If语句在C KDMF驱动程序中失败
我有这个代码,就是打算在进程中查找模块基址If语句在C KDMF驱动程序中失败,c,windows,windows-kernel,C,Windows,Windows Kernel,我有这个代码,就是打算在进程中查找模块基址 PVOID GetProcessModuleAdress(IN PEPROCESS __process,IN PUNICODE_STRING ModuleName) { KAPC_STATE kapc; KeStackAttachProcess(__process, &kapc); DbgPrint("KeStackAttachProcess Success\n"); PPEB pPeb = PsGetProce
PVOID GetProcessModuleAdress(IN PEPROCESS __process,IN PUNICODE_STRING ModuleName)
{
KAPC_STATE kapc;
KeStackAttachProcess(__process, &kapc);
DbgPrint("KeStackAttachProcess Success\n");
PPEB pPeb = PsGetProcessPeb(__process);
DbgPrint("PPEB Success");
__int32 pid = PsGetProcessId(__process);
DbgPrint("PID(In Module Addr) Success \n");
DbgPrint("ModuleName is:"); DbgPrint(ModuleName); DbgPrint("\n");
// Debug
for (PLIST_ENTRY pListEntry = pPeb->Ldr->InMemoryOrderModuleList.Flink; pListEntry != &pPeb->Ldr->InMemoryOrderModuleList; pListEntry = pListEntry->Flink)
{
PLDR_DATA_TABLE_ENTRY pEntry = CONTAINING_RECORD(pListEntry, LDR_DATA_TABLE_ENTRY, InMemoryOrderLinks);
DbgPrintEx(0, 0, "Module: (%wZ)\n", pEntry->BaseDllName);
}
// End Debug
for (PLIST_ENTRY pListEntry = pPeb->Ldr->InMemoryOrderModuleList.Flink; pListEntry != &pPeb->Ldr->InMemoryOrderModuleList; pListEntry = pListEntry->Flink)
{
PLDR_DATA_TABLE_ENTRY pEntry = CONTAINING_RECORD(pListEntry, LDR_DATA_TABLE_ENTRY, InMemoryOrderLinks);
if (&pEntry->BaseDllName == ModuleName)
{
DbgPrint("\n Module found:");
DbgPrint((PVOID)pEntry); DbgPrint("\n");
KeUnstackDetachProcess(&kapc);
return (PVOID)pEntry;
}
}
}
失败之处在于:
if (&pEntry->BaseDllName == ModuleName)
{
DbgPrint("\n Module found:");
DbgPrint((PVOID)pEntry); DbgPrint("\n");
KeUnstackDetachProcess(&kapc);
return (PVOID)pEntry;
}
这里我想找到进程本身的基址。这段代码在查找进程内的模块方面工作正常。windbg的输出:
Find Process Success!
KeStackAttachProcess Success
PPEB SuccessPID(In Module Addr) Success
ModuleName is:notepad.exe
Module: (notepad.exe)
Module: (ntdll.dll)
Module: (KERNEL32.DLL)
Module: (KERNELBASE.dll)
Module: (GDI32.dll)
Module: (win32u.dll)
Module: (gdi32full.dll)
Module: (msvcp_win.dll)
Module: (ucrtbase.dll)
Module: (USER32.dll)
Module: (msvcrt.dll)
Module: (combase.dll)
Module: (RPCRT4.dll)
Module: (bcryptPrimitives.dll)
Module: (shcore.dll)
Module: (advapi32.dll)
Module: (sechost.dll)
Module: (COMCTL32.dll)
Module: (IMM32.DLL)
Module: (kernel.appcore.dll)
Module: (uxtheme.dll)
Module: (clbcatq.dll)
Module: (MrmCoreR.dll)
Module: (MSCTF.dll)
Module: (OLEAUT32.dll)
Module: (windows.storage.dll)
Module: (profapi.dll)
Module: (powrprof.dll)
Module: (UMPDC.dll)
Module: (shlwapi.dll)
Module: (efswrt.dll)
Module: (MPR.dll)
Module: (wintypes.dll)
Module: (twinapi.appcore.dll)
Module: (RMCLIENT.dll)
Module: (SHELL32.dll)
Module: (cfgmgr32.dll)
Module: (cryptsp.dll)
Module: (oleacc.dll)
Module: (TextInputFramework.dll)
Module: (CoreUIComponents.dll)
Module: (CoreMessaging.dll)
Module: (ntmarta.dll)
Module: (iertutil.dll)
在第二个循环中,在第一次迭代中,它应该是if(“notepad.exe”==“notepad.exe”)。但它并不是if的“真实”部分。也许这是空字节字符串结尾的某种不匹配
编辑#1:
在代码的“调试”部分,我得到了正确的输出:
Find Process Success!
