
C++ GetModuleFileName does not return correct strings

Sometimes GetModuleFileName returns the correct string; however, 99% of the time with the current code I am using, the string comes back as ÀÙáøÛáws\\system32\\HID.DLL instead of E:\\Windows\\system32\\HID.DLL, which should be the correct value. With this in mind I can't compare the string with a list of all modules that should be loaded to see if that string is in the list; if it is not, someone injected that DLL.

This code below might not be the best, however it is the code I attempted to use for this. I did try all sorts of code changes to try to figure it out, like not using TCHAR and investigating the returns from EnumProcessModules.

void _scan_dll_data(VBTrpSetup_t &setup, VBTrp_DetectData_t &_ret, VBTrp_InjectData_t &_dlllists) {
    bool _detected_injected_dll = false;
    std::vector<std::string> _ModuleContainer;
    std::string _ModuleName;
    HMODULE hMods[1024];  /* Hopefully enough for this. */
    DWORD cbNeeded;
    if (EnumProcessModules(setup.GameProcHandle, hMods, sizeof(hMods), &cbNeeded)) {
        for (unsigned int i = 0; i < (cbNeeded / sizeof(HMODULE)); i++ ) {
            char szModName[MAX_PATH];
            if (GetModuleFileName(hMods[i], szModName, sizeof(szModName) / sizeof(char))) {
                _ModuleName = szModName;
                for (unsigned int i = 0; i < _dlllists.ModuleExcludeList.size(); i++) {
                    // item must not be in the ModuleExcludeList!!!
                    if (!_dlllists.ModuleExcludeList[i].compare(_ModuleName)) {
                        _ModuleContainer.push_back(_ModuleName);
                    }
                }
            }
        }
    }
    if (_dlllists.ModuleList != _ModuleContainer) {
        _detected_injected_dll = true;
        _ret.DLLName = reinterpret_cast<LPCSTR>(_ModuleName.c_str());
    }
    if (_detected_injected_dll) {
        _ret.value = TRUE;
    }
    else {
        _ret.value = FALSE;
    }
    if (_ret.value == TRUE) {
        _ret.int_value = -1;
    } else {
        _ret.int_value = NULL;
    }
}

Hopefully the answer is something simple that I must have missed. I did do some parts of this according to MSDN examples. Maybe those examples were wrong. I am not so sure. Does anyone know how to fix this string issue it returns?

The fix was to definitely use the Unicode versions and to make the whole function use wide Unicode strings. And the reason for this is because of a struct (related to the PEB) that is internal to ntdll.dll and undocumented.

So, basically: changing everything to the GetModuleBaseNameW function because of the fact I was going to basename them anyway later, using wstring, noticing a second loop using i causing an overwrite of the i on the outer for loop and removing it, and adding checks on GetLastError for when the handle is invalidated, to return the error code to the end user to handle cleanup.

The result is then this code:

#include <windows.h>
#include <psapi.h>      // EnumProcessModulesEx / GetModuleBaseNameW (link Psapi.lib on older SDKs)
#include <algorithm>
#include <string>
#include <vector>

void _scan_dll_data(VBTrpSetup_t &setup, VBTrp_DetectData_t &_ret, VBTrp_InjectData_t &_dlllists) {
    BOOL _detected_injected_dll = FALSE;
    std::vector<std::wstring> _ModuleContainer;
    HANDLE hProcess;
    // The buffer must actually be allocated: EnumProcessModulesEx writes into it.
    // (Assumes setup.NumOfModules is a module count.)
    std::vector<HMODULE> hMods(setup.NumOfModules);
    DWORD cbNeeded = 0;
    hProcess = GetCurrentProcess();
    _ret.int_value = 0;
    _ret.error_code = 0;    // otherwise the ERROR_INVALID_HANDLE test below reads garbage
    DWORD cb = static_cast<DWORD>(hMods.size() * sizeof(HMODULE));
    if (EnumProcessModulesEx(hProcess, hMods.data(), cb, &cbNeeded, LIST_MODULES_ALL)) {
        // cbNeeded can exceed the buffer we passed; never iterate past what was filled.
        DWORD count = (std::min)(cbNeeded, cb) / sizeof(HMODULE);
        for (DWORD i = 0; i < count; i++) {
            wchar_t szModName[MAX_PATH] = L"";   // a real buffer, not a null pointer
            std::wstring _ModuleName;
            if (GetModuleBaseNameW(hProcess, hMods[i], szModName, MAX_PATH)) {
                _ModuleName = szModName;
                // item must not be in the ModuleExcludeList!!!
                bool excluded = std::find(_dlllists.ModuleExcludeList.begin(),
                                          _dlllists.ModuleExcludeList.end(),
                                          _ModuleName) != _dlllists.ModuleExcludeList.end();
                if (!excluded) {
                    _ModuleContainer.push_back(_ModuleName);
                }
            } else {
                _ret.error_code = GetLastError();
            }
        }
    } else {
        _ret.error_code = GetLastError();
    }
    if (_ret.error_code != ERROR_INVALID_HANDLE) {
        // Walk the longer of the two lists so an extra module at the end is caught too.
        size_t n = (std::max)(_dlllists.ModuleList.size(), _ModuleContainer.size());
        for (size_t j = 0; j < n; j++) {
            bool missing  = j >= _ModuleContainer.size();
            bool extra    = j >= _dlllists.ModuleList.size();
            if (missing || extra || _dlllists.ModuleList[j] != _ModuleContainer[j]) {
                _detected_injected_dll = TRUE;
                _ret.int_value = -1;
                // _ModuleContainer is local, so a pointer into it would dangle after return;
                // copy the name instead (assumption: the caller releases DLLName with free()).
                _ret.DLLName = _wcsdup(missing ? L"" : _ModuleContainer[j].c_str());
                // to avoid overwriting the first one.
                break;
            }
        }
        _ret.value = _detected_injected_dll;
    }
}
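Both posts above turn on the same two points: which API resolves a module name for a given process handle, and how the list of loaded modules is compared against the expected list. The example below is added illustration, not code from the question or from its answer; the names unexpected_modules, base_name, list_remote_modules and demo_scan are invented for it, and the module lists inside demo_scan are constructed sample data. GetModuleFileNameW only resolves modules of the calling process; for module handles enumerated from another process handle, the documented calls are GetModuleFileNameExW and GetModuleBaseNameW, which take that process handle. The comparison is done as a set of normalized base names rather than position by position, so it does not depend on load order and also reports a module appended after the expected ones, which a walk over ModuleList alone never visits.

```cpp
// Added example (not the asker's code): portable allowlist comparison plus a
// Windows-only enumeration helper built on the ...Ex variants of the API.
#include <algorithm>
#include <cwctype>
#include <iostream>
#include <set>
#include <string>
#include <vector>

// Lower-case a wide string so comparisons are case-insensitive
// (Windows paths are case-insensitive; HID.DLL and hid.dll are the same file).
static std::wstring to_lower(std::wstring s) {
    std::transform(s.begin(), s.end(), s.begin(),
                   [](wchar_t c) { return static_cast<wchar_t>(std::towlower(c)); });
    return s;
}

// Reduce a full path such as E:\Windows\system32\HID.DLL to hid.dll.
static std::wstring base_name(const std::wstring &path) {
    size_t pos = path.find_last_of(L"\\/");
    return to_lower(pos == std::wstring::npos ? path : path.substr(pos + 1));
}

// Return every loaded module whose base name is not on the allowlist,
// regardless of load order (a positional compare breaks when order differs).
std::vector<std::wstring> unexpected_modules(const std::vector<std::wstring> &loaded,
                                             const std::vector<std::wstring> &allowlist) {
    std::set<std::wstring> allowed;
    for (const auto &m : allowlist) allowed.insert(base_name(m));
    std::vector<std::wstring> result;
    for (const auto &path : loaded) {
        if (!allowed.count(base_name(path))) result.push_back(path);
    }
    return result;
}

// Constructed sample data standing in for what enumeration would return.
std::vector<std::wstring> demo_scan() {
    std::vector<std::wstring> loaded = {
        L"E:\\Windows\\system32\\ntdll.dll",
        L"E:\\Windows\\system32\\HID.DLL",
        L"C:\\Temp\\injected.dll"            // constructed: not on the allowlist
    };
    std::vector<std::wstring> allowlist = { L"hid.dll", L"NTDLL.DLL" };
    return unexpected_modules(loaded, allowlist);
}

#ifdef _WIN32
#include <windows.h>
#include <psapi.h>   // link with Psapi.lib on older toolchains

// Enumerate full module paths of the process behind `process`. The handle needs
// PROCESS_QUERY_INFORMATION | PROCESS_VM_READ. Returns false and sets `error`
// from GetLastError() on failure.
bool list_remote_modules(HANDLE process, std::vector<std::wstring> &out, DWORD &error) {
    std::vector<HMODULE> mods(1024);
    DWORD needed = 0;
    if (!EnumProcessModulesEx(process, mods.data(),
                              static_cast<DWORD>(mods.size() * sizeof(HMODULE)),
                              &needed, LIST_MODULES_ALL)) {
        error = GetLastError();
        return false;
    }
    // cbNeeded may exceed the buffer supplied; only read what was actually filled.
    size_t count = (std::min)(static_cast<size_t>(needed / sizeof(HMODULE)), mods.size());
    for (size_t i = 0; i < count; ++i) {
        wchar_t path[MAX_PATH];
        DWORD len = GetModuleFileNameExW(process, mods[i], path, MAX_PATH);
        if (len == 0) { error = GetLastError(); return false; }
        out.emplace_back(path, len);
    }
    error = 0;
    return true;
}
#endif

int main() {
    for (const auto &m : demo_scan())
        std::wcout << L"unexpected module: " << m << L"\n";
    return 0;
}
```

On Windows, feed the `out` vector from list_remote_modules straight into unexpected_modules together with the expected list; the portable part compiles and runs anywhere, which is also the part worth unit-testing, since the enumeration helper is a thin wrapper over two documented calls.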
