码迷,mamicode.com
首页 > 其他好文 > 详细

由枚举模块到ring0内存结构的初步探索

时间:2015-07-23 21:35:40      阅读:306      评论:0      收藏:0      [点我收藏+]

标签:

是由获得进程模块而引发的一系列的问题,首先,在ring3层下枚举进程模块有ToolHelp,Psapi,还可以通过在ntdll中获得ZwQuerySystemInformation的函数地址来枚举,其中ZwQueryInformationProcess相当于是调用系统服务函数,其内部实现就是遍历PEB中的Moudle链表,

kd> dt _PEB

+0x00c Ldr              : Ptr32 _PEB_LDR_DATA   

kd> dt _PEB_LDR_DATA 

nt!_PEB_LDR_DATA

   +0x000 Length           : Uint4B

   +0x004 Initialized         : UChar

   +0x008 SsHandle         : Ptr32 Void

   +0x00c InLoadOrderModuleList : _LIST_ENTRY        //按模块的加载顺序

   +0x014 InMemoryOrderModuleList : _LIST_ENTRY     //按模块在内存中的地址顺序

   +0x01c InInitializationOrderModuleList : _LIST_ENTRY  //按初始化顺序

   +0x024 EntryInProgress  : Ptr32 Void

   +0x028 ShutdownInProgress : UChar

   +0x02c ShutdownThreadId : Ptr32 Void

整个链的结构就是下面这张图

   技术分享

typedef struct _PEB_LDR_DATA32   //xp sp3 x86
{
    ULONG Length;                              0x00
    BOOLEAN Initialized;                        0x04
    HANDLE SsHandle;                            0x08
    LIST_ENTRY InLoadOrderModuleList;           0x0c        //按模块的加载顺序
    LIST_ENTRY InMemoryOrderModuleList;        0x14        //按模块在内存中的地址顺序
    LIST_ENTRY InInitializationOrderModuleList;  0x1c        //按初始化顺序
    PVOID EntryInProgress;                       0x24
} PEB_LDR_DATA32, *PPEB_LDR_DATA32;

typedef struct _PEB_LDR_DATA64  //win7 sp1 x64
{
    ULONG Length;
    BOOLEAN Initialized;
    HANDLE SsHandle;
    LIST_ENTRY64 InLoadOrderModuleList;
    LIST_ENTRY64 InMemoryOrderModuleList;
    LIST_ENTRY64 InInitializationOrderModuleList;
    PVOID EntryInProgress;
    BOOLEAN  ShutdownInProgress;
    PVOID    ShutdownThreadId;
} PEB_LDR_DATA64, *PPEB_LDR_DATA64;


图中所示的_LDR_MOUDLE的结构如下:
typedef struct _LDR_DATA_TABLE_ENTRY32 { //xp sp3 x86
    LIST_ENTRY InLoadOrderLinks;
    LIST_ENTRY InMemoryOrderLinks;
    LIST_ENTRY InInitializationOrderLinks;
    PVOID DllBase;
    PVOID EntryPoint;
    ULONG SizeOfImage;
    UNICODE_STRING FullDllName;
    UNICODE_STRING BaseDllName;
    ULONG Flags;
    USHORT LoadCount;
    USHORT TlsIndex;
    union {
        LIST_ENTRY HashLinks;
        struct {
            PVOID SectionPointer;
            ULONG CheckSum;
        };
    };
    union {
        struct {
            ULONG TimeDateStamp;
        };
        struct {
            PVOID LoadedImports;
        };
    };
} LDR_DATA_TABLE_ENTRY32,*PLDR_DATA_TABLE_ENTRY32;


typedef struct _LDR_DATA_TABLE_ENTRY64    //win7 sp1 x64
{
    LIST_ENTRY64    InLoadOrderLinks;
    LIST_ENTRY64    InMemoryOrderLinks;
    LIST_ENTRY64    InInitializationOrderLinks;
    PVOID            DllBase;
    PVOID            EntryPoint;
    ULONG            SizeOfImage;
    UNICODE_STRING    FullDllName;
    UNICODE_STRING     BaseDllName;
    ULONG            Flags;
    USHORT            LoadCount;
    USHORT            TlsIndex;
    PVOID            SectionPointer;
    ULONG            CheckSum;
    PVOID            LoadedImports;
    PVOID            EntryPointActivationContext;
    PVOID            PatchInformation;
    LIST_ENTRY64    ForwarderLinks;
    LIST_ENTRY64    ServiceTagLinks;
    LIST_ENTRY64    StaticLinks;
    PVOID            ContextInformation;
    ULONG64            OriginalBase;
    LARGE_INTEGER    LoadTime;
} LDR_DATA_TABLE_ENTRY64, *PLDR_DATA_TABLE_ENTRY64;

 

很清晰的结构,只要遍历链表就能获得所有的模块的信息,具体的代码就不给出了。问题产生了,就像利用ActiveList来遍历进程一样,存在被断链的可能,如果被断链了,遍历Ldr的方法就失效了,模块也就被隐藏了。

那针对断链的隐藏进程有没有好的方法呢,答案是肯定的,这就利用到了进程中的内存管理。

我们知道Windows对于可执行映像都是采用内存映射文件的方式,而映射区对象(SectioinObject)中会存有与之关联的FileObject的指针,而文件对象中的域

+0x030 FileName         : _UNICODE_STRING   

存放的就是整个映像文件的路径,所以我们可以来暴力搜索进程内存来得到进程模块,这里我们可以借助一个SSDT的函数,NtQueryVirtualMemory() 来枚举进程空间内的所有内存的信息,怎么获得NtQueryVirtualMemory函数地址我就不赘述了,

函数原型:

typedef NTSTATUS
(*pfnNtQueryVirtualMemory)(HANDLE ProcessHandle,PVOID BaseAddress,
    MEMORY_INFORMATION_CLASS MemoryInformationClass,
    PVOID MemoryInformation,
    SIZE_T MemoryInformationLength,
    PSIZE_T ReturnLength);

 

其中的MEMORY_INFORMATION_CLASS 是一个枚举量,来表示查询的是哪种信息

Wrk中搜的枚举类型

typedef enum _MEMORY_INFORMATION_CLASS {
    MemoryBasicInformation
#if DEVL
    ,MemoryWorkingSetInformation
#endif
    ,MemoryMappedFilenameInformation
    ,MemoryRegionInformation
    ,MemoryWorkingSetExInformation
} MEMORY_INFORMATION_CLASS;

而我自己一般用的就是下面的简化版

typedef enum _MEMORY_INFORMATION_CLASS
{
    MemoryBasicInformation,  //内存基本信息
    MemoryWorkingSetList,
    MemorySectionName        //内存映射文件名信息  
}MEMORY_INFORMATION_CLASS;

 当我们使用MemoryBasicInformation 来查询时,MemoryInformation结构如下

typedef struct _MEMORY_BASIC_INFORMATION {  
    PVOID       BaseAddress;           //查询内存块所占的第一个页面基地址
    PVOID       AllocationBase;        //内存块所占的第一块区域基地址,小于等于BaseAddress,
    DWORD       AllocationProtect;     //区域被初次保留时赋予的保护属性
    SIZE_T      RegionSize;            //从BaseAddress开始,具有相同属性的页面的大小,
    DWORD       State;                 //页面的状态,有三种可能值MEM_COMMIT、MEM_FREE和MEM_RESERVE
    DWORD       Protect;               //页面的属性,其可能的取值与AllocationProtect相同
    DWORD       Type;                  //该内存块的类型,有三种可能值:MEM_IMAGE、MEM_MAPPED和MEM_PRIVATE
} MEMORY_BASIC_INFORMATION, *PMEMORY_BASIC_INFORMATION;

State指示虚拟内存的状态
MEM_COMMIT    指明已分配物理内存或者系统页文件。
MEM_RESERVE   指明页面被保留,但是没有分配任何物理内存。
MEM_FREE         空闲状态。该区域的虚拟地址没有分配任务物理内存

Type是指示物理存储器的类型

MEM_IMAGE   指明该区域的虚拟地址原先受内存映射的映像文件(如.exe或DLL文件)的支持,但也许不再受映像文件的支持。
         例如,当写入模块映像中的全局变量时,“写入时拷贝”的机制将由页文件来支持特定的页面,而不是受原始映像文件的支持。
MEM_MAPPED   该区域的虚拟地址原先是受内存映射的数据文件的支持,但也许不再受数据文件的支持。
         例如,数据文件可以使用“写入时拷贝”的保护属性来映射。对文件的任何写入操作都将导致页文件而不是原始数据支持特定的页面。
MEM_PRIVATE   指明该内存区域是私有的。不被其他进程共享。

 用MemorySectionName 查询时MemoryInformation结构如下

typedef struct _MEMORY_SECTION_NAME  {  
    UNICODE_STRING Name;  
    WCHAR     Buffer[_MAX_OBJECT_NAME];  
}MEMORY_SECTION_NAME,*PMEMORY_SECTION_NAME;

下面给出主要代码,思路就是调用NtQueryVirtualMemory来暴力遍历进程的所有内存

NTSTATUS EnumMoudleByNtQueryVirtualMemory(ULONG ProcessId)
{
    NTSTATUS Status;
    PEPROCESS  EProcess = NULL;
    HANDLE    hProcess = NULL;
    ULONG_PTR HighUserAddress  = 0;
    ULONG ulRet = 0;
#ifdef _WIN64
    HighUserAddress = 0x80000000000;
#else
    HighUserAddress = 0x80000000;
#endif

    if (ProcessId)
    {
        Status = PsLookupProcessByProcessId((HANDLE)ProcessId, &EProcess);
        if (!NT_SUCCESS(Status))
        {
            return Status;
        }    
    }
    if (IsRealProcess(EProcess))   //判断是否为僵尸进程,我只是判断了对象类型和句柄表是否存在
    {
        ObfDereferenceObject(EProcess);
        Status = ObOpenObjectByPointer(EProcess, 
            OBJ_KERNEL_HANDLE | OBJ_CASE_INSENSITIVE, 
            NULL, 
            GENERIC_ALL, 
            *PsProcessType, 
            KernelMode, 
            &hProcess
            );
        if (NT_SUCCESS(Status))
        {
            ULONG_PTR ulBase = 0;
            //改变PreviousMode
            PETHREAD EThread = PsGetCurrentThread();
            CHAR PreMode     = ChangePreMode(EThread);   //KernelMode
            do 
            {
                MEMORY_BASIC_INFORMATION mbi = {0};
                Status = NtQueryVirtualMemory(hProcess, 
                    (PVOID)ulBase, 
                    MemoryBasicInformation, 
                    &mbi, 
                    sizeof(MEMORY_BASIC_INFORMATION), 
                    &ulRet);
                if (NT_SUCCESS(Status))
                {    
                    //如果是Image 再查询SectionName,即FileObject Name
                    if (mbi.Type==MEM_IMAGE)
                    {
                        MEMORY_SECTION_NAME msn = {0};
                        Status = NtQueryVirtualMemory(hProcess,
                            (PVOID)ulBase,
                            MemorySectionName,
                            &msn,
                            sizeof(MEMORY_SECTION_NAME),
                            &ulRet);
                        if (NT_SUCCESS(Status)) 
                        {
                            UNICODE_STRING DosName;
                            DbgPrint("SectionName:%wZ\r\n",&(msn.SectionFileName));
                        //    DbgPrint("MoudleName:%S\r\n",msn.SectionFileName);        
                            RtlVolumeDeviceToDosName_(&(msn.SectionFileName),&DosName);
                            DbgPrint("SectionName:%wZ\r\n",&(DosName));
                        }
                    }
                    ulBase += mbi.RegionSize;
                }
                else ulBase += PAGE_SIZE;    
            } while (ulBase < (ULONG_PTR)HighUserAddress);
            NtClose(hProcess);
            RecoverPreMode(EThread,PreMode);
        }
    }
    return Status;
}
    

