added support for full DLL paths for MEM_MODULES

author: Toni Uhlig <matzeton@googlemail.com> 2019-09-19 20:53:04 +0200
committer: Toni Uhlig <matzeton@googlemail.com> 2019-09-19 20:53:04 +0200
commit: 3cb96bec8621825adf17181b764294ea85803b14 (patch)
tree: 8cd6a0f7368ec75ab0246e630a7ffcf508453838
parent: bfdcec38f3261260dd71cad5011fa9bfc5726071 (diff)
3 files changed, 25 insertions, 4 deletions
diff --git a/CMD/CMD.cpp b/CMD/CMD.cpp
index 980b165..2483c73 100644
--- a/CMD/CMD.cpp
+++ b/CMD/CMD.cpp
@@ -104,9 +104,12 @@ int wmain(int argc, wchar_t **argv)
 
 	MODULE_DATA *dll = NULL;
 	for (MODULE_DATA& md : modules) {
+		std::wcout << "DLLName: " << md.BaseDllName << ", "
+			<< "DLLPath: " << md.FullDllPath << std::endl;
 		if (strncmp(md.BaseDllName, "msvcrt.dll", sizeof md.BaseDllName) == 0) {
-			std::wcout << L"FOUND ENGINE DLL at " << std::hex << md.DllBase << "!!!" << std::endl;
+			std::wcout << L"FOUND MSVCRT DLL at " << std::hex << md.DllBase << "!!!" << std::endl;
 			dll = &md;
+			break;
 		}
 	}
 
diff --git a/KMemDriver/Memory.c b/KMemDriver/Memory.c
index d829413..7a571ea 100644
--- a/KMemDriver/Memory.c
+++ b/KMemDriver/Memory.c
@@ -112,6 +112,16 @@ NTSTATUS GetModules(
 				);
 				RtlFreeAnsiString(&name);
 			}
+			tmpUnicodeStr.Buffer = (PWCH)ldrEntry32->FullDllName.Buffer;
+			tmpUnicodeStr.Length = ldrEntry32->FullDllName.Length;
+			tmpUnicodeStr.MaximumLength = ldrEntry32->FullDllName.MaximumLength;
+			if (NT_SUCCESS(RtlUnicodeStringToAnsiString(&name, &tmpUnicodeStr, TRUE))) {
+				RtlCopyMemory(pmod->FullDllPath, name.Buffer,
+					(name.Length > sizeof pmod->FullDllPath ?
+						sizeof pmod->FullDllPath : name.Length)
+				);
+				RtlFreeAnsiString(&name);
+			}
 			pmod->DllBase = (PVOID)ldrEntry32->DllBase;
 			pmod->SizeOfImage = ldrEntry32->SizeOfImage;
 			//KDBG("DLL32 #%02lu: base -> 0x%p, size -> 0x%06X, name -> '%s'\n", used,
@@ -160,6 +170,13 @@ NTSTATUS GetModules(
 				);
 				RtlFreeAnsiString(&name);
 			}
+			if (NT_SUCCESS(RtlUnicodeStringToAnsiString(&name, &ldrEntry->FullDllName, TRUE))) {
+				RtlCopyMemory(pmod->FullDllPath, name.Buffer,
+					(name.Length > sizeof pmod->FullDllPath ?
+						sizeof pmod->FullDllPath : name.Length)
+				);
+				RtlFreeAnsiString(&name);
+			}
 			pmod->DllBase = ldrEntry->DllBase;
 			pmod->SizeOfImage = ldrEntry->SizeOfImage;
 			//KDBG("DLL #%02lu: base -> 0x%p, size -> 0x%06X, name -> '%s'\n", used,
diff --git a/include/KMemDriver.h b/include/KMemDriver.h
index d7fa589..90a06f2 100644
--- a/include/KMemDriver.h
+++ b/include/KMemDriver.h
@@ -25,9 +25,9 @@ typedef _Return_type_success_(return >= 0) LONG NTSTATUS;
 #define MEM_PAGES				0x803
 #define MEM_RPM					0x804
 #define MEM_WPM					0x805
-#define MEM_VALLOC               0x806
-#define MEM_VFREE                0x807
-#define MEM_VUNLINK              0x808
+#define MEM_VALLOC				0x806
+#define MEM_VFREE				0x807
+#define MEM_VUNLINK				0x808
 #define MEM_EXIT				0x809
 
 typedef struct _KERNEL_HEADER
@@ -66,6 +66,7 @@ typedef struct _MODULE_DATA
 	PVOID DllBase;
 	ULONG SizeOfImage;
 	CHAR BaseDllName[64];
+	CHAR FullDllPath[256];
 } MODULE_DATA, *PMODULE_DATA;
 
 typedef struct _KERNEL_MODULES
author	Toni Uhlig <matzeton@googlemail.com>	2019-09-19 20:53:04 +0200
committer	Toni Uhlig <matzeton@googlemail.com>	2019-09-19 20:53:04 +0200
commit	3cb96bec8621825adf17181b764294ea85803b14 (patch)
tree	8cd6a0f7368ec75ab0246e630a7ffcf508453838
parent	bfdcec38f3261260dd71cad5011fa9bfc5726071 (diff)