为了防止DLL注入 SSDT HOOK 了NtMapViewOfSection函数:
NTSTATUS MyNtMapViewOfSection(
__in HANDLE SectionHandle,
__in HANDLE ProcessHandle,
__inout PVOID *BaseAddress,
__in ULONG_PTR ZeroBits,
__in SIZE_T CommitSize,
__inout_opt PLARGE_INTEGER SectionOffset,
__inout PSIZE_T ViewSize,
__in SECTION_INHERIT InheritDisposition,
__in ULONG AllocationType,
__in ULONG Win32Protect
)
{
PSECTION Section;
PEPROCESS Process;
NTSTATUS status;
if (ObReferenceObjectByHandle (ProcessHandle,0,*PsProcessType,0,(PVOID *)&Process,NULL) == 0)
{
if (strstr((char*)PsGetProcessImageFileName(Process),"taskmgr"))
{
if (ObReferenceObjectByHandle (SectionHandle,0,0,0,(PVOID*)&Section,NULL) == 0)
{
if (Section->Segment->ControlArea!=0 && Section->Segment->ControlArea->FilePointer!=0)
{
if (Section->Segment->ControlArea->FilePointer->FileName.Buffer!=0)
{
if (wcsstr(Section->Segment->ControlArea->FilePointer->FileName.Buffer,L"npggNT.des"))
{
ObDereferenceObject(Section);
ObDereferenceObject(Process);
return STATUS_ACCESS_DENIED;
}
}
}
ObDereferenceObject(Section);
}
}
ObDereferenceObject(Process);
}
__asm
{
push Win32Protect
push AllocationType
push InheritDisposition
push ViewSize
push SectionOffset
push CommitSize
push ZeroBits
push BaseAddress
push ProcessHandle
push SectionHandle
call [g_MapViewOfSectionCall]
mov status ,eax
}
return status;
}
是防止了注入 但是有时候蓝屏 蓝在 if (Section->Segment->ControlArea->FilePointer->FileName.Buffer!=0) 这句
反复思考觉得可能是调用OpenFileMapping MapViewOfFile...函数映射文件导致的
不熟悉 _SECTION_OBJECT这对象。。。
请问怎么判断调用此函数是不是为了加载DLL?
------解决方案--------------------------------------------------------
这都能赶上。人品好的没法说。
------解决方案--------------------------------------------------------
