哪位帮我看看这个函数啊,不是很懂它。
NTSTATUS
MmMapViewOfSection(
IN PVOID SectionToMap,
IN PEPROCESS Process,
IN OUT PVOID *CapturedBase,
IN ULONG ZeroBits,
IN ULONG CommitSize,
IN OUT PLARGE_INTEGER SectionOffset,
IN OUT PULONG CapturedViewSize,
IN SECTION_INHERIT InheritDisposition,
IN ULONG AllocationType,
IN ULONG Protect
)
{
ControlArea = Section->Segment->ControlArea;
ImageCommitment = Section->Segment->ImageCommitment;
if (PsGetCurrentProcess() != Process) {
KeAttachProcess (&Process->Pcb);//改变Cr3,指向Attached进程的目录表。之后当前线程操作的用户空间就是Attached的进程。
Attached = TRUE;
}
//下面是根据节对象的类型来分别调用不同的函数来映射。
if (ControlArea->u.Flags.PhysicalMemory) {
//请问这里具体干什么的。还有就是不是页文件也能映射的吗。具体是哪个处理函数处理页面文件的?
MmLockPagableSectionByHandle(ExPageLockHandle);
status = MiMapViewOfPhysicalSection (ControlArea,
Process,
CapturedBase,
SectionOffset,
CapturedViewSize,
ProtectionMask,
ZeroBits,
AllocationType,
&ReleasedWsMutex);
MmUnlockPagableImageSection(ExPageLockHandle);
} else if (ControlArea->u.Flags.Image) {
//我的理解这里是要映射可执行文件
status = MiMapViewOfImageSection (
ControlArea,
Process,
CapturedBase,
SectionOffset,
CapturedViewSize,
Section,
InheritDisposition,
ZeroBits,
ImageCommitment,
&ReleasedWsMutex
);
} else {
//我的理解,这里是要映射共享数据文件
// Not an image section, therefore it is a data section.
//
status = MiMapViewOfDataSection (ControlArea,
Process,
CapturedBase,
SectionOffset,
CapturedViewSize,
Section,
InheritDisposition,
ProtectionMask,
CommitSize,
ZeroBits,
AllocationType,
&ReleasedWsMutex
);
}
if (Attached) {
KeDetachProcess();
}
}
}
[课程]FART 脱壳王!加量不加价!FART作者讲授!