ULONG CreateMapFileAndReturnBaseAddress(IN PUNICODE_STRING pDriverName)
{

  NTSTATUS ntstatus;
  HANDLE hFile = NULL;
//  HANDLE hSection = NULL ;
  OBJECT_ATTRIBUTES  object_attributes;
  IO_STATUS_BLOCK io_status = {0};
  PVOID baseaddress = NULL;
  SIZE_T size = 0;
  //模块基址
  PVOID ModuleAddress = NULL;
   
  InitializeObjectAttributes(
    &object_attributes,
    pDriverName,
    OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE,
    NULL,
    NULL);
  //打开文件
  ntstatus = ZwCreateFile(
    &hFile,
    FILE_EXECUTE | SYNCHRONIZE,
    &object_attributes,
    &io_status,
    NULL,
    FILE_ATTRIBUTE_NORMAL,
    FILE_SHARE_READ,
    FILE_OPEN,
    FILE_NON_DIRECTORY_FILE |
    FILE_RANDOM_ACCESS |
    FILE_SYNCHRONOUS_IO_NONALERT,
    NULL,
    0);
  if( !NT_SUCCESS( ntstatus ))
  {
    KdPrint(("[GetFunctionAddress] error0\n"));
    KdPrint(("[GetFunctionAddress] ntstatus = 0x%x\n", ntstatus));
    return 0;
  }
  //创建区段
  InitializeObjectAttributes(
    &object_attributes,
    NULL,
    OBJ_CASE_INSENSITIVE|OBJ_KERNEL_HANDLE,
    NULL,
        NULL);
  
  ntstatus = ZwCreateSection(
    &hSection,
    SECTION_ALL_ACCESS,
    &object_attributes,
    0,
    PAGE_EXECUTE,
    SEC_IMAGE,
    hFile);
  if( !NT_SUCCESS( ntstatus ))
  {
    KdPrint(("[GetFunctionAddress] error1\n"));
    KdPrint(("[GetFunctionAddress] ntstatus = 0x%x\n", ntstatus));
    return 0;
  }
  //映射区段到进程虚拟空间
  ntstatus = ZwMapViewOfSection(
    hSection,
    NtCurrentProcess(),  //ntddk.h定义的宏用来获取当前进程句柄
    &baseaddress,
    0,
    1000,
    0,
    &size,
    (SECTION_INHERIT)1,
    MEM_TOP_DOWN,
    PAGE_READWRITE);
  if( !NT_SUCCESS( ntstatus ))
  {
   
    return 0;
  }
  //得到模块基址

  ZwClose(hFile);

  DbgPrint("baseadress:%x\n",baseaddress);

  return baseaddress;
}   
想转化为asm
.code

[培训]《安卓高级研修班(网课)》月薪三万计划，掌握调试、分析还原ollvm、vmp的方法，定制art虚拟机自动化脱壳的方法