[Old post] [Help] Win7 SSDT hook: bluescreen when calling MmMapLockedPagesSpecifyCache
Posted: 2015-9-22 14:52
3643
On Win7 SP1 32-bit I hook the target functions with an SSDT hook done through an MDL, but it bluescreens at the point where the MDL is allocated and locked. When testing on Win7 I run Driver Verifier (verifier) to simulate low-resource conditions. Without Driver Verifier there is no bluescreen; with Driver Verifier on it bluescreens every time. Here is the MDL code:
typedef struct _SRVTABLE {
    PVOID *ServicePointers;   // ServiceTableBase: array of system service entry points
    ULONG  Count;             // ServiceCounterTableBase (unused here)
    ULONG  Limit;             // NumberOfServices
    PVOID *NumArguments;      // ParamTableBase: per-service argument byte counts
} SRVTABLE, *PSRVTABLE;

// Declared as a pointer on purpose: without __declspec(dllimport) the linker
// binds this name to the import-table slot, which holds the address of the
// real KeServiceDescriptorTable exported by the 32-bit kernel.
extern PSRVTABLE KeServiceDescriptorTable;

// SERVICE_HOOK_DESCRIPTOR (per-entry hook bookkeeping) is defined elsewhere in the driver.
static PMDL KeServiceTableMdl = NULL;

PVOID *MapServiceTable(SERVICE_HOOK_DESCRIPTOR **HookDescriptors)
{
    PVOID *lpReturn = NULL;
    SIZE_T tableBytes;

    *HookDescriptors = (SERVICE_HOOK_DESCRIPTOR *)ExAllocatePool(NonPagedPool,
        KeServiceDescriptorTable->Limit * sizeof(SERVICE_HOOK_DESCRIPTOR));
    if (!*HookDescriptors) {
        return NULL;
    }
    memset(*HookDescriptors, 0, KeServiceDescriptorTable->Limit * sizeof(SERVICE_HOOK_DESCRIPTOR));

    // One MDL describing the whole service table (Limit entries of pointer size).
    tableBytes = KeServiceDescriptorTable->Limit * sizeof(PVOID);
    KeServiceTableMdl = IoAllocateMdl(KeServiceDescriptorTable->ServicePointers,
                                      (ULONG)tableBytes, FALSE, FALSE, NULL);
    if (!KeServiceTableMdl) {
        ExFreePool(*HookDescriptors);
        *HookDescriptors = NULL;
        return NULL;
    }

    __try {
        // Fills in the PFNs, sets MDL_SOURCE_IS_NONPAGED_POOL (0x4) and MappedSystemVa.
        MmBuildMdlForNonPagedPool(KeServiceTableMdl);
        // Forces MDL_MAPPED_TO_SYSTEM_VA (0x1) by hand; MdlFlags is now 0x5, the value
        // Driver Verifier reports in the bugcheck below.
        KeServiceTableMdl->MdlFlags |= MDL_MAPPED_TO_SYSTEM_VA;
        // Bluescreens on this line when Driver Verifier is enabled.
        lpReturn = MmMapLockedPagesSpecifyCache(KeServiceTableMdl, KernelMode, MmCached,
                                                NULL, FALSE, NormalPagePriority);
    }
    __except (EXCEPTION_EXECUTE_HANDLER) {
        lpReturn = NULL;
    }

    if (!lpReturn) {
        IoFreeMdl(KeServiceTableMdl);
        KeServiceTableMdl = NULL;
        ExFreePool(*HookDescriptors);
        *HookDescriptors = NULL;
    }
    return lpReturn;
}
The bugcheck is:

If the driver attempts to corrupt the system, bugchecks 0xC4, 0xC1 and 0xA will be among the most commonly seen crashes.
Arguments:
Arg1: 00000000000000b2, MmMapLockedPages called on an MDL having incorrect flags. For example, calling MmMapLockedPages for an MDL that is already mapped to a system address is incorrect.
Arg2: fffffa800a4e71b0, MDL address.
Arg3: 0000000000000005, MDL flags.
Arg4: 0000000000000005, Incorrect MDL flags.

I have only recently started with kernel drivers and don't understand much of this yet, so I have a few questions below and hope someone who knows can give me some pointers.
1. KeServiceDescriptorTable->Limit = 0: when debugging with windbg I found this value is 0, and it is also 0 on XP. MSDN says that calling ExAllocatePool with a size of 0 causes some problems, but the program runs anyway.
2. Whether or not Driver Verifier is enabled decides whether it bluescreens. Do you keep Driver Verifier on when testing your drivers? After all, it can simulate low-resource conditions, and once those are handled the risk of a bluescreen can be avoided.
3. But it feels like this is a Driver Verifier issue rather than a problem in the program itself. I think I read somewhere that under low-resource conditions, locking memory makes Driver Verifier trigger a bugcheck and bluescreen the system.
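As an added example (not code from the original post or from the poster's driver), here is a user-mode C model of the flag check behind the bugcheck quoted above. The MDL_* values are the public ones from the WDK's wdm.h; the modelled kernel and Driver Verifier behaviour is an assumption reconstructed from the bugcheck text (Arg1 0xB2, Arg3 = Arg4 = MdlFlags), not the real implementation, and g_fake_table is a constructed stand-in for the service table. It runs the poster's sequence with and without the hand-set MDL_MAPPED_TO_SYSTEM_VA flag, with and without Verifier, so you can see where the value 0x5 (= MDL_MAPPED_TO_SYSTEM_VA | MDL_SOURCE_IS_NONPAGED_POOL) comes from.

```c
/* Added example, not the poster's code: a user-mode model of the MDL flag
 * check Driver Verifier applies when MmMapLockedPagesSpecifyCache is called
 * on a kernel-mode MDL.  MDL_* values are the public wdm.h ones; the kernel
 * and Verifier behaviour is a model built from the bugcheck text in the post. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MDL_MAPPED_TO_SYSTEM_VA     0x0001
#define MDL_PAGES_LOCKED            0x0002
#define MDL_SOURCE_IS_NONPAGED_POOL 0x0004

#define BUGCHECK_DRIVER_VERIFIER_DETECTED_VIOLATION 0xC4u
#define VERIFIER_MDL_INCORRECT_FLAGS                0xB2u  /* Arg1 in the post */

typedef struct {
    uint16_t MdlFlags;
    void    *StartVa;        /* page-aligned start of the described buffer */
    uint32_t ByteOffset;
    uint32_t ByteCount;
    void    *MappedSystemVa;
} MODEL_MDL;

typedef struct {
    void    *Va;             /* mapped address; NULL on failure or bugcheck */
    uint32_t BugcheckCode;   /* 0 when no bugcheck was raised */
    uint32_t Arg1, Arg3, Arg4;
} MAP_RESULT;

/* Constructed stand-in for the service table the poster maps (assumption). */
static void *g_fake_table[16];

/* Model of IoAllocateMdl(va, length, FALSE, FALSE, NULL). */
static void model_IoAllocateMdl(MODEL_MDL *mdl, void *va, uint32_t length)
{
    memset(mdl, 0, sizeof *mdl);
    mdl->StartVa    = (void *)((uintptr_t)va & ~(uintptr_t)0xFFF);
    mdl->ByteOffset = (uint32_t)((uintptr_t)va & 0xFFF);
    mdl->ByteCount  = length;
}

/* Model of MmBuildMdlForNonPagedPool: records the source VA and sets
 * MDL_SOURCE_IS_NONPAGED_POOL; it does not set MDL_MAPPED_TO_SYSTEM_VA. */
static void model_MmBuildMdlForNonPagedPool(MODEL_MDL *mdl)
{
    mdl->MdlFlags |= MDL_SOURCE_IS_NONPAGED_POOL;
    mdl->MappedSystemVa = (char *)mdl->StartVa + mdl->ByteOffset;
}

/* Model of MmMapLockedPagesSpecifyCache(mdl, KernelMode, ...).  With Verifier
 * on, an MDL that already carries MDL_MAPPED_TO_SYSTEM_VA is rejected with
 * bugcheck 0xC4, Arg1 = 0xB2, Arg3 = Arg4 = MdlFlags, as in the post.
 * Otherwise a nonpaged-pool MDL is "mapped" by returning the VA it already has. */
static MAP_RESULT model_MmMapLockedPagesSpecifyCache(MODEL_MDL *mdl, int verifier_on)
{
    MAP_RESULT r;
    memset(&r, 0, sizeof r);
    if (verifier_on && (mdl->MdlFlags & MDL_MAPPED_TO_SYSTEM_VA)) {
        r.BugcheckCode = BUGCHECK_DRIVER_VERIFIER_DETECTED_VIOLATION;
        r.Arg1 = VERIFIER_MDL_INCORRECT_FLAGS;
        r.Arg3 = r.Arg4 = mdl->MdlFlags;
        return r;
    }
    if (mdl->MdlFlags & (MDL_MAPPED_TO_SYSTEM_VA | MDL_SOURCE_IS_NONPAGED_POOL)) {
        r.Va = mdl->MappedSystemVa;
    }
    return r;   /* other MDL kinds are outside this model */
}

/* The poster's sequence, parameterised on the hand-set flag Verifier rejects. */
static MAP_RESULT map_service_table(int verifier_on, int force_mapped_flag)
{
    MODEL_MDL mdl;
    model_IoAllocateMdl(&mdl, g_fake_table, (uint32_t)sizeof g_fake_table);
    model_MmBuildMdlForNonPagedPool(&mdl);          /* MdlFlags == 0x4 here */
    if (force_mapped_flag) {
        mdl.MdlFlags |= MDL_MAPPED_TO_SYSTEM_VA;    /* MdlFlags becomes 0x5 */
    }
    return model_MmMapLockedPagesSpecifyCache(&mdl, verifier_on);
}

int main(void)
{
    MAP_RESULT r = map_service_table(1, 1);
    printf("manual flag, Verifier on : bugcheck 0x%X arg1 0x%X flags 0x%X\n",
           (unsigned)r.BugcheckCode, (unsigned)r.Arg1, (unsigned)r.Arg3);
    r = map_service_table(0, 1);
    printf("manual flag, Verifier off: mapped at %p (no check, no crash)\n", r.Va);
    r = map_service_table(1, 0);
    printf("no manual flag, Verifier on: mapped at %p\n", r.Va);
    return 0;
}
```

In this model the only thing that changes between "crashes" and "works" is whether the driver itself writes MDL_MAPPED_TO_SYSTEM_VA into MdlFlags before asking the kernel to map the MDL; MmBuildMdlForNonPagedPool supplies the 0x4 bit and MappedSystemVa on its own, which is why Verifier reports 0x5.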