c - 如果语句在 C KDMF 驱动程序中失败
问题描述
我有这段代码,旨在在过程中找到模块基地址。
PVOID GetProcessModuleAdress(IN PEPROCESS __process,IN PUNICODE_STRING ModuleName)
{
KAPC_STATE kapc;
KeStackAttachProcess(__process, &kapc);
DbgPrint("KeStackAttachProcess Success\n");
PPEB pPeb = PsGetProcessPeb(__process);
DbgPrint("PPEB Success");
__int32 pid = PsGetProcessId(__process);
DbgPrint("PID(In Module Addr) Success \n");
DbgPrint("ModuleName is:"); DbgPrint(ModuleName); DbgPrint("\n");
// Debug
for (PLIST_ENTRY pListEntry = pPeb->Ldr->InMemoryOrderModuleList.Flink; pListEntry != &pPeb->Ldr->InMemoryOrderModuleList; pListEntry = pListEntry->Flink)
{
PLDR_DATA_TABLE_ENTRY pEntry = CONTAINING_RECORD(pListEntry, LDR_DATA_TABLE_ENTRY, InMemoryOrderLinks);
DbgPrintEx(0, 0, "Module: (%wZ)\n", pEntry->BaseDllName);
}
// End Debug
for (PLIST_ENTRY pListEntry = pPeb->Ldr->InMemoryOrderModuleList.Flink; pListEntry != &pPeb->Ldr->InMemoryOrderModuleList; pListEntry = pListEntry->Flink)
{
PLDR_DATA_TABLE_ENTRY pEntry = CONTAINING_RECORD(pListEntry, LDR_DATA_TABLE_ENTRY, InMemoryOrderLinks);
if (&pEntry->BaseDllName == ModuleName)
{
DbgPrint("\n Module found:");
DbgPrint((PVOID)pEntry); DbgPrint("\n");
KeUnstackDetachProcess(&kapc);
return (PVOID)pEntry;
}
}
}
失败的部分在这里:
if (&pEntry->BaseDllName == ModuleName)
{
DbgPrint("\n Module found:");
DbgPrint((PVOID)pEntry); DbgPrint("\n");
KeUnstackDetachProcess(&kapc);
return (PVOID)pEntry;
}
在这里我想找到进程本身的基地址。并且此代码在查找流程中的模块方面工作正常。来自windbg的输出:
Find Process Success!
KeStackAttachProcess Success
PPEB SuccessPID(In Module Addr) Success
ModuleName is:notepad.exe
Module: (notepad.exe)
Module: (ntdll.dll)
Module: (KERNEL32.DLL)
Module: (KERNELBASE.dll)
Module: (GDI32.dll)
Module: (win32u.dll)
Module: (gdi32full.dll)
Module: (msvcp_win.dll)
Module: (ucrtbase.dll)
Module: (USER32.dll)
Module: (msvcrt.dll)
Module: (combase.dll)
Module: (RPCRT4.dll)
Module: (bcryptPrimitives.dll)
Module: (shcore.dll)
Module: (advapi32.dll)
Module: (sechost.dll)
Module: (COMCTL32.dll)
Module: (IMM32.DLL)
Module: (kernel.appcore.dll)
Module: (uxtheme.dll)
Module: (clbcatq.dll)
Module: (MrmCoreR.dll)
Module: (MSCTF.dll)
Module: (OLEAUT32.dll)
Module: (windows.storage.dll)
Module: (profapi.dll)
Module: (powrprof.dll)
Module: (UMPDC.dll)
Module: (shlwapi.dll)
Module: (efswrt.dll)
Module: (MPR.dll)
Module: (wintypes.dll)
Module: (twinapi.appcore.dll)
Module: (RMCLIENT.dll)
Module: (SHELL32.dll)
Module: (cfgmgr32.dll)
Module: (cryptsp.dll)
Module: (oleacc.dll)
Module: (TextInputFramework.dll)
Module: (CoreUIComponents.dll)
Module: (CoreMessaging.dll)
Module: (ntmarta.dll)
Module: (iertutil.dll)
在第二个循环中,在第一次迭代中应该是 if("notepad.exe" == "notepad.exe")。但它没有进入 if 的“真实”部分。也许这是空字节字符串结尾的某种不匹配?
编辑#1:在我的代码的“调试”部分中,我得到正确的输出:
Find Process Success!
