-
-
[旧帖] [求助]菜鸟关于驱动和应用程序通信问题 0.00雪花
-
发表于: 2011-10-8 19:59
-
我最近想写个用驱动遍历读取EPROCESS,从而显示系统所有进程的程序,但是数据交互中出了点问题,大家帮忙看下吧 谢谢了。
应用程序部分
typedef struct _PROCESS_INFO
{
PUCHAR pImageFileName;
ULONG dwProcessId;
}PROCESS_INFO,*PPROCESS_INFO;
typedef struct _DEVICE_EXTENSION
{
ULONG data_num;
PROCESS_INFO process_info[30];
}DEVICE_EXTENSION;
。。。。。
DEVICE_EXTENSION dev_extentsion;
ULONG NumOfByte;
DeviceIoControl(hDev,GET_EPROCESS,NULL,0,&dev_extentsion,sizeof(DEVICE_EXTENSION),&NumOfByte,NULL);
驱动部分
DEVICE_EXTENSION dev_extension;
//将EPROCESS内容存储到结构变量dev_extension中提供给应用程序
NTSTATUS GetProcessInfo()
{
ULONG FirstProcess;
ULONG EProcess;
ULONG i = 0;
PLIST_ENTRY ActiveProcessLinks;
EProcess = FirstProcess = (ULONG)PsGetCurrentProcess();
for (i;dev_extension.data_num < MAX_PROCESS_NUM;i++)
{
dev_extension.process_info[i].dwProcessId = *(PULONG)(EProcess+PID_OFFSET);
dev_extension.process_info[i].pImageFileName = (PUCHAR)(EProcess+PNAME_OFFSET);
dev_extension.data_num++;
ActiveProcessLinks = (PLIST_ENTRY)(EProcess+PLINK_OFFSET);
EProcess = (ULONG)ActiveProcessLinks->Flink-PLINK_OFFSET;
if (EProcess == FirstProcess)
break;
}
return STATUS_SUCCESS;
}
NTSTATUS DriverIoControlDispatch(IN PDEVICE_OBJECT pDevobj,IN PIRP pIrp)
{
PIO_STACK_LOCATION stack =
IoGetCurrentIrpStackLocation(pIrp);
ULONG code;
PVOID IoBuffer = pIrp->AssociatedIrp.SystemBuffer;
ULONG DesireLength;
ULONG OutputBufferLength ;
code = stack->Parameters.DeviceIoControl.IoControlCode;
KdPrint(("enter my deviceControl\n"));
switch (code)
{
case GET_EPROCESS:
{
ULONG i = 0;
ULONG test;
GetProcessInfo();
DesireLength = sizeof(PROCESS_INFO)*MAX_PROCESS_NUM + sizeof(ULONG);
OutputBufferLength = stack->Parameters.DeviceIoControl.OutputBufferLength;
if (DesireLength > OutputBufferLength)
{
DbgPrint("desireLength = %lu
outputBufferlength = %lu",DesireLength,OutputBufferLength);
DbgPrint("the output buffer is too small");
break;
}
RtlCopyMemory(IoBuffer, &dev_extension.data_num, DesireLength);
dev_extension.data_num = 0;
break;
}
}
在驱动中用DbgPrint输出显示很正常,所以应该是传递的问题。请大家帮帮忙,或者给我说下 应该看哪个方面的东西,谢谢
应用程序部分
typedef struct _PROCESS_INFO
{
PUCHAR pImageFileName;
ULONG dwProcessId;
}PROCESS_INFO,*PPROCESS_INFO;
typedef struct _DEVICE_EXTENSION
{
ULONG data_num;
PROCESS_INFO process_info[30];
}DEVICE_EXTENSION;
。。。。。
DEVICE_EXTENSION dev_extentsion;
ULONG NumOfByte;
DeviceIoControl(hDev,GET_EPROCESS,NULL,0,&dev_extentsion,sizeof(DEVICE_EXTENSION),&NumOfByte,NULL);
驱动部分
DEVICE_EXTENSION dev_extension;
//将EPROCESS内容存储到结构变量dev_extension中提供给应用程序
NTSTATUS GetProcessInfo()
{
ULONG FirstProcess;
ULONG EProcess;
ULONG i = 0;
PLIST_ENTRY ActiveProcessLinks;
EProcess = FirstProcess = (ULONG)PsGetCurrentProcess();
for (i;dev_extension.data_num < MAX_PROCESS_NUM;i++)
{
dev_extension.process_info[i].dwProcessId = *(PULONG)(EProcess+PID_OFFSET);
dev_extension.process_info[i].pImageFileName = (PUCHAR)(EProcess+PNAME_OFFSET);
dev_extension.data_num++;
ActiveProcessLinks = (PLIST_ENTRY)(EProcess+PLINK_OFFSET);
EProcess = (ULONG)ActiveProcessLinks->Flink-PLINK_OFFSET;
if (EProcess == FirstProcess)
break;
}
return STATUS_SUCCESS;
}
NTSTATUS DriverIoControlDispatch(IN PDEVICE_OBJECT pDevobj,IN PIRP pIrp)
{
PIO_STACK_LOCATION stack =
IoGetCurrentIrpStackLocation(pIrp);
ULONG code;
PVOID IoBuffer = pIrp->AssociatedIrp.SystemBuffer;
ULONG DesireLength;
ULONG OutputBufferLength ;
code = stack->Parameters.DeviceIoControl.IoControlCode;
KdPrint(("enter my deviceControl\n"));
switch (code)
{
case GET_EPROCESS:
{
ULONG i = 0;
ULONG test;
GetProcessInfo();
DesireLength = sizeof(PROCESS_INFO)*MAX_PROCESS_NUM + sizeof(ULONG);
OutputBufferLength = stack->Parameters.DeviceIoControl.OutputBufferLength;
if (DesireLength > OutputBufferLength)
{
DbgPrint("desireLength = %lu
outputBufferlength = %lu",DesireLength,OutputBufferLength);
DbgPrint("the output buffer is too small");
break;
}
RtlCopyMemory(IoBuffer, &dev_extension.data_num, DesireLength);
dev_extension.data_num = 0;
break;
}
}
在驱动中用DbgPrint输出显示很正常,所以应该是传递的问题。请大家帮帮忙,或者给我说下 应该看哪个方面的东西,谢谢
[培训]《安卓高级研修班(网课)》月薪三万计划,掌握调试、分析还原ollvm、vmp的方法,定制art虚拟机自动化脱壳的方法
