我正在尝试编写简单的驱动程序,以便在执行流程时获取Image的完整路径
基于Steve Townsend Answer我在下面写了我ProcessCallback的代码,该代码来自我的驱动程序的PsSetCreateProcessNotifyRoutine中的DriverEntry:
void ProcessCallback(
IN HANDLE hParentId,
IN HANDLE hProcessId,
IN BOOLEAN bCreate
)
{
if(bCreate)
{
PEPROCESS proc = PsGetCurrentProcess();
WCHAR strBuffer[(sizeof(UNICODE_STRING) / sizeof(WCHAR)) + 260];
UNICODE_STRING str;
str =(UNICODE_STRING*)&strBuffer;
//initialize
str.Buffer = &strBuffer[sizeof(UNICODE_STRING) / sizeof(WCHAR)];
str.Length = 0x0;
str.MaximumLength = 260 * sizeof(WCHAR);
//note that the seconds arg (27) is ProcessImageFileName
ZwQueryInformationProcess(proc, 27, &strBuffer, sizeof(strBuffer), NULL);
DbgPrint("Start @ %wZ\n", str.Buffer);
}
else
DbgPrint("PID %i Terminated",hProcessId );
}
但是当我尝试构建我的代码时,我得到str =(UNICODE_STRING*)&strBuffer;的错误
:
错误无法转换为UNICODE_STRING *转换为UNICODE_STRING
什么错了?
答案 0 :(得分:0)
将UNICODE_STRING str改为应该有效的UNICODE_STRING * str。然后将str传递给ZwQueryInformationProcess