I am developing a kernel driver and a DLL that communicate with each other. I am trying to write a snapshot function and a walk function.
My struct is:
// One entry of the module snapshot that the driver hands out to the DLL,
// one entry per call of ProcModulesWalk.
// NOTE(review): Name is filled from a PagedPool allocation made in the
// snapshot; if this struct is copied to the user-mode DLL as-is, that
// pointer is a kernel address the DLL cannot dereference — confirm how
// the name is meant to reach user mode.
struct SM_MSI {
wchar_t* Name;      // NUL-terminated base DLL name, 256 wchar_t PagedPool buffer owned by the snapshot
SIZE_T Size;        // copied from LDR_DATA_TABLE_ENTRY.SizeOfImage
uintptr_t Address;  // copied from LDR_DATA_TABLE_ENTRY.DllBase
};
In my snapshot function I do this:
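// Snapshot the target process's in-load-order module list into ModulesList.
// Expected state from the enclosing function (not visible here): `index`
// holds the number of entries to reserve, `pPeb` points at the target
// process's PEB, and `ModulesList` / `ModulesListCount` are the module-level
// state consumed later by ProcModulesWalk.
// NOTE(review): pPeb is a user-mode address; reading it is assumed to happen
// in the right process context and under an exception handler — confirm.
if (index > MAXSIZE_T / sizeof(SM_MSI)) {
    return STATUS_UNSUCCESSFUL; // sizeof(SM_MSI) * index would overflow
}
const SIZE_T capacity = index; // `index` is reused as the write cursor below
ModulesList = ExAllocatePool(PagedPool, sizeof(SM_MSI) * capacity);
if (ModulesList == NULL) {
    return STATUS_UNSUCCESSFUL;
}
SM_MSI* entries = (SM_MSI*)ModulesList;
index = 0;
PLIST_ENTRY listHead = &((PPEB_LDR_DATA)pPeb->Ldr)->InLoadOrderModuleList;
for (PLIST_ENTRY pListEntry = listHead->Flink; pListEntry != listHead; pListEntry = pListEntry->Flink)
{
    if (index >= capacity) {
        break; // the list may have grown since `index` was counted; never write past the allocation
    }
    PLDR_DATA_TABLE_ENTRY pEntry = CONTAINING_RECORD(pListEntry, LDR_DATA_TABLE_ENTRY, InLoadOrderLinks);
    // Same acceptance rule as before: a present buffer whose Length (bytes) is below 256.
    if (pEntry->BaseDllName.Buffer == NULL || pEntry->BaseDllName.Length >= 256) {
        continue;
    }
    SM_MSI temp = { 0 };
    // Each Name is its own PagedPool allocation; nothing on this page frees it.
    temp.Name = (wchar_t*)ExAllocatePool(PagedPool, sizeof(wchar_t) * 256);
    if (temp.Name != NULL) {
        // UNICODE_STRING.Length is a byte count and the buffer is not
        // guaranteed to be NUL-terminated, so copy exactly Length bytes and
        // terminate ourselves rather than letting wcscpy_s scan for a
        // terminator that may not exist. Length < 256 bytes always fits.
        memcpy(temp.Name, pEntry->BaseDllName.Buffer, pEntry->BaseDllName.Length);
        temp.Name[pEntry->BaseDllName.Length / sizeof(wchar_t)] = L'\0';
    }
    temp.Size = pEntry->SizeOfImage;
    temp.Address = (uintptr_t)pEntry->DllBase;
    entries[index++] = temp;
    ModulesListCount = ModulesListCount + 1;
}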
In my walk function I do this:
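// Hand the caller the next snapshotted module entry, in load order.
//
// module_sys_info: caller-provided buffer that receives one SM_MSI by value.
//                  The Name pointer it receives refers to the PagedPool
//                  allocation made by the snapshot, not to caller memory.
//                  Assumed to be a buffer already validated by the I/O path
//                  (e.g. the IRP system buffer) — confirm; a raw user pointer
//                  would need probing before memcpy.
// Returns STATUS_INVALID_PARAMETER when module_sys_info is NULL,
// STATUS_ACCESS_DENIED when no snapshot is pending, STATUS_SUCCESS otherwise.
// Side effects: advances ModulesListIndex; once the last entry has been
// handed out, resets the counters and frees ModulesList.
// NOTE(review): the per-entry Name buffers are not released here, and the
// module-level state is shared by every caller without synchronization —
// confirm both are intended.
NTSTATUS ProcModulesWalk(OUT SM_MSI* module_sys_info) {
    if (module_sys_info == NULL) {
        return STATUS_INVALID_PARAMETER; // an unallocated output buffer is the fault reported on this page
    }
    if (ModulesListCount == 0 || ModulesList == NULL) {
        return STATUS_ACCESS_DENIED;
    }
    const SM_MSI* entries = (const SM_MSI*)ModulesList;
    memcpy(module_sys_info, &entries[ModulesListIndex], sizeof(SM_MSI));
    ModulesListIndex++;
    if (ModulesListIndex >= ModulesListCount) {
        // Last entry delivered: tear the snapshot down and drop the pointer so a
        // later call can never read or free the released allocation again.
        ModulesListCount = 0;
        ModulesListIndex = 0;
        ExFreePool(ModulesList); // free memory
        ModulesList = NULL;
        DbgPrintEx(0, 0, "free memory\n");
    }
    return STATUS_SUCCESS;
}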
When I use these functions in my DriverEntry (when the driver loads) everything works fine. But when I call them from the DLL everything "works fine" only for 2 seconds, and then I get a blue screen.
When I try to remove the Name variable from the SM_MSI struct everything works perfectly?! So I understand the problem is the "wchar_t* Name", but I need this name, so any idea what to do?
OK guys, I solved it. I forgot to allocate memory before sending it to the DLL and then to the driver.
You are trying to have your driver find the base address and size of a module in a process given the module name. The solution is to not use a driver at all, and simply call EnumProcessModules. If the process you are trying to access has special protection, you shouldn't be tampering with it anyway; that would result in undefined behaviour.