-
-
[求助]NtCreateSection OBJECT_ATTRIBUTES::ObjectName::Buffer指针的更改出错
-
发表于:
2016-4-9 19:21
3946
-
[求助]NtCreateSection OBJECT_ATTRIBUTES::ObjectName::Buffer指针的更改出错
如题:
NTSTATUS _stdcall _NtCreateSection(
OUT PHANDLE SectionHandle,
IN ACCESS_MASK DesiredAccess,
IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL,
IN PLARGE_INTEGER MaximumSize OPTIONAL,
IN ULONG SectionPageProtection,
IN ULONG AllocationAttributes,
IN HANDLE FileHandle OPTIONAL
)
{
WCHAR NAME[MAX_PATH];
memcpy(NAME, ObjectAttributes->ObjectName->Buffer, ObjectAttributes->ObjectName->maxlen);
ObjectAttributes->ObjectName->Buffer = NAME;
// 再call 原始call, 结果 原始call 死活返回0xc0000005
}
好吧, 今天勾NtCreateSection中,使用了局部变量指针(数据直接copy)代替
ObjectAttributes::ObjectName::Buffer (= WCHAR NAME[MAX_PATH]),
死活返回0xc0000005;
请教: why??
PS: wow system, 64位进程
已经解决:
方法如下:
// 对指定区域 设置线程为KernelMode
// 方法: KernelModeScope({指令...});
#define KernelModeScope(_x_) \
{ \
PKTHREAD Kthread= (PKTHREAD)PsGetCurrentThread(); \
char orgThrdMode = Kthread->PreviousMode; \
Kthread->PreviousMode =KernelMode; \
_x_; \
Kthread->PreviousMode =orgThrdMode; \
}
KernelModeScope({原call(...);})
[培训]《安卓高级研修班(网课)》月薪三万计划,掌握调试、分析还原ollvm、vmp的方法,定制art虚拟机自动化脱壳的方法
