最近学写驱动,都搞了很多天了,关于取得DLL基址,老是出问题,高手帮忙看看
GetFuncTionAddress proc uses ecx esi lpFunctionName:PCHAR , pDllName:PUNICODE_STRING
local @hFile , @hSection ,@temp
local @size:LARGE_INTEGER
local @BaseAddress:PVOID
local @liViewSize:_LARGE_INTEGER ;用于节映射
local @pBaseAddress;
local @oa:OBJECT_ATTRIBUTES
local @iosb:IO_STATUS_BLOCK
lea ecx, @oa
InitializeObjectAttributes ecx, pDllName, OBJ_CASE_INSENSITIVE , NULL, NULL
invoke DbgPrint, $CTA0("\n-----00--------\n")
invoke ZwOpenFile , addr @hFile , FILE_EXECUTE or SYNCHRONIZE , addr @oa , addr @iosb , FILE_SHARE_READ , FILE_SYNCHRONOUS_IO_NONALERT
.if eax != STATUS_SUCCESS
invoke DbgPrint, $CTA0("\n打开dll文件失败:%X\n"),eax
ret
.endif
invoke DbgPrint, $CTA0("\n-----01--------\n")
lea eax , @oa
assume eax:ptr OBJECT_ATTRIBUTES
mov [eax].ObjectName , 0
assume eax:nothing
invoke ZwCreateSection , addr @hSection , SECTION_ALL_ACCESS , addr @oa , 0,PAGE_EXECUTE, SEC_IMAGE, @hFile
.if eax != STATUS_SUCCESS
invoke DbgPrint, $CTA0("\n创建节失败:%X\n"),eax
ret
.endif
invoke DbgPrint, $CTA0("\n-----02--------\n")
and @BaseAddress , 0
and @size.HighPart, 0
and @size.LowPart, 0
invoke ZwMapViewOfSection , @hSection , NtCurrentProcess , addr @BaseAddress , 0 , 1000 , 0 , addr @size , 1 , MEM_TOP_DOWN, PAGE_READWRITE
.if eax != STATUS_SUCCESS
invoke DbgPrint, $CTA0("\n节映射失败:%X\n"),eax
invoke ZwClose,@hFile
ret
.endif
invoke ZwClose,@hFile
invoke DbgPrint, $CTA0("\n-----OK--------\n")
ret
GetFuncTionAddress endp
winDBG调试信息如下:
-----00--------
-----01--------
-----02--------
节映射失败:40000003
还请各位指点一下,为什么我的函数调用 没有成功?谢谢
[培训]内核驱动高级班,冲击BAT一流互联网大厂工作,每周日13:00-18:00直播授课
