each allocation boundary for MZ/PE headers rather than asking the loader.

#include <windows.h>
#include <stdio.h>
#include <stdlib.h>

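/// Probe whether the range [pAddr, pAddr + cb) is readable in the current process.
///
/// ReadProcessMemory on our own process handle is used as a non-faulting probe
/// (the usual replacement for the deprecated IsBadReadPtr): it returns FALSE
/// instead of raising an access violation when any part of the range is
/// unmapped, reserved-only, or not readable (e.g. PAGE_NOACCESS / guard page).
///
/// @param pAddr  first byte of the range to probe.
/// @param cb     number of bytes that must all be readable. Defaults to one
///               DWORD, which is exactly the original single-word probe, so
///               existing one-argument callers behave as before. 0 is treated
///               as 1 (a zero-length probe would prove nothing).
/// @return TRUE if every byte of the range could be read, FALSE otherwise.
///
/// NOTE(review): this is a point-in-time check. Another thread may unmap or
/// re-protect the range between this probe and the caller's dereference, so it
/// reduces, but cannot eliminate, faults when scanning a live process.
BOOL IsAddressValid(PVOID pAddr, SIZE_T cb = sizeof(DWORD))
{
    // Fixed scratch buffer so probing a long range (e.g. a whole PE header)
    // needs no heap allocation; the range is read in chunks and every chunk
    // must succeed, which is equivalent to one read of the full range.
    unsigned char scratch[64];
    if (cb == 0)
        cb = 1;

    const unsigned char* cursor = static_cast<const unsigned char*>(pAddr);
    while (cb > 0)
    {
        const SIZE_T chunk = cb < sizeof(scratch) ? cb : sizeof(scratch);
        if (!::ReadProcessMemory(::GetCurrentProcess(), cursor, scratch, chunk, NULL))
            return FALSE;
        cursor += chunk;
        cb -= chunk;
    }
    return TRUE;
}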
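/// Walk the user-mode address space of the current process and print every
/// mapped PE image whose headers sit on an allocation boundary and whose
/// preferred ImageBase equals the address it is actually mapped at.
///
/// The walk steps by the system allocation granularity (the original hard-coded
/// 0x10000) because the loader only maps images on those boundaries, and it
/// covers [lpMinimumApplicationAddress, lpMaximumApplicationAddress] as reported
/// by GetSystemInfo instead of the fixed 0x10000..0x7FFFFFFF range. On a plain
/// 32-bit system that is the same set of addresses; under /3GB, in a WOW64
/// process (4 GiB user space) or in a native 64-bit build the original loop
/// silently missed everything above 2 GiB (and truncated pointers to DWORD).
///
/// Every dereference is preceded by a readability probe. In particular the NT
/// header is located through e_lfanew, an offset read from whatever happens to
/// be in memory: a page of data that merely starts with "MZ" could carry any
/// e_lfanew, and the original code dereferenced pAddr + e_lfanew unchecked, so
/// a stray signature in a data buffer would crash the scanner with an access
/// violation. Now both the DOS header and the full NT header range are probed.
///
/// NOTE(review): the ImageBase == address filter rejects relocated images, so
/// with ASLR (Vista and later) most system DLLs will not be reported. It is kept
/// because the original used it to suppress plain data copies of PE files; a
/// VirtualQuery() Type == MEM_IMAGE test would be the stronger discriminator
/// if both relocated modules and data copies matter to the caller.
void ScanModule()
{
    SYSTEM_INFO si;
    ::GetSystemInfo(&si);

    const ULONG_PTR first = reinterpret_cast<ULONG_PTR>(si.lpMinimumApplicationAddress);
    const ULONG_PTR last  = reinterpret_cast<ULONG_PTR>(si.lpMaximumApplicationAddress);
    // Guard against a zero granularity only to make an infinite loop impossible.
    const ULONG_PTR step  = si.dwAllocationGranularity ? si.dwAllocationGranularity : 0x10000;

    for (ULONG_PTR addr = first; addr <= last; addr += step)
    {
        // Probe the whole DOS header, not just its first DWORD, before reading
        // e_magic and e_lfanew from it.
        if (!IsAddressValid(reinterpret_cast<PVOID>(addr), sizeof(IMAGE_DOS_HEADER)))
            continue;

        const IMAGE_DOS_HEADER* dos = reinterpret_cast<const IMAGE_DOS_HEADER*>(addr);
        if (dos->e_magic != IMAGE_DOS_SIGNATURE)
            continue;

        // e_lfanew is a signed 32-bit offset we do not control. A negative value
        // would wrap the pointer; a value past the end of user space cannot be
        // a header. Either way, skip rather than dereference.
        const LONG lfanew = dos->e_lfanew;
        if (lfanew < 0 || static_cast<ULONG_PTR>(lfanew) > last - addr)
            continue;

        const ULONG_PTR ntAddr = addr + static_cast<ULONG_PTR>(lfanew);
        // The NT header may live on a different page (or in unmapped memory)
        // than the DOS header: probe its full extent before touching it.
        if (!IsAddressValid(reinterpret_cast<PVOID>(ntAddr), sizeof(IMAGE_NT_HEADERS)))
            continue;

        // IMAGE_NT_HEADERS is the native (32- or 64-bit) layout, matching the
        // IMAGE_OPTIONAL_HEADER typedef this function already used.
        const IMAGE_NT_HEADERS* nt = reinterpret_cast<const IMAGE_NT_HEADERS*>(ntAddr);
        if (nt->Signature != IMAGE_NT_SIGNATURE)
            continue;

        const IMAGE_OPTIONAL_HEADER* opt = &nt->OptionalHeader;
        if (opt->ImageBase != addr)
            continue;

        printf("Find New Module at address: 0x%08llX\r\n",
               static_cast<unsigned long long>(addr));
        // SizeOfImage is the mapped image size, not the on-disk file size.
        printf("Module Image Size = 0x%08lX\r\n\r\n",
               static_cast<unsigned long>(opt->SizeOfImage));
        // TODO: walk DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT] to list exports
        // (left unimplemented by the original; every RVA it yields must be
        // probed with IsAddressValid before use, like the headers above).
    }
}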

/// Entry point: run the module scan, then keep the console window open.
///
/// NOTE(review): system("pause") launches %ComSpec% (cmd.exe) just to run a
/// shell builtin. If this tool is ever run with higher privileges than the user
/// who controls the environment, that is a classic hijack point; reading a key
/// with getchar()/_getch() would avoid spawning a shell. Kept unchanged here to
/// preserve the existing console behaviour.
int main(void)
{
    ScanModule();
    (void)system("pause");  // hold the window open; return value is irrelevant
    return 0;
}
