a guest
May 24th, 2017
// In a separate file
/*
 * CreateSection - thin wrapper around ZwCreateSection.
 *
 * Handle               receives the new section handle on success.
 * FullPath             optional object name; NULL creates an unnamed section.
 * Attributes           OBJ_* flags, passed unchanged into the object attributes.
 * MaxSize              maximum section size (by value; its address is handed
 *                      to the native call).
 * SectionProtection    PAGE_* protection for the section.
 * AllocationAttributes SEC_* flags (e.g. SEC_COMMIT).
 *
 * Returns the NTSTATUS from ZwCreateSection; *Handle is only meaningful when
 * NT_SUCCESS() holds. The requested access is fixed at
 * SECTION_MAP_READ | SECTION_MAP_WRITE | SECTION_QUERY, so a read-only
 * handle cannot be obtained through this helper.
 *
 * Security note: OBJ_KERNEL_HANDLE is not added here. A handle created from
 * kernel mode without that flag is placed in the current process's handle
 * table, so when the caller runs in a user process's context (e.g. an IOCTL
 * path) user mode can close or use it. Callers that only need the handle in
 * kernel should include OBJ_KERNEL_HANDLE in Attributes.
 */
NTSTATUS CreateSection(PHANDLE Handle, PUNICODE_STRING FullPath, ULONG Attributes, LARGE_INTEGER MaxSize, ULONG SectionProtection, ULONG AllocationAttributes)
{
    /* Fixed access mask requested for every section created through here. */
    const ULONG DesiredAccess = SECTION_MAP_READ | SECTION_MAP_WRITE | SECTION_QUERY;
    LARGE_INTEGER SectionSize = MaxSize;
    OBJECT_ATTRIBUTES SectionAttributes;

    /* No root directory and no security descriptor: the object inherits the
     * caller's defaults; Attributes alone controls exclusivity/access checks. */
    InitializeObjectAttributes(&SectionAttributes, FullPath, Attributes, NULL, NULL);

    return ZwCreateSection(Handle,
                           DesiredAccess,
                           &SectionAttributes,
                           &SectionSize,
                           SectionProtection,
                           AllocationAttributes,
                           NULL);
}
  10.  
// In the function that uses it
// NOTE(review): the NTSTATUS from CreateSection is discarded; the
// "returns STATUS_SUCCESS" line below is a debugging observation, not a
// check. Test NT_SUCCESS() before handing the handle to ZwMapViewOfSection.
// Security: the attributes here lack OBJ_KERNEL_HANDLE, so the handle is
// created in the current process's handle table; if this runs in a user
// process's context, user mode can close or use that handle.
CreateSection(&ImportsSectionHandle, NULL, OBJ_EXCLUSIVE | OBJ_FORCE_ACCESS_CHECK, RtlConvertLongToLargeInteger(sizeof(SUSPICIOUS_PROCESS)), PAGE_READWRITE, SEC_COMMIT);
^ returns STATUS_SUCCESS

// ZwCurrentProcess(): the view is mapped into the address space of whichever
// process is current at this point, so ViewAddress is only valid while that
// process is current and only at an IRQL where the (pageable) view may be
// touched. ViewSize is an in/out parameter — presumably zeroed before this
// call (its declaration is not visible here); confirm. The return value is
// again not checked before the memory is used below.
ZwMapViewOfSection(ImportsSectionHandle, ZwCurrentProcess(), &ViewAddress, 0, sizeof(SUSPICIOUS_PROCESS), NULL, &ViewSize, ViewUnmap, 0, PAGE_READWRITE);
^ STATUS_SUCCESS

// Succeeds because it runs immediately after the map, in the same process
// context; this is also what supplies the NUL terminator that later "%s"
// reads of FunctionName rely on.
RtlZeroMemory(ViewAddress, sizeof(SUSPICIOUS_PROCESS));
^ No BSOD
  20.  
  21. // The SUSPICIOUS_PROCESS is declared as follows:
// Record shared through the section view created above; one instance is
// mapped, so every writer must keep the fields within bounds.
typedef struct _SUSPICIOUS_PROCESS {
    HANDLE Pid;                  // process id stored as a HANDLE (presumably the
                                 // PsLookupProcessByProcessId convention — confirm)
    CHAR FunctionName[MAX_PATH]; // fixed-size buffer; writers must bound the
                                 // copy by sizeof(FunctionName) and keep it
                                 // NUL-terminated, since it is printed with "%s"
} SUSPICIOUS_PROCESS, *PSUSPICIOUS_PROCESS;
  26.  
// In another part of the project
// NOTE(review): ViewProc (not declared here) is presumably the ViewAddress
// returned by ZwMapViewOfSection. That mapping is private to the process that
// was current when it was made, so if this code runs in a different process
// context (a callback, work item or system thread) or at an IRQL where the
// pageable user-mode view cannot be touched, the first write faults — which
// matches the BSOD on the memcpy below. Confirm the context against the
// mapping site before looking elsewhere.
char * test = "erino";
// Also unsafe on its own: the copy is not bounded by
// sizeof(ViewProc->FunctionName), and strlen() excludes the terminator, so a
// longer source would overrun the fixed buffer and the "%s" read below relies
// on the zeroing done at mapping time for its NUL. Prefer a bounded copy that
// writes the terminator (e.g. RtlStringCbCopyA with sizeof(ViewProc->FunctionName)).
memcpy(ViewProc->FunctionName, test, strlen(test)); <---- BSOD

// Reads FunctionName as a C string; only safe if the buffer is NUL-terminated.
DPrint("Func name is: %s", ViewProc->FunctionName);