void OpenKernelFile()
{
NTSTATUS status;
HANDLE fileHandle;
UNICODE_STRING usDllName;
IO_STATUS_BLOCK IoStatusBlock;
RtlInitUnicodeString(&usDllName, L"\\Device\\HarddiskVolume1\\Windows\\System32\\ntdll.dll");
OBJECT_ATTRIBUTES oa = {sizeof oa, 0, &usDllName, OBJ_CASE_INSENSITIVE};
status = ZwOpenFile(&fileHandle, FILE_EXECUTE | SYNCHRONIZE, &oa, &IoStatusBlock, FILE_SHARE_READ, FILE_SYNCHRONOUS_IO_NONALERT);
HANDLE SectionHandle;
oa.ObjectName = NULL;
#define SEC_IMAGE 0x01000000
status = ZwCreateSection(&SectionHandle, SECTION_ALL_ACCESS, &oa, 0, PAGE_EXECUTE_READ, SEC_IMAGE, fileHandle);
PVOID BaseAddress = NULL;
ULONG size = 0;
status = ZwMapViewOfSection(SectionHandle, NtCurrentProcess(), &BaseAddress, 0, 1000, 0, &size, (SECTION_INHERIT)1, MEM_TOP_DOWN, PAGE_READWRITE);
ZwClose(fileHandle);
ZwClose(SectionHandle);
}
这段代码是在R0下运行,
可是BaseAddress得到的地址值(也就是映射的基址)非常小0x001f0000
这可是在R0没法访问的,蓝屏
有哪位达人能告诉我怎么做呢
[注意]传递专业知识、拓宽行业人脉——看雪讲师团队等你加入!