-
-
[求助]自写KeStackAttachProcess问题
-
发表于:
2013-7-23 12:50
3560
-
[求助]自写KeStackAttachProcess问题
BOOLEAN AttachProcessMemory(PEPROCESS pEProcess,OUT ULONG *pOldCR3)
{
BOOLEAN retval=FALSE;
ULONG OldCR3;
KSPIN_LOCK Locker;
KIRQL Irql;
KeInitializeSpinLock(&Locker);
KeAcquireSpinLock(&Locker,&Irql);//提升到DPC
__asm
{
push eax;
mov eax,cr3;
mov OldCR3,eax;
mov eax,pEProcess;
// add eax,g_DirectoryTableBaseOffset;
add eax,0x18;
mov eax,[eax];//得到新的CR3
mov cr3,eax;
pop eax;
}
KeReleaseSpinLock(&Locker,Irql);
retval=TRUE;
if(retval)
{
*pOldCR3=OldCR3;
}
return retval;
}
BOOLEAN DetachProcessMemory(ULONG OldCR3)
{
KSPIN_LOCK Locker;
KIRQL Irql;
KeInitializeSpinLock(&Locker);
KeAcquireSpinLock(&Locker,&Irql);
__asm
{
push eax;
mov eax,OldCR3;
mov cr3,eax;
pop eax;
}
KeReleaseSpinLock(&Locker,Irql);
return TRUE;
}
上面2个函数为网上找的,使用的时候会蓝屏,有人帮分析下不,因为机器环境问题没法调试
[注意]传递专业知识、拓宽行业人脉——看雪讲师团队等你加入!
