我在这段代码上遇到了麻烦:我想把检索到的已加载系统模块列表保存到一个结构体数组中,该结构体定义如下:
/* Per-module record kept by the caller (one entry per loaded module). */
typedef struct _DRIVER_INFO {
PVOID MappedBase;
PVOID ImageBase;
ULONG ImageSize;
/* Fixed-size inline WCHAR buffers, NOT UNICODE_STRINGs. A routine that takes a
 * PUNICODE_STRING (RtlAnsiStringToUnicodeString and friends) must be handed a
 * descriptor whose Buffer/MaximumLength point into these arrays; passing
 * &ModuleName or &FullPathName directly is a pointer-type mismatch. */
WCHAR ModuleName[MAXIMUM_FILENAME_LENGTH];
WCHAR FullPathName[MAXIMUM_FILENAME_LENGTH];
} DRIVER_INFO;
数据来源是一个定义如下的结构体:
/* Layout of one entry returned by the system-module query (same layout the
 * code below accesses through PRTL_PROCESS_MODULE_INFORMATION). */
typedef struct _SYSTEM_MODULE_INFORMATION {
HANDLE Section;
PVOID MappedBase;
PVOID ImageBase;
ULONG ImageSize;
ULONG Flags;
USHORT LoadOrderIndex;
USHORT InitOrderIndex;
USHORT LoadCount;
/* Byte offset into FullPathName at which the bare file name starts. It is
 * used as an array index below, so check it against MAXIMUM_FILENAME_LENGTH
 * (and the actual string length) before dereferencing. */
USHORT OffsetToFileName;
/* Narrow (single-byte) path; presumably NUL-terminated by the kernel, but a
 * bounded length scan is the safe way to consume it. */
UCHAR FullPathName[MAXIMUM_FILENAME_LENGTH];
} SYSTEM_MODULE_INFORMATION, * PSYSTEM_MODULE_INFORMATION;
下面是我没能写完的代码。我试过 wdm.h 中定义的几个字符串复制函数,但都不行:我需要把 UCHAR 字符串复制到 WCHAR 数组里(复制到 UNICODE_STRING 也可以)。
/* First attempt: copies the numeric fields, leaves both string fields empty. */
for (ULONG i = 0; i < moduleList->NumberOfModules; i++)
{
PRTL_PROCESS_MODULE_INFORMATION module = (PRTL_PROCESS_MODULE_INFORMATION)&moduleList->Modules[i];
/* Uninitialized stack copy; ModuleName/FullPathName hold garbage until filled. */
DRIVER_INFO driverInfo;
driverInfo.MappedBase = module->MappedBase;
driverInfo.ImageBase = module->ImageBase;
driverInfo.ImageSize = module->ImageSize;
//Here i have to copy module.FullPathName in driverInfo.FullPathName
//and module.FullPathName + module.OffsetToFileName in driverInfo.ModuleName
/* NOTE(review): systemDrivers' capacity is not visible here; confirm it can
 * hold NumberOfModules entries, otherwise this indexed store runs past it. */
systemDrivers[i] = driverInfo;
/* BUG: FullPathName is a WCHAR array that was never written above, and "%s"
 * expects a narrow string; this prints uninitialized memory. Use "%ws" once the
 * field is populated. */
DebugMessage("Driver Path: %s\n", driverInfo.FullPathName);
}
编辑1:
只调用第一个
RtlAnsiStringToUnicodeString
时可以正常工作,但加上第二个调用后就会崩溃,并报告“尝试写入只读位置”。我漏掉了什么?
/* Second attempt (the one that faults). The two conversions below are wrong
 * for the same two reasons; see the comment above them. */
for (ULONG i = 0; i < moduleList->NumberOfModules; i++)
{
PRTL_PROCESS_MODULE_INFORMATION module = (PRTL_PROCESS_MODULE_INFORMATION)&moduleList->Modules[i];
/* Stack copy; in this version it is never stored into systemDrivers. */
DRIVER_INFO driverInfo;
/* Plain char pointers into module->FullPathName, not ANSI_STRING descriptors.
 * OffsetToFileName is used as an index without a bounds check. */
PCSTR moduleName = (PCSTR)(module->FullPathName + module->OffsetToFileName);
PCSTR fullPathName = (PCSTR)(module->FullPathName);
DebugMessage("Driver Name: %s, Driver Path: %s\n", moduleName, fullPathName);
//driverInfo.MappedBase = module->MappedBase;
//driverInfo.ImageBase = module->ImageBase;
//driverInfo.ImageSize = module->ImageSize;
/* BUG 1: (PCANSI_STRING)&moduleName reinterprets the bytes of the pointer
 * variable itself as an ANSI_STRING, so Length/MaximumLength come from the
 * pointer's bits and Buffer from whatever happens to follow on the stack.
 * BUG 2: &driverInfo.ModuleName is a WCHAR (*)[MAXIMUM_FILENAME_LENGTH], not a
 * PUNICODE_STRING; with AllocateDestinationString = TRUE the routine writes a
 * UNICODE_STRING header over the start of that array and pool-allocates the
 * real buffer, which is never freed. The garbage Buffer pointer from BUG 1 is
 * the likely origin of the "write to read-only location" fault. */
RtlAnsiStringToUnicodeString(&driverInfo.ModuleName, (PCANSI_STRING)&moduleName, TRUE);
RtlAnsiStringToUnicodeString(&driverInfo.FullPathName, (PCANSI_STRING)&fullPathName, TRUE);
}
这样解决了,谢谢大家。
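/* Copy each module's numeric fields and its ANSI path / file name into the
 * fixed WCHAR buffers of systemDrivers[i].
 *
 * Why the destinations are described by a local UNICODE_STRING: the DRIVER_INFO
 * fields are WCHAR arrays, not UNICODE_STRINGs. Passing &systemDrivers[i].X
 * directly makes RtlAnsiStringToUnicodeString treat the start of the array as
 * a UNICODE_STRING header, and with AllocateDestinationString = TRUE it also
 * pool-allocates a buffer that is never freed. Converting into a caller-owned
 * buffer with AllocateDestinationString = FALSE avoids both problems. */
for (ULONG i = 0; i < moduleList->NumberOfModules; i++)
{
PRTL_PROCESS_MODULE_INFORMATION module = (PRTL_PROCESS_MODULE_INFORMATION)&moduleList->Modules[i];
/* NOTE(review): systemDrivers' capacity is not visible here; confirm it holds
 * at least NumberOfModules entries before trusting this index. */
DRIVER_INFO *driverInfo = &systemDrivers[i];
ANSI_STRING ansiFullPathName;
ANSI_STRING ansiModuleName;
UNICODE_STRING uniFullPathName;
UNICODE_STRING uniModuleName;
NTSTATUS status;

/* Bounded length scan: FullPathName is a fixed UCHAR array, so never rely on
 * a terminator being present when walking it. */
USHORT pathLen = 0;
while (pathLen < MAXIMUM_FILENAME_LENGTH && module->FullPathName[pathLen] != '\0') {
pathLen++;
}
/* OffsetToFileName is an index into FullPathName; clamp it so the file-name
 * substring always starts inside the measured string. */
USHORT nameOffset = (module->OffsetToFileName < pathLen) ? module->OffsetToFileName : pathLen;

driverInfo->MappedBase = module->MappedBase;
driverInfo->ImageBase = module->ImageBase;
driverInfo->ImageSize = module->ImageSize;

/* Source descriptors built with explicit lengths (no terminator scan). */
ansiFullPathName.Buffer = (PCHAR)module->FullPathName;
ansiFullPathName.Length = pathLen;
ansiFullPathName.MaximumLength = pathLen;
ansiModuleName.Buffer = (PCHAR)module->FullPathName + nameOffset;
ansiModuleName.Length = (USHORT)(pathLen - nameOffset);
ansiModuleName.MaximumLength = ansiModuleName.Length;

/* Destination descriptors over the inline arrays; one WCHAR is held back so a
 * terminator always fits. On failure the field is left as an empty string. */
uniFullPathName.Buffer = driverInfo->FullPathName;
uniFullPathName.Length = 0;
uniFullPathName.MaximumLength = (USHORT)((MAXIMUM_FILENAME_LENGTH - 1) * sizeof(WCHAR));
status = RtlAnsiStringToUnicodeString(&uniFullPathName, &ansiFullPathName, FALSE);
if (!NT_SUCCESS(status)) {
uniFullPathName.Length = 0;
}
driverInfo->FullPathName[uniFullPathName.Length / sizeof(WCHAR)] = L'\0';

uniModuleName.Buffer = driverInfo->ModuleName;
uniModuleName.Length = 0;
uniModuleName.MaximumLength = (USHORT)((MAXIMUM_FILENAME_LENGTH - 1) * sizeof(WCHAR));
status = RtlAnsiStringToUnicodeString(&uniModuleName, &ansiModuleName, FALSE);
if (!NT_SUCCESS(status)) {
uniModuleName.Length = 0;
}
driverInfo->ModuleName[uniModuleName.Length / sizeof(WCHAR)] = L'\0';
}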