KeStackAttachProcess Success
PPEB SuccessPID(In Module Addr) Success
ModuleName is:notepad.exe
Module: (notepad.exe)
Module: (ntdll.dll)
Module: (KERNEL32.DLL)
Module: (KERNELBASE.dll)
Module: (GDI32.dll)
Module: (win32u.dll)
Module: (gdi32full.dll)
Module: (msvcp_win.dll)
Module: (ucrtbase.dll)
Module: (USER32.dll)
Module: (msvcrt.dll)
Module: (combase.dll)
Module: (RPCRT4.dll)
Module: (bcryptPrimitives.dll)
Module: (shcore.dll)
Module: (advapi32.dll)
Module: (sechost.dll)
Module: (COMCTL32.dll)
Module: (IMM32.DLL)
Module: (kernel.appcore.dll)
Module: (uxtheme.dll)
Module: (clbcatq.dll)
Module: (MrmCoreR.dll)
Module: (MSCTF.dll)
Module: (OLEAUT32.dll)
Module: (windows.storage.dll)
Module: (profapi.dll)
Module: (powrprof.dll)
Module: (UMPDC.dll)
Module: (shlwapi.dll)
Module: (efswrt.dll)
Module: (MPR.dll)
Module: (wintypes.dll)
Module: (twinapi.appcore.dll)
Module: (RMCLIENT.dll)
Module: (SHELL32.dll)
Module: (cfgmgr32.dll)
Module: (cryptsp.dll)
Module: (oleacc.dll)
Module: (TextInputFramework.dll)
Module: (CoreUIComponents.dll)
Module: (CoreMessaging.dll)
Module: (ntmarta.dll)
Module: (iertutil.dll)
但在那之后……奇怪的事情发生了。输出代码:
DbgPrintEx(0, 0, "First Argument: (%wZ)\n", &pEntry->BaseDllName);
DbgPrint("\n");
DbgPrintEx(0,0,"%d",strlen(&pEntry->BaseDllName));
DbgPrint("\n");
DbgPrintEx(0, 0, "Second Argument: (%wZ)\n", ModuleName);
DbgPrint("\n");
DbgPrintEx(0,0,"%d",strlen(ModuleName));
DbgPrint("\n");
并输出:
First Argument: (notepad.exe)
1
Second Argument: (
11
First Argument: (ntdll.dll)
1
Second Argument: (
11
First Argument: (KERNEL32.DLL)
1
Second Argument: (
11
First Argument: (KERNELBASE.dll)
1
Second Argument: (
11
First Argument: (GDI32.dll)
1
Second Argument: (
11
First Argument: (win32u.dll)
1
Second Argument: (
11
First Argument: (gdi32full.dll)
1
Second Argument: (
11
First Argument: (msvcp_win.dll)
1
Second Argument: (
11
First Argument: (ucrtbase.dll)
1
Second Argument: (
11
First Argument: (USER32.dll)
1
Second Argument: (
11
First Argument: (msvcrt.dll)
1
Second Argument: (
11
First Argument: (combase.dll)
1
Second Argument: (
11
First Argument: (RPCRT4.dll)
1
Second Argument: (
11
First Argument: (bcryptPrimitives.dll)
1
Second Argument: (
11
First Argument: (shcore.dll)
1
Second Argument: (
11
First Argument: (advapi32.dll)
1
Second Argument: (
11
First Argument: (sechost.dll)
1
Second Argument: (
11
First Argument: (COMCTL32.dll)
1
Second Argument: (
11
First Argument: (IMM32.DLL)
1
Second Argument: (
11
First Argument: (kernel.appcore.dll)
1
Second Argument: (
11
First Argument: (uxtheme.dll)
1
Second Argument: (
11
First Argument: (clbcatq.dll)
1
Second Argument: (
11
First Argument: (MrmCoreR.dll)
1
Second Argument: (
11
First Argument: (MSCTF.dll)
1
Second Argument: (
11
First Argument: (OLEAUT32.dll)
1
Second Argument: (
11
First Argument: (windows.storage.dll)
1
Second Argument: (
11
First Argument: (profapi.dll)
1
Second Argument: (
11
First Argument: (powrprof.dll)
1
Second Argument: (
11
First Argument: (UMPDC.dll)
1
Second Argument: (
11
First Argument: (shlwapi.dll)
1
Second Argument: (
11
First Argument: (efswrt.dll)
1
Second Argument: (
11
First Argument: (MPR.dll)
1
Second Argument: (
11
First Argument: (wintypes.dll)
1
Second Argument: (
11
First Argument: (twinapi.appcore.dll)
strlen 中的常数长度非常奇怪
编辑 #3 将 if 语句更改为此函数,但仍然没有运气
if (RtlEqualUnicodeString(&pEntry->BaseDllName,&ModuleName,0))
{
DbgPrint("\n Module found:");
DbgPrint((PVOID)pEntry); DbgPrint("\n");
KeUnstackDetachProcess(&kapc);
return (PVOID)pEntry;
}
解决方案
问题在这里:
if (&pEntry->BaseDllName == ModuleName)
您正在比较字符串指针,而不是字符串值。
尝试使用 strcmp(),如下所示:
if (strcmp(&pEntry->BaseDllName, ModuleName) == 0)
推荐阅读
- html - 需要缩放 SVG 帮助
- python - python有没有办法通过从conf文件中读取源目录和目标目录来移动windows上的文件?
- html-table - Material UI 创建多行数据表行
- javascript - 在 Godaddy 的 Wordpress 网站中添加自定义全栈网页
- python-3.x - 如何在 django 中使用 sql 文件创建 postgresql 数据库?请逐步指导我。我有如下的sql
- api - Flutter 搜索 Spotify Song 并保存深层链接
- reactjs - 如果通过 npm 安装 react 和 react dom 包,是否需要 CDN 链接?
- javascript - 有没有办法在没有库的情况下抓取动态网站?
- flutter - 如何在颤动中为选定的复选框列表块更新表中的多条记录
- python - Pandas reset_index(drop=True) 无法与 groupby 一起正常工作