然后我们进一步探索NtQueryVirtualMemory的内部实现原理,先重点关注NtQueryVirtualMemory关于MemorySectionName==2 方式的处理流程,这里只以Win7 x86 Sp1为例列出我们要用到的几个结构,如果对于Windows 底层的内存管理想要深入了解,可以阅读《Windows内核原理及实现》和《Windows内核情景分析》中内存管理的相关章节。

 我们可以看到EProcess进程体的VadRoot

kd> dt _eprocess
+0x278 VadRoot          : _MM_AVL_TABLE
kd> dt _MMADDRESS_NODE
nt!_MMADDRESS_NODE
   +0x000 u1                 : <unnamed-tag>
   +0x004 LeftChild          : Ptr32 _MMADDRESS_NODE
   +0x008 RightChild         : Ptr32 _MMADDRESS_NODE
   +0x00c StartingVpn        : Uint4B
   +0x010 EndingVpn          : Uint4B

 可以看到Win 7Sp1 下的两种结构非常简单,提供不了太多有效的信息,我们再来看看xp sp3下的结构

kd> dt _eprocess
+0x11c VadRoot          : Ptr32 Void

 只是一个32位的指针,但是我们知道这个指针是指向_MMVAD结构,形成一颗二叉树结构

kd> dt _mmvad
nt!_MMVAD
   +0x000 StartingVpn         : Uint4B
   +0x004 EndingVpn           : Uint4B
   +0x008 Parent              : Ptr32 _MMVAD
   +0x00c LeftChild           : Ptr32 _MMVAD
   +0x010 RightChild          : Ptr32 _MMVAD
   +0x014 u                   : __unnamed
   +0x018 ControlArea         : Ptr32 _CONTROL_AREA
   +0x01c FirstPrototypePte   : Ptr32 _MMPTE
   +0x020 LastContiguousPte   : Ptr32 _MMPTE
   +0x024 u2                  : __unnamed

 

 然后尝试着在Win 7下输入 dt _MMVAD

kd> dt _mmvad
nt!_MMVAD
   +0x000 StartingVpn         : Uint4B
   +0x004 EndingVpn           : Uint4B
   +0x008 Parent              : Ptr32 _MMVAD
   +0x00c LeftChild           : Ptr32 _MMVAD
   +0x010 RightChild          : Ptr32 _MMVAD
   +0x014 u                   : __unnamed
   +0x018 ControlArea         : Ptr32 _CONTROL_AREA
   +0x01c FirstPrototypePte   : Ptr32 _MMPTE
   +0x020 LastContiguousPte   : Ptr32 _MMPTE
   +0x024 u2                  : __unnamed

 

 对比两个结构,发现了什么,没错,_MMADRESS_NODE只是_MMVAD结构体的前一部分,真正的内存块的节点还是_MMVAD结构

  我们可以以calc.exe为例来体验一下整个流程 Win7 x86 sp1

kd> !process 0 0
**** NT ACTIVE PROCESS DUMP ****
PROCESS 87b73cf8  SessionId: 1  Cid: 0dd8    Peb: 7ffdf000  ParentCid: 07f4
    DirBase: 7f3455e0  ObjectTable: 97934428  HandleCount:  79.
    Image: calc.exe
kd> dt _eprocess 87b73cf8
 +0x278 VadRoot          : _MM_AVL_TABLE

 

kd> dt _MM_AVL_TABLE 87b73cf8+0x278
nt!_MM_AVL_TABLE
   +0x000 BalancedRoot     : _MMADDRESS_NODE
   +0x014 DepthOfTree      : 0y01001 (0x9)
   +0x014 Unused           : 0y000
   +0x014 NumberGenericTableElements : 0y000000000000000010011111 (0x9f)
   +0x018 NodeHint         : 0x876c4ec8 Void
   +0x01c NodeFreeHint     : (null) 
kd> dt _MMADDRESS_NODE 87b73cf8+0x278
nt!_MMADDRESS_NODE
   +0x000 u1               : <unnamed-tag>
   +0x004 LeftChild        : (null) 
   +0x008 RightChild       : 0x87c327e0 _MMADDRESS_NODE
   +0x00c StartingVpn      : 0
   +0x010 EndingVpn        : 0

 

 注意Win 7下的根结点只利用了右子树,想当与跟节点的右子树才是真正意义上的AVL树的根节点,继续跟入:

kd> dt _MMVAD 0x87c327e0
nt!_MMVAD
   +0x000 u1               : <unnamed-tag>
   +0x004 LeftChild        : 0x87ac3248 _MMVAD
   +0x008 RightChild       : 0x87c2b3b8 _MMVAD
   +0x00c StartingVpn      : 0xd80
   +0x010 EndingVpn        : 0xe3f
   +0x014 u                : <unnamed-tag>
   +0x018 PushLock         : _EX_PUSH_LOCK
   +0x01c u5               : <unnamed-tag>
   +0x020 u2               : <unnamed-tag>
   +0x024 Subsection       : 0x880a3410 _SUBSECTION //我们接下来要跟的就是这个结构
   +0x024 MappedSubsection : 0x880a3410 _MSUBSECTION
   +0x028 FirstPrototypePte : 0x961b69c8 _MMPTE
   +0x02c LastContiguousPte : 0xfffffffc _MMPTE
   +0x030 ViewLinks        : _LIST_ENTRY [ 0x880a3408 - 0x880a3408 ]
   +0x038 VadsProcess      : 0x87b73cf9 _EPROCESS
kd> dt _SUBSECTION 0x880a3410
nt!_SUBSECTION
   +0x000 ControlArea      : 0x880a33c0 _CONTROL_AREA    //跟这个结构
   +0x004 SubsectionBase   : 0x961b69c8 _MMPTE
   +0x008 NextSubsection   : 0x880a3430 _SUBSECTION
   +0x00c PtesInSubsection : 1
   +0x010 UnusedPtes       : 0
   +0x010 GlobalPerSessionHead : (null) 
   +0x014 u                : <unnamed-tag>
   +0x018 StartingSector   : 0
   +0x01c NumberOfFullSectors : 2
kd> dt _CONTROL_AREA 0x880a33c0
nt!_CONTROL_AREA
   +0x000 Segment          : 0x961b6998 _SEGMENT
   +0x004 DereferenceList  : _LIST_ENTRY [ 0x0 - 0x880d7104 ]
   +0x00c NumberOfSectionReferences : 1
   +0x010 NumberOfPfnReferences : 0x86
   +0x014 NumberOfMappedViews : 1
   +0x018 NumberOfUserReferences : 2
   +0x01c u                : <unnamed-tag>
   +0x020 FlushInProgressCount : 0
   +0x024 FilePointer      : _EX_FAST_REF   //关联的文件对象就在这个结构里面了
   +0x028 ControlAreaLock  : 0n0
   +0x02c ModifiedWriteCount : 0
   +0x02c StartingFrame    : 0
   +0x030 WaitingForDeletion : (null) 
   +0x034 u2               : <unnamed-tag>
   +0x040 LockedPages      : 0n1
   +0x048 ViewList         : _LIST_ENTRY [ 0x87c32810 - 0x87c32810 ]
kd> dt _EX_FAST_REF 0x880a33c0+0x24
nt!_EX_FAST_REF
   +0x000 Object           : 0x880a1b43 Void  //关联的文件对象
   +0x000 RefCnt           : 0y011
   +0x000 Value            : 0x880a1b43

 

 注意,这里关联的文件对象要&0x0FFFFFFF8(最后三位清零)才是正真的文件对象

kd> !object 0x880a1b43&0x0fffffff8
Object: 880a1b40  Type: (863ff650) File
    ObjectHeader: 880a1b28 (new version)
    HandleCount: 0  PointerCount: 4
    Directory Object: 00000000  Name: \Windows\System32\calc.exe {HarddiskVolume1}  //文件对象名,完整路径

 

 

 了解了这些结构体之后,再看NtQueryVirtualMemory函数关于MemorySectionName的处理流程,贴出ida分析的过程,只分析了我们关注的MemorySectionName的方式,wrk中也有源码

