
If statement fails in a C KMDF driver


I have this code, which is meant to find a module's base address inside a process:

PVOID GetProcessModuleAdress(IN PEPROCESS __process,IN PUNICODE_STRING ModuleName)
{
    KAPC_STATE kapc;
    KeStackAttachProcess(__process, &kapc);
    DbgPrint("KeStackAttachProcess Success\n");
    PPEB pPeb = PsGetProcessPeb(__process);
    DbgPrint("PPEB Success");
    __int32 pid = PsGetProcessId(__process);
    DbgPrint("PID(In Module Addr) Success \n");
    DbgPrint("ModuleName is:"); DbgPrint(ModuleName); DbgPrint("\n");
    // Debug
    for (PLIST_ENTRY pListEntry = pPeb->Ldr->InMemoryOrderModuleList.Flink; pListEntry != &pPeb->Ldr->InMemoryOrderModuleList; pListEntry = pListEntry->Flink)
    {
        PLDR_DATA_TABLE_ENTRY pEntry = CONTAINING_RECORD(pListEntry, LDR_DATA_TABLE_ENTRY, InMemoryOrderLinks);
        DbgPrintEx(0, 0, "Module: (%wZ)\n", pEntry->BaseDllName);
    }
    // End Debug
    for (PLIST_ENTRY pListEntry = pPeb->Ldr->InMemoryOrderModuleList.Flink; pListEntry != &pPeb->Ldr->InMemoryOrderModuleList; pListEntry = pListEntry->Flink)
    {
        PLDR_DATA_TABLE_ENTRY pEntry = CONTAINING_RECORD(pListEntry, LDR_DATA_TABLE_ENTRY, InMemoryOrderLinks);
        if (&pEntry->BaseDllName == ModuleName)
        {
            DbgPrint("\n Module found:");
            DbgPrint((PVOID)pEntry); DbgPrint("\n");
            KeUnstackDetachProcess(&kapc);
            return (PVOID)pEntry;
        }
    }

}
The part that fails is:

        if (&pEntry->BaseDllName == ModuleName)
        {
            DbgPrint("\n Module found:");
            DbgPrint((PVOID)pEntry); DbgPrint("\n");
            KeUnstackDetachProcess(&kapc);
            return (PVOID)pEntry;
        }
Here I want to find the base address of the process itself. This code works fine for enumerating the modules inside the process. The windbg output:

Find Process Success!
KeStackAttachProcess Success
PPEB SuccessPID(In Module Addr) Success 
ModuleName is:notepad.exe
Module: (notepad.exe)
Module: (ntdll.dll)
Module: (KERNEL32.DLL)
Module: (KERNELBASE.dll)
Module: (GDI32.dll)
Module: (win32u.dll)
Module: (gdi32full.dll)
Module: (msvcp_win.dll)
Module: (ucrtbase.dll)
Module: (USER32.dll)
Module: (msvcrt.dll)
Module: (combase.dll)
Module: (RPCRT4.dll)
Module: (bcryptPrimitives.dll)
Module: (shcore.dll)
Module: (advapi32.dll)
Module: (sechost.dll)
Module: (COMCTL32.dll)
Module: (IMM32.DLL)
Module: (kernel.appcore.dll)
Module: (uxtheme.dll)
Module: (clbcatq.dll)
Module: (MrmCoreR.dll)
Module: (MSCTF.dll)
Module: (OLEAUT32.dll)
Module: (windows.storage.dll)
Module: (profapi.dll)
Module: (powrprof.dll)
Module: (UMPDC.dll)
Module: (shlwapi.dll)
Module: (efswrt.dll)
Module: (MPR.dll)
Module: (wintypes.dll)
Module: (twinapi.appcore.dll)
Module: (RMCLIENT.dll)
Module: (SHELL32.dll)
Module: (cfgmgr32.dll)
Module: (cryptsp.dll)
Module: (oleacc.dll)
Module: (TextInputFramework.dll)
Module: (CoreUIComponents.dll)
Module: (CoreMessaging.dll)
Module: (ntmarta.dll)
Module: (iertutil.dll)
In the second loop, on the first iteration, it should be if("notepad.exe" == "notepad.exe"). But it never enters the "true" branch of the if. Maybe it is some kind of mismatch in the null byte that terminates the string.

Edit #1: In the "Debug" section of the code I get the correct output (the module list shown above).

But after that... strange things happen. The output code:

        DbgPrintEx(0, 0, "First Argument: (%wZ)\n", &pEntry->BaseDllName);
        DbgPrint("\n");
        DbgPrintEx(0,0,"%d",strlen(&pEntry->BaseDllName));
        DbgPrint("\n");
        DbgPrintEx(0, 0, "Second Argument: (%wZ)\n", ModuleName);
        DbgPrint("\n");
        DbgPrintEx(0,0,"%d",strlen(ModuleName));
        DbgPrint("\n");
And the output:

First Argument: (notepad.exe)

1
Second Argument: (
11
First Argument: (ntdll.dll)

1
Second Argument: (
11
First Argument: (KERNEL32.DLL)

1
Second Argument: (
11
First Argument: (KERNELBASE.dll)

1
Second Argument: (
11
First Argument: (GDI32.dll)

1
Second Argument: (
11
First Argument: (win32u.dll)

1
Second Argument: (
11
First Argument: (gdi32full.dll)

1
Second Argument: (
11
First Argument: (msvcp_win.dll)

1
Second Argument: (
11
First Argument: (ucrtbase.dll)

1
Second Argument: (
11
First Argument: (USER32.dll)

1
Second Argument: (
11
First Argument: (msvcrt.dll)

1
Second Argument: (
11
First Argument: (combase.dll)

1
Second Argument: (
11
First Argument: (RPCRT4.dll)

1
Second Argument: (
11
First Argument: (bcryptPrimitives.dll)

1
Second Argument: (
11
First Argument: (shcore.dll)

1
Second Argument: (
11
First Argument: (advapi32.dll)

1
Second Argument: (
11
First Argument: (sechost.dll)

1
Second Argument: (
11
First Argument: (COMCTL32.dll)

1
Second Argument: (
11
First Argument: (IMM32.DLL)

1
Second Argument: (
11
First Argument: (kernel.appcore.dll)

1
Second Argument: (
11
First Argument: (uxtheme.dll)

1
Second Argument: (
11
First Argument: (clbcatq.dll)

1
Second Argument: (
11
First Argument: (MrmCoreR.dll)

1
Second Argument: (
11
First Argument: (MSCTF.dll)

1
Second Argument: (
11
First Argument: (OLEAUT32.dll)

1
Second Argument: (
11
First Argument: (windows.storage.dll)

1
Second Argument: (
11
First Argument: (profapi.dll)

1
Second Argument: (
11
First Argument: (powrprof.dll)

1
Second Argument: (
11
First Argument: (UMPDC.dll)

1
Second Argument: (
11
First Argument: (shlwapi.dll)

1
Second Argument: (
11
First Argument: (efswrt.dll)

1
Second Argument: (
11
First Argument: (MPR.dll)

1
Second Argument: (
11
First Argument: (wintypes.dll)

1
Second Argument: (
11
First Argument: (twinapi.appcore.dll)
The constant strlen() length is very strange.

Edit #3: I changed the if statement to this function, but still without success:

        if (RtlEqualUnicodeString(&pEntry->BaseDllName,&ModuleName,0))
        {
            DbgPrint("\n Module found:");
            DbgPrint((PVOID)pEntry); DbgPrint("\n");
            KeUnstackDetachProcess(&kapc);
            return (PVOID)pEntry;
        }
The problem is here:

if (&pEntry->BaseDllName == ModuleName)
You are comparing string pointers, not string values.

Try strcmp(), like this:

if (strcmp(&pEntry->BaseDllName, ModuleName) == 0)

Do you think the pEntry value is not null?

Hmm... it is getting the DLL names, so I guess not. After trying to print it out in windbg I got: `ì1. A strange value, but it is not null. I assume strcmp uses the string value, not the address.

If you use strcmp() instead of a strict comparison, the values are compared. That means strcmp("notepad.exe", "notepad.exe") will return 0 (meaning: the same), which is the expected result. Strict comparison works in other languages like C#, but not in C :)

OK, also add the length to DbgPrintEx() (hint: strlen()). Maybe one of the strings contains whitespace or other invisible characters at the start/end.

strlen() returns the string length as an integer, so to print an int value in DbgPrintEx() you must use the "%d" format.

Can you show the code with these diagnostic items in it?

Probably not here, just edit/update your question - easier to comment ;)
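Added example, not code from the question or the answer above: a user-mode model of the kernel's counted UNICODE_STRING that reproduces the two symptoms the question shows and contrasts them with a value comparison. BaseDllName in LDR_DATA_TABLE_ENTRY is a UNICODE_STRING (a byte Length, a byte MaximumLength, and a pointer to a UTF-16 buffer that need not be NUL-terminated), so `&pEntry->BaseDllName == ModuleName` compares the addresses of two distinct objects and is always false, and a byte-oriented strlen()/strcmp() reads the struct header rather than the name: for an 11-character name Length is 22 = 0x16 0x00 on little-endian, which is why strlen() reports 1. The names UNICODE_STRING_MODEL, LDR_ENTRY_MODEL, ustr_equal_ci, find_module and the three-entry module list are constructed for this example; uint16_t stands in for WCHAR so it compiles outside Windows. ustr_equal_ci is a simplified stand-in for RtlEqualUnicodeString(a, b, TRUE) with the string pointer passed directly (in the question's Edit #3, ModuleName is already a PUNICODE_STRING, so taking its address passes a pointer to a pointer).

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Model of UNICODE_STRING: Length/MaximumLength are in BYTES, Buffer is
 * UTF-16 and may lack a terminating NUL. (Constructed for this example.) */
typedef struct {
    uint16_t Length;
    uint16_t MaximumLength;
    uint16_t *Buffer;
} UNICODE_STRING_MODEL;

/* Stand-in for the LDR_DATA_TABLE_ENTRY field the question's loop reads. */
typedef struct {
    UNICODE_STRING_MODEL BaseDllName;
} LDR_ENTRY_MODEL;

/* Build a counted UTF-16 string from ASCII text (constructed test data). */
static void init_ustr(UNICODE_STRING_MODEL *s, uint16_t *buf, const char *ascii)
{
    size_t n = strlen(ascii);
    for (size_t i = 0; i < n; i++)
        buf[i] = (uint16_t)(unsigned char)ascii[i];
    s->Length = (uint16_t)(n * 2);
    s->MaximumLength = s->Length;
    s->Buffer = buf;
}

static uint16_t to_lower16(uint16_t c)
{
    return (c >= 'A' && c <= 'Z') ? (uint16_t)(c + 32) : c;
}

/* Value comparison of two counted strings, ASCII case-insensitive: the
 * behaviour RtlEqualUnicodeString(a, b, TRUE) gives in the kernel. */
int ustr_equal_ci(const UNICODE_STRING_MODEL *a, const UNICODE_STRING_MODEL *b)
{
    if (a->Length != b->Length)
        return 0;
    size_t chars = a->Length / 2;
    for (size_t i = 0; i < chars; i++)
        if (to_lower16(a->Buffer[i]) != to_lower16(b->Buffer[i]))
            return 0;
    return 1;
}

/* The question's test: addresses of two different objects, never equal. */
int pointer_compare(const LDR_ENTRY_MODEL *e, const UNICODE_STRING_MODEL *name)
{
    return &e->BaseDllName == name;
}

/* strlen() on the struct reads the Length field's bytes (0x16 0x00 for an
 * 11-character name) and stops after one byte: the "1" in the question's dump. */
size_t strlen_on_struct(const UNICODE_STRING_MODEL *s)
{
    return strlen((const char *)s);
}

/* Walk the module list and return the index of the matching name, or -1. */
int find_module(const LDR_ENTRY_MODEL *list, size_t count, const UNICODE_STRING_MODEL *name)
{
    for (size_t i = 0; i < count; i++)
        if (ustr_equal_ci(&list[i].BaseDllName, name))
            return (int)i;
    return -1;
}

/* Constructed list mirroring the first entries of the question's dump. */
static uint16_t buf0[16], buf1[16], buf2[16], bufq[16];
static LDR_ENTRY_MODEL modules[3];

static size_t build_modules(void)
{
    init_ustr(&modules[0].BaseDllName, buf0, "notepad.exe");
    init_ustr(&modules[1].BaseDllName, buf1, "ntdll.dll");
    init_ustr(&modules[2].BaseDllName, buf2, "KERNEL32.DLL");
    return 3;
}

/* Look a name up by value; returns the list index or -1. */
int lookup(const char *ascii_name)
{
    UNICODE_STRING_MODEL q;
    size_t n = build_modules();
    init_ustr(&q, bufq, ascii_name);
    return find_module(modules, n, &q);
}

/* The two failing diagnostics from the question, as return values. */
int pointer_compare_demo(void)
{
    UNICODE_STRING_MODEL q;
    build_modules();
    init_ustr(&q, bufq, "notepad.exe");
    return pointer_compare(&modules[0], &q);
}

size_t strlen_demo(void)
{
    build_modules();
    return strlen_on_struct(&modules[0].BaseDllName);
}

int main(void)
{
    printf("pointer compare: %d\n", pointer_compare_demo());   /* 0 */
    printf("strlen on struct: %zu\n", strlen_demo());          /* 1 */
    printf("find notepad.exe: %d\n", lookup("notepad.exe"));   /* 0 */
    printf("find kernel32.dll: %d\n", lookup("kernel32.dll")); /* 2 */
    printf("find missing.dll: %d\n", lookup("missing.dll"));   /* -1 */
    return 0;
}
```

In a real driver the caller must also pass a genuine UNICODE_STRING (for example initialised with RtlInitUnicodeString) rather than a char buffer, and the detach and return paths must run on the not-found case as well, which the question's function currently omits.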