时间戳

首页 > 解决方案 > 如果语句在 C KDMF 驱动程序中失败

c - 如果语句在 C KDMF 驱动程序中失败

问题描述

我有这段代码,旨在在过程中找到模块基地址。

PVOID GetProcessModuleAdress(IN PEPROCESS __process,IN PUNICODE_STRING ModuleName)
{
    KAPC_STATE kapc;
    KeStackAttachProcess(__process, &kapc);
    DbgPrint("KeStackAttachProcess Success\n");
    PPEB pPeb = PsGetProcessPeb(__process);
    DbgPrint("PPEB Success");
    __int32 pid = PsGetProcessId(__process);
    DbgPrint("PID(In Module Addr) Success \n");
    DbgPrint("ModuleName is:"); DbgPrint(ModuleName); DbgPrint("\n");
    // Debug
    for (PLIST_ENTRY pListEntry = pPeb->Ldr->InMemoryOrderModuleList.Flink; pListEntry != &pPeb->Ldr->InMemoryOrderModuleList; pListEntry = pListEntry->Flink)
    {
        PLDR_DATA_TABLE_ENTRY pEntry = CONTAINING_RECORD(pListEntry, LDR_DATA_TABLE_ENTRY, InMemoryOrderLinks);
        DbgPrintEx(0, 0, "Module: (%wZ)\n", pEntry->BaseDllName);
    }
    // End Debug
    for (PLIST_ENTRY pListEntry = pPeb->Ldr->InMemoryOrderModuleList.Flink; pListEntry != &pPeb->Ldr->InMemoryOrderModuleList; pListEntry = pListEntry->Flink)
    {
        PLDR_DATA_TABLE_ENTRY pEntry = CONTAINING_RECORD(pListEntry, LDR_DATA_TABLE_ENTRY, InMemoryOrderLinks);
        if (&pEntry->BaseDllName == ModuleName)
        {
            DbgPrint("\n Module found:");
            DbgPrint((PVOID)pEntry); DbgPrint("\n");
            KeUnstackDetachProcess(&kapc);
            return (PVOID)pEntry;
        }
    }

}

失败的部分在这里:

        if (&pEntry->BaseDllName == ModuleName)
        {
            DbgPrint("\n Module found:");
            DbgPrint((PVOID)pEntry); DbgPrint("\n");
            KeUnstackDetachProcess(&kapc);
            return (PVOID)pEntry;
        }

在这里我想找到进程本身的基地址。并且此代码在查找流程中的模块方面工作正常。来自windbg的输出:

Find Process Success!
KeStackAttachProcess Success
PPEB SuccessPID(In Module Addr) Success 
ModuleName is:notepad.exe
Module: (notepad.exe)
Module: (ntdll.dll)
Module: (KERNEL32.DLL)
Module: (KERNELBASE.dll)
Module: (GDI32.dll)
Module: (win32u.dll)
Module: (gdi32full.dll)
Module: (msvcp_win.dll)
Module: (ucrtbase.dll)
Module: (USER32.dll)
Module: (msvcrt.dll)
Module: (combase.dll)
Module: (RPCRT4.dll)
Module: (bcryptPrimitives.dll)
Module: (shcore.dll)
Module: (advapi32.dll)
Module: (sechost.dll)
Module: (COMCTL32.dll)
Module: (IMM32.DLL)
Module: (kernel.appcore.dll)
Module: (uxtheme.dll)
Module: (clbcatq.dll)
Module: (MrmCoreR.dll)
Module: (MSCTF.dll)
Module: (OLEAUT32.dll)
Module: (windows.storage.dll)
Module: (profapi.dll)
Module: (powrprof.dll)
Module: (UMPDC.dll)
Module: (shlwapi.dll)
Module: (efswrt.dll)
Module: (MPR.dll)
Module: (wintypes.dll)
Module: (twinapi.appcore.dll)
Module: (RMCLIENT.dll)
Module: (SHELL32.dll)
Module: (cfgmgr32.dll)
Module: (cryptsp.dll)
Module: (oleacc.dll)
Module: (TextInputFramework.dll)
Module: (CoreUIComponents.dll)
Module: (CoreMessaging.dll)
Module: (ntmarta.dll)
Module: (iertutil.dll)

在第二个循环中,在第一次迭代中应该是 if("notepad.exe" == "notepad.exe")。但它没有进入 if 的“真实”部分。也许这是空字节字符串结尾的某种不匹配?