PAGE:0063F242                   ; NTSTATUS __stdcall NtQueryVirtualMemory(HANDLE ProcessHandle, PVOID BaseAddress, MEMORY_INFORMATION_CLASS MemoryInformationClass, PVOID MemoryInformation, ULONG MemoryInformationLength, PULONG ReturnLength)
PAGE:0063F242                   _NtQueryVirtualMemory@24 proc near
PAGE:0063F242                                                 ; DATA XREF: .text:0045CB68o
PAGE:0063F242
PAGE:0063F242                   var_7C= dword ptr -7Ch
PAGE:0063F242                   var_78= dword ptr -78h
PAGE:0063F242                   var_74= dword ptr -74h
PAGE:0063F242                   var_70= dword ptr -70h
PAGE:0063F242                   var_64= dword ptr -64h
PAGE:0063F242                   ApcState= dword ptr -60h
PAGE:0063F242                   var_48= dword ptr -48h
PAGE:0063F242                   var_44= dword ptr -44h
PAGE:0063F242                   var_40= dword ptr -40h
PAGE:0063F242                   var_3C= dword ptr -3Ch
PAGE:0063F242                   var_38= dword ptr -38h
PAGE:0063F242                   Object= dword ptr -34h
PAGE:0063F242                   AccessMode= byte ptr -30h
PAGE:0063F242                   var_2C= dword ptr -2Ch
PAGE:0063F242                   var_28= dword ptr -28h
PAGE:0063F242                   var_24= dword ptr -24h
PAGE:0063F242                   EProcess= dword ptr -20h
PAGE:0063F242                   var_1C??Attached= dword ptr -1Ch
PAGE:0063F242                   ms_exc= CPPEH_RECORD ptr -18h
PAGE:0063F242                   ProcessHandle= dword ptr  8
PAGE:0063F242                   BaseAddress= dword ptr  0Ch
PAGE:0063F242                   MemoryInformationClass= dword ptr  10h
PAGE:0063F242                   MemoryInformation= dword ptr  14h
PAGE:0063F242                   MemoryInformationLength= dword ptr  18h
PAGE:0063F242                   ReturnLength= dword ptr  1Ch
PAGE:0063F242
PAGE:0063F242 6A 6C             push    6Ch
PAGE:0063F244 68 18 0F 45 00    push    offset stru_450F18
PAGE:0063F249 E8 D2 4F E1 FF    call    __SEH_prolog4
PAGE:0063F24E 33 F6             xor     esi, esi
PAGE:0063F250 89 75 E4          mov     [ebp+var_1C??Attached], esi
PAGE:0063F253 89 75 DC          mov     [ebp+var_24], esi
PAGE:0063F256 8B 45 10          mov     eax, [ebp+MemoryInformationClass]
PAGE:0063F259 2B C6             sub     eax, esi              ; Handler MemoryBasicInformation
PAGE:0063F25B 74 28             jz      short Handler_MemoryBasicInformation
PAGE:0063F25D 48                dec     eax                   ; Handler MemoryWorkingSetList
PAGE:0063F25E 74 1F             jz      short Handler_MemoryWorkingSetList
PAGE:0063F260 48                dec     eax
PAGE:0063F261 74 32             jz      short loc_63F295      ; Handler_MemoryMappedFilenameInformation
PAGE:0063F263 48                dec     eax
PAGE:0063F264 74 13             jz      short loc_63F279
PAGE:0063F266 48                dec     eax
PAGE:0063F267 74 0A             jz      short loc_63F273
PAGE:0063F269 B8 03 00 00 C0    mov     eax, 0C0000003h
PAGE:0063F26E E9 D6 06 00 00    jmp     loc_63F949
PAGE:0063F273                   ; ---------------------------------------------------------------------------
PAGE:0063F273
PAGE:0063F273                   loc_63F273:                   ; CODE XREF: NtQueryVirtualMemory(x,x,x,x,x,x)+25j
PAGE:0063F273 83 7D 18 08       cmp     [ebp+MemoryInformationLength], 8
PAGE:0063F277 EB 10             jmp     short loc_63F289
PAGE:0063F279                   ; ---------------------------------------------------------------------------
PAGE:0063F279
PAGE:0063F279                   loc_63F279:                   ; CODE XREF: NtQueryVirtualMemory(x,x,x,x,x,x)+22j
PAGE:0063F279 83 7D 18 10       cmp     [ebp+MemoryInformationLength], 10h
PAGE:0063F27D EB 0A             jmp     short loc_63F289
PAGE:0063F27F                   ; ---------------------------------------------------------------------------
PAGE:0063F27F
PAGE:0063F27F                   Handler_MemoryWorkingSetList: ; CODE XREF: NtQueryVirtualMemory(x,x,x,x,x,x)+1Cj
PAGE:0063F27F 83 7D 18 04       cmp     [ebp+MemoryInformationLength], 4
PAGE:0063F283 EB 04             jmp     short loc_63F289
PAGE:0063F285                   ; ---------------------------------------------------------------------------
PAGE:0063F285
PAGE:0063F285                   Handler_MemoryBasicInformation:
PAGE:0063F285                                                 ; CODE XREF: NtQueryVirtualMemory(x,x,x,x,x,x)+19j
PAGE:0063F285 83 7D 18 1C       cmp     [ebp+MemoryInformationLength], 1Ch
PAGE:0063F289
PAGE:0063F289                   loc_63F289:                   ; CODE XREF: NtQueryVirtualMemory(x,x,x,x,x,x)+35j
PAGE:0063F289                                                 ; NtQueryVirtualMemory(x,x,x,x,x,x)+3Bj
PAGE:0063F289                                                 ; NtQueryVirtualMemory(x,x,x,x,x,x)+41j
PAGE:0063F289 73 0A             jnb     short loc_63F295
PAGE:0063F28B B8 04 00 00 C0    mov     eax, 0C0000004h
PAGE:0063F290 E9 B4 06 00 00    jmp     loc_63F949
PAGE:0063F295                   ; ---------------------------------------------------------------------------
PAGE:0063F295
PAGE:0063F295                   loc_63F295:                   ; CODE XREF: NtQueryVirtualMemory(x,x,x,x,x,x)+1Fj
PAGE:0063F295                                                 ; NtQueryVirtualMemory(x,x,x,x,x,x):loc_63F289j
PAGE:0063F295 64 8B 1D 24 01 00+mov     ebx, large fs:124h    ; Handler_MemoryMappedFilenameInformation
PAGE:0063F29C 8A 83 3A 01 00 00 mov     al, [ebx+13Ah]        ; FS寄存器指向当前CPU的KPCR   KPCR+0x124指向当前线程对象
PAGE:0063F29C                                                 ; +0x13A获取先前的调用模式<KernelMode/UserMode>
PAGE:0063F2A2 88 45 D0          mov     [ebp+AccessMode], al
PAGE:0063F2A5 84 C0             test    al, al                ; KernelMode=0,UserMode=1
PAGE:0063F2A7 74 50             jz      short loc_63F2F9
PAGE:0063F2A9 89 75 FC          mov     [ebp+ms_exc.registration.TryLevel], esi ; 很明显的异常处理,与我们分析无关,忽略
PAGE:0063F2AC 6A 04             push    4                     ; Alignment
PAGE:0063F2AC                                                 ; UserMode
PAGE:0063F2AE FF 75 18          push    [ebp+MemoryInformationLength] ; Length
PAGE:0063F2B1 8B 7D 14          mov     edi, [ebp+MemoryInformation]
PAGE:0063F2B4 57                push    edi                   ; Address
PAGE:0063F2B5 E8 B3 E0 FB FF    call    _ProbeForWrite@12     ; 查看用户态内存是否可写
PAGE:0063F2BA 8B 4D 1C          mov     ecx, [ebp+ReturnLength]
PAGE:0063F2BD 3B CE             cmp     ecx, esi              ; 此时的esi=0,即比较ReturnLength是否为0
PAGE:0063F2BF 74 0F             jz      short loc_63F2D0      ; ReturnLength==0则跳转
PAGE:0063F2C1 A1 04 07 56 00    mov     eax, ds:_MmUserProbeAddress ; 检查此地址是否高于用户边界地址,
PAGE:0063F2C1                                                 ; _MmUserProbeAddress == 7fff0000
PAGE:0063F2C6 3B C8             cmp     ecx, eax
PAGE:0063F2C8 72 02             jb      short loc_63F2CC      ; 低于的话则跳转,正常来讲一定会跳
PAGE:0063F2CA 8B C8             mov     ecx, eax              ; 异常处理,忽略
PAGE:0063F2CC
PAGE:0063F2CC                   loc_63F2CC:                   ; CODE XREF: NtQueryVirtualMemory(x,x,x,x,x,x)+86j
PAGE:0063F2CC 8B 01             mov     eax, [ecx]
PAGE:0063F2CE 89 01             mov     [ecx], eax
PAGE:0063F2D0
PAGE:0063F2D0                   loc_63F2D0:                   ; CODE XREF: NtQueryVirtualMemory(x,x,x,x,x,x)+7Dj
PAGE:0063F2D0 C7 45 FC FE FF FF+mov     [ebp+ms_exc.registration.TryLevel], 0FFFFFFFEh ; 很明显的SEH处理,
PAGE:0063F2D0 FF                                              ; 改变TryLevel,忽略
PAGE:0063F2D7 EB 23             jmp     short loc_63F2FC      ; 一般参数没问题,直接跳转
PAGE:0063F2D9                   ; ---------------------------------------------------------------------------
PAGE:0063F2D9
PAGE:0063F2D9                   loc_63F2D9:                   ; DATA XREF: .text:stru_450F18o
PAGE:0063F2D9 8B 45 EC          mov     eax, [ebp+ms_exc.exc_ptr] ; 很明显,如果参数有问题,就直接返回了
PAGE:0063F2DC 8B 00             mov     eax, [eax]
PAGE:0063F2DE 8B 00             mov     eax, [eax]
PAGE:0063F2E0 89 45 D4          mov     [ebp+var_2C], eax
PAGE:0063F2E3 33 C0             xor     eax, eax
PAGE:0063F2E5 40                inc     eax
