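/// <summary>
/// Byte arr to struct arr, version 3: decodes a raw byte array into an array of
/// <see cref="MODULEINFO"/> structures. Used to convert communication buffers.
/// </summary>
/// <param name="arr">
/// Source bytes. Record <c>i</c> is read from offset
/// <c>i * Marshal.SizeOf(typeof(MODULEINFO))</c>.
/// </param>
/// <param name="desArrNum">Number of records to decode from <paramref name="arr"/>.</param>
/// <param name="desArr">
/// Replaced with a newly allocated array holding the decoded records. It is assigned
/// only after every record was decoded, so it is left untouched when an exception is thrown.
/// </param>
/// <exception cref="ArgumentOutOfRangeException">
/// <paramref name="arr"/> is shorter than <paramref name="desArrNum"/> records.
/// </exception>
public static void fromBytes(byte[] arr, int desArrNum, ref MODULEINFO[] desArr)
{
    MODULEINFO[] decoded = new MODULEINFO[desArrNum];
    int elementSize = Marshal.SizeOf(typeof(MODULEINFO));

    // The record count is supplied by the caller, not derived from the buffer, so
    // check it against the buffer length before any copy into unmanaged memory.
    // Marshal.Copy would reject an out-of-range read as well, but only midway
    // through the loop; failing up front keeps the error unambiguous.
    if (arr != null && (long)elementSize * desArrNum > arr.Length)
    {
        throw new ArgumentOutOfRangeException(
            "desArrNum",
            "Source buffer is too small for the requested number of MODULEINFO records.");
    }

    // One record is marshalled at a time, so the scratch area only needs to hold
    // a single structure.
    IntPtr scratch = Marshal.AllocHGlobal(elementSize);
    try
    {
        for (int i = 0; i < desArrNum; i++)
        {
            Marshal.Copy(arr, i * elementSize, scratch, elementSize);
            decoded[i] = (MODULEINFO)Marshal.PtrToStructure(scratch, typeof(MODULEINFO));
        }
    }
    finally
    {
        // The temporary unmanaged block must be released even when a copy throws.
        Marshal.FreeHGlobal(scratch);
    }

    desArr = decoded;
}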
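/// <summary>
/// Enumerates the modules of the process currently selected in the process list
/// and shows them in the secondary ("other") list view.
/// </summary>
/// <remarks>
/// The PID is read from column 1 and the EPROCESS address from column 5 of the
/// selected row. The module table is requested from the driver with the
/// <c>GetProcessModules</c> control code and decoded with <c>fromBytes</c>.
/// Entries are listed until the first record whose <c>Size</c> is zero or until the
/// table is exhausted. The method returns without doing anything when no row is
/// selected or the PID cell is not a valid unsigned integer.
/// </remarks>
public static void EnumModules()
{
    // Without a selected process row there is nothing to enumerate.
    if (MainForm.main.ListView_Process.SelectedItems.Count == 0)
    {
        return;
    }
    var selectedRow = MainForm.main.ListView_Process.SelectedItems[0];

    // PID of the selected process. Stop on a parse failure instead of silently
    // querying the driver for PID 0, which the user did not select.
    uint pid;
    if (!uint.TryParse(selectedRow.SubItems[1].Text, out pid))
    {
        return;
    }

    // Remember the EPROCESS of the current process for the module-unload feature.
    // The cell text is expected to be "0x"-prefixed hexadecimal.
    Common.CommonVar.currentEprocess = Convert.ToUInt64(selectedRow.SubItems[5].Text.Substring(2), 16);

    // Variables used to communicate with the driver.
    byte[] IoReturnBuffer = new byte[Marshal.SizeOf(typeof(MODULEINFO)) * ModuleNum];
    uint BytesReturned = new uint();
    System.Threading.NativeOverlapped lpOverlapped = new System.Threading.NativeOverlapped();

    // Ask ring 0 for the module information of the process.
    bool bRet = DriverManager.IoControl(DriverManager.hDrv, (uint)IOCTL_CODE.GetProcessModules, pid, sizeof(uint), IoReturnBuffer, (uint)Marshal.SizeOf(typeof(MODULEINFO)) * ModuleNum, ref BytesReturned, ref lpOverlapped);

    // Decode the driver's byte stream into module records. When the request
    // failed the buffer content is not meaningful, so the table stays at its
    // default (all-zero) state and the list below ends up empty.
    MODULEINFO[] _moduleArr = new MODULEINFO[ModuleNum];
    if (bRet)
    {
        fromBytes(IoReturnBuffer, (int)ModuleNum, ref _moduleArr);
    }

    var moduleList = MainForm.main.ListView_ProcessOther;
    var moduleIcons = MainForm.main.imgList_icon_module;

    // If the process list view currently fills the tab container, shrink it to
    // make room for the module list.
    moduleList.Visible = true;
    if (MainForm.isProListViewDock)
    {
        MainForm.main.ListView_Process.Height = MainForm.main.ListView_Process.Height - moduleList.Height;
        MainForm.isProListViewDock = false;
    }

    // Column headers of the module list.
    moduleList.Columns.Clear();
    moduleList.Columns.Add("", 0, HorizontalAlignment.Left);
    moduleList.Columns.Add("Base", 50, HorizontalAlignment.Left);
    moduleList.Columns.Add("Size", 50, HorizontalAlignment.Left);
    moduleList.Columns.Add("Company", 50, HorizontalAlignment.Left);
    moduleList.Columns.Add("Path", 50, HorizontalAlignment.Left);

    // Attach the context menu that belongs to the module list.
    moduleList.ContextMenuStrip = MainForm.main.contextMenuStrip_procModulesList;

    // Fill the list. EndUpdate runs in a finally block so the control is not left
    // with redraw suspended if an entry throws.
    moduleList.BeginUpdate();
    try
    {
        moduleList.Items.Clear();
        moduleIcons.Images.Clear();
        moduleList.SmallImageList = moduleIcons;

        // A record with Size == 0 ends the table. The index bound covers the case
        // where the driver filled every slot and no terminator record exists.
        for (int i = 0; i < _moduleArr.Length && _moduleArr[i].Size != 0; i++)
        {
            ListViewItem lvi = new ListViewItem();
            string modulePath = _moduleArr[i].Path;

            // The path describes a file of the inspected process and may be empty,
            // stale or in a form the shell cannot resolve. A module without a usable
            // icon is still listed, just without an image.
            int iconIndex = -1;
            if (!string.IsNullOrEmpty(modulePath))
            {
                try
                {
                    Icon moduleIcon = Icon.ExtractAssociatedIcon(modulePath);
                    if (moduleIcon != null)
                    {
                        moduleIcons.Images.Add(moduleIcon);
                        iconIndex = moduleIcons.Images.Count - 1;
                    }
                }
                catch (ArgumentException)
                {
                    // Path form not accepted by ExtractAssociatedIcon; keep no icon.
                }
                catch (System.IO.FileNotFoundException)
                {
                    // File no longer present on disk; keep no icon.
                }
            }

            // Use the position of the image actually added. The loop counter drifts
            // away from the image list as soon as one module contributes no icon.
            lvi.ImageIndex = iconIndex;
            lvi.SubItems.Add("0x" + _moduleArr[i].Base.ToString("X16"));
            lvi.SubItems.Add(_moduleArr[i].Size.ToString());
            lvi.SubItems.Add("unknow");
            lvi.SubItems.Add(modulePath);
            moduleList.Items.Add(lvi);
        }

        moduleList.AutoResizeColumns(ColumnHeaderAutoResizeStyle.HeaderSize);
    }
    finally
    {
        moduleList.EndUpdate();
    }
}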