编辑#1:在我的代码的“调试”部分中,我得到正确的输出:

Find Process Success!
KeStackAttachProcess Success
PPEB SuccessPID(In Module Addr) Success 
ModuleName is:notepad.exe
Module: (notepad.exe)
Module: (ntdll.dll)
Module: (KERNEL32.DLL)
Module: (KERNELBASE.dll)
Module: (GDI32.dll)
Module: (win32u.dll)
Module: (gdi32full.dll)
Module: (msvcp_win.dll)
Module: (ucrtbase.dll)
Module: (USER32.dll)
Module: (msvcrt.dll)
Module: (combase.dll)
Module: (RPCRT4.dll)
Module: (bcryptPrimitives.dll)
Module: (shcore.dll)
Module: (advapi32.dll)
Module: (sechost.dll)
Module: (COMCTL32.dll)
Module: (IMM32.DLL)
Module: (kernel.appcore.dll)
Module: (uxtheme.dll)
Module: (clbcatq.dll)
Module: (MrmCoreR.dll)
Module: (MSCTF.dll)
Module: (OLEAUT32.dll)
Module: (windows.storage.dll)
Module: (profapi.dll)
Module: (powrprof.dll)
Module: (UMPDC.dll)
Module: (shlwapi.dll)
Module: (efswrt.dll)
Module: (MPR.dll)
Module: (wintypes.dll)
Module: (twinapi.appcore.dll)
Module: (RMCLIENT.dll)
Module: (SHELL32.dll)
Module: (cfgmgr32.dll)
Module: (cryptsp.dll)
Module: (oleacc.dll)
Module: (TextInputFramework.dll)
Module: (CoreUIComponents.dll)
Module: (CoreMessaging.dll)
Module: (ntmarta.dll)
Module: (iertutil.dll)

但在那之后……奇怪的事情发生了。输出代码:

DbgPrintEx(0, 0, "First Argument: (%wZ)\n", &pEntry->BaseDllName);
        DbgPrint("\n");
        DbgPrintEx(0,0,"%d",strlen(&pEntry->BaseDllName));
        DbgPrint("\n");
        DbgPrintEx(0, 0, "Second Argument: (%wZ)\n", ModuleName);
        DbgPrint("\n");
        DbgPrintEx(0,0,"%d",strlen(ModuleName));
        DbgPrint("\n");

并输出:

First Argument: (notepad.exe)

1
Second Argument: (
11
First Argument: (ntdll.dll)

1
Second Argument: (
11
First Argument: (KERNEL32.DLL)

1
Second Argument: (
11
First Argument: (KERNELBASE.dll)

1
Second Argument: (
11
First Argument: (GDI32.dll)

1
Second Argument: (
11
First Argument: (win32u.dll)

1
Second Argument: (
11
First Argument: (gdi32full.dll)

1
Second Argument: (
11
First Argument: (msvcp_win.dll)

1
Second Argument: (
11
First Argument: (ucrtbase.dll)

1
Second Argument: (
11
First Argument: (USER32.dll)

1
Second Argument: (
11
First Argument: (msvcrt.dll)

1
Second Argument: (
11
First Argument: (combase.dll)

1
Second Argument: (
11
First Argument: (RPCRT4.dll)

1
Second Argument: (
11
First Argument: (bcryptPrimitives.dll)

1
Second Argument: (
11
First Argument: (shcore.dll)

1
Second Argument: (
11
First Argument: (advapi32.dll)

1
Second Argument: (
11
First Argument: (sechost.dll)

1
Second Argument: (
11
First Argument: (COMCTL32.dll)

1
Second Argument: (
11
First Argument: (IMM32.DLL)

1
Second Argument: (
11
First Argument: (kernel.appcore.dll)

1
Second Argument: (
11
First Argument: (uxtheme.dll)

1
Second Argument: (
11
First Argument: (clbcatq.dll)

1
Second Argument: (
11
First Argument: (MrmCoreR.dll)

1
Second Argument: (
11
First Argument: (MSCTF.dll)

1
Second Argument: (
11
First Argument: (OLEAUT32.dll)

1
Second Argument: (
11
First Argument: (windows.storage.dll)

1
Second Argument: (
11
First Argument: (profapi.dll)

1
Second Argument: (
11
First Argument: (powrprof.dll)

1
Second Argument: (
11
First Argument: (UMPDC.dll)

1
Second Argument: (
11
First Argument: (shlwapi.dll)

1
Second Argument: (
11
First Argument: (efswrt.dll)

1
Second Argument: (
11
First Argument: (MPR.dll)

1
Second Argument: (
11
First Argument: (wintypes.dll)

1
Second Argument: (
11
First Argument: (twinapi.appcore.dll)

strlen 中的常数长度非常奇怪

编辑 #3 将 if 语句更改为此函数,但仍然没有运气

if (RtlEqualUnicodeString(&pEntry->BaseDllName,&ModuleName,0))
        {
            DbgPrint("\n Module found:");
            DbgPrint((PVOID)pEntry); DbgPrint("\n");
            KeUnstackDetachProcess(&kapc);
            return (PVOID)pEntry;
        }

标签: cwindowswindows-kernel

解决方案

问题在这里:

if (&pEntry->BaseDllName == ModuleName)

您正在比较字符串指针,而不是字符串值。

尝试使用 strcmp(),如下所示:

if (strcmp(&pEntry->BaseDllName, ModuleName) == 0)

推荐阅读