PAGE:0063F2E6 C3                retn
PAGE:0063F2E7                   ; ---------------------------------------------------------------------------
PAGE:0063F2E7
PAGE:0063F2E7                   loc_63F2E7:                   ; DATA XREF: .text:stru_450F18o
PAGE:0063F2E7 8B 65 E8          mov     esp, [ebp+ms_exc.old_esp] ; Exception handler 0 for function 63F242
PAGE:0063F2EA 8B 45 D4          mov     eax, [ebp+var_2C]
PAGE:0063F2ED
PAGE:0063F2ED                   loc_63F2ED:                   ; CODE XREF: NtQueryVirtualMemory(x,x,x,x,x,x)+3DBj
PAGE:0063F2ED                                                 ; NtQueryVirtualMemory(x,x,x,x,x,x)+55Bj
PAGE:0063F2ED                                                 ; NtQueryVirtualMemory(x,x,x,x,x,x)+620j
PAGE:0063F2ED C7 45 FC FE FF FF+mov     [ebp+ms_exc.registration.TryLevel], 0FFFFFFFEh
PAGE:0063F2F4 E9 50 06 00 00    jmp     loc_63F949
PAGE:0063F2F9                   ; ---------------------------------------------------------------------------
PAGE:0063F2F9
PAGE:0063F2F9                   loc_63F2F9:                   ; CODE XREF: NtQueryVirtualMemory(x,x,x,x,x,x)+65j
PAGE:0063F2F9 8B 7D 14          mov     edi, [ebp+MemoryInformation] ; KernelMode
PAGE:0063F2FC
PAGE:0063F2FC                   loc_63F2FC:                   ; CODE XREF: NtQueryVirtualMemory(x,x,x,x,x,x)+95j
PAGE:0063F2FC 8B 45 0C          mov     eax, [ebp+BaseAddress] ; 还是参数的校验,我们要查询的虚拟地址
PAGE:0063F2FF 8B 0D FC 06 56 00 mov     ecx, ds:_MmHighestUserAddress ; MmHighestUserAddress==0x7ffeffff
PAGE:0063F2FF                                                 ; (这是用户空间可以访问的最高地址,
PAGE:0063F2FF                                                 ; 逻辑上的而已,上面还有个64K的禁区(飞地)就到内核空间了)
PAGE:0063F305 3B C1             cmp     eax, ecx
PAGE:0063F307 76 0A             jbe     short loc_63F313
PAGE:0063F309 B8 0D 00 00 C0    mov     eax, 0C000000Dh       ; Status的返回值 STATUS_INVALID_PARAMETER(参数无效)
PAGE:0063F30E E9 36 06 00 00    jmp     loc_63F949            ; 返回
PAGE:0063F313                   ; ---------------------------------------------------------------------------
PAGE:0063F313
PAGE:0063F313                   loc_63F313:                   ; CODE XREF: NtQueryVirtualMemory(x,x,x,x,x,x)+C5j
PAGE:0063F313 8D B1 00 00 FF FF lea     esi, [ecx-10000h]     ; esi==0x7ffdffff
PAGE:0063F319 89 75 D8          mov     [ebp+var_28], esi     ; 保存允许查询的最高地址,作为查询的虚拟地址的终结点
PAGE:0063F31C BA 00 F0 FF FF    mov     edx, 0FFFFF000h
PAGE:0063F321 3B C6             cmp     eax, esi              ; 判断查询的虚拟地址是否高于终结点
PAGE:0063F323 0F 87 A6 05 00 00 ja      loc_63F8CF            ; 高于,跳转,等会再看具体处理
PAGE:0063F329 89 45 14          mov     [ebp+MemoryInformation], eax ; 将地址保存
PAGE:0063F32C 21 55 14          and     [ebp+MemoryInformation], edx ; edi==0FFFFF000h 取整得到虚拟地址的内存页首地址
PAGE:0063F32F 81 7D 14 00 00 FE+cmp     [ebp+MemoryInformation], 7FFE0000h ; 判断地址是否大于SharedUserData
PAGE:0063F32F 7F                                              ; 也就是说SharedUserData为最后一个合法的用户边界
PAGE:0063F336 0F 84 93 05 00 00 jz      loc_63F8CF
PAGE:0063F33C 83 7D 08 FF       cmp     [ebp+ProcessHandle], 0FFFFFFFFh
PAGE:0063F340 75 08             jnz     short loc_63F34A      ; 不是本身的进程就跳转
PAGE:0063F342 8B 73 50          mov     esi, [ebx+50h]        ; ebx为线程对象,+0x50就为进程对象
PAGE:0063F345 89 75 E0          mov     [ebp+EProcess], esi
PAGE:0063F348 EB 2A             jmp     short loc_63F374
PAGE:0063F34A                   ; ---------------------------------------------------------------------------
PAGE:0063F34A
PAGE:0063F34A                   loc_63F34A:                   ; CODE XREF: NtQueryVirtualMemory(x,x,x,x,x,x)+FEj
PAGE:0063F34A 6A 00             push    0                     ; HandleInformation
PAGE:0063F34C 8D 45 CC          lea     eax, [ebp+Object]
PAGE:0063F34F 50                push    eax                   ; Object
PAGE:0063F350 FF 75 D0          push    dword ptr [ebp+AccessMode] ; AccessMode
PAGE:0063F353 FF 35 2C 00 56 00 push    ds:_PsProcessType     ; ObjectType
PAGE:0063F359 68 00 04 00 00    push    400h                  ; DesiredAccess
PAGE:0063F35E FF 75 08          push    [ebp+ProcessHandle]   ; Handle
PAGE:0063F361 E8 F6 D0 FB FF    call    _ObReferenceObjectByHandle@24 ; ObReferenceObjectByHandle(x,x,x,x,x,x)
PAGE:0063F366 8B 75 CC          mov     esi, [ebp+Object]
PAGE:0063F369 89 75 E0          mov     [ebp+EProcess], esi
PAGE:0063F36C 85 C0             test    eax, eax
PAGE:0063F36E 0F 8C D5 05 00 00 jl      loc_63F949
PAGE:0063F374
PAGE:0063F374                   loc_63F374:                   ; CODE XREF: NtQueryVirtualMemory(x,x,x,x,x,x)+106j
PAGE:0063F374 83 7D 10 04       cmp     [ebp+MemoryInformationClass], 4 ; MemoryRegionInformation方式查询
PAGE:0063F378 75 4D             jnz     short loc_63F3C7
PAGE:0063F37A 56                push    esi
PAGE:0063F37B 8B 5D 18          mov     ebx, [ebp+MemoryInformationLength]
PAGE:0063F37E 53                push    ebx
PAGE:0063F37F 8B CF             mov     ecx, edi
PAGE:0063F381 E8 FF B8 DE FF    call    _MiGetWorkingSetInfoList@12 ; MiGetWorkingSetInfoList(x,x,x)
PAGE:0063F386 8B F8             mov     edi, eax
PAGE:0063F388 83 7D 08 FF       cmp     [ebp+ProcessHandle], 0FFFFFFFFh
PAGE:0063F38C 74 07             jz      short loc_63F395
PAGE:0063F38E 8B CE             mov     ecx, esi              ; Object
PAGE:0063F390 E8 98 70 E1 FF    call    @ObfDereferenceObject@4 ; ObfDereferenceObject(x)
PAGE:0063F395
PAGE:0063F395                   loc_63F395:                   ; CODE XREF: NtQueryVirtualMemory(x,x,x,x,x,x)+14Aj
PAGE:0063F395 85 FF             test    edi, edi
PAGE:0063F397 7D 07             jge     short loc_63F3A0
PAGE:0063F399 8B C7             mov     eax, edi
PAGE:0063F39B E9 A9 05 00 00    jmp     loc_63F949
PAGE:0063F3A0                   ; ---------------------------------------------------------------------------
PAGE:0063F3A0
PAGE:0063F3A0                   loc_63F3A0:                   ; CODE XREF: NtQueryVirtualMemory(x,x,x,x,x,x)+155j
PAGE:0063F3A0 C7 45 FC 02 00 00+mov     [ebp+ms_exc.registration.TryLevel], 2
PAGE:0063F3A7 8B 45 1C          mov     eax, [ebp+ReturnLength]
PAGE:0063F3AA 85 C0             test    eax, eax
PAGE:0063F3AC 74 0B             jz      short loc_63F3B9
PAGE:0063F3AE 89 18             mov     [eax], ebx
PAGE:0063F3B0 EB 07             jmp     short loc_63F3B9
PAGE:0063F3B2                   ; ---------------------------------------------------------------------------
PAGE:0063F3B2
PAGE:0063F3B2                   loc_63F3B2:                   ; DATA XREF: .text:stru_450F18o
PAGE:0063F3B2 33 C0             xor     eax, eax              ; Exception filter 2 for function 63F242
PAGE:0063F3B4 40                inc     eax
PAGE:0063F3B5 C3                retn
PAGE:0063F3B6                   ; ---------------------------------------------------------------------------
PAGE:0063F3B6
PAGE:0063F3B6                   loc_63F3B6:                   ; CODE XREF: NtQueryVirtualMemory(x,x,x,x,x,x):loc_63F40Ej
PAGE:0063F3B6                                                 ; DATA XREF: .text:stru_450F18o
PAGE:0063F3B6 8B 65 E8          mov     esp, [ebp+ms_exc.old_esp] ; Exception handler 2 for function 63F242
PAGE:0063F3B9
PAGE:0063F3B9                   loc_63F3B9:                   ; CODE XREF: NtQueryVirtualMemory(x,x,x,x,x,x)+16Aj
PAGE:0063F3B9                                                 ; NtQueryVirtualMemory(x,x,x,x,x,x)+16Ej
PAGE:0063F3B9                                                 ; NtQueryVirtualMemory(x,x,x,x,x,x)+1B9j
PAGE:0063F3B9                                                 ; NtQueryVirtualMemory(x,x,x,x,x,x)+1C6j
PAGE:0063F3B9                                                 ; NtQueryVirtualMemory(x,x,x,x,x,x):loc_63F5EEj
PAGE:0063F3B9                                                 ; NtQueryVirtualMemory(x,x,x,x,x,x)+3B8j
PAGE:0063F3B9                                                 ; NtQueryVirtualMemory(x,x,x,x,x,x)+3D2j
PAGE:0063F3B9                                                 ; NtQueryVirtualMemory(x,x,x,x,x,x)+52Cj
PAGE:0063F3B9                                                 ; NtQueryVirtualMemory(x,x,x,x,x,x)+538j
PAGE:0063F3B9                                                 ; NtQueryVirtualMemory(x,x,x,x,x,x)+552j
PAGE:0063F3B9                                                 ; NtQueryVirtualMemory(x,x,x,x,x,x)+617j
