// Partial PROCESS_BASIC_INFORMATION layout: reserved slots plus the PEB base and the PID.
// This typedef sits inside a preprocessor conditional whose #if/#ifndef is above this excerpt;
// PPEB is not declared here, so it presumably comes from an earlier include — verify.
typedef struct _PROCESS_BASIC_INFORMATION {
PVOID Reserved1;
PPEB PebBaseAddress;
PVOID Reserved2[2];
ULONG_PTR UniqueProcessId;
PVOID Reserved3;
} PROCESS_BASIC_INFORMATION;
#endif; // NOTE(review): the ';' is an extra token after a directive (MSVC C4067 / GCC warning); drop it
// NT status code returned by every Zw* call below; callers are expected to test it, not discard it.
typedef LONG NTSTATUS, *PNTSTATUS;
// Counted wide string used as an object name. Length/MaximumLength are byte counts, not
// character counts (aa() below fills them with wcslen() * sizeof(WCHAR)).
typedef struct _UNICODE_STRING {
USHORT Length;
USHORT MaximumLength;
PWSTR Buffer;
} UNICODE_STRING, *PUNICODE_STRING;
// Function-pointer signatures for the ntdll exports resolved by name further down.
// OUT / _In_ / _Out_ / _In_opt_ are SAL annotation macros expected from the SDK headers.
typedef LONG(__stdcall *pfnZwCreateSection)(
PHANDLE SectionHandle,
ACCESS_MASK DesiredAccess,
POBJECT_ATTRIBUTES ObjectAttributes,
PLARGE_INTEGER MaximumSize,
ULONG SectionPageProtection,
ULONG AllocationAttributes,
HANDLE FileHandle
);
typedef LONG(__stdcall *pfnZwMapViewOfSection) (
HANDLE SectionHandle,
HANDLE ProcessHandle,
OUT PVOID *BaseAddress,
ULONG_PTR ZeroBits,
SIZE_T CommitSize,
PLARGE_INTEGER SectionOffset,
PSIZE_T ViewSize,
DWORD InheritDisposition,
ULONG AllocationType,
ULONG Win32Protect
);
typedef LONG(__stdcall *pfnZwUnmapViewOfSection)(
HANDLE ProcessHandle,
PVOID BaseAddress
);
// File-scope initializers that call GetProcAddress: these are non-constant initializers,
// so this compiles only as C++, and they run during static initialization before main().
// None of the results is checked for NULL before aa()/bb() call through them, so a missing
// export would fault at the first call. The globals also reuse the real export names; if
// <winternl.h> or ntdll.lib declares any of them, the definitions clash — confirm includes.
pfnZwMapViewOfSection ZwMapViewOfSection = (pfnZwMapViewOfSection)GetProcAddress(GetModuleHandleA("ntdll"), "ZwMapViewOfSection");
pfnZwUnmapViewOfSection ZwUnmapViewOfSection = (pfnZwUnmapViewOfSection)GetProcAddress(GetModuleHandleA("ntdll"), "ZwUnmapViewOfSection");
pfnZwCreateSection ZwCreateSection = (pfnZwCreateSection)GetProcAddress(GetModuleHandleA("ntdll"), "ZwCreateSection");
// Payload layout for the shared mapping created in bb(). "Menory" is a typo for "Memory"
// carried through all three identifiers; bb() uses the bare tag in sizeof(), which is C++-only.
typedef struct ShareMenoryArray
{
int Num;
}*LPShareMenoryArray;
LPShareMenoryArray pShareMenory; // global view pointer, assigned in bb()
// Completion block for the file APIs; the anonymous union is a C11 / MSVC extension.
typedef struct _IO_STATUS_BLOCK {
union {
NTSTATUS Status;
PVOID Pointer;
};
ULONG_PTR Information;
} IO_STATUS_BLOCK, *PIO_STATUS_BLOCK;
// ZwOpenFile / ZwCreateFile: declared and resolved, but neither aa() nor bb() calls them in this excerpt.
typedef LONG(__stdcall *pfnZwOpenFile)(
_Out_ PHANDLE FileHandle,
_In_ ACCESS_MASK DesiredAccess,
_In_ POBJECT_ATTRIBUTES ObjectAttributes,
_Out_ PIO_STATUS_BLOCK IoStatusBlock,
_In_ ULONG ShareAccess,
_In_ ULONG OpenOptions
);
pfnZwOpenFile ZwOpenFile = (pfnZwOpenFile)GetProcAddress(GetModuleHandleA("ntdll"), "ZwOpenFile");
typedef LONG(__stdcall *pfnZwCreateFile)(
_Out_ PHANDLE FileHandle,
_In_ ACCESS_MASK DesiredAccess,
_In_ POBJECT_ATTRIBUTES ObjectAttributes,
_Out_ PIO_STATUS_BLOCK IoStatusBlock,
_In_opt_ PLARGE_INTEGER AllocationSize,
_In_ ULONG FileAttributes,
_In_ ULONG ShareAccess,
_In_ ULONG CreateDisposition,
_In_ ULONG CreateOptions,
_In_opt_ PVOID EaBuffer,
_In_ ULONG EaLength
);
pfnZwCreateFile ZwCreateFile = (pfnZwCreateFile)GetProcAddress(GetModuleHandleA("ntdll"), "ZwCreateFile");
// OBJECT_ATTRIBUTES.Attributes flags used by aa().
