コード例 #1
0
ファイル: cProcessMgr.cs プロジェクト: EjiHuang/KernelBox
        /// <summary>
        /// Byte arr to struct arr version 3 字节数组转换成结构体,用于通讯信息转换
        /// </summary>
        /// <param name="arr"></param>
        /// <param name="desArrNum"></param>
        /// <param name="desArr"></param>
        static public void fromBytes(byte[] arr, int desArrNum, ref MODULEINFO[] desArr)
        {
            MODULEINFO[] _struct = new MODULEINFO[desArrNum];
            int          size    = Marshal.SizeOf(typeof(MODULEINFO)) * desArrNum;
            IntPtr       ptr     = Marshal.AllocHGlobal(size);

            for (int i = 0; i < desArrNum; i++)
            {
                Marshal.Copy(arr, i * Marshal.SizeOf(typeof(MODULEINFO)), ptr, Marshal.SizeOf(typeof(MODULEINFO)));
                _struct[i] = (MODULEINFO)Marshal.PtrToStructure(ptr, _struct[i].GetType());
            }

            // 需要释放临时非托管区内存
            Marshal.FreeHGlobal(ptr);
            desArr = _struct;
        }
コード例 #2
0
ファイル: cProcessMgr.cs プロジェクト: EjiHuang/KernelBox
        /// <summary>
        /// 枚举进程模块
        /// </summary>
        static public void EnumModules()
        {
            // 定义用于与驱动通信的变量
            byte[] IoReturnBuffer = new byte[Marshal.SizeOf(typeof(MODULEINFO)) * ModuleNum];
            uint   BytesReturned  = new uint();

            System.Threading.NativeOverlapped lpOverlapped = new System.Threading.NativeOverlapped();

            // 获取当前选中的进程pid
            uint pid;

            uint.TryParse(MainForm.main.ListView_Process.SelectedItems[0].SubItems[1].Text, out pid);
            // 保存当前进程的Eprocess供卸载模块使用
            Common.CommonVar.currentEprocess = Convert.ToUInt64(MainForm.main.ListView_Process.SelectedItems[0].SubItems[5].Text.Substring(2), 16);

            // R0层获取进程的模块信息
            bool bRet = DriverManager.IoControl(DriverManager.hDrv, (uint)IOCTL_CODE.GetProcessModules, pid, sizeof(uint), IoReturnBuffer,
                                                (uint)Marshal.SizeOf(typeof(MODULEINFO)) * ModuleNum, ref BytesReturned, ref lpOverlapped);

            // 将驱动传过来的字节流转换成进程模块信息结构体
            MODULEINFO[] _moduleArr = new MODULEINFO[ModuleNum];
            fromBytes(IoReturnBuffer, (int)ModuleNum, ref _moduleArr);

            // 如果进程列表框占满tab容器
            MainForm.main.ListView_ProcessOther.Visible = true;
            if (MainForm.isProListViewDock)
            {
                MainForm.main.ListView_Process.Height = MainForm.main.ListView_Process.Height - MainForm.main.ListView_ProcessOther.Height;
                MainForm.isProListViewDock            = false;
            }

            // 设置mProcOtherListView的表头
            MainForm.main.ListView_ProcessOther.Columns.Clear();
            MainForm.main.ListView_ProcessOther.Columns.Add("", 0, HorizontalAlignment.Left);
            MainForm.main.ListView_ProcessOther.Columns.Add("Base", 50, HorizontalAlignment.Left);
            MainForm.main.ListView_ProcessOther.Columns.Add("Size", 50, HorizontalAlignment.Left);
            MainForm.main.ListView_ProcessOther.Columns.Add("Company", 50, HorizontalAlignment.Left);
            MainForm.main.ListView_ProcessOther.Columns.Add("Path", 50, HorizontalAlignment.Left);

            // 定位到指定的右键菜单
            MainForm.main.ListView_ProcessOther.ContextMenuStrip = MainForm.main.contextMenuStrip_procModulesList;

            // 将数据插入到mProcOtherListView中
            MainForm.main.ListView_ProcessOther.BeginUpdate();
            MainForm.main.ListView_ProcessOther.Items.Clear();
            MainForm.main.imgList_icon_module.Images.Clear();
            MainForm.main.ListView_ProcessOther.SmallImageList = MainForm.main.imgList_icon_module;
            for (int i = 0; _moduleArr[i].Size != 0; i++)
            {
                ListViewItem lvi = new ListViewItem();

                if (0 < _moduleArr[i].Path.Length)
                {
                    MainForm.main.imgList_icon_module.Images.Add(Icon.ExtractAssociatedIcon(_moduleArr[i].Path));
                }
                lvi.ImageIndex = i;

                lvi.SubItems.Add("0x" + _moduleArr[i].Base.ToString("X16"));
                lvi.SubItems.Add(_moduleArr[i].Size.ToString());
                lvi.SubItems.Add("unknow");
                lvi.SubItems.Add(_moduleArr[i].Path);

                MainForm.main.ListView_ProcessOther.Items.Add(lvi);
            }
            MainForm.main.ListView_ProcessOther.AutoResizeColumns(ColumnHeaderAutoResizeStyle.HeaderSize);
            MainForm.main.ListView_ProcessOther.EndUpdate();
        }