PMDL NTAPI IoCreateWriteMdlForAddress(PVOID InAddress, PVOID *OutAddress, size_t Size) ////创建内存可写;
{
PMDL pMdl = NULL;
if (Size>0)
{
if ((InAddress == NULL) | (Size == 0))
return NULL;
if (OutAddress == NULL)
return NULL;
if (!MmIsAddressValid(OutAddress))
return NULL;
}
else
{
return NULL;
}
pMdl = MmCreateMdl(NULL, InAddress, Size);
if (pMdl == NULL)
{
return NULL;
}
MmBuildMdlForNonPagedPool(pMdl);
if (!FlagOn(pMdl->MdlFlags, MDL_MAPPED_TO_SYSTEM_VA))
SetFlag(pMdl->MdlFlags, MDL_MAPPED_TO_SYSTEM_VA);
*OutAddress = MmMapLockedPages(pMdl, KernelMode);
return pMdl;
}
void HookImportFunction(void *ImageBase, void *OldFunction, void *NewFunction, char *FunctionName)
{
PVOID *OutAddress = NULL; // [rsp+30h] [rbp-48h]
void *pContext; // [rsp+40h] [rbp-38h]
STRING DestinationString; // [rsp+48h] [rbp-30h]
void *v9;
memset(&DestinationString, 0, 0x20ui64);
RtlInitAnsiString(&DestinationString, FunctionName);
pContext = OldFunction;
if (DetourEnumerateImportsEx(ImageBase, &pContext, NULL, DETOUR_IMPORT_FUNC_CALLBACKEX))
{
PMDL MemoryDescriptorList = IoCreateWriteMdlForAddress(
v9 , &OutAddress, 8); //关键在这行
if (MemoryDescriptorList)
{
OutAddress = NewFunction;
MmUnmapLockedPages(OutAddress, MemoryDescriptorList);
IoFreeMdl(MemoryDescriptorList);
}
}
}
PMDL MemoryDescriptorList = IoCreateWriteMdlForAddress(NULL, &OutAddress, 8);
这行代码有问题,会蓝屏。
如果改成 直接
IoCreateWriteMdlForAddress(NULL, &OutAddress, 8); 就不会蓝屏。这是为什么???
IoCreateWriteMdlForAddress 返回类型为
PMDL
还有个问题
IoCreateWriteMdlForAddress(v9 , &OutAddress, 8); 这里面的V9应该是必须有值的,为什么IDA逆向出来的伪代码里V9是没有赋值的???
谁能帮我解决的,请私信我下,可付费
[培训]《安卓高级研修班(网课)》月薪三万计划,掌握调试、分析还原ollvm、vmp的方法,定制art虚拟机自动化脱壳的方法
