API tools faq
paste
Advertisement
Guest User

Untitled

a guest
Aug 15th, 2022
45
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
C++ 2.41 KB | None | 0 0
raw download clone embed print report
  1.     HANDLE hFile, hSection;
  2.     IO_STATUS_BLOCK iosb;
  3.     NTSTATUS status;
  4.     STATIC_OBJECT_ATTRIBUTES(oa, "\\Device\\@@@@@@@@");
  5.  
  6.     if (0 <= (status = NtOpenFile(&hFile, FILE_ALL_ACCESS, &oa, &iosb, 0, FILE_SYNCHRONOUS_IO_NONALERT)))
  7.     {
  8.         status = NtCreateSection(&hSection, SECTION_ALL_ACCESS, 0, 0, PAGE_READWRITE, SEC_COMMIT, hFile);
  9.        
  10.         NtClose(hFile);
  11.        
  12.         if (0 <= status)
  13.         {
  14.             PVOID BaseAddress = 0;
  15.             SIZE_T ViewSize = 0;
  16.  
  17.             status = ZwMapViewOfSection(hSection, NtCurrentProcess(), &BaseAddress, 0, 0, 0,
  18.                 &ViewSize, ViewUnmap, MEM_TOP_DOWN, PAGE_READWRITE);
  19.  
  20.             NtClose(hSection);
  21.  
  22.             if (0 <= status)
  23.             {
  24.                 ZwUnmapViewOfSection(NtCurrentProcess(), BaseAddress);
  25.             }
  26.         }
  27.     }
  28.  
  29.     //-- NtOpenFile
  30. 00000005    27.67451668 NT::OnCreate(FFFFE0000233C960 00000884 fo=FFFFE00002990590)
  31. 00000006    27.67472649 NT::FCB::FCB<FFFFE00001A35150> 
  32. 00000007    27.67475128 PrivateCacheMap=FFFFE00002798CD8, buf = FFFFC00001E00000 2
  33.    
  34.     //-- NtCreateSection
  35. 00000008    51.80152512 NT::AcquireFileForNtCreateSection(FFFFE00002990590)
  36. 00000009    51.80153275 FastIoQueryStandardInfo
  37. 00000010    51.80154037 NT::ReleaseFileForNtCreateSection(FFFFE00002990590)
  38. 00000011    51.80155182 NT::AcquireFileForNtCreateSection(FFFFE00002990590)
  39. 00000012    51.80155563 NT::ReleaseFileForNtCreateSection(FFFFE00002990590)
  40.  
  41.     //-- NtClose(hFile)
  42. 00000014    77.45678711 NT::OnCleanup(FFFFE00001B47E60 00000404 fo=FFFFE00002990590 FFFFC00001E00000)  
  43. 00000015    77.45679474 CcPurgeCacheSection=1  
  44. 00000016    77.45679474 Flags=40042 0000000000000000   
  45. 00000017    78.69149017 NT::AcquireForLazyWrite(FFFFE00001A35150 1)
  46. 00000018    78.69151306 NT::ReleaseFromLazyWrite(FFFFE00001A35150 660e5c90)
  47. 00000019    78.69152069 NT::AcquireFileForNtCreateSection(FFFFE00002990590)
  48. 00000020    78.69152069 NT::ReleaseFileForNtCreateSection(FFFFE00002990590)
  49.    
  50.     //-- under debugger i access BaseAddress ( reference count on FileObject raised from 2 to 0x10 )
  51. 00000045    170.63281250    NT::OnRead(FFFFE00002376CD0 00060043 m=0)  
  52. 00000046    170.63284302    NT::DoRead[8a0]<0000000000000000>(00060043 mdl=FFFFE0000293DF50 ub=0000000000000000 w=1 fo=FFFFE00002990590 1000 -> 0) 
  53. 00000047    170.63284302    MmGetSystemAddressForMdlSafe=FFFFD000247E0000  
  54. 00000048    170.63284302    FFFFC00001E00000 << 1000   
  55. 00000049    170.63284302    NT::DoRead=0, 0000000000001000 
  56.  
  57.     // ZwUnmapViewOfSection - no visible effect in driver (in user mode view is unmapped of course). reference count on FileObject unchanged
  58.  
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
Public Pastes
Advertisement
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!