c++ - 在 ring0/kernel 中列出驱动程序？

Question

只是一个问题，我想知道是否可以连接到 Ring0/Kernel 以显示在内核中运行的已加载驱动程序列表？我是否需要为此编写驱动程序？

类似于如何轻松列出所有正在运行的进程。

哦，这是在 C++/Windows 中。

Answer 1

正如我所说，使用 driverquery 命令。

driverquery
Display a list of all installed device drivers and their properties.

Syntax

driverquery  [/s Computer] [/u Domain\User /p Password]
         [/fo {TABLE|LIST|CSV}] [/nh] [/v] [/si]
example

Show all installed device drivers in Table output:
driverquery

Show all installed device drivers in a CSV format:
DriverQuery /fo csv

Without a header:
DriverQuery /nh

Drivers that are not signed:
DriverQuery /si | findstr FALSE

Find drivers that are currently Running:
Driverquery.exe /v |findstr Running

Show installed device drivers on a remote machine
driverquery /s ipaddress

Show installed device drivers on server64 and authenticate as a different user:
driverquery /s server64 /u ss64Ddom\user123 /p p@sswor3d /fo list

Export a verbose listing of drivers to a file
driverquery /v /fo csv > T:\driverlist.csv

When running DriverQuery within PowerShell, the CSV output format can be used to turn the output into objects. The PowerShell function below turns DriverQuery into a graphical tool that will list drivers from both local and remote systems (assuming you have the appropriate permissions.)

function Show-DriverDialog {
    param(
        $ComputerName = $env:computername
    )

    driverquery.exe /S $ComputerName /FO CSV  | 
      ConvertFrom-Csv | 
      Out-GridView -Title "Driver on \\$ComputerName"

来源:http://windows.commands.com/driverquery

特别注意:

Find drivers that are currently Running:
Driverquery.exe /v | findstr Running