NtMapViewOfSection code to prevent DLL injection

To prevent DLL injection, I SSDT-hooked the NtMapViewOfSection function:
C/C++ code:

    NTSTATUS MyNtMapViewOfSection(
        __in HANDLE SectionHandle,
        __in HANDLE ProcessHandle,
        __inout PVOID *BaseAddress,
        __in ULONG_PTR ZeroBits,
        __in SIZE_T CommitSize,
        __inout_opt PLARGE_INTEGER SectionOffset,
        __inout PSIZE_T ViewSize,
        __in SECTION_INHERIT InheritDisposition,
        __in ULONG AllocationType,
        __in ULONG Win32Protect
        )
    {
        PSECTION Section;
        PEPROCESS Process;
        NTSTATUS status;

        if (ObReferenceObjectByHandle(ProcessHandle, 0, *PsProcessType, 0, (PVOID *)&Process, NULL) == 0)
        {
            // Only inspect views being mapped into a process whose image name contains "taskmgr"
            if (strstr((char *)PsGetProcessImageFileName(Process), "taskmgr"))
            {
                if (ObReferenceObjectByHandle(SectionHandle, 0, 0, 0, (PVOID *)&Section, NULL) == 0)
                {
                    if (Section->Segment->ControlArea != 0 && Section->Segment->ControlArea->FilePointer != 0)
                    {
                        // The blue screen described below occurs on this line
                        if (Section->Segment->ControlArea->FilePointer->FileName.Buffer != 0)
                        {
                            // Refuse to map the protected module npggNT.des into the process
                            if (wcsstr(Section->Segment->ControlArea->FilePointer->FileName.Buffer, L"npggNT.des"))
                            {
                                ObDereferenceObject(Section);
                                ObDereferenceObject(Process);
                                return STATUS_ACCESS_DENIED;
                            }
                        }
                    }
                    ObDereferenceObject(Section);
                }
            }
            ObDereferenceObject(Process);
        }

        // Pass the call through to the original NtMapViewOfSection
        // (stdcall: arguments pushed right to left)
        __asm
        {
            push Win32Protect
            push AllocationType
            push InheritDisposition
            push ViewSize
            push SectionOffset
            push CommitSize
            push ZeroBits
            push BaseAddress
            push ProcessHandle
            push SectionHandle
            call [g_MapViewOfSectionCall]
            mov status, eax
        }
        return status;
    }
It does block the injection, but sometimes it blue-screens, at the line `if (Section->Segment->ControlArea->FilePointer->FileName.Buffer!=0)`. After thinking it over repeatedly, I suspect it may be caused by calls such as OpenFileMapping / MapViewOfFile... that map files. I'm not familiar with the _SECTION_OBJECT object... How can I tell whether a call to this function is for loading a DLL?