KeStackAttachProcess Success
PPEB SuccessPID(In Module Addr) Success
ModuleName is:notepad.exe
Module: (notepad.exe)
Module: (ntdll.dll)
Module: (KERNEL32.DLL)
Module: (KERNELBASE.dll)
Module: (GDI32.dll)
Module: (win32u.dll)
Module: (gdi32full.dll)
Module: (msvcp_win.dll)
Module: (ucrtbase.dll)
Module: (USER32.dll)
Module: (msvcrt.dll)
Module: (combase.dll)
Module: (RPCRT4.dll)
Module: (bcryptPrimitives.dll)
Module: (shcore.dll)
Module: (advapi32.dll)
Module: (sechost.dll)
Module: (COMCTL32.dll)
Module: (IMM32.DLL)
Module: (kernel.appcore.dll)
Module: (uxtheme.dll)
Module: (clbcatq.dll)
Module: (MrmCoreR.dll)
Module: (MSCTF.dll)
Module: (OLEAUT32.dll)
Module: (windows.storage.dll)
Module: (profapi.dll)
Module: (powrprof.dll)
Module: (UMPDC.dll)
Module: (shlwapi.dll)
Module: (efswrt.dll)
Module: (MPR.dll)
Module: (wintypes.dll)
Module: (twinapi.appcore.dll)
Module: (RMCLIENT.dll)
Module: (SHELL32.dll)
Module: (cfgmgr32.dll)
Module: (cryptsp.dll)
Module: (oleacc.dll)
Module: (TextInputFramework.dll)
Module: (CoreUIComponents.dll)
Module: (CoreMessaging.dll)
Module: (ntmarta.dll)
Module: (iertutil.dll)
但是在那之后。。。奇怪的事情发生了。输出代码:
DbgPrintEx(0, 0, "First Argument: (%wZ)\n", &pEntry->BaseDllName);
DbgPrint("\n");
DbgPrintEx(0,0,"%d",strlen(&pEntry->BaseDllName));
DbgPrint("\n");
DbgPrintEx(0, 0, "Second Argument: (%wZ)\n", ModuleName);
DbgPrint("\n");
DbgPrintEx(0,0,"%d",strlen(ModuleName));
DbgPrint("\n");
和输出:
First Argument: (notepad.exe)
1
Second Argument: (
11
First Argument: (ntdll.dll)
1
Second Argument: (
11
First Argument: (KERNEL32.DLL)
1
Second Argument: (
11
First Argument: (KERNELBASE.dll)
1
Second Argument: (
11
First Argument: (GDI32.dll)
1
Second Argument: (
11
First Argument: (win32u.dll)
1
Second Argument: (
11
First Argument: (gdi32full.dll)
1
Second Argument: (
11
First Argument: (msvcp_win.dll)
1
Second Argument: (
11
First Argument: (ucrtbase.dll)
1
Second Argument: (
11
First Argument: (USER32.dll)
1
Second Argument: (
11
First Argument: (msvcrt.dll)
1
Second Argument: (
11
First Argument: (combase.dll)
1
Second Argument: (
11
First Argument: (RPCRT4.dll)
1
Second Argument: (
11
First Argument: (bcryptPrimitives.dll)
1
Second Argument: (
11
First Argument: (shcore.dll)
1
Second Argument: (
11
First Argument: (advapi32.dll)
1
Second Argument: (
11
First Argument: (sechost.dll)
1
Second Argument: (
11
First Argument: (COMCTL32.dll)
1
Second Argument: (
11
First Argument: (IMM32.DLL)
1
Second Argument: (
11
First Argument: (kernel.appcore.dll)
1
Second Argument: (
11
First Argument: (uxtheme.dll)
1
Second Argument: (
11
First Argument: (clbcatq.dll)
1
Second Argument: (
11
First Argument: (MrmCoreR.dll)
1
Second Argument: (
11
First Argument: (MSCTF.dll)
1
Second Argument: (
11
First Argument: (OLEAUT32.dll)
1
Second Argument: (
11
First Argument: (windows.storage.dll)
1
Second Argument: (
11
First Argument: (profapi.dll)
1
Second Argument: (
11
First Argument: (powrprof.dll)
1
Second Argument: (
11
First Argument: (UMPDC.dll)
1
Second Argument: (
11
First Argument: (shlwapi.dll)
1
Second Argument: (
11
First Argument: (efswrt.dll)
1
Second Argument: (
11
First Argument: (MPR.dll)
1
Second Argument: (
11
First Argument: (wintypes.dll)
1
Second Argument: (
11
First Argument: (twinapi.appcore.dll)
斯特伦的恒定长度非常奇怪
编辑#3
已将if语句更改为此函数,但仍然没有成功
if (RtlEqualUnicodeString(&pEntry->BaseDllName,&ModuleName,0))
{
DbgPrint("\n Module found:");
DbgPrint((PVOID)pEntry); DbgPrint("\n");
KeUnstackDetachProcess(&kapc);
return (PVOID)pEntry;
}
问题在于:
if (&pEntry->BaseDllName == ModuleName)
您正在比较字符串指针,而不是字符串值
请尝试使用strcmp(),如下所示:
if (strcmp(&pEntry->BaseDllName, ModuleName) == 0)
您是否认为pEntry值不为空?嗯。。。它正在获取dll名称。所以我想没有。在尝试在windbg中打印出来后,我得到了:`ì1。奇怪的值,但它不是null。我假设strcmp使用的是字符串值,而不是地址。如果使用strcmp()而不是严格比较,则会比较这些值。这意味着strcmp(“notepad.exe”、“notepad.exe”)将返回0(意思是:相同),这是预期的结果。严格比较适用于其他语言,如c#,但不适用于c:)好的,也可以添加到DbgPrintEx()lenghth(提示:“strlen()”。可能其中一个字符串的开头/结尾包含空格或其他不可见字符。strlen()以整数形式返回字符串长度,因此,要在DbgPrintEx()中打印int值,必须使用格式“%d”。是否显示包含这些诊断项的代码?可能不在这里,只需编辑/更新您的问题-更容易评论;)