-
-
[求助]自写KeStackAttachProcess问题
-
发表于:
2013-7-23 12:50
3558
-
[求助]自写KeStackAttachProcess问题
BOOLEAN AttachProcessMemory(PEPROCESS pEProcess,OUT ULONG *pOldCR3)
{
BOOLEAN retval=FALSE;
ULONG OldCR3;
KSPIN_LOCK Locker;
KIRQL Irql;
KeInitializeSpinLock(&Locker);
KeAcquireSpinLock(&Locker,&Irql);//提升到DPC
__asm
{
push eax;
mov eax,cr3;
mov OldCR3,eax;
mov eax,pEProcess;
// add eax,g_DirectoryTableBaseOffset;
add eax,0x18;
mov eax,[eax];//得到新的CR3
mov cr3,eax;
pop eax;
}
KeReleaseSpinLock(&Locker,Irql);
retval=TRUE;
if(retval)
{
*pOldCR3=OldCR3;
}
return retval;
}
BOOLEAN DetachProcessMemory(ULONG OldCR3)
{
KSPIN_LOCK Locker;
KIRQL Irql;
KeInitializeSpinLock(&Locker);
KeAcquireSpinLock(&Locker,&Irql);
__asm
{
push eax;
mov eax,OldCR3;
mov cr3,eax;
pop eax;
}
KeReleaseSpinLock(&Locker,Irql);
return TRUE;
}
上面2个函数为网上找的,使用的时候会蓝屏,有人帮分析下不,因为机器环境问题没法调试
[招生]科锐逆向工程师培训(2024年11月15日实地,远程教学同时开班, 第51期)
