HANDLE hSection
=
0
;
LARGE_INTEGER cbSectionOffset
=
{};
PVOID pViewBase
=
NULL;
SIZE_T cbViewSize
=
0
;
NTSTATUS ntstatus
=
0
;
vector<sectionData> dwSectionData;
ULONG nCanMapSize
=
0
;
nCanMapSize
=
calcTextSize(pInfo,dwSectionData);
if
(nCanMapSize <
0x10000
) {
return
bRet;
}
ULONG64 nNextMapAddress
=
nCanMapSize
+
(ULONG64)pInfo
-
>lpBaseOfDll;
ULONG nNextMapSize
=
pInfo
-
>SizeOfImage
-
nCanMapSize;
LARGE_INTEGER cbSectionSize
=
{
0
};
cbSectionSize.QuadPart
=
pInfo
-
>SizeOfImage;
ntstatus
=
ZwCreateSection(
&hSection,
SECTION_ALL_ACCESS,
NULL,
&cbSectionSize,
PAGE_EXECUTE_READWRITE,
SEC_COMMIT,
NULL);
pViewBase
=
0
;
cbSectionOffset.QuadPart
=
0
;
cbViewSize
=
0
;
ntstatus
=
ZwMapViewOfSection(
hSection,
NtCurrentProcess(),
&pViewBase,
0
,
0
,
&cbSectionOffset,
&cbViewSize,
ViewUnmap,
0
,
PAGE_EXECUTE_READWRITE);
if
(NT_SUCCESS(ntstatus))
{
RtlCopyMemory(pViewBase, pInfo
-
>lpBaseOfDll, pInfo
-
>SizeOfImage);
/
/
把内容写入section后,就把当前得 地址 卸载
ntstatus
=
ZwUnmapViewOfSection(NtCurrentProcess(), pViewBase);
ntstatus
=
ZwUnmapViewOfSection(NtCurrentProcess(), pInfo
-
>lpBaseOfDll);
if
(NT_SUCCESS(ntstatus))
{
/
/
映射 代码节区 全给他 PAGE_EXECUTE_READ并且加上 SEC_NO_CHANGE
pViewBase
=
pInfo
-
>lpBaseOfDll;
cbSectionOffset.QuadPart
=
0
;
cbViewSize
=
nCanMapSize;
ntstatus
=
ZwMapViewOfSection(
hSection,
NtCurrentProcess(),
&pViewBase,
0
,
0
,
&cbSectionOffset,
&cbViewSize,
ViewUnmap,
SEC_NO_CHANGE,
PAGE_EXECUTE_READ);
if
(NT_SUCCESS(ntstatus))
{
/
/
映射数据节区 给PAGE_READWRITE
pViewBase
=
(PVOID)nNextMapAddress;
cbSectionOffset.QuadPart
=
nCanMapSize;
cbViewSize
=
nNextMapSize;
ntstatus
=
ZwMapViewOfSection(
hSection,
NtCurrentProcess(),
&pViewBase,
0
,
0
,
&cbSectionOffset,
&cbViewSize,
ViewUnmap,
0
,
PAGE_READWRITE);
if
(NT_SUCCESS(ntstatus) && !dwSectionData.empty())
{
/
/
这个只是 还原数据段 的内存属性 你不喜欢可以不执行
vector<sectionData> ::iterator it
=
dwSectionData.begin();
SIZE_T tmpSize
=
0
;
DWORD OldAccessProtection
=
0
;
ULONG prot
=
0
;
PVOID pAddr
=
NULL;
for
(it; it !
=
dwSectionData.end();
+
+
it)
{
if
(it
-
>nProtection
=
=
PAGE_READONLY)
{
prot
=
it
-
>nProtection;
pAddr
=
(PVOID)((ULONG64)pInfo
-
>lpBaseOfDll
+
it
-
>VirtualAddress);
tmpSize
=
it
-
>VirtualSize;
ZwProtectVirtualMemory(NtCurrentProcess(), &pAddr, &tmpSize, prot, &OldAccessProtection);
}
}
}
}
}
}
if
(hSection) {
CloseHandle(hSection);
}
return
bRet;