Process lookup from a driver, and how to deal with the ZwProtectVirtualMemory deadlock inside a LoadImage notify routine.
First, the lookup routine:
```c
#include <ntddk.h>

// Exported but undocumented: returns the 15-byte image name stored in EPROCESS.
NTKERNELAPI PCHAR NTAPI PsGetProcessImageFileName(PEPROCESS Process);

// OS-version-specific EPROCESS offsets, resolved elsewhere (not shown on this page).
extern struct {
    ULONG EPROCESS_UniqueProcessId;
    ULONG EPROCESS_ActiveProcessLinks;
} dynData;

ULONG dv_FindEProcess(PUCHAR ProcessName, PEPROCESS *pEprocess)
{
    PLIST_ENTRY ActiveProcessLinks;
    ANSI_STRING tarName, curName;
    PUCHAR pName = NULL;
    ULONG uPid = 0, uRetPid = 0;
    PCHAR FirstEProcess, NextEprocess;

    RtlInitAnsiString(&tarName, (PCSZ)ProcessName);
    // Walk the circular ActiveProcessLinks list starting at the calling process.
    FirstEProcess = NextEprocess = (PCHAR)PsGetCurrentProcess();

    __try {
        do {
            pName = (PUCHAR)PsGetProcessImageFileName((PEPROCESS)NextEprocess);
            // UniqueProcessId is a HANDLE; the low 32 bits are enough for a PID.
            uPid = *(PLONG32)(NextEprocess + dynData.EPROCESS_UniqueProcessId);
            if (pName && uPid) {
                RtlInitAnsiString(&curName, (PCSZ)pName);
                DbgPrint("di-%Z(%d)", &curName, uPid);   // %Z takes a PANSI_STRING
                if (RtlEqualString(&tarName, &curName, TRUE)) {   // case-insensitive
                    if (pEprocess) {
                        *pEprocess = (PEPROCESS)NextEprocess;
                    }
                    uRetPid = uPid;
                    break;
                }
            }
            ActiveProcessLinks = (PLIST_ENTRY)(NextEprocess + dynData.EPROCESS_ActiveProcessLinks);
            if (ActiveProcessLinks->Flink == NULL) {
                break;
            }
            // Step from the LIST_ENTRY back to the start of the next EPROCESS.
            NextEprocess = (PCHAR)ActiveProcessLinks->Flink - dynData.EPROCESS_ActiveProcessLinks;
        } while (NextEprocess != FirstEProcess);
    } __except (EXCEPTION_EXECUTE_HANDLER) {
        // Nothing synchronizes this walk against process exit; a torn list lands here.
    }
    return uRetPid;
}
```
Two caveats: PsGetProcessImageFileName returns only the first 15 characters of the image name, so a longer target name has to be compared in truncated form, and the walk takes no lock on the process list, which is the only reason the __try is there.
Calling ZwProtectVirtualMemory from a PsSetLoadImageNotifyRoutine callback hangs. The cause is AddressCreationLock: the callback runs on the thread that is mapping the image, and that thread already holds the target process's AddressCreationLock exclusively; ZwProtectVirtualMemory tries to acquire the same lock, so the thread waits on itself.
My workaround is not to release the lock but to zero AddressCreationLock outright, so that when ZwProtectVirtualMemory is called the acquire sees a free lock and no longer blocks. This only moves the problem: the mapping code still believes it owns the lock and will release a lock word that is no longer in the held state when it finishes, and nothing serializes the address-space change made from the callback against the mapping in progress. It avoids the hang, but it is a hack against undocumented kernel state rather than a supported fix; deferring the protection change until after the callback returns (for example from a kernel APC or work item that runs in the target process) avoids the re-entry without touching the lock at all.
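To make the re-entry concrete, here is an added user-mode model (not code from this post, and not the real EX_PUSH_LOCK implementation) of a non-reentrant exclusive lock whose fast-path release is a blind decrement, as a push lock's is. It runs three load-image callbacks against a mapper that holds the lock across the callback: the naive one that re-acquires and would deadlock (modelled as a failed trylock), the hack above that zeroes the lock word first, and a variant that defers the protection change until the mapper has dropped the lock. The lock semantics, the ProcessModel, the PAGE_* constants and the deferred-work hook are all assumptions of the model.

```c
#include <stdint.h>
#include <stdio.h>

/* Model of a non-reentrant exclusive push lock (hypothetical: the real EX_PUSH_LOCK
 * slow path, waiters and wake-ups are left out). 0 = free, bit 0 = held. */
typedef struct { uintptr_t Value; } PushLockModel;
#define LOCK_BIT ((uintptr_t)1)

/* Returns 1 if the lock was taken, 0 if it is already held; in the kernel the
 * 0 case blocks the caller, which on the same thread means a self-deadlock. */
static int try_acquire_exclusive(PushLockModel *l) {
    if (l->Value != 0) return 0;
    l->Value = LOCK_BIT;
    return 1;
}

/* Fast-path release: an interlocked add of -1 with no ownership check, which is
 * what makes releasing an already-zeroed lock word corrupt it. */
static void release_exclusive(PushLockModel *l) {
    l->Value -= LOCK_BIT;
}

#define PAGE_READWRITE         0x04   /* assumed constants, same values as Windows */
#define PAGE_EXECUTE_READWRITE 0x40

/* The target process: its address-creation lock, the protection of one region,
 * and a pending request used by the deferred variant. */
typedef struct {
    PushLockModel AddressCreationLock;
    unsigned      Protection;
    int           DeferredPending;
    unsigned      DeferredProtection;
} ProcessModel;

typedef enum { OUTCOME_OK = 0, OUTCOME_WOULD_DEADLOCK = 1 } Outcome;

/* ZwProtectVirtualMemory analogue: must hold AddressCreationLock to touch the VADs. */
static Outcome protect_virtual_memory(ProcessModel *p, unsigned newprot) {
    if (!try_acquire_exclusive(&p->AddressCreationLock)) return OUTCOME_WOULD_DEADLOCK;
    p->Protection = newprot;
    release_exclusive(&p->AddressCreationLock);
    return OUTCOME_OK;
}

typedef void (*LoadImageNotify)(ProcessModel *p, Outcome *result);

/* Image mapper as the post describes it: the notify routine is called while the
 * mapper still holds the lock. Deferred work runs once the lock is dropped,
 * standing in for a kernel APC or work item that runs in the process later. */
static void map_image(ProcessModel *p, LoadImageNotify notify, Outcome *result) {
    try_acquire_exclusive(&p->AddressCreationLock);   /* free at this point in the model */
    notify(p, result);
    release_exclusive(&p->AddressCreationLock);
    if (p->DeferredPending) {
        p->DeferredPending = 0;
        protect_virtual_memory(p, p->DeferredProtection);
    }
}

/* 1. Naive callback: re-acquires the held lock, i.e. the hang from the post. */
static void notify_naive(ProcessModel *p, Outcome *r) {
    *r = protect_virtual_memory(p, PAGE_EXECUTE_READWRITE);
}

/* 2. The post's hack: zero the lock word, then call ZwProtectVirtualMemory. */
static void notify_zero_lock(ProcessModel *p, Outcome *r) {
    p->AddressCreationLock.Value = 0;
    *r = protect_virtual_memory(p, PAGE_EXECUTE_READWRITE);
}

/* 3. Deferred: record the request and let it run after the mapper releases. */
static void notify_deferred(ProcessModel *p, Outcome *r) {
    p->DeferredPending = 1;
    p->DeferredProtection = PAGE_EXECUTE_READWRITE;
    *r = OUTCOME_OK;
}

/* Runs one scenario on a fresh process; reports the callback outcome, the final
 * protection and the lock word the mapper leaves behind (0 means healthy). */
static Outcome run_scenario(LoadImageNotify notify, unsigned *prot, uintptr_t *lockword) {
    ProcessModel p = { {0}, PAGE_READWRITE, 0, 0 };
    Outcome r = OUTCOME_OK;
    map_image(&p, notify, &r);
    *prot = p.Protection;
    *lockword = p.AddressCreationLock.Value;
    return r;
}

int main(void) {
    const char *names[] = { "naive", "zero lock", "deferred" };
    LoadImageNotify cbs[] = { notify_naive, notify_zero_lock, notify_deferred };
    for (int i = 0; i < 3; i++) {
        unsigned prot; uintptr_t lw;
        Outcome r = run_scenario(cbs[i], &prot, &lw);
        printf("%-10s outcome=%s protection=0x%02x lock word after=0x%llx%s\n", names[i],
               r == OUTCOME_OK ? "ok" : "would deadlock", prot, (unsigned long long)lw,
               lw == 0 ? "" : " (corrupt: never acquirable again)");
    }
    return 0;
}
```

The zero-lock run gets its protection change but leaves the mapper's final release to decrement a zero word to all ones, after which no acquire in the model can ever succeed; in the kernel the equivalent state is a lock word the slow path misreads as a waiter list. The deferred run reaches the same protection with the lock back at zero.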
The handling is as follows: