-
-
[求助]关于ZwMapViewOfSection、NtCurrentProcess()的疑问
-
发表于:
2010-5-5 11:03
9844
-
[求助]关于ZwMapViewOfSection、NtCurrentProcess()的疑问
最近在看SSDT恢复的一些资料:
【原创】Anti SSDT Hook:
http://bbs.pediy.com/showthread.php?p=578346
关于SSDT的一点总结 :
http://bbs.pediy.com/showthread.php?t=100493
大概流程是用ZwCreateFile打开ntoskrnl.exe,ZwCreateSection创建一个Section,然后用ZwMapViewOfSection把这个Section映射到用户空间,从而可以像读写内存一样来读写ntoskrnl.exe。我的问题是:
1.有没有把ntoskrnl.exe的内容全部都拷贝到了内存里面?
2.ZwMapViewOfSection映射得到的基址都是<0x80000000的用户空间的地址,我想把ntoskrnl.exe映射到内核空间,不想让应用程序访问,应该怎么做?我看了下WDK的文档,说是得借助“system worker thread ”,但在System Worker Threads里面又没相关的信息。WDK原文如下:
The view must be mapped only from a system thread. (Otherwise, the view is accessible from the process whose context it is created in.) A driver can make sure that the view is mapped from the system process by using a system worker thread to perform the mapping operation. For more information, see System Worker Threads and Driver Thread Context.
3.ZwMapViewOfSection中的NtCurrentProcess()宏,我看了下它的定义是:
#define NtCurrentProcess() ( (HANDLE)(LONG_PTR) -1 )
WinDBG里面输出的结果是FFFFFFFF,这是咋回事?
求解答
[培训]《安卓高级研修班(网课)》月薪三万计划,掌握调试、分析还原ollvm、vmp的方法,定制art虚拟机自动化脱壳的方法
