SystemModuleInformation


trancexx
Kernel is the heart of your OS. Actually it's more like the spinal cord.

The main question is: how come people know so little about it?

That's because you don't need to know anything about it. As a matter of fact, some circles of programmers are very resolute about that. They say: "The less you know, the better for all of us".

I usually say to them (the few I met) to go fuc*k themselves with their "mine, mine, mine" attitude. Luckily they don't mind too much. Probably because they don't know I'm gonna bring them down someday, under my knees :(

The script here will give you the SYSTEM name, your kernel module. It will also list your whole operating system (you will see what I mean).

Just to say this is not something particularly new or smart, maybe (?) only in AutoIt.

Script:

SystemModuleInformation.au3

♡♡♡

.

eMyvnE


Amazing as usual, trancexx. I especially loved the comments. They make it a lot easier to understand, at least for a newbie like me. :(

Probably because they don't know I'm gonna bring them down someday, under my knees.

- Go ahead. I'm counting on you. :)

Regards

Shafayat

[Not using this account any more. Using "iShafayet" instead]


Right, nothing new. DTaskManager v1.51 - http://dimio.altervista.org/eng/

Amongst several others. Nice to see it in AutoIt though.

Since Windows can be contrary at times (especially with paths), I have a suggestion:

; ### change raw system and blank paths to friendly paths
Local $FriendlyPath = StringLeft($ImageName, $iNameOffset)
Switch $FriendlyPath
    Case ('\SystemRoot\System32\Drivers\'), ('\Windows\System32\Drivers\')
        $aArray[$i][5] = (@SystemDir & '\Drivers\')
    Case ('\Windows\System32\'), ('\SystemRoot\System32\'), ('\??\' & @SystemDir & '\')
        $aArray[$i][5] = (@SystemDir & '\')

    Case (''); There's only 3 places this blank path can be --> System32, Drivers, dllcache

        ; First, let's check the System32 folder (most likely it's not here, but just in case)
        If FileExists(@SystemDir & '\' & $ImageName) Then $aArray[$i][5] = (@SystemDir & '\')

        ; This is the most likely place for the blank path
        ; (You can replace &= with = if you wish. It was for testing, to see if the file exists in both places)
        If FileExists(@SystemDir & '\Drivers\' & $ImageName) Then $aArray[$i][5] &= (@SystemDir & '\Drivers\')
        ; If it is someplace else (who knows where?), then it will remain blank in "Case Else"

        ; Since modules are "not normally" loaded from the dllcache --
        ; then we can assume that the next line of code is not needed --
        ; even though some will exist there for "system file protection".
        ; If FileExists(@SystemDir & '\dllcache\' & $ImageName) Then $aArray[$i][5] &= (@SystemDir & '\dllcache\')

    Case Else; If the path is already in normal format or none of the above cases match
        $aArray[$i][5] = $FriendlyPath
EndSwitch

Below is the suggested code (without comments):

Local $FriendlyPath = StringLeft($ImageName, $iNameOffset)
Switch $FriendlyPath
    Case ('\SystemRoot\System32\Drivers\'), ('\Windows\System32\Drivers\')
        $aArray[$i][5] = (@SystemDir & '\Drivers\')
    Case ('\Windows\System32\'), ('\SystemRoot\System32\'), ('\??\' & @SystemDir & '\')
        $aArray[$i][5] = (@SystemDir & '\')
    Case ('')
        If FileExists(@SystemDir & '\' & $ImageName) Then $aArray[$i][5] = (@SystemDir & '\')
        If FileExists(@SystemDir & '\Drivers\' & $ImageName) Then $aArray[$i][5] = (@SystemDir & '\Drivers\')
    Case Else
        $aArray[$i][5] = $FriendlyPath
EndSwitch

"The mediocre teacher tells. The Good teacher explains. The superior teacher demonstrates. The great teacher inspires." -William Arthur Ward

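The two things the thread works with are the SystemModuleInformation buffer itself (the first post: entry 0 is the kernel image, the rest are every loaded driver) and the raw NT paths in it (the Switch block above: \SystemRoot\..., \Windows\..., \??\C:\... and the blank directory). The following is an added example in Python, not trancexx's AutoIt script or the suggestion above. It assumes the widely documented x64 RTL_PROCESS_MODULES layout (ULONG NumberOfModules, then pointer-aligned entries with three pointers, ImageSize, Flags, four USHORTs including OffsetToFileName, and a 256-byte FullPathName), a constructed buffer and constructed file list so it runs offline, and an injected exists() callback in place of FileExists. On a real Windows host the buffer would come from NtQuerySystemInformation with information class 11; that call is deliberately not made here.

```python
"""Parse a SystemModuleInformation buffer and map raw NT module paths to
Win32 paths. Added example, not the AutoIt code from the thread.
Assumed layout (x64 RTL_PROCESS_MODULES): ULONG NumberOfModules; then, pointer
aligned, per module: Section, MappedBase, ImageBase (pointers), ImageSize,
Flags (ULONG), LoadOrderIndex, InitOrderIndex, LoadCount, OffsetToFileName
(USHORT), UCHAR FullPathName[256]."""
import struct
from typing import Callable, List, NamedTuple, Sequence, Tuple


class KernelModule(NamedTuple):
    image_base: int
    image_size: int
    load_order: int
    raw_path: str    # FullPathName exactly as the kernel reports it
    image_name: str  # FullPathName[OffsetToFileName:]


def entry_format(pointer_size: int) -> str:
    ptr = "Q" if pointer_size == 8 else "I"
    return "<" + ptr * 3 + "IIHHHH256s"


def parse_system_module_information(buf: bytes, pointer_size: int = 8) -> List[KernelModule]:
    """Decode the buffer. NumberOfModules is checked against the buffer length
    so a short or corrupted buffer raises instead of being read past its end."""
    fmt = entry_format(pointer_size)
    entry_size = struct.calcsize(fmt)
    if len(buf) < 4:
        raise ValueError("buffer too short for NumberOfModules")
    count = struct.unpack_from("<I", buf, 0)[0]
    offset = pointer_size  # Modules[] begins at the first pointer-aligned offset
    if len(buf) < offset + count * entry_size:
        raise ValueError("NumberOfModules exceeds buffer size")
    modules = []
    for _ in range(count):
        f = struct.unpack_from(fmt, buf, offset)
        image_base, image_size, load_order, name_offset, full = f[2], f[3], f[5], f[8], f[9]
        raw = full.split(b"\0", 1)[0].decode("latin-1")
        name_offset = min(name_offset, len(raw))  # never index past the string
        modules.append(KernelModule(image_base, image_size, load_order, raw, raw[name_offset:]))
        offset += entry_size
    return modules


def friendly_directory(raw_path: str, image_name: str, system_root: str,
                       exists: Callable[[str], bool]) -> str:
    """Directory part of raw_path in Win32 form, mirroring the thread's Switch block.
    system_root is e.g. C:\\Windows; exists() probes the file system for the blank case."""
    raw_dir = raw_path[:len(raw_path) - len(image_name)]
    system_dir = system_root + "\\System32"
    if raw_dir.startswith("\\??\\"):                  # \??\C:\... already names a drive
        return raw_dir[4:]
    lowered = raw_dir.lower()
    for prefix in ("\\systemroot\\", "\\windows\\"):  # rootless NT forms (case-insensitive)
        if lowered.startswith(prefix):
            return system_root + "\\" + raw_dir[len(prefix):]
    if raw_dir == "":                                  # kernel omitted the directory
        for candidate in (system_dir + "\\Drivers\\", system_dir + "\\"):
            if exists(candidate + image_name):
                return candidate
        return ""                                      # unresolved: leave it blank
    return raw_dir                                     # already a normal path


def build_sample_buffer(raw_paths: Sequence[str], pointer_size: int = 8) -> bytes:
    """Pack constructed entries the way the kernel lays them out (sample data only)."""
    fmt = entry_format(pointer_size)
    out = bytearray(struct.pack("<I", len(raw_paths)).ljust(pointer_size, b"\0"))
    base0 = 0xFFFFF80000400000 if pointer_size == 8 else 0x80400000
    for i, raw in enumerate(raw_paths):
        name_offset = raw.rfind("\\") + 1                # 0 when no directory is present
        out += struct.pack(fmt, 0, 0, base0 + i * 0x100000, 0x100000 * (i + 1),
                           0, i, i, 1, name_offset, raw.encode("latin-1"))
    return bytes(out)


SAMPLE_PATHS = [                                       # constructed, not from a real machine
    "\\SystemRoot\\system32\\ntoskrnl.exe",            # entry 0 is the kernel image
    "\\SystemRoot\\System32\\Drivers\\sample.sys",
    "\\??\\C:\\Program Files\\Vendor\\vendordrv.sys",
    "blankpath.sys",                                   # directory omitted by the kernel
]
SAMPLE_FILES = {"C:\\Windows\\System32\\Drivers\\blankpath.sys"}  # constructed file system


def resolve_modules(buf: bytes, system_root: str = "C:\\Windows",
                    exists: Callable[[str], bool] = SAMPLE_FILES.__contains__
                    ) -> List[Tuple[str, str, int]]:
    return [(m.image_name, friendly_directory(m.raw_path, m.image_name, system_root, exists),
             m.image_base) for m in parse_system_module_information(buf)]


def kernel_image_name(buf: bytes) -> str:
    """The first entry (load order 0) is the kernel itself."""
    return parse_system_module_information(buf)[0].image_name


if __name__ == "__main__":
    for name, directory, base in resolve_modules(build_sample_buffer(SAMPLE_PATHS)):
        print(f"{base:#018x}  {directory}{name}")
```

The length check before the loop is the part worth keeping when adapting this: NumberOfModules and OffsetToFileName come from the buffer, so a parser that trusts them reads outside the allocation on a truncated or malformed copy. The blank-directory probe checks System32\Drivers before System32, which gives the same answer as the suggestion above (where the second assignment wins when the file is in both).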

Right, nothing new. DTaskManager v1.51 - http://dimio.altervista.org/eng/

Actually, you don't even have to leave this site... it has been in ProDLLer for a while now.

It's good someone makes a decent function. My implementation is too closely tied to what I needed at the moment.

/Manko

Yes I rush things! (I sorta do small bursts in between doing nothing.) Things I have rushed and reRushed:
* ProDLLer - Process manager - Unload viri modules (dll) and moore...
* _WinAPI_ProcessListOWNER_WTS() - Get Processes owner list...
* _WinAPI_GetCommandLineFromPID() - Get commandline of target process...
* _WinAPI_ThreadsnProcesses() Much info if expanded - optional Indented "Parent/Child"-style Processlist.
Moore to come... eventually...
