日本免费高清视频-国产福利视频导航-黄色在线播放国产-天天操天天操天天操天天操|www.shdianci.com

學無先后,達者為師

網站首頁 編程語言 正文

詳解C語言內核中的鏈表與結構體_C 語言

作者:lyshark ? 更新時間: 2022-11-19 編程語言

Windows內核中是無法使用vector容器等數據結構的,當我們需要保存一個結構體數組時,就需要使用內核中提供的專用鏈表結構LIST_ENTRY通過一些列鏈表操作函數對結構體進行裝入彈出等操作,如下代碼是本人總結的內核中使用鏈表存儲多個結構體的通用案例。

首先實現一個枚舉用戶進程功能,將枚舉到的進程存儲到鏈表結構體內。

#include <ntifs.h>
#include <windef.h>

extern PVOID PsGetProcessPeb(_In_ PEPROCESS Process);
NTKERNELAPI NTSTATUS PsLookupProcessByProcessId(HANDLE ProcessId, PEPROCESS *Process);
extern NTKERNELAPI PVOID PsGetProcessWow64Process(_In_ PEPROCESS Process);
extern NTKERNELAPI UCHAR* PsGetProcessImageFileName(IN PEPROCESS Process);
extern NTKERNELAPI HANDLE PsGetProcessInheritedFromUniqueProcessId(IN PEPROCESS Process);

typedef struct
{
	DWORD Pid;
	UCHAR ProcessName[2048];
	DWORD Handle;
	LIST_ENTRY ListEntry;
}ProcessList;

// 根據進程ID返回進程EPROCESS結構體失敗返回NULL
PEPROCESS LookupProcess(HANDLE Pid)
{
	PEPROCESS eprocess = NULL;
	NTSTATUS Status = STATUS_UNSUCCESSFUL;
	Status = PsLookupProcessByProcessId(Pid, &eprocess);
	if (NT_SUCCESS(Status))
	{
		return eprocess;
	}
	return NULL;
}

// 內核鏈表操作
// By: LyShark
BOOLEAN GetAllProcess()
{
	PEPROCESS eproc = NULL;
	LIST_ENTRY linkListHead;

	// 初始化鏈表頭部
	InitializeListHead(&linkListHead);
	ProcessList *pData = NULL;

	for (int temp = 0; temp < 100000; temp += 4)
	{
		eproc = LookupProcess((HANDLE)temp);
		if (eproc != NULL)
		{
			STRING nowProcessnameString = { 0 };
			RtlInitString(&nowProcessnameString, PsGetProcessImageFileName(eproc));

			// DbgPrint("進程名: %s --> 進程PID = %d --> 父進程PPID = %d\r\n", 
			// PsGetProcessImageFileName(eproc), PsGetProcessId(eproc), PsGetProcessInheritedFromUniqueProcessId(eproc));

			// 分配內核堆空間
			pData = (ProcessList *)ExAllocatePool(PagedPool, sizeof(ProcessList));
			RtlZeroMemory(pData, sizeof(ProcessList));

			// 設置變量
			pData->Pid = (DWORD)PsGetProcessId(eproc);
			RtlCopyMemory(pData->ProcessName, PsGetProcessImageFileName(eproc), strlen(PsGetProcessImageFileName(eproc)) * 2);
			pData->Handle = (DWORD)PsGetProcessInheritedFromUniqueProcessId(eproc);

			// 插入元素到
			InsertTailList(&linkListHead, &pData->ListEntry);
			ObDereferenceObject(eproc);
		}
	}

	// 輸出鏈表內的數據
	while (!IsListEmpty(&linkListHead))
	{
		LIST_ENTRY *pEntry = RemoveHeadList(&linkListHead);
		pData = CONTAINING_RECORD(pEntry, ProcessList, ListEntry);

		DbgPrint("%d \n", pData->Pid);
		DbgPrint("%s \n", pData->ProcessName);
		DbgPrint("%d \n", pData->Handle);
		ExFreePool(pData);
	}
	return TRUE;
}

VOID UnDriver(PDRIVER_OBJECT driver)
{
	DbgPrint(("Uninstall Driver Is OK \n"));
}

NTSTATUS DriverEntry(IN PDRIVER_OBJECT Driver, PUNICODE_STRING RegistryPath)
{
	DbgPrint("hello lyshark.com \n");

	GetAllProcess();

	Driver->DriverUnload = UnDriver;
	return STATUS_SUCCESS;
}

運行后將可以在DbgView中看到輸出的進程信息:

如果需要返回一個結構體,則可以這樣來寫代碼。

#include <ntifs.h>
#include <windef.h>

typedef struct
{
	int count;
	char username[256];
	char password[256];
}MyData;

// 模擬返回一個結構
BOOLEAN GetProcess(PVOID OutPut)
{
	RtlZeroMemory(OutPut, sizeof(MyData));
	MyData *data = OutPut;

	data->count = 100;
	RtlCopyMemory(data->username, "lyshark.com", sizeof("lyshark.com"));
	RtlCopyMemory(data->password, "https://www.cnblogs.com/lyshark", sizeof("https://www.cnblogs.com/lyshark"));
	return TRUE;
}

VOID UnDriver(PDRIVER_OBJECT driver)
{
	DbgPrint(("Uninstall Driver Is OK \n"));
}

NTSTATUS DriverEntry(IN PDRIVER_OBJECT Driver, PUNICODE_STRING RegistryPath)
{
	DbgPrint("hello lyshark.com \n");
	PVOID Ptr = (PVOID)ExAllocatePool(NonPagedPool, sizeof(MyData));


	GetProcess(Ptr);

	MyData *data = (MyData *)Ptr;

	DbgPrint("count = %d \n", data->count);
	DbgPrint("username = %s \n", data->username);
	DbgPrint("password = %s \n", data->password);

	Driver->DriverUnload = UnDriver;
	return STATUS_SUCCESS;
}

輸出效果如下:

原文鏈接:https://www.cnblogs.com/LyShark/p/16723935.html

欄目分類
最近更新