首页
社区
课程
招聘
问答 CTF 排行榜 知识库 工具下载 峰会 看雪商城 证书查询
  1. 社区
  2. 付费问答
    3. 发新帖
[旧帖] [求助]驱动程序通过进程名查找pid的问题? 0.00雪花
发表于: 2009-12-1 12:27 1790

[旧帖] [求助]驱动程序通过进程名查找pid的问题? 0.00雪花

Avada 活跃值
2009-12-1 12:27
1790
以下为关键代码,定义全局字符串变量proName,然后通过zwQuerySystemInformation函数得到一个含有进程名和进程pid的链表,然后遍历该链表,得到pid,驱动程序编译通过了,但是一运行就蓝屏,请大家指点指点(问题可能比较菜~~~),完整代码在附件里

 
typedef enum _SYSTEM_INFORMATION_CLASS { 
 SystemBasicInformation,     // 0 
 SystemProcessorInformation,    // 1 
 SystemPerformanceInformation,    // 2
 SystemTimeOfDayInformation,    // 3
 SystemNotImplemented1,     // 4
 SystemProcessesAndThreadsInformation,   // 5
 SystemCallCounts,      // 6
 SystemConfigurationInformation,    // 7
 SystemProcessorTimes,     // 8
 SystemGlobalFlag,      // 9
 SystemNotImplemented2,     // 10
 SystemModuleInformation,     // 11
 SystemLockInformation,     // 12
 SystemNotImplemented3,     // 13
 SystemNotImplemented4,     // 14
 SystemNotImplemented5,     // 15
 SystemHandleInformation,     // 16
 SystemObjectInformation,     // 17
 SystemPagefileInformation,     // 18
 SystemInstructionEmulationCounts,    // 19
 SystemInvalidInfoClass1,     // 20
 SystemCacheInformation,     // 21
 SystemPoolTagInformation,     // 22
 SystemProcessorStatistics,     // 23
 SystemDpcInformation,     // 24
 SystemNotImplemented6,     // 25
 SystemLoadImage,      // 26
 SystemUnloadImage,     // 27
 SystemTimeAdjustment,     // 28
 SystemNotImplemented7,     // 29
 SystemNotImplemented8,     // 30
 SystemNotImplemented9,     // 31
 SystemCrashDumpInformation,    // 32
 SystemExceptionInformation,    // 33
 SystemCrashDumpStateInformation,    // 34
 SystemKernelDebuggerInformation,    // 35
 SystemContextSwitchInformation,    // 36
 SystemRegistryQuotaInformation,    // 37
 SystemLoadAndCallImage,     // 38
 SystemPrioritySeparation,     // 39
 SystemNotImplemented10,     // 40
 SystemNotImplemented11,     // 41
 SystemInvalidInfoClass2,     // 42
 SystemInvalidInfoClass3,     // 43
 SystemTimeZoneInformation,     // 44
 SystemLookasideInformation,    // 45
 SystemSetTimeSlipEvent,     // 46
 SystemCreateSession,     // 47
 SystemDeleteSession,     // 48
 SystemInvalidInfoClass4,     // 49
 SystemRangeStartInformation,    // 50
 SystemVerifierInformation,     // 51
 SystemAddVerifier,     // 52
 SystemSessionProcessesInformation    // 53
} SYSTEM_INFORMATION_CLASS;
typedef struct _SYSTEM_THREAD_INFORMATION {
 LARGE_INTEGER KernelTime;
 LARGE_INTEGER UserTime;
 LARGE_INTEGER CreateTime;
 ULONG WaitTime;
 PVOID StartAddress;
 CLIENT_ID ClientId;
 KPRIORITY Priority;
 KPRIORITY BasePriority;
 ULONG ContextSwitchCount;
 LONG State;
 LONG WaitReason;
} SYSTEM_THREAD_INFORMATION, * PSYSTEM_THREAD_INFORMATION;
typedef struct _SYSTEM_PROCESS_INFORMATION {
 ULONG NextEntryDelta;
 ULONG ThreadCount;
 ULONG Reserved1[6];
 LARGE_INTEGER CreateTime;
 LARGE_INTEGER UserTime;
 LARGE_INTEGER KernelTime;
 UNICODE_STRING ProcessName;
 KPRIORITY BasePriority;
 ULONG ProcessId;
 ULONG InheritedFromProcessId;
 ULONG HandleCount;
 ULONG Reserved2[2];
 VM_COUNTERS VmCounters;
 IO_COUNTERS IoCounters;
 SYSTEM_THREAD_INFORMATION Threads[1];
} SYSTEM_PROCESS_INFORMATION, * PSYSTEM_PROCESS_INFORMATION;


