在网上找到这段代码,是 SYS 驱动程序的一个函数,用来获取当前进程的全路径,程序运行良好。但其中有一句很迷惑,不知道什么用意,特来求解。
// 就是搞不明白这句是要判断什么?是要判断 dwAddress 指针是否有效吗?还是什么意思?为什么这么写呢?谢谢
if ( 0 == (dwAddress = *(DWORD*)dwAddress) )
{
return FALSE;
}
完整函数的代码如下:BOOLEAN drvfunc_get_processfullname( OUT PCHAR pszFullProcessName, IN ULONG uSize )
{
BOOLEAN bRet;
NTSTATUS ntStatus;
ULONG uOsMajorVersion = 0;
ULONG uOsMinorVersion = 0;
WCHAR wszProName[ MAX_PATH ] = {0};
UNICODE_STRING szSource;
ANSI_STRING szDest;
#if AMD64
__int64 dwAddress = 0;
#else
DWORD dwAddress = 0;
#endif if ( PASSIVE_LEVEL != KeGetCurrentIrql() )
{
return FALSE;
} // ...
bRet = FALSE; __try
{
ntStatus = drvfunc_get_os_version( &uOsMajorVersion, &uOsMinorVersion );
if ( NT_SUCCESS( ntStatus ) )
{
#if AMD64
dwAddress = (__int64)PsGetCurrentProcess();
#else
dwAddress = (DWORD)PsGetCurrentProcess();
#endif
if ( dwAddress > 0 && 0xFFFFFFFF != dwAddress )
{
// 目前只支持 Win 2000/xp/2003
if ( uOsMajorVersion >= 5 && uOsMinorVersion <= 2 )
{
// 取得 PEB,不同平台的位置是不同的。
if ( uOsMajorVersion == 5 && uOsMinorVersion < 2 )
{
dwAddress += BASE_PROCESS_PEB_OFFSET;
}
else
{
dwAddress += W2003_BASE_PROCESS_PEB_OFFSET;
} if ( 0 == (dwAddress = *(DWORD*)dwAddress) )
{
return FALSE;
}
// 通过peb取得RTL_USER_PROCESS_PARAMETERS
dwAddress += BASE_PEB_PROCESS_PARAMETER_OFFSET;
if ( 0 == (dwAddress = *(DWORD*)dwAddress) )
{
return FALSE;
}
// 在 RTL_USER_PROCESS_PARAMETERS->ImagePathName 保存了路径,偏移为38,
dwAddress += BASE_PROCESS_PARAMETER_FULL_IMAGE_NAME;
if ( (dwAddress = *(DWORD*)dwAddress) == 0 )
{
return FALSE;
}
// ..
//_snwprintf( wszProName, sizeof(wszProName)-sizeof(WCHAR), "%s", (PCWSTR)dwAddress );
szSource.Buffer = (PWSTR)dwAddress;
szSource.Length = wcslen((PWSTR)dwAddress)*sizeof(WCHAR);
RtlUnicodeStringToAnsiString( &szDest, &szSource, TRUE );
// ..
_snprintf( pszFullProcessName, uSize-sizeof(char), "%s", szDest.Buffer );
}
}
}
}
__except( EXCEPTION_EXECUTE_HANDLER )
{
} return TRUE;
}
// 就是搞不明白这句是要判断什么?是要判断 dwAddress 指针是否有效吗?还是什么意思?为什么这么写呢?谢谢
if ( 0 == (dwAddress = *(DWORD*)dwAddress) )
{
return FALSE;
}
完整函数的代码如下:BOOLEAN drvfunc_get_processfullname( OUT PCHAR pszFullProcessName, IN ULONG uSize )
{
BOOLEAN bRet;
NTSTATUS ntStatus;
ULONG uOsMajorVersion = 0;
ULONG uOsMinorVersion = 0;
WCHAR wszProName[ MAX_PATH ] = {0};
UNICODE_STRING szSource;
ANSI_STRING szDest;
#if AMD64
__int64 dwAddress = 0;
#else
DWORD dwAddress = 0;
#endif if ( PASSIVE_LEVEL != KeGetCurrentIrql() )
{
return FALSE;
} // ...
bRet = FALSE; __try
{
ntStatus = drvfunc_get_os_version( &uOsMajorVersion, &uOsMinorVersion );
if ( NT_SUCCESS( ntStatus ) )
{
#if AMD64
dwAddress = (__int64)PsGetCurrentProcess();
#else
dwAddress = (DWORD)PsGetCurrentProcess();
#endif
if ( dwAddress > 0 && 0xFFFFFFFF != dwAddress )
{
// 目前只支持 Win 2000/xp/2003
if ( uOsMajorVersion >= 5 && uOsMinorVersion <= 2 )
{
// 取得 PEB,不同平台的位置是不同的。
if ( uOsMajorVersion == 5 && uOsMinorVersion < 2 )
{
dwAddress += BASE_PROCESS_PEB_OFFSET;
}
else
{
dwAddress += W2003_BASE_PROCESS_PEB_OFFSET;
} if ( 0 == (dwAddress = *(DWORD*)dwAddress) )
{
return FALSE;
}
// 通过peb取得RTL_USER_PROCESS_PARAMETERS
dwAddress += BASE_PEB_PROCESS_PARAMETER_OFFSET;
if ( 0 == (dwAddress = *(DWORD*)dwAddress) )
{
return FALSE;
}
// 在 RTL_USER_PROCESS_PARAMETERS->ImagePathName 保存了路径,偏移为38,
dwAddress += BASE_PROCESS_PARAMETER_FULL_IMAGE_NAME;
if ( (dwAddress = *(DWORD*)dwAddress) == 0 )
{
return FALSE;
}
// ..
//_snwprintf( wszProName, sizeof(wszProName)-sizeof(WCHAR), "%s", (PCWSTR)dwAddress );
szSource.Buffer = (PWSTR)dwAddress;
szSource.Length = wcslen((PWSTR)dwAddress)*sizeof(WCHAR);
RtlUnicodeStringToAnsiString( &szDest, &szSource, TRUE );
// ..
_snprintf( pszFullProcessName, uSize-sizeof(char), "%s", szDest.Buffer );
}
}
}
}
__except( EXCEPTION_EXECUTE_HANDLER )
{
} return TRUE;
}
要得到process完整路径需要利用_EPROCESS结构中的_PEB结构指针和_PEB结构中的RTL_USER_PROCESS_PARAMETERS结构指针,来找到ImagePathName 字符串的地址,所以需要将dwAddress加上对应偏移量的方法找到_PEB结构指针和RTL_USER_PROCESS_PARAMETERS结构指针的地址,用if (0 == (dwAddress = *(DWORD*)dwAddress))来得到对应结构体的存储地址并判断该地址是否有效。