-
-
[求助]关于内存清0
-
发表于:
2009-8-5 16:00
4074
-
//蓝屏版内存清0
VOID ZeroIt(PEPROCESS pProcess){
ULONG start;
KAPC_STATE kapc;
KeStackAttachProcess(pProcess,&kapc);
for(start=0x00010000;start<0x60000000;start+=0x1000){
__try{
ProbeForWrite((PVOID)start,0x1000,4);
RtlZeroMemory((PVOID)start,0x1000);
}__except(1){
continue;
}
}
KeUnstackDetachProcess (&kapc);
}
//不蓝屏版内存清0
VOID ZeroIt(PEPROCESS pProcess){
ULONG start,tmp;
KAPC_STATE kapc;
PHYSICAL_ADDRESS physicalAddr;
KeStackAttachProcess(pProcess,&kapc);
for(start=0x00010000;start< 0x60000000;start+=0x1000){
physicalAddr = MmGetPhysicalAddress((PVOID)start);
if( physicalAddr.HighPart > g_PhysicalPage.HighPart )
continue;
if( physicalAddr.HighPart == g_PhysicalPage.HighPart &&
physicalAddr.LowPart >= g_PhysicalPage.LowPart )
continue;
if ( !(physicalAddr.HighPart | physicalAddr.LowPart) )
continue;
if(start!=(ULONG)MmGetVirtualForPhysical(physicalAddr))
continue;
__asm {
cli;
mov eax,cr0;
and eax,not 10000h;
mov cr0,eax;
}
__try{
RtlZeroMemory( (PVOID)start, 0x1000);
}__except(1){
}
__asm {
mov eax,cr0
or eax,10000h
mov cr0,eax
sti
}
}
KeUnstackDetachProcess (&kapc);
}
提问:
为什么第一个函数会蓝屏呢?不是用ProbeForWrite验证过了吗?
[培训]内核驱动高级班,冲击BAT一流互联网大厂工作,每周日13:00-18:00直播授课