PAGE:0063F3B9 C7 45 FC FE FF FF+mov     [ebp+ms_exc.registration.TryLevel], 0FFFFFFFEh
PAGE:0063F3C0 33 C0             xor     eax, eax
PAGE:0063F3C2 E9 82 05 00 00    jmp     loc_63F949
PAGE:0063F3C7                   ; ---------------------------------------------------------------------------
PAGE:0063F3C7
PAGE:0063F3C7                   loc_63F3C7:                   ; CODE XREF: NtQueryVirtualMemory(x,x,x,x,x,x)+136j
PAGE:0063F3C7 83 7D 10 01       cmp     [ebp+MemoryInformationClass], 1
PAGE:0063F3CB 75 43             jnz     short loc_63F410
PAGE:0063F3CD 56                push    esi                   ; BugCheckParameter1
PAGE:0063F3CE FF 75 18          push    [ebp+MemoryInformationLength] ; int
PAGE:0063F3D1 8B CF             mov     ecx, edi
PAGE:0063F3D3 E8 A3 96 E7 FF    call    _MiGetWorkingSetInfo@12 ; MiGetWorkingSetInfo(x,x,x)
PAGE:0063F3D8 8B D8             mov     ebx, eax
PAGE:0063F3DA 83 7D 08 FF       cmp     [ebp+ProcessHandle], 0FFFFFFFFh
PAGE:0063F3DE 74 07             jz      short loc_63F3E7
PAGE:0063F3E0 8B CE             mov     ecx, esi              ; Object
PAGE:0063F3E2 E8 46 70 E1 FF    call    @ObfDereferenceObject@4 ; ObfDereferenceObject(x)
PAGE:0063F3E7
PAGE:0063F3E7                   loc_63F3E7:                   ; CODE XREF: NtQueryVirtualMemory(x,x,x,x,x,x)+19Cj
PAGE:0063F3E7 85 DB             test    ebx, ebx
PAGE:0063F3E9 0F 8C 58 05 00 00 jl      loc_63F947
PAGE:0063F3EF C7 45 FC 03 00 00+mov     [ebp+ms_exc.registration.TryLevel], 3
PAGE:0063F3F6 8B 45 1C          mov     eax, [ebp+ReturnLength]
PAGE:0063F3F9 85 C0             test    eax, eax
PAGE:0063F3FB 74 BC             jz      short loc_63F3B9
PAGE:0063F3FD 8B 0F             mov     ecx, [edi]
PAGE:0063F3FF 8D 0C 8D 04 00 00+lea     ecx, ds:4[ecx*4]
PAGE:0063F406 89 08             mov     [eax], ecx
PAGE:0063F408 EB AF             jmp     short loc_63F3B9
PAGE:0063F40A                   ; ---------------------------------------------------------------------------
PAGE:0063F40A
PAGE:0063F40A                   loc_63F40A:                   ; DATA XREF: .text:stru_450F18o
PAGE:0063F40A 33 C0             xor     eax, eax              ; Exception filter 3 for function 63F242
PAGE:0063F40C 40                inc     eax
PAGE:0063F40D C3                retn
PAGE:0063F40E                   ; ---------------------------------------------------------------------------
PAGE:0063F40E
PAGE:0063F40E                   loc_63F40E:                   ; DATA XREF: .text:stru_450F18o
PAGE:0063F40E EB A6             jmp     short loc_63F3B6      ; Exception handler 3 for function 63F242
PAGE:0063F410                   ; ---------------------------------------------------------------------------
PAGE:0063F410
PAGE:0063F410                   loc_63F410:                   ; CODE XREF: NtQueryVirtualMemory(x,x,x,x,x,x)+189j
PAGE:0063F410 83 7D 08 FF       cmp     [ebp+ProcessHandle], 0FFFFFFFFh
PAGE:0063F414 74 11             jz      short loc_63F427      ; 如果不是自己进程本身就靠挂到其他进程空间
PAGE:0063F416 8D 45 A0          lea     eax, [ebp+ApcState]
PAGE:0063F419 50                push    eax                   ; ApcState
PAGE:0063F41A 56                push    esi                   ; Process
PAGE:0063F41B E8 7A 36 E2 FF    call    _KeStackAttachProcess@8 ; KeStackAttachProcess(x,x)
PAGE:0063F420 C7 45 E4 01 00 00+mov     [ebp+var_1C??Attached], 1
PAGE:0063F427
PAGE:0063F427                   loc_63F427:                   ; CODE XREF: NtQueryVirtualMemory(x,x,x,x,x,x)+1D2j
PAGE:0063F427 66 FF 8B 86 00 00+dec     word ptr [ebx+86h]    ; ????
PAGE:0063F42E 8D 86 00 01 00 00 lea     eax, [esi+100h]       ; +0x100 AddressCreationLock : _EX_PUSH_LOCK
PAGE:0063F42E                                                 ; 获取进程的地址空间锁,因为涉及到遍历地址空间,
PAGE:0063F42E                                                 ; 就不可以在遍历的时候地址空间发生变化
PAGE:0063F434 6A 11             push    11h
PAGE:0063F436 59                pop     ecx                   ; ???应该是原子锁的问题,不是很清楚
PAGE:0063F437 8B D0             mov     edx, eax
PAGE:0063F439 33 C0             xor     eax, eax
PAGE:0063F43B F0 0F B1 0A       lock cmpxchg [edx], ecx
PAGE:0063F43F 85 C0             test    eax, eax
PAGE:0063F441 74 0B             jz      short loc_63F44E
PAGE:0063F443 8D 8E 00 01 00 00 lea     ecx, [esi+100h]
PAGE:0063F449 E8 C7 79 E4 FF    call    @ExfAcquirePushLockShared@4 ; ExfAcquirePushLockShared(x)
PAGE:0063F44E
PAGE:0063F44E                   loc_63F44E:                   ; CODE XREF: NtQueryVirtualMemory(x,x,x,x,x,x)+1FFj
PAGE:0063F44E 80 8B 89 02 00 00+or      byte ptr [ebx+289h], 4 ; ???
PAGE:0063F44E 04                                              ;    +0x289 OwnsSessionWorkingSetShared : Pos 0, 1 Bit
PAGE:0063F44E                                                 ;    +0x289 OwnsProcessAddressSpaceExclusive : Pos 1, 1 Bit
PAGE:0063F44E                                                 ;    +0x289 OwnsProcessAddressSpaceShared : Pos 2, 1 Bit
PAGE:0063F44E                                                 ;    +0x289 SuppressSymbolLoad : Pos 3, 1 Bit
PAGE:0063F44E                                                 ;    +0x289 Prefetching      : Pos 4, 1 Bit
PAGE:0063F44E                                                 ;    +0x289 OwnsDynamicMemoryShared : Pos 5, 1 Bit
PAGE:0063F44E                                                 ;    +0x289 OwnsChangeControlAreaExclusive : Pos 6, 1 Bit
PAGE:0063F44E                                                 ;    +0x289 OwnsChangeControlAreaShared : Pos 7, 1 Bi
PAGE:0063F455 F6 86 70 02 00 00+test    byte ptr [esi+270h], 20h ; ???判断此进程的空间是否准备删除,EPROCESS->VmDeleted,如果删除就返回了
PAGE:0063F455 20                                              ; +0x270 Flags            : Uint4B
PAGE:0063F455                                                 ;    +0x270 CreateReported   : Pos 0, 1 Bit
PAGE:0063F455                                                 ;    +0x270 NoDebugInherit   : Pos 1, 1 Bit
PAGE:0063F455                                                 ;    +0x270 ProcessExiting   : Pos 2, 1 Bit
PAGE:0063F455                                                 ;    +0x270 ProcessDelete    : Pos 3, 1 Bit
PAGE:0063F455                                                 ;    +0x270 Wow64SplitPages  : Pos 4, 1 Bit
PAGE:0063F455                                                 ;    +0x270 VmDeleted        : Pos 5, 1 Bit
PAGE:0063F455                                                 ;    +0x270 OutswapEnabled   : Pos 6, 1 Bit
PAGE:0063F455                                                 ;    +0x270 Outswapped       : Pos 7, 1 Bit
PAGE:0063F455                                                 ;    +0x270 ForkFailed       : Pos 8, 1 Bit
PAGE:0063F455                                                 ;    +0x270 Wow64VaSpace4Gb  : Pos 9, 1 Bit
PAGE:0063F455                                                 ;    +0x270 AddressSpaceInitialized : Pos 10, 2 Bits
PAGE:0063F455                                                 ;    +0x270 SetTimerResolution : Pos 12, 1 Bit
PAGE:0063F455                                                 ;    +0x270 BreakOnTermination : Pos 13, 1 Bit
PAGE:0063F455                                                 ;    +0x270 DeprioritizeViews : Pos 14, 1 Bit
PAGE:0063F455                                                 ;    +0x270 WriteWatch       : Pos 15, 1 Bit
PAGE:0063F455                                                 ;    +0x270 ProcessInSession : Pos 16, 1 Bit
PAGE:0063F455                                                 ;    +0x270 OverrideAddressSpace : Pos 17, 1 Bit
PAGE:0063F455                                                 ;    +0x270 HasAddressSpace  : Pos 18, 1 Bit
PAGE:0063F455                                                 ;    +0x270 LaunchPrefetched : Pos 19, 1 Bit
PAGE:0063F455                                                 ;    +0x270 InjectInpageErrors : Pos 20, 1 Bit
PAGE:0063F455                                                 ;    +0x270 VmTopDown        : Pos 21, 1 Bit
PAGE:0063F455                                                 ;    +0x2
PAGE:0063F45C 74 67             jz      short loc_63F4C5      ; 正常流程跳转
PAGE:0063F45E 33 C9             xor     ecx, ecx              ; 肯定是如果准备删除了这里会需要处理资源
PAGE:0063F460 8D 86 00 01 00 00 lea     eax, [esi+100h]
