#include "util.h"
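/*
 * DoesEndWith - report whether the counted string `hay` ends with `needle`.
 *
 * UNICODE_STRING.Length is a byte count, so the suffix offset is computed in
 * bytes and applied through a char pointer rather than a PWSTR.
 *
 * The match is a raw byte comparison (RtlCompareMemory): it is case-sensitive
 * and performs no path normalisation.
 * NOTE(review): if callers use this to match image paths for an allow/deny
 * decision, a differently-cased name will not match - confirm that is the
 * intended policy.
 *
 * Returns 1 when the last needle->Length bytes of hay equal needle, 0
 * otherwise (including when needle is longer than hay). A zero-length needle
 * matches every hay.
 */
int DoesEndWith(PUNICODE_STRING hay, PUNICODE_STRING needle){
    /* Length is USHORT; both operands promote to int, so this cannot wrap. */
    int ldif = hay->Length - needle->Length;

    if (ldif < 0)
        return 0;

    /* RtlCompareMemory returns the number of leading bytes that match. */
    return RtlCompareMemory((char *)hay->Buffer + ldif, needle->Buffer,
                            needle->Length) == needle->Length;
}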
/*
 * LocatePIDEntry - find the PROC_ENTRY for `pid` in the list headed by `lst`.
 *
 * Walks the circular list forward from the head until it wraps back to the
 * head. Returns the first entry whose pid field equals `pid`, or NULL when
 * no entry matches (an empty list also yields NULL).
 *
 * NOTE(review): no lock is taken here; presumably the caller serialises
 * access to the list - confirm, since a concurrent removal would leave the
 * returned pointer dangling.
 */
PROC_ENTRY *LocatePIDEntry(PLIST_ENTRY lst, HANDLE pid){
    PLIST_ENTRY cur = lst->Flink;

    while (cur != lst) {
        PROC_ENTRY *candidate = CONTAINING_RECORD(cur, PROC_ENTRY, PList);

        if (candidate->pid == pid)
            return candidate;
        cur = cur->Flink;
    }
    return NULL;
}
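/*
 * RemoveModuleEntry - unlink a MODULE_ENTRY from its list and free it.
 *
 * Frees the image-name buffer first, then the entry itself; Mentry must not
 * be used after this call.
 *
 * The name buffer is freed only when it is non-NULL: an entry whose buffer
 * allocation failed carries a NULL Buffer, and handing NULL to
 * ExFreePoolWithTag is not documented as safe.
 */
void RemoveModuleEntry(MODULE_ENTRY *Mentry){
    RemoveEntryList(&(Mentry->MList));

    if (Mentry->FullImgName.Buffer != NULL)
        ExFreePoolWithTag(Mentry->FullImgName.Buffer, TAG);

    ExFreePoolWithTag(Mentry, TAG);
}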
/*
 * RemoveProcessEntry - tear down a PROC_ENTRY and every module it tracks.
 *
 * Releases each MODULE_ENTRY on the process's module list through
 * RemoveModuleEntry, then unlinks the process entry from its own list and
 * frees it. Pentry must not be used after this call.
 */
void RemoveProcessEntry(PROC_ENTRY *Pentry){
    PLIST_ENTRY head = &(Pentry->ModuleListHead);
    PLIST_ENTRY cur = head->Flink;

    while (cur != head) {
        /* Fetch the successor first: cur's entry is freed by the call below. */
        PLIST_ENTRY next = cur->Flink;

        RemoveModuleEntry(CONTAINING_RECORD(cur, MODULE_ENTRY, MList));
        cur = next;
    }

    RemoveEntryList(&(Pentry->PList));
    ExFreePoolWithTag(Pentry, TAG);
}
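/*
 * AllocModuleEntry - allocate a MODULE_ENTRY with an empty image-name string.
 *
 * Allocates the entry and a maximum-size name buffer
 * (NTSTRSAFE_UNICODE_STRING_MAX_CCH WCHARs) from paged pool under TAG.
 *
 * Returns the new entry, or NULL if either allocation fails. Failure of the
 * buffer allocation is treated as failure of the whole call, so a caller
 * never receives an entry whose FullImgName.Buffer is NULL.
 *
 * ExAllocatePoolWithTag does not zero the memory it returns, so
 * FullImgName.Length is set to 0 explicitly. Other fields, including the
 * MList links, are left uninitialised.
 * NOTE(review): presumably the caller links the entry into a list before
 * anything reads MList - confirm against the call sites.
 */
MODULE_ENTRY *AllocModuleEntry(void){
    MODULE_ENTRY *ret;

    ret = ExAllocatePoolWithTag(PagedPool, sizeof(MODULE_ENTRY), TAG);
    if (ret == NULL)
        return NULL;

    ret->FullImgName.Buffer
        = ExAllocatePoolWithTag(PagedPool,
                                NTSTRSAFE_UNICODE_STRING_MAX_CCH*sizeof(WCHAR),
                                TAG);
    if (ret->FullImgName.Buffer == NULL) {
        /* Do not hand back a half-built entry; release it and report failure. */
        ExFreePoolWithTag(ret, TAG);
        return NULL;
    }

    ret->FullImgName.Length = 0;
    ret->FullImgName.MaximumLength = NTSTRSAFE_UNICODE_STRING_MAX_CCH*sizeof(WCHAR);
    return ret;
}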