none
a value of type "X" cannot be used to initialize an entity of type "Y" RRS feed

  • Question

  • I have the following code (created as  a C++ project) and want know how can fix this error present in this line:

    PSYSTEM_MODULE_ENTRY pSysModuleEntry = ((PSYSTEM_MODULE_INFORMATION)(pSystemInfoBuffer))->Module;

    Code:

    #include "stdafx.h"
    #include <ntddk.h>
    #include <ntimage.h>
    
    typedef enum _SYSTEM_INFORMATION_CLASS
    {
        SystemBasicInformation,
        SystemProcessorInformation,
        SystemPerformanceInformation,
        SystemTimeOfDayInformation,
        SystemPathInformation,
        SystemProcessInformation,
        SystemCallCountInformation,
        SystemDeviceInformation,
        SystemProcessorPerformanceInformation,
        SystemFlagsInformation,
        SystemCallTimeInformation,
        SystemModuleInformation
    } SYSTEM_INFORMATION_CLASS,
    *PSYSTEM_INFORMATION_CLASS;
    
    typedef struct _SYSTEM_MODULE_INFORMATION_ENTRY
    {
        ULONG  Unknown1;
        ULONG  Unknown2;
    #ifdef _WIN64
            ULONG Unknown3;
            ULONG Unknown4;
    #endif
        PVOID  Base;
        ULONG  Size;
        ULONG  Flags;
        USHORT  Index;
        USHORT  NameLength;
        USHORT  LoadCount;
        USHORT  PathLength;
        CHAR  ImageName[256];
    } SYSTEM_MODULE_INFORMATION_ENTRY, *PSYSTEM_MODULE_INFORMATION_ENTRY;
    
    typedef struct _SYSTEM_MODULE_INFORMATION
    {
        ULONG Count;
        SYSTEM_MODULE_INFORMATION_ENTRY Module[1];
    } SYSTEM_MODULE_INFORMATION, *PSYSTEM_MODULE_INFORMATION;
    
    typedef struct _SYSTEM_MODULE_ENTRY
    {
    	ULONG Unused;
    	ULONG Always0;
    	PVOID ModuleBaseAddress;
    	ULONG ModuleSize;
    	ULONG Unknown;
    	ULONG ModuleEntryIndex;
    	USHORT ModuleNameLength;
    	USHORT ModuleNameOffset;
    	CHAR ModuleName [256];
    } SYSTEM_MODULE_ENTRY, * PSYSTEM_MODULE_ENTRY;
    
    NTSTATUS 
    ZwQuerySystemInformation (
        SYSTEM_INFORMATION_CLASS SystemInformationClass, 
        PVOID SystemInformation, 
        ULONG SystemInformationLength, 
        ULONG *ReturnLength);
    
    PVOID
    KernelGetModuleBase(
        PCHAR  pModuleName
        )
    {
        PVOID pModuleBase = NULL;
        PULONG pSystemInfoBuffer = NULL;
    
        __try
        {
            NTSTATUS status = STATUS_INSUFFICIENT_RESOURCES;
            ULONG    SystemInfoBufferSize = 0;
    
            status = ZwQuerySystemInformation(SystemModuleInformation,
                &SystemInfoBufferSize,
                0,
                &SystemInfoBufferSize);
    
            if (!SystemInfoBufferSize)
                return NULL;
    
            pSystemInfoBuffer = (PULONG)ExAllocatePool(NonPagedPool, SystemInfoBufferSize*2);
    
            if (!pSystemInfoBuffer)
                return NULL;
    
            memset(pSystemInfoBuffer, 0, SystemInfoBufferSize*2);
    
            status = ZwQuerySystemInformation(SystemModuleInformation,
                pSystemInfoBuffer,
                SystemInfoBufferSize*2,
                &SystemInfoBufferSize);
    
            if (NT_SUCCESS(status))
            {
                PSYSTEM_MODULE_ENTRY pSysModuleEntry =
                    ((PSYSTEM_MODULE_INFORMATION)(pSystemInfoBuffer))->Module;
                ULONG i;
                
                for (i = 0; i <((PSYSTEM_MODULE_INFORMATION)(pSystemInfoBuffer))->Count; i++)
                {
                    if (_stricmp(pSysModuleEntry[i].ModuleName +
                                 pSysModuleEntry[i].ModuleNameOffset, pModuleName) == 0)
                    {
                        pModuleBase = pSysModuleEntry[i].ModuleBaseAddress;
                        break;
                    }
                }
            }
    
        }
        __except(EXCEPTION_EXECUTE_HANDLER)
        {
            pModuleBase = NULL;
        }
        if(pSystemInfoBuffer) {
            ExFreePool(pSystemInfoBuffer);
        }
    
        return pModuleBase;
    }
    
    VOID ImgBase(PVOID lpBase, PULONG pImageBase) {
    
    	PIMAGE_DOS_HEADER pDosHeader = (PIMAGE_DOS_HEADER)lpBase;
    	if (pDosHeader->e_magic != IMAGE_DOS_SIGNATURE)
    		return;
    
    	PIMAGE_NT_HEADERS pNtHeader = (PIMAGE_NT_HEADERS)((char *)lpBase + pDosHeader->e_lfanew);
    	if (pNtHeader->Signature != IMAGE_NT_SIGNATURE)
    		return;
    
    	if (pImageBase)
    		*pImageBase = pNtHeader->OptionalHeader.ImageBase;
    	
    	return;
    }
    
    void testUnload(IN PDRIVER_OBJECT DriverObject)
    {
    	DbgPrint("Goodbye from test!\n");
    }
    
    #ifdef __cplusplus
    extern "C" NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING  RegistryPath);
    #endif
    
    NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING  RegistryPath)
    {
    
    	DbgPrint("Hello from test!\n");
    
    	ULONG uImageBase = 0;
    
    	ImgBase(KernelGetModuleBase("win32k.sys"), &uImageBase);
    
    	DbgPrint("ulImageBase = 0x%X\n", uImageBase);
    	
    	DriverObject->DriverUnload = testUnload;
    	
    
    	return STATUS_SUCCESS;
    }
    

    Tuesday, October 24, 2017 7:45 PM

Answers

  • try delcaring pSystemInfoBuffer as  PVOID.  For this specific problem, AuxKlibQueryModuleInformation  does all the work for you to get the image base and size

    d -- This posting is provided "AS IS" with no warranties, and confers no rights.

    • Marked as answer by Doron Holan [MSFT] Tuesday, October 24, 2017 8:47 PM
    • Unmarked as answer by FL4SHC0D3R Tuesday, October 24, 2017 9:54 PM
    • Marked as answer by FL4SHC0D3R Wednesday, October 25, 2017 3:20 AM
    Tuesday, October 24, 2017 8:47 PM