PAGE:0063F466 8B D0             mov     edx, eax
PAGE:0063F468 6A 11             push    11h
PAGE:0063F46A 58                pop     eax
PAGE:0063F46B F0 0F B1 0A       lock cmpxchg [edx], ecx
PAGE:0063F46F 83 F8 11          cmp     eax, 11h
PAGE:0063F472 74 0B             jz      short loc_63F47F
PAGE:0063F474 8D 8E 00 01 00 00 lea     ecx, [esi+100h]
PAGE:0063F47A E8 7B 78 E4 FF    call    @ExfReleasePushLockShared@4 ; //释放锁
PAGE:0063F47F
PAGE:0063F47F                   loc_63F47F:                   ; CODE XREF: NtQueryVirtualMemory(x,x,x,x,x,x)+230j
PAGE:0063F47F 80 A3 89 02 00 00+and     byte ptr [ebx+289h], 0FBh
PAGE:0063F486 66 FF 83 86 00 00+inc     word ptr [ebx+86h]
PAGE:0063F48D 0F B7 83 86 00 00+movzx   eax, word ptr [ebx+86h]
PAGE:0063F494 66 85 C0          test    ax, ax
PAGE:0063F497 75 0C             jnz     short loc_63F4A5
PAGE:0063F499 83 C3 40          add     ebx, 40h
PAGE:0063F49C 39 1B             cmp     [ebx], ebx
PAGE:0063F49E 74 05             jz      short loc_63F4A5
PAGE:0063F4A0 E8 D2 DE DE FF    call    _KiCheckForKernelApcDelivery@0 ; KiCheckForKernelApcDelivery()
PAGE:0063F4A5
PAGE:0063F4A5                   loc_63F4A5:                   ; CODE XREF: NtQueryVirtualMemory(x,x,x,x,x,x)+255j
PAGE:0063F4A5                                                 ; NtQueryVirtualMemory(x,x,x,x,x,x)+25Cj
PAGE:0063F4A5 F6 45 E4 01       test    byte ptr [ebp+var_1C??Attached], 1
PAGE:0063F4A9 74 10             jz      short loc_63F4BB
PAGE:0063F4AB 8D 45 A0          lea     eax, [ebp+ApcState]
PAGE:0063F4AE 50                push    eax
PAGE:0063F4AF E8 9E 37 E2 FF    call    _KeUnstackDetachProcess@4 ; KeUnstackDetachProcess(x)
PAGE:0063F4B4 8B CE             mov     ecx, esi              ; Object
PAGE:0063F4B6 E8 72 6F E1 FF    call    @ObfDereferenceObject@4 ; ObfDereferenceObject(x)
PAGE:0063F4BB
PAGE:0063F4BB                   loc_63F4BB:                   ; CODE XREF: NtQueryVirtualMemory(x,x,x,x,x,x)+267j
PAGE:0063F4BB B8 0A 01 00 C0    mov     eax, 0C000010Ah       ; STATUS_PROCESS_IS_TERMINATING
PAGE:0063F4C0 E9 84 04 00 00    jmp     loc_63F949
PAGE:0063F4C5                   ; ---------------------------------------------------------------------------
PAGE:0063F4C5
PAGE:0063F4C5                   loc_63F4C5:                   ; CODE XREF: NtQueryVirtualMemory(x,x,x,x,x,x)+21Aj
PAGE:0063F4C5 F7 86 8C 02 00 00+test    dword ptr [esi+28Ch], 0FFFFFF00h ; esi==Process
PAGE:0063F4C5 00 FF FF FF                                     ; +0x28c实际+0x014 NumberGenericTableElements : Pos 8, 24 Bits
PAGE:0063F4C5                                                 ; 判断节点数量
PAGE:0063F4CF 74 3D             jz      short loc_63F50E
PAGE:0063F4D1 8B 45 E0          mov     eax, [ebp+EProcess]
PAGE:0063F4D4 8B B0 80 02 00 00 mov     esi, [eax+280h]       ; esi == Process->VadRoot->RightChild
PAGE:0063F4DA 8B 45 0C          mov     eax, [ebp+BaseAddress]
PAGE:0063F4DD 8B C8             mov     ecx, eax
PAGE:0063F4DF C1 E9 0C          shr     ecx, 0Ch              ; 右移12位,取得高20位,获得页帧编号
PAGE:0063F4DF                                                 ; ecx == 查询地址的页帧编号
PAGE:0063F4E2 EB 1E             jmp     short loc_63F502
PAGE:0063F4E4                   ; ---------------------------------------------------------------------------
PAGE:0063F4E4
PAGE:0063F4E4                   loc_63F4E4:                   ; CODE XREF: NtQueryVirtualMemory(x,x,x,x,x,x)+2C2j
PAGE:0063F4E4 8B 56 0C          mov     edx, [esi+0Ch]        ; 遍历AVL树
PAGE:0063F4E7 3B CA             cmp     ecx, edx
PAGE:0063F4E9 72 09             jb      short loc_63F4F4
PAGE:0063F4EB 3B 4E 10          cmp     ecx, [esi+10h]
PAGE:0063F4EE 76 18             jbe     short loc_63F508      ; ???
PAGE:0063F4F0 3B CA             cmp     ecx, edx
PAGE:0063F4F2 73 05             jnb     short loc_63F4F9
PAGE:0063F4F4
PAGE:0063F4F4                   loc_63F4F4:                   ; CODE XREF: NtQueryVirtualMemory(x,x,x,x,x,x)+2A7j
PAGE:0063F4F4 8B 56 04          mov     edx, [esi+4]
PAGE:0063F4F7 EB 03             jmp     short loc_63F4FC
PAGE:0063F4F9                   ; ---------------------------------------------------------------------------
PAGE:0063F4F9
PAGE:0063F4F9                   loc_63F4F9:                   ; CODE XREF: NtQueryVirtualMemory(x,x,x,x,x,x)+2B0j
PAGE:0063F4F9 8B 56 08          mov     edx, [esi+8]
PAGE:0063F4FC
PAGE:0063F4FC                   loc_63F4FC:                   ; CODE XREF: NtQueryVirtualMemory(x,x,x,x,x,x)+2B5j
PAGE:0063F4FC 85 D2             test    edx, edx
PAGE:0063F4FE 74 15             jz      short loc_63F515
PAGE:0063F500 8B F2             mov     esi, edx
PAGE:0063F502
PAGE:0063F502                   loc_63F502:                   ; CODE XREF: NtQueryVirtualMemory(x,x,x,x,x,x)+2A0j
PAGE:0063F502 85 F6             test    esi, esi              ; 判断子节点是否有效
PAGE:0063F504 75 DE             jnz     short loc_63F4E4      ; 如果有效就跳转,遍历AVL树
PAGE:0063F506 EB 0D             jmp     short loc_63F515      ; 退出循环
PAGE:0063F508                   ; ---------------------------------------------------------------------------
PAGE:0063F508
PAGE:0063F508                   loc_63F508:                   ; CODE XREF: NtQueryVirtualMemory(x,x,x,x,x,x)+2ACj
PAGE:0063F508 83 4D E4 02       or      [ebp+var_1C??Attached], 2 ; 如果之前有靠挂,Attached为1,此时or 2 ,Attached==3
PAGE:0063F508                                                 ; 如果没有靠挂,此时Attached = 2
PAGE:0063F50C EB 07             jmp     short loc_63F515
PAGE:0063F50E                   ; ---------------------------------------------------------------------------
PAGE:0063F50E
PAGE:0063F50E                   loc_63F50E:                   ; CODE XREF: NtQueryVirtualMemory(x,x,x,x,x,x)+28Dj
PAGE:0063F50E 33 F6             xor     esi, esi
PAGE:0063F510 33 C9             xor     ecx, ecx
PAGE:0063F512 8B 45 0C          mov     eax, [ebp+BaseAddress]
PAGE:0063F515
PAGE:0063F515                   loc_63F515:                   ; CODE XREF: NtQueryVirtualMemory(x,x,x,x,x,x)+2BCj
PAGE:0063F515                                                 ; NtQueryVirtualMemory(x,x,x,x,x,x)+2C4j
PAGE:0063F515                                                 ; NtQueryVirtualMemory(x,x,x,x,x,x)+2CAj
PAGE:0063F515 F6 45 E4 02       test    byte ptr [ebp+var_1C??Attached], 2 ; 一般情况此时Attached=3,跳转发生
PAGE:0063F519 0F 85 0D 01 00 00 jnz     loc_63F62C
PAGE:0063F51F 85 F6             test    esi, esi
PAGE:0063F521 75 09             jnz     short loc_63F52C
PAGE:0063F523
PAGE:0063F523                   loc_63F523:                   ; CODE XREF: NtQueryVirtualMemory(x,x,x,x,x,x)+2FAj
PAGE:0063F523 8B 75 D8          mov     esi, [ebp+var_28]
PAGE:0063F526 2B 75 14          sub     esi, [ebp+MemoryInformation]
PAGE:0063F529 46                inc     esi
PAGE:0063F52A EB 25             jmp     short loc_63F551
PAGE:0063F52C                   ; ---------------------------------------------------------------------------
PAGE:0063F52C
PAGE:0063F52C                   loc_63F52C:                   ; CODE XREF: NtQueryVirtualMemory(x,x,x,x,x,x)+2DFj
PAGE:0063F52C 8B 46 0C          mov     eax, [esi+0Ch]
PAGE:0063F52F 3B C1             cmp     eax, ecx
PAGE:0063F531 73 16             jnb     short loc_63F549
PAGE:0063F533 8B CE             mov     ecx, esi
PAGE:0063F535 E8 E2 8D E4 FF    call    @MiGetNextNode@4      ; MiGetNextNode(x)
PAGE:0063F53A 85 C0             test    eax, eax
PAGE:0063F53C 74 E5             jz      short loc_63F523
PAGE:0063F53E 8B 70 0C          mov     esi, [eax+0Ch]
PAGE:0063F541 C1 E6 0C          shl     esi, 0Ch
PAGE:0063F544 2B 75 14          sub     esi, [ebp+MemoryInformation]
PAGE:0063F547 EB 08             jmp     short loc_63F551
PAGE:0063F549                   ; ---------------------------------------------------------------------------
PAGE:0063F549
PAGE:0063F549                   loc_63F549:                   ; CODE XREF: NtQueryVirtualMemory(x,x,x,x,x,x)+2EFj
PAGE:0063F549 C1 E0 0C          shl     eax, 0Ch
PAGE:0063F54C 2B 45 14          sub     eax, [ebp+MemoryInformation]
PAGE:0063F54F 8B F0             mov     esi, eax
PAGE:0063F551
PAGE:0063F551                   loc_63F551:                   ; CODE XREF: NtQueryVirtualMemory(x,x,x,x,x,x)+2E8j
