- // In a separate file
/*
 * Thin wrapper around ZwCreateSection: builds OBJECT_ATTRIBUTES from the
 * caller's name and OBJ_* flags and creates a section with
 * SECTION_MAP_READ | SECTION_MAP_WRITE | SECTION_QUERY access.
 *
 *   Handle               receives the section handle on success
 *   FullPath             optional object name (NULL gives an anonymous section)
 *   Attributes           OBJ_* flags, passed through unchanged
 *   MaxSize              maximum section size (taken by value; its address is
 *                        what ZwCreateSection receives)
 *   SectionProtection    PAGE_* protection for the section
 *   AllocationAttributes SEC_* flags (SEC_COMMIT, SEC_RESERVE, ...)
 *
 * Returns the NTSTATUS from ZwCreateSection. No root directory, security
 * descriptor or backing file handle is supplied.
 *
 * NOTE(review): nothing here adds OBJ_KERNEL_HANDLE, so unless the caller
 * passes it the handle is created in the current process's handle table,
 * where user-mode code in that process can reach it. Confirm that callers
 * either pass OBJ_KERNEL_HANDLE or really want a user-visible handle.
 */
NTSTATUS CreateSection(PHANDLE Handle, PUNICODE_STRING FullPath, ULONG Attributes, LARGE_INTEGER MaxSize, ULONG SectionProtection, ULONG AllocationAttributes)
{
    OBJECT_ATTRIBUTES oa;
    const ULONG desiredAccess = SECTION_MAP_READ | SECTION_MAP_WRITE | SECTION_QUERY;

    InitializeObjectAttributes(&oa, FullPath, Attributes, NULL, NULL);

    return ZwCreateSection(Handle, desiredAccess, &oa, &MaxSize,
                           SectionProtection, AllocationAttributes, NULL);
}
- // In the function that uses it
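// NOTE(review): the enclosing function is not shown. ViewAddress and ViewSize are assumed
// to be locals set to NULL / 0 before this point (ZwMapViewOfSection reads *ViewSize) — confirm.
// NOTE(review): OBJ_KERNEL_HANDLE is not passed, so the section handle lands in the current
// process's handle table where user-mode code in that process can reach it — confirm intended.
// Create an anonymous, committed, read/write section sized to exactly one SUSPICIOUS_PROCESS.
NTSTATUS SectionStatus = CreateSection(&ImportsSectionHandle, NULL,
                                       OBJ_EXCLUSIVE | OBJ_FORCE_ACCESS_CHECK,
                                       RtlConvertLongToLargeInteger(sizeof(SUSPICIOUS_PROCESS)),
                                       PAGE_READWRITE, SEC_COMMIT);
// ^ author observed STATUS_SUCCESS; the status is now tested instead of assumed, because a
//   failure would leave ImportsSectionHandle unset and the calls below acting on garbage.
if (NT_SUCCESS(SectionStatus)) {
    // Map the section into the *current* process. The returned ViewAddress is a user-mode
    // address that is only valid while this process is current, and the process itself can
    // read and rewrite the struct through the same mapping — the kernel must not trust its
    // contents after this point.
    SectionStatus = ZwMapViewOfSection(ImportsSectionHandle, ZwCurrentProcess(), &ViewAddress, 0,
                                       sizeof(SUSPICIOUS_PROCESS), NULL, &ViewSize, ViewUnmap, 0,
                                       PAGE_READWRITE);
}
// ^ author observed STATUS_SUCCESS
if (NT_SUCCESS(SectionStatus)) {
    // Touch the view only once both calls succeeded; the original zeroed unconditionally,
    // writing through whatever ViewAddress held if the map had failed.
    RtlZeroMemory(ViewAddress, sizeof(SUSPICIOUS_PROCESS));
}
// ^ No BSOD here — presumably because this write runs in the same process context that owns
//   the mapping; the address is not usable from another context.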
- // The SUSPICIOUS_PROCESS is declared as follows:
/*
 * One record describing a flagged process: its process id (kept as a HANDLE)
 * and an ANSI function name. FunctionName is printed with %s elsewhere, so it
 * is meant to hold at most MAX_PATH - 1 characters plus a terminator. The
 * record is shared through a section view sized by sizeof(SUSPICIOUS_PROCESS),
 * so the field order and types must stay exactly as declared.
 */
struct _SUSPICIOUS_PROCESS {
    HANDLE Pid;
    CHAR FunctionName[MAX_PATH];
};

typedef struct _SUSPICIOUS_PROCESS SUSPICIOUS_PROCESS, *PSUSPICIOUS_PROCESS;
- // In another part of the project
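// NOTE(review): ViewProc is assumed to be a PSUSPICIOUS_PROCESS pointing at the section view
// mapped with ZwMapViewOfSection(..., ZwCurrentProcess(), ...) — confirm. If so, it is a
// user-mode address that is only valid in that process's context; dereferencing it from a
// different context (e.g. a callback running in an arbitrary process) faults, which would
// explain the BSOD on the copy below. The bounded copy here fixes the string handling only;
// the process-context problem has to be fixed at the mapping (e.g. map into a context the
// code actually runs in, or keep a kernel-side copy instead of the user-mode view).
const char *test = "erino";
size_t nameLen = strlen(test);

// Bound the copy to the fixed-size destination and always leave a terminator. The original
// memcpy(strlen(test)) had no length check against MAX_PATH and relied on the buffer having
// been zeroed elsewhere for DPrint's %s to stop.
if (nameLen >= sizeof(ViewProc->FunctionName)) {
    nameLen = sizeof(ViewProc->FunctionName) - 1;   // truncate, keep room for the NUL
}
memcpy(ViewProc->FunctionName, test, nameLen);
ViewProc->FunctionName[nameLen] = '\0';

DPrint("Func name is: %s", ViewProc->FunctionName);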