wchar_t ProName[20] = L"explorer.exe";//进程名
long pid; //进程pid,保存得到的pid


int getProcessIdByName()
{
 ULONG cbBuffer = 0x8000; // 初始化缓冲大小 32kb
 PVOID pBuffer = NULL;
 NTSTATUS Status;
 PSYSTEM_PROCESS_INFORMATION pInfo;
 do
 {
  pBuffer = ExAllocatePool (NonPagedPool, cbBuffer); //分配内存缓冲区
  if (pBuffer == NULL) // 如果内存分配失败
   return -1;
         Status = ZwQuerySystemInformation(SystemProcessesAndThreadsInformation, pBuffer, cbBuffer, NULL);
  if (Status == STATUS_INFO_LENGTH_MISMATCH) //如果缓冲区太小
  {
   ExFreePool(pBuffer); // 释放缓冲区
   cbBuffer *= 2; // 增加缓冲区到原来的两倍大小 
  }
  else if (!NT_SUCCESS(Status)) // 如果执行失败
  {
   ExFreePool(pBuffer); // 释放分配的内存
   return -1; //返回1并拖出
  }
 }
 while (Status == STATUS_INFO_LENGTH_MISMATCH);
 pInfo = (PSYSTEM_PROCESS_INFORMATION)pBuffer;
 for (;;) 
 {
  LPWSTR pszProcessName = pInfo->ProcessName.Buffer;
  if (pszProcessName == NULL) 
   pszProcessName = L"NULL"; // 如果获取文件名失败
  if ( wcsstr(pInfo->ProcessName.Buffer,ProName) )
  {
   return (int)(pInfo->ProcessId);
  }
  //DbgPrint("pid %d ps %S\n",pInfo->ProcessId,pInfo->ProcessName.Buffer);
  if (pInfo->NextEntryDelta == 0) 
   break; 
  pInfo = (PSYSTEM_PROCESS_INFORMATION)(((PUCHAR)pInfo)+ pInfo->NextEntryDelta); 
 }
 ExFreePool(pBuffer);
 return -2; 
}

[培训]内核驱动高级班,冲击BAT一流互联网大厂工作,每周日13:00-18:00直播授课

上传的附件:
收藏
免费 0
支持
分享
最新回复 (1)
moonife
雪    币: 370
活跃值: (52)
能力值: ( LV13,RANK:350 )
在线值:
发帖
回帖
粉丝
私信
2
LPWSTR pszProcessName = pInfo->ProcessName.Buffer;
  if (pszProcessName == NULL)
   pszProcessName = L"NULL"; // 如果获取文件名失败
  if ( wcsstr(pInfo->ProcessName.Buffer,ProName) )
  {
   return (int)(pInfo->ProcessId);
  }
当pInfo->ProcessName.Buffer=NULL 时
在wcsstr(pInfo->ProcessName.Buffer,ProName)中发生非法访问0地址
mov     dx,word ptr [eax] (eax=0)
其实这个问题你有想到要过滤了pszProcessName = L"NULL";只是可能失误没写对
wcsstr(pszProcessName,ProName)这样就好了

windbg command:!analyze -v
PROCESS_NAME: spoolsv.exe

FAULTING_IP:
nt!wcsstr+16
8053bdfb 668b10 mov dx,word ptr [eax]

EXCEPTION_RECORD: ffffffff -- (.exr 0xffffffffffffffff)
ExceptionAddress: 8053bdfb (nt!wcsstr+0x00000016)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 00000000
Parameter[1]: 00000000
Attempt to read from address 00000000

ERROR_CODE: (NTSTATUS) 0xc0000005 - "0x%08lx"

EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - "0x%08lx"

EXCEPTION_PARAMETER1: 00000000

EXCEPTION_PARAMETER2: 00000000

READ_ADDRESS: 00000000

FOLLOWUP_IP:
MyDriverTry!getProcessIdByName+ba [f:\mydriver\mydrivertry.c @ 322]
f7a2954a 83c408 add esp,8

BUGCHECK_STR: ACCESS_VIOLATION

DEFAULT_BUCKET_ID: NULL_DEREFERENCE

LAST_CONTROL_TRANSFER: from f7a2954a to 8053bdfb

STACK_TEXT:
f5960d20 f7a2954a 00000000 f7a29700 f7a29480 nt!wcsstr+0x16
f5960d44 f7a298da f5960d64 805419ac 0110f754 MyDriverTry!getProcessIdByName+0xba [f:\mydriver\mydrivertry.c @ 322]
f5960d4c 805419ac 0110f754 00000400 0110f724 MyDriverTry!NewZwOpenProcess+0xa [f:\mydriver\mydrivertry.c @ 242]
f5960d4c 7c92eb94 0110f754 00000400 0110f724 nt!KiFastCallEntry+0xfc
0110f6fc 7c92dd87 7c812ffe 0110f754 00000400 ntdll!KiFastSystemCallRet
0110f700 7c812ffe 0110f754 00000400 0110f724 ntdll!ZwOpenProcess+0xc
0110f748 769c008e 000003d4 0110f770 76991a70 kernel32!ProcessIdToSessionId+0x5f
0110f768 769c0dcb 00000000 7699ca20 7699c6f0 ole32!AddHydraSessionID+0x54
0110ff10 769b0575 74c2bd1c 00000000 00000017 ole32!ICoCreateInstanceEx+0x202
0110ff38 769b0544 74c2bd1c 00000000 00000017 ole32!CComActivator::DoCreateInstance+0x28
0110ff5c 769b05b2 74c2bd1c 00000000 00000017 ole32!CoCreateInstanceEx+0x1e
0110ff8c 74c2bce7 74c2bd1c 00000000 00000017 ole32!CoCreateInstance+0x37
0110ffb4 7c80b6a3 00a82e28 000af3d0 00000000 localspl!InstallWebPrnSvcWorkerThread+0x4c
0110ffec 00000000 74c2bca3 00a82e28 00000000 kernel32!BaseThreadStart+0x37


STACK_COMMAND: kb

FAULTING_SOURCE_CODE:
318: {
319: LPWSTR pszProcessName = pInfo->ProcessName.Buffer;
320: if (pszProcessName == NULL)
321: pszProcessName = L"NULL"; // ¨¨?1???¨¨????t??¨º¡ì¡ã¨¹
> 322: if ( wcsstr(pInfo->ProcessName.Buffer,ProName) )
323: {
324: return (int)(pInfo->ProcessId);
325: }
326:
327: //DbgPrint("pid %d ps %S\n",pInfo->ProcessId,pInfo->ProcessName.Buffer);


SYMBOL_STACK_INDEX: 1

SYMBOL_NAME: MyDriverTry!getProcessIdByName+ba

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: MyDriverTry

IMAGE_NAME: MyDriverTry.sys

DEBUG_FLR_IMAGE_TIMESTAMP: 4b14b9bb

FAILURE_BUCKET_ID: ACCESS_VIOLATION_MyDriverTry!getProcessIdByName+ba

BUCKET_ID: ACCESS_VIOLATION_MyDriverTry!getProcessIdByName+ba

Followup: MachineOwner

!analyze -v 很强悍的扩展命令
2009-12-1 15:13
0
游客
登录 | 注册 方可回帖
回帖 表情 雪币赚取及消费
高级回复
返回
//