PAGE:0063F551                                                 ; NtQueryVirtualMemory(x,x,x,x,x,x)+305j
PAGE:0063F551 33 C9             xor     ecx, ecx
PAGE:0063F553 8B 45 E0          mov     eax, [ebp+EProcess]
PAGE:0063F556 05 00 01 00 00    add     eax, 100h
PAGE:0063F55B 8B D0             mov     edx, eax
PAGE:0063F55D 6A 11             push    11h
PAGE:0063F55F 58                pop     eax
PAGE:0063F560 F0 0F B1 0A       lock cmpxchg [edx], ecx
PAGE:0063F564 83 F8 11          cmp     eax, 11h
PAGE:0063F567 74 0E             jz      short loc_63F577
PAGE:0063F569 8B 4D E0          mov     ecx, [ebp+EProcess]
PAGE:0063F56C 81 C1 00 01 00 00 add     ecx, 100h
PAGE:0063F572 E8 83 77 E4 FF    call    @ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)
PAGE:0063F577
PAGE:0063F577                   loc_63F577:                   ; CODE XREF: NtQueryVirtualMemory(x,x,x,x,x,x)+325j
PAGE:0063F577 80 A3 89 02 00 00+and     byte ptr [ebx+289h], 0FBh
PAGE:0063F57E 66 FF 83 86 00 00+inc     word ptr [ebx+86h]
PAGE:0063F585 0F B7 83 86 00 00+movzx   eax, word ptr [ebx+86h]
PAGE:0063F58C 66 85 C0          test    ax, ax
PAGE:0063F58F 75 0C             jnz     short loc_63F59D
PAGE:0063F591 83 C3 40          add     ebx, 40h
PAGE:0063F594 39 1B             cmp     [ebx], ebx
PAGE:0063F596 74 05             jz      short loc_63F59D
PAGE:0063F598 E8 DA DD DE FF    call    _KiCheckForKernelApcDelivery@0 ; KiCheckForKernelApcDelivery()
PAGE:0063F59D
PAGE:0063F59D                   loc_63F59D:                   ; CODE XREF: NtQueryVirtualMemory(x,x,x,x,x,x)+34Dj
PAGE:0063F59D                                                 ; NtQueryVirtualMemory(x,x,x,x,x,x)+354j
PAGE:0063F59D F6 45 E4 01       test    byte ptr [ebp+var_1C??Attached], 1
PAGE:0063F5A1 74 11             jz      short loc_63F5B4
PAGE:0063F5A3 8D 45 A0          lea     eax, [ebp+ApcState]
PAGE:0063F5A6 50                push    eax
PAGE:0063F5A7 E8 A6 36 E2 FF    call    _KeUnstackDetachProcess@4 ; KeUnstackDetachProcess(x)
PAGE:0063F5AC 8B 4D E0          mov     ecx, [ebp+EProcess]   ; Object
PAGE:0063F5AF E8 79 6E E1 FF    call    @ObfDereferenceObject@4 ; ObfDereferenceObject(x)
PAGE:0063F5B4
PAGE:0063F5B4                   loc_63F5B4:                   ; CODE XREF: NtQueryVirtualMemory(x,x,x,x,x,x)+35Fj
PAGE:0063F5B4 33 C9             xor     ecx, ecx
PAGE:0063F5B6 39 4D 10          cmp     [ebp+MemoryInformationClass], ecx
PAGE:0063F5B9 75 67             jnz     short loc_63F622
PAGE:0063F5BB 83 65 E4 FD       and     [ebp+var_1C??Attached], 0FFFFFFFDh
PAGE:0063F5BF C7 45 FC 04 00 00+mov     [ebp+ms_exc.registration.TryLevel], 4
PAGE:0063F5C6 89 4F 04          mov     [edi+4], ecx
PAGE:0063F5C9 89 4F 08          mov     [edi+8], ecx
PAGE:0063F5CC 8B 45 14          mov     eax, [ebp+MemoryInformation]
PAGE:0063F5CF 89 07             mov     [edi], eax
PAGE:0063F5D1 89 77 0C          mov     [edi+0Ch], esi
PAGE:0063F5D4 C7 47 10 00 00 01+mov     dword ptr [edi+10h], 10000h
PAGE:0063F5DB C7 47 14 01 00 00+mov     dword ptr [edi+14h], 1
PAGE:0063F5E2 89 4F 18          mov     [edi+18h], ecx
PAGE:0063F5E5 83 4D E4 02       or      [ebp+var_1C??Attached], 2
PAGE:0063F5E9 8B 45 1C          mov     eax, [ebp+ReturnLength]
PAGE:0063F5EC 3B C1             cmp     eax, ecx
PAGE:0063F5EE
PAGE:0063F5EE                   loc_63F5EE:                   ; CODE XREF: NtQueryVirtualMemory(x,x,x,x,x,x)+5FDj
PAGE:0063F5EE 0F 84 C5 FD FF FF jz      loc_63F3B9
PAGE:0063F5F4 C7 00 1C 00 00 00 mov     dword ptr [eax], 1Ch
PAGE:0063F5FA E9 BA FD FF FF    jmp     loc_63F3B9
PAGE:0063F5FF                   ; ---------------------------------------------------------------------------
PAGE:0063F5FF
PAGE:0063F5FF                   loc_63F5FF:                   ; DATA XREF: .text:stru_450F18o
PAGE:0063F5FF 8B 45 EC          mov     eax, [ebp+ms_exc.exc_ptr] ; Exception filter 4 for function 63F242
PAGE:0063F602 8B 00             mov     eax, [eax]
PAGE:0063F604 8B 00             mov     eax, [eax]
PAGE:0063F606 89 45 C8          mov     [ebp+var_38], eax
PAGE:0063F609 33 C0             xor     eax, eax
PAGE:0063F60B 40                inc     eax
PAGE:0063F60C C3                retn
PAGE:0063F60D                   ; ---------------------------------------------------------------------------
PAGE:0063F60D
PAGE:0063F60D                   loc_63F60D:                   ; DATA XREF: .text:stru_450F18o
PAGE:0063F60D 8B 65 E8          mov     esp, [ebp+ms_exc.old_esp] ; Exception handler 4 for function 63F242
PAGE:0063F610 F6 45 E4 02       test    byte ptr [ebp+var_1C??Attached], 2
PAGE:0063F614 0F 85 9F FD FF FF jnz     loc_63F3B9
PAGE:0063F61A 8B 45 C8          mov     eax, [ebp+var_38]
PAGE:0063F61D E9 CB FC FF FF    jmp     loc_63F2ED
PAGE:0063F622                   ; ---------------------------------------------------------------------------
PAGE:0063F622
PAGE:0063F622                   loc_63F622:                   ; CODE XREF: NtQueryVirtualMemory(x,x,x,x,x,x)+377j
PAGE:0063F622                                                 ; NtQueryVirtualMemory(x,x,x,x,x,x)+629j
PAGE:0063F622 B8 41 01 00 C0    mov     eax, 0C0000141h
PAGE:0063F627 E9 1D 03 00 00    jmp     loc_63F949
PAGE:0063F62C                   ; ---------------------------------------------------------------------------
PAGE:0063F62C
PAGE:0063F62C                   loc_63F62C:                   ; CODE XREF: NtQueryVirtualMemory(x,x,x,x,x,x)+2D7j
PAGE:0063F62C 25 00 F0 FF FF    and     eax, 0FFFFF000h       ; eax == BaseAddress,这里取BaseAddress的虚拟内存页的首地址
PAGE:0063F631 89 45 0C          mov     [ebp+BaseAddress], eax
PAGE:0063F634 89 45 84          mov     [ebp+var_7C], eax
PAGE:0063F637 8B 46 0C          mov     eax, [esi+0Ch]        ; 取得此子节点的起始编号 MMVAD->StartingVpn
PAGE:0063F63A C1 E0 0C          shl     eax, 0Ch              ; 左移12位,取得虚拟内存页的页首地址
PAGE:0063F63D 89 45 88          mov     [ebp+var_78], eax
PAGE:0063F640 8B 46 14          mov     eax, [esi+14h]        ; 取得MMVAD->u 其实是此节点的内存描述信息,
PAGE:0063F640                                                 ; u是一个联合体,表示一个Flags
PAGE:0063F643 8B C8             mov     ecx, eax              ; ???对Flag进行某种运算
PAGE:0063F645 C1 E9 18          shr     ecx, 18h
PAGE:0063F648 83 E1 1F          and     ecx, 1Fh
PAGE:0063F64B 8B 0C 8D E8 1E 44+mov     ecx, ds:_MmProtectToValue[ecx*4] ; 很明显是取数组中的元素,
PAGE:0063F64B 00                                              ; 可以在Windbg中kd> dd MmProtectToValue查看
PAGE:0063F64B                                                 ; 其实MmProtectToValue就是一个数组,保存内存页的保护属性,
PAGE:0063F64B                                                 ; 前面的Flags其实就是得到数组的下标,然后从中取出值
PAGE:0063F652 89 4D 8C          mov     [ebp+var_74], ecx     ; 保存查询地址的内存页属性
PAGE:0063F655 85 C0             test    eax, eax
PAGE:0063F657 79 09             jns     short loc_63F662
PAGE:0063F659 C7 45 9C 00 00 02+mov     [ebp+var_64], 20000h
PAGE:0063F660 EB 61             jmp     short loc_63F6C3
PAGE:0063F662                   ; ---------------------------------------------------------------------------
PAGE:0063F662
PAGE:0063F662                   loc_63F662:                   ; CODE XREF: NtQueryVirtualMemory(x,x,x,x,x,x)+415j
PAGE:0063F662 25 00 00 70 00    and     eax, (offset loc_6FFFFD+3) ; ????
PAGE:0063F667 2D 00 00 20 00    sub     eax, 200000h
PAGE:0063F66C F7 D8             neg     eax                   ; ????指令不懂
PAGE:0063F66E 1B C0             sbb     eax, eax
PAGE:0063F670 25 00 00 04 FF    and     eax, 0FF040000h
PAGE:0063F675 05 00 00 00 01    add     eax, 1000000h
PAGE:0063F67A 89 45 9C          mov     [ebp+var_64], eax     ; 之前就是对Flag进行某种运算,再保存
PAGE:0063F67D 83 7D 10 02       cmp     [ebp+MemoryInformationClass], 2 ; 我们就是2
PAGE:0063F681 75 40             jnz     short loc_63F6C3
PAGE:0063F683 8B 46 24          mov     eax, [esi+24h]        ; MMVAD->Subsection->ControlArea
PAGE:0063F686 83 38 00          cmp     dword ptr [eax], 0    ; 判断CONTROL_AREA->Segment 是否有效
PAGE:0063F689 74 2B             jz      short loc_63F6B6      ; 无效则跳转
PAGE:0063F68B 8B 00             mov     eax, [eax]
PAGE:0063F68D 89 45 08          mov     [ebp+ProcessHandle], eax ; 取出来,保存
PAGE:0063F690 8B 40 24          mov     eax, [eax+24h]        ; CONTROL_AREA->FilePointer 结构类型_EX_FAST_REF
PAGE:0063F693 83 E0 F8          and     eax, 0FFFFFFF8h       ; 去除标志,只要是CONTROL_AREA下的文件指针,