#define OBJ_CASE_INSENSITIVE 0x00000040L
#define OBJ_KERNEL_HANDLE 0x00000200L
// Fills an OBJECT_ATTRIBUTES in place. This is a bare brace block, not do { } while (0):
// it cannot be used as the single statement of an unbraced if/else, so always brace the
// call site. It also evaluates p several times, so pass a side-effect-free expression.
#define InitializeObjectAttributes( p, n, a, r, s ) { \
(p)->Length = sizeof(OBJECT_ATTRIBUTES); \
(p)->RootDirectory = r; \
(p)->Attributes = a; \
(p)->ObjectName = n; \
(p)->SecurityDescriptor = s; \
(p)->SecurityQualityOfService = NULL; \
}
#define FILE_SYNCHRONOUS_IO_NONALERT 0x00000020 // defined but unused in this excerpt
// Tries to create a named section object by calling ntdll's ZwCreateSection directly.
// As pasted, the call's result is discarded and most of the locals are never used;
// the per-line notes record what is actually passed and what is not.
void aa()
{
HANDLE hMySharedMapFile; // receives the section handle on success; never closed in this function
HANDLE hFile = NULL; // unused
wchar_t temp[] = L"Hello World!"; // wide string used as the section's ObjectName
UNICODE_STRING str;
str.Buffer = temp;
str.Length = wcslen(temp)*sizeof(WCHAR); // byte count; the size_t result is narrowed to USHORT implicitly
str.MaximumLength = wcslen(temp)*sizeof(WCHAR);
SIZE_T size = 0; // unused in this function
OBJECT_ATTRIBUTES oa = { 0 };
LARGE_INTEGER a; // set on the next two lines but never read afterwards: the call below passes 0 as MaximumSize
a.HighPart = 0;
a.LowPart = 0x8EF6;
IO_STATUS_BLOCK io_status = { 0 }; // unused
InitializeObjectAttributes(&oa, &str, OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE, 0, 0);
void* MapFileBaseAddress = NULL; // unused in this function
LONG status = ZwCreateSection(&hMySharedMapFile, SECTION_MAP_READ, &oa, 0, PAGE_EXECUTE, SEC_IMAGE, INVALID_HANDLE_VALUE); // creating the shared section always fails here — why? (original author's question)
// NOTE(review): 'status' is discarded, so the failure is invisible. Log the NTSTATUS value
// and look up its ntstatus.h name before asking why: the specific code usually identifies
// which argument was rejected. ZwCreateSection itself is also never NULL-checked after the
// GetProcAddress lookup, so a failed lookup would crash here rather than return a status.
}
// Creates a pagefile-backed mapping through the Win32 API, maps a view of it, then maps the
// same section handle a second time through ntdll. As pasted the function does not compile
// (undeclared identifiers on the Zw call, and the last two lines are not statements).
void bb()
{
HANDLE hMySharedMapFile = CreateFileMapping(INVALID_HANDLE_VALUE, NULL, PAGE_READWRITE, 0, sizeof(ShareMenoryArray), _T("MyDataMenory")); // return value not checked for NULL; handle never closed
pShareMenory = (LPShareMenoryArray)MapViewOfFile(hMySharedMapFile, FILE_MAP_ALL_ACCESS, 0, 0, 0); // first view; result not checked for NULL, never unmapped
// 'MapFileBaseAddress' and 'size' are locals of aa(), not visible here — undeclared identifiers as written.
// This is a second, separate view of the section mapped on the line above, so it naturally lands
// at a different base; the 0x10000 gap observed below matches the usual 64 KiB allocation
// granularity — presumably just the next free granule, confirm with VirtualQuery.
LONG stat = ZwMapViewOfSection(hMySharedMapFile, INVALID_HANDLE_VALUE, &MapFileBaseAddress, NULL, NULL, NULL, &size, 1 /* ViewShare */, NULL, PAGE_READWRITE); // 'stat' is never checked
// The two lines below are not statements (no ';', integer literal assigned to a pointer);
// they read as the author's observed runtime values pasted into the code.
pShareMenory = 0x02040000
MapFileBaseAddress = 0x02050000 /// why do these differ by 0x10000? asking for help (original author's question)
}
在 R3 层使用 NT 函数，不要搞驱动了。我的目的是想用共享内存通讯，
但 MapViewOfFile 和 CreateFileMapping 有钩子保护，所以我想使用 NT 函数绕过钩子。
CreateFileMapping->ZwCreateSection
MapViewOfFile->ZwMapViewOfSection