wdm驱动在内存中的装载地址
请问各位,要怎么才得到一个wdm驱动在内存中的装载地址呢?
沙发#
发布于:2003-02-28 09:19
我也想知道 !
板凳#
发布于:2003-03-01 13:41
想知道哪个地址?
在DS里面 敲drivers不就看见了? |
地板#
发布于:2003-03-01 14:32
谢谢大家,我是想在我的应用或内核驱动中实现,还不是用别人的工具啊!!
我要的是象DLL的模块句柄那个东西! |
地下室#
发布于:2003-03-01 14:36
我急用啊!!!知道的就告诉我吧!!!
5楼#
发布于:2003-03-01 15:01
不知道下面代码是否是你所需要的。
// // 辅助结构,用来查询“NDIS.SYS”的地址 // typedef struct _SYSTEM_MODULE // 11 { DWORD dReserved01; DWORD d04; PVOID pAddress; DWORD dSize; // bytes DWORD dFlags; WORD wId; // zero based WORD wRank; // 0 if not assigned WORD w18; WORD wNameOffset; char ImageName [256]; }SYSTEM_MODULE,*PSYSTEM_MODULE; typedef struct _SYSTEM_MODULE_INFORMATION { DWORD dwCount; SYSTEM_MODULE ModuleEntries[1]; }SYSTEM_MODULE_INFORMATION,*PSYSTEM_MODULE_INFORMATION; typedef long ( __stdcall *NTQUERYSYSTEMINFORMATION)(DWORD,PVOID,DWORD,DWORD); =========== // // 查询“NDIS.SYS”的地址 // void __fastcall DetectNDISAddress() { NTQUERYSYSTEMINFORMATION NtQuerySystemInformation; PVOID ModuleInfoBuf; SYSTEM_MODULE_INFORMATION *SysModuleInfo; DWORD dwInfoSize = sizeof(SYSTEM_MODULE)*256; AnsiString TempModStr; ModuleInfoBuf = (PVOID)new byte[dwInfoSize]; NtQuerySystemInformation = (NTQUERYSYSTEMINFORMATION)GetProcAddress( GetModuleHandle( \"ntdll.dll\" ), \"NtQuerySystemInformation\" ); NtQuerySystemInformation(11,ModuleInfoBuf,dwInfoSize,0); SysModuleInfo = (SYSTEM_MODULE_INFORMATION*)ModuleInfoBuf; for(DWORD i=0; i < SysModuleInfo->dwCount; i++) { TempModStr = AnsiString((char*)SysModuleInfo->ModuleEntries.ImageName).LowerCase(); if(TempModStr.Pos(\"NDIS.SYS\") > 0) { NTOSKRNLKERNELADDRESS = (DWORD)SysModuleInfo->ModuleEntries.pAddress; break; } // Form1->Memo1->Lines->Add(\"Offset = + \" + IntToHex((__int64)SysModuleInfo->ModuleEntries.pAddress,8) + // \" ImageName = \" + AnsiString((char*)SysModuleInfo->ModuleEntries.ImageName)); } delete[] ModuleInfoBuf; } //--------------------------------------------------------------------------- |
6楼#
发布于:2003-03-01 15:32
先谢谢你了!!我试试看!!!
7楼#
发布于:2003-03-01 20:52
参考获得NTOSKRNL地址的方法。
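.386
.model flat,stdcall
option casemap:none
include \masm32\include\windows.inc
include \masm32\include\kernel32.inc
include \masm32\include\user32.inc
includelib \masm32\lib\kernel32.lib
includelib \masm32\lib\user32.lib

; Reference (native API documentation, as quoted in the original post):
;
; NTSYSAPI NTSTATUS NTAPI
; ZwQuerySystemInformation(
;     IN SYSTEM_INFORMATION_CLASS SystemInformationClass,
;     IN OUT PVOID SystemInformation,
;     IN ULONG SystemInformationLength,
;     OUT PULONG ReturnLength OPTIONAL
; );
;
; SystemInformationClass   The type of system information to be queried.
; SystemInformation        Caller-allocated buffer that receives the data.
; SystemInformationLength  Size in bytes of SystemInformation.
; ReturnLength             Optionally receives the number of bytes returned.
;                          If the buffer is too small it is normally set to
;                          zero, except for information classes 6 and 11,
;                          where it is set to the number of bytes required.
;                          May be a null pointer.
; Returns STATUS_SUCCESS or an error status such as STATUS_INVALID_INFO_CLASS,
; STATUS_NOT_IMPLEMENTED or STATUS_INFO_LENGTH_MISMATCH.
;
; For class 11 (SystemModuleInformation) the buffer holds a ULONG count of
; modules followed immediately by an array of SYSTEM_MODULE_INFORMATION.
; The system modules are the PE images loaded into the kernel address space
; (ntoskrnl.exe, hal.dll, device drivers, ...) and ntdll.dll. PSAPI's
; EnumDeviceDrivers, GetDeviceDriverFileName and GetDeviceDriverBaseName use
; this information class.

SystemModuleInformation equ 11
PVOID TYPEDEF DWORD
UNLONG TYPEDEF DWORD
CHAR TYPEDEF BYTE
STATUS_SUCCESS =0

; One entry of the SystemModuleInformation array (layout as documented above).
SYSTEM_MODULE_INFORMATION STRUCT
    Reserved ULONG 2 DUP(?)
    Base PVOID ?                    ; image base in kernel address space
    SysModSize ULONG ?
    Flags ULONG ?
    Index USHORT ?
    Unknown USHORT ?
    LoadCount USHORT ?
    ModuleNameOffset USHORT ?       ; offset of the file name within ImageName
    ImageName CHAR 256 DUP(?)
SYSTEM_MODULE_INFORMATION ENDS

FindNtoskrnl proto

.data?
AddrZwQuerySystemInformation dd ?   ; resolved at run time in main
ntoskrnl ULONG ?                    ; unused: the result is returned in eax

.data
ntos db "ntoskrnl.exe",0

.code

; FindNtoskrnl: walk the kernel module list and return the base address of
; ntoskrnl.exe in eax, or 0 on any failure (query error, allocation failure,
; module not found). AddrZwQuerySystemInformation must already be set.
;
; Fixes relative to the earlier version: VirtualFree with MEM_RELEASE
; requires a size of 0 (passing n makes the call fail and leaks the buffer),
; and the loop bound is now an explicit "i >= count" test instead of relying
; on INC leaving CF untouched before a JA.
FindNtoskrnl proc uses ebx esi edi
    local n:UNLONG
    local q:dword

    xor eax,eax
    mov n,eax
    mov q,eax

    ; ZwQuerySystemInformation(11,&n,0,&n) — size 0 forces a length-mismatch
    ; reply; class 11 then stores the required size in n.
    lea esi,n
    push esi
    push 0
    push esi
    push SystemModuleInformation
    call dword ptr[AddrZwQuerySystemInformation]

    ; q = VirtualAlloc(n); an n of 0 (first call failed) makes this fail too.
    invoke VirtualAlloc,NULL,n,MEM_COMMIT,PAGE_READWRITE
    or eax,eax
    jz Exit
    mov q,eax
    mov esi,eax

    ; ZwQuerySystemInformation(11,q,n,0)
    push 0
    push n
    push esi
    push SystemModuleInformation
    call dword ptr[AddrZwQuerySystemInformation]
    cmp eax,STATUS_SUCCESS
    jnz Exit

    ; p = (PSYSTEM_MODULE_INFORMATION)(q + 1): skip the ULONG module count.
    mov edx,esi
    add edx,4
    mov ecx,dword ptr[esi]          ; ecx = module count

    ; for (i = 0; i < count; i++)
    ;     if (strcmp-prefix(p[i].ImageName + p[i].ModuleNameOffset, "ntoskrnl") == 0)
    xor ebx,ebx
    sub edx,sizeof SYSTEM_MODULE_INFORMATION
@@:
    add edx,sizeof SYSTEM_MODULE_INFORMATION
    cmp ebx,ecx
    jae Exit                        ; i >= count: not found
    inc ebx
    assume edx:ptr SYSTEM_MODULE_INFORMATION
    lea edi,[edx].ImageName
    movzx eax,[edx].ModuleNameOffset
    add edi,eax
    ; Only the first 8 bytes ("ntoskrnl") are compared, case-sensitively;
    ; a kernel listed under another file name would not be matched.
    mov eax,dword ptr[ntos]
    cld
    scasd
    jnz @b
    mov eax,dword ptr[ntos+4]
    scasd
    jnz @b
    mov eax,[edx].Base
    assume edx:nothing

    push eax
    invoke VirtualFree,q,0,MEM_RELEASE  ; free(q); size must be 0 with MEM_RELEASE
    pop eax
    ret                             ; return base address in eax

Exit:
    mov edx,q
    test edx,edx
    jz @f
    invoke VirtualFree,q,0,MEM_RELEASE
@@:
    xor eax,eax
    ret
FindNtoskrnl endp

main:
    ; Selector check on DS (presumably bails out on platforms without the
    ; NT native API — confirm); then resolve ZwQuerySystemInformation.
    xor eax,eax
    mov ax,ds
    test ax,4
    jnz Exit1

    ; "call over string" idiom: the pushed return address is the string itself.
    call @f
    db "ntdll.dll",0
@@:
    call LoadLibraryA
    or eax,eax
    jz Exit1
    call @f
    db "ZwQuerySystemInformation",0
@@:
    push eax
    call GetProcAddress
    or eax,eax
    jz Exit1
    mov AddrZwQuerySystemInformation,eax

    ; ntoskrnl = FindNtoskrnl();   (result only left in eax here)
    call FindNtoskrnl
    ; printf("%x\n",ntoskrnl);

Exit1:
    invoke ExitProcess,0
end main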
8楼#
发布于:2003-03-02 15:05
看来大家还都好心人,小生在此谢过了!!!!!!
9楼#
发布于:2003-03-02 15:09
参考获得NTOSKRNL地址的方法。 这段代码对应NTOSKRNL中的哪个地方??告诉我,我来动态调试一下,看看它的原理!