View Full Version : problem with t_module.name


hernan
January 17th, 2005, 18:46
I think there's a problem with the t_module.name member.
I'm listing the modules, and for the kernel32.dll module, in the t_module.name member, I think there's a 0 missing.

When I obtain the contents of t_module.name I get

kernel32c:\windows\system32\kernel32.dll

It seems that the shortname is missing the 'NULL' terminator, and since the complete name of the module is the next item in the structure, I get that too.
Is that possible?

For the other modules (the name of my .exe file, and ntdll) I get the expected result while listing the modules.

Has anyone experienced this?
Thanks!
Bye

focht
January 18th, 2005, 00:40
Hi,

-- snip plugin.h ---


typedef struct t_module {
...
char name[SHORTLEN]; // Short name of the module
char path[MAX_PATH]; // Full name of the module
...
} t_module;

...

#define SHORTLEN 8 // Maximal length of short name

-- snip plugin.h ---

What you see is valid.
A character style array like "char []" doesn't necessarily need to contain a null terminator.
A string is a sequence of chars that ends with a null character (a char with the value 0, usually written as '\0' to emphasize that it's being used as a string terminator).

You can store a string into an array of char as long as there is enough
room in the array for the entire string plus the null terminator.
If an array of char contains a string, sizeof will still give the total
number of elements in the char array, while strlen() will give the
number of chars in the string contained in the array.
For an array A with a string stored in it, strlen(A) < sizeof(A) must be true.

In this case:

strlen( "kernel32") == 8
sizeof( t_module.name) == 8

which basically means the array of char lacks the null terminator because there is no more space.
The entry is fully valid of course (see my first sentence).

To get the data, you need to use the "strncpy" function like this:

strncpy( buf, module.name, SHORTLEN);

Your destination buffers should always be declared to contain extra room for the null terminator.
When calling strncpy(), pass it a length value that is at least 1 character less than the overall size of the destination buffer, and make sure that the extra room is initialized or set to '\0' before the buffer is used after the copying.

So the final solution would be:

char buf[SHORTLEN+1];
strncpy( buf, module.name, SHORTLEN);
buf[SHORTLEN] = '\0';

Regards
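
The over-read discussed in this thread, handled by a bounded copy helper. This is an added example, not part of either post and not code from plugin.h; demo_module, PATHLEN, copy_fixed_field and make_module are hypothetical names, and the sample module data is constructed.

```c
#include <stdio.h>
#include <string.h>

#define SHORTLEN 8      /* value quoted from plugin.h in the thread */
#define PATHLEN  260    /* stand-in for MAX_PATH (assumption) */

/* Cut-down stand-in for t_module: only the two adjacent fields matter here. */
struct demo_module {
    char name[SHORTLEN];    /* may be completely full, i.e. no '\0' */
    char path[PATHLEN];
};

/* Copy a fixed-width field that may lack a terminator into dst.
 * Reads at most srclen bytes from src and always terminates dst.
 * Returns the characters copied, or (size_t)-1 if dst is too small. */
size_t copy_fixed_field(char *dst, size_t dstsize, const char *src, size_t srclen)
{
    size_t n = 0;
    while (n < srclen && src[n] != '\0')    /* never runs on into the next member */
        n++;
    if (dstsize == 0 || n >= dstsize)
        return (size_t)-1;
    memcpy(dst, src, n);
    dst[n] = '\0';
    return n;
}

/* Constructed sample data: an 8-character short name fills name[] entirely. */
struct demo_module make_module(const char *shortname, const char *path)
{
    struct demo_module m;
    size_t n = strlen(shortname);
    memset(&m, 0, sizeof m);
    memcpy(m.name, shortname, n < SHORTLEN ? n : SHORTLEN);
    snprintf(m.path, sizeof m.path, "%s", path);
    return m;
}

int main(void)
{
    struct demo_module m = make_module("kernel32", "c:\\windows\\system32\\kernel32.dll");
    char buf[SHORTLEN + 1];

    if (copy_fixed_field(buf, sizeof buf, m.name, sizeof m.name) != (size_t)-1)
        printf("copied name: %s\n", buf);
    printf("bounded print: %.*s\n", SHORTLEN, m.name);  /* precision caps the read */
    return 0;
}
```

Unlike a bare strncpy(), the helper reports a destination that is too small instead of silently truncating, and the %.*s form prints the field without any copy.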