PAGE:0063F693                                                 ; 全部都要这样去除标志,得到文件对象
PAGE:0063F696 89 45 DC          mov     [ebp+var_24], eax     ; 保存这块虚拟内存的文件对象FilePointer
PAGE:0063F699 74 1B             jz      short loc_63F6B6
PAGE:0063F69B 8B 45 08          mov     eax, [ebp+ProcessHandle]
PAGE:0063F69E 83 C0 24          add     eax, 24h              ; PEX_FAST_REF结构
PAGE:0063F6A1 50                push    eax
PAGE:0063F6A2 E8 5F F5 E1 FF    call    @ObFastReferenceObject@4 ; 快速引用一个对象
PAGE:0063F6A7 85 C0             test    eax, eax              ; 判断文件对象是否有效
PAGE:0063F6A9 75 08             jnz     short loc_63F6B3      ; 有效跳转
PAGE:0063F6AB FF 75 08          push    [ebp+ProcessHandle]
PAGE:0063F6AE E8 A3 93 E5 FF    call    _MiReferenceControlAreaFile@4 ; MiReferenceControlAreaFile(x)
PAGE:0063F6B3
PAGE:0063F6B3                   loc_63F6B3:                   ; CODE XREF: NtQueryVirtualMemory(x,x,x,x,x,x)+467j
PAGE:0063F6B3 89 45 DC          mov     [ebp+var_24], eax     ; 保存_File_Object
PAGE:0063F6B6
PAGE:0063F6B6                   loc_63F6B6:                   ; CODE XREF: NtQueryVirtualMemory(x,x,x,x,x,x)+447j
PAGE:0063F6B6                                                 ; NtQueryVirtualMemory(x,x,x,x,x,x)+457j
PAGE:0063F6B6 83 7D DC 00       cmp     [ebp+var_24], 0       ; 判断对象引用是否成功
PAGE:0063F6BA 75 07             jnz     short loc_63F6C3      ; 引用成功则跳转
PAGE:0063F6BC C7 45 DC 01 00 00+mov     [ebp+var_24], 1
PAGE:0063F6C3
PAGE:0063F6C3                   loc_63F6C3:                   ; CODE XREF: NtQueryVirtualMemory(x,x,x,x,x,x)+41Ej
PAGE:0063F6C3                                                 ; NtQueryVirtualMemory(x,x,x,x,x,x)+43Fj
PAGE:0063F6C3                                                 ; NtQueryVirtualMemory(x,x,x,x,x,x)+478j
PAGE:0063F6C3 83 7D 10 03       cmp     [ebp+MemoryInformationClass], 3 ; 我们的方式是2
PAGE:0063F6C7 0F 85 D5 00 00 00 jnz     loc_63F7A2            ; 不为 3 就跳转
PAGE:0063F6CD 8B 4E 10          mov     ecx, [esi+10h]
PAGE:0063F6D0 2B 4E 0C          sub     ecx, [esi+0Ch]
PAGE:0063F6D3 41                inc     ecx
PAGE:0063F6D4 C1 E1 0C          shl     ecx, 0Ch
PAGE:0063F6D7 89 4D 10          mov     [ebp+MemoryInformationClass], ecx
PAGE:0063F6DA 33 D2             xor     edx, edx
PAGE:0063F6DC 8B 45 E0          mov     eax, [ebp+EProcess]
PAGE:0063F6DF 05 00 01 00 00    add     eax, 100h
PAGE:0063F6E4 8B F0             mov     esi, eax
PAGE:0063F6E6 6A 11             push    11h
PAGE:0063F6E8 58                pop     eax
PAGE:0063F6E9 F0 0F B1 16       lock cmpxchg [esi], edx
PAGE:0063F6ED 83 F8 11          cmp     eax, 11h
PAGE:0063F6F0 74 11             jz      short loc_63F703
PAGE:0063F6F2 8B 4D E0          mov     ecx, [ebp+EProcess]
PAGE:0063F6F5 81 C1 00 01 00 00 add     ecx, 100h
PAGE:0063F6FB E8 FA 75 E4 FF    call    @ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)
PAGE:0063F700 8B 4D 10          mov     ecx, [ebp+MemoryInformationClass]
PAGE:0063F703
PAGE:0063F703                   loc_63F703:                   ; CODE XREF: NtQueryVirtualMemory(x,x,x,x,x,x)+4AEj
PAGE:0063F703 80 A3 89 02 00 00+and     byte ptr [ebx+289h], 0FBh
PAGE:0063F70A 66 FF 83 86 00 00+inc     word ptr [ebx+86h]
PAGE:0063F711 0F B7 83 86 00 00+movzx   eax, word ptr [ebx+86h]
PAGE:0063F718 66 85 C0          test    ax, ax
PAGE:0063F71B 75 0F             jnz     short loc_63F72C
PAGE:0063F71D 83 C3 40          add     ebx, 40h
PAGE:0063F720 39 1B             cmp     [ebx], ebx
PAGE:0063F722 74 08             jz      short loc_63F72C
PAGE:0063F724 E8 4E DC DE FF    call    _KiCheckForKernelApcDelivery@0 ; KiCheckForKernelApcDelivery()
PAGE:0063F729 8B 4D 10          mov     ecx, [ebp+MemoryInformationClass]
PAGE:0063F72C
PAGE:0063F72C                   loc_63F72C:                   ; CODE XREF: NtQueryVirtualMemory(x,x,x,x,x,x)+4D9j
PAGE:0063F72C                                                 ; NtQueryVirtualMemory(x,x,x,x,x,x)+4E0j
PAGE:0063F72C F6 45 E4 01       test    byte ptr [ebp+var_1C??Attached], 1
PAGE:0063F730 74 14             jz      short loc_63F746
PAGE:0063F732 8D 45 A0          lea     eax, [ebp+ApcState]
PAGE:0063F735 50                push    eax
PAGE:0063F736 E8 17 35 E2 FF    call    _KeUnstackDetachProcess@4 ; KeUnstackDetachProcess(x)
PAGE:0063F73B 8B 4D E0          mov     ecx, [ebp+EProcess]   ; Object
PAGE:0063F73E E8 EA 6C E1 FF    call    @ObfDereferenceObject@4 ; ObfDereferenceObject(x)
PAGE:0063F743 8B 4D 10          mov     ecx, [ebp+MemoryInformationClass]
PAGE:0063F746
PAGE:0063F746                   loc_63F746:                   ; CODE XREF: NtQueryVirtualMemory(x,x,x,x,x,x)+4EEj
PAGE:0063F746 83 65 E4 FD       and     [ebp+var_1C??Attached], 0FFFFFFFDh
PAGE:0063F74A C7 45 FC 05 00 00+mov     [ebp+ms_exc.registration.TryLevel], 5
PAGE:0063F751 8B 45 88          mov     eax, [ebp+var_78]
PAGE:0063F754 89 07             mov     [edi], eax
PAGE:0063F756 8B 45 8C          mov     eax, [ebp+var_74]
PAGE:0063F759 89 47 04          mov     [edi+4], eax
PAGE:0063F75C 8B 45 9C          mov     eax, [ebp+var_64]
PAGE:0063F75F 89 47 08          mov     [edi+8], eax
PAGE:0063F762 89 4F 0C          mov     [edi+0Ch], ecx
PAGE:0063F765 83 4D E4 02       or      [ebp+var_1C??Attached], 2
PAGE:0063F769 8B 45 1C          mov     eax, [ebp+ReturnLength]
PAGE:0063F76C 85 C0             test    eax, eax
PAGE:0063F76E 0F 84 45 FC FF FF jz      loc_63F3B9
PAGE:0063F774 C7 00 10 00 00 00 mov     dword ptr [eax], 10h
PAGE:0063F77A E9 3A FC FF FF    jmp     loc_63F3B9
PAGE:0063F77F                   ; ---------------------------------------------------------------------------
PAGE:0063F77F
PAGE:0063F77F                   loc_63F77F:                   ; DATA XREF: .text:stru_450F18o
PAGE:0063F77F 8B 45 EC          mov     eax, [ebp+ms_exc.exc_ptr] ; Exception filter 5 for function 63F242
PAGE:0063F782 8B 00             mov     eax, [eax]
PAGE:0063F784 8B 00             mov     eax, [eax]
PAGE:0063F786 89 45 C4          mov     [ebp+var_3C], eax
PAGE:0063F789 33 C0             xor     eax, eax
PAGE:0063F78B 40                inc     eax
PAGE:0063F78C C3                retn
PAGE:0063F78D                   ; ---------------------------------------------------------------------------
PAGE:0063F78D
PAGE:0063F78D                   loc_63F78D:                   ; DATA XREF: .text:stru_450F18o
PAGE:0063F78D 8B 65 E8          mov     esp, [ebp+ms_exc.old_esp] ; Exception handler 5 for function 63F242
PAGE:0063F790 F6 45 E4 02       test    byte ptr [ebp+var_1C??Attached], 2
PAGE:0063F794 0F 85 1F FC FF FF jnz     loc_63F3B9
PAGE:0063F79A 8B 45 C4          mov     eax, [ebp+var_3C]
PAGE:0063F79D E9 4B FB FF FF    jmp     loc_63F2ED
PAGE:0063F7A2                   ; ---------------------------------------------------------------------------
PAGE:0063F7A2
PAGE:0063F7A2                   loc_63F7A2:                   ; CODE XREF: NtQueryVirtualMemory(x,x,x,x,x,x)+485j
PAGE:0063F7A2 83 7D 10 00       cmp     [ebp+MemoryInformationClass], 0 ; 我们是2,继续跳转
PAGE:0063F7A6 75 12             jnz     short loc_63F7BA
PAGE:0063F7A8 56                push    esi
PAGE:0063F7A9 FF 75 0C          push    [ebp+BaseAddress]
PAGE:0063F7AC 8D 45 84          lea     eax, [ebp+var_7C]
PAGE:0063F7AF E8 7E B2 E4 FF    call    _MiQueryAddressSpan@12 ; MiQueryAddressSpan(x,x,x)
PAGE:0063F7B4 2B 45 84          sub     eax, [ebp+var_7C]
PAGE:0063F7B7 89 45 90          mov     [ebp+var_70], eax
PAGE:0063F7BA
PAGE:0063F7BA                   loc_63F7BA:                   ; CODE XREF: NtQueryVirtualMemory(x,x,x,x,x,x)+564j
PAGE:0063F7BA 33 C9             xor     ecx, ecx
PAGE:0063F7BC 8B 45 E0          mov     eax, [ebp+EProcess]
PAGE:0063F7BF 05 00 01 00 00    add     eax, 100h             ; +0x100 AddressCreationLock : _EX_PUSH_LOCK
PAGE:0063F7BF                                                 ; 地址空间锁
PAGE:0063F7C4 8B D0             mov     edx, eax
PAGE:0063F7C6 6A 11             push    11h
PAGE:0063F7C8 58                pop     eax
PAGE:0063F7C9 F0 0F B1 0A       lock cmpxchg [edx], ecx
PAGE:0063F7CD 83 F8 11          cmp     eax, 11h
PAGE:0063F7D0 74 0E             jz      short loc_63F7E0
PAGE:0063F7D2 8B 4D E0          mov     ecx, [ebp+EProcess]
PAGE:0063F7D5 81 C1 00 01 00 00 add     ecx, 100h
PAGE:0063F7DB E8 1A 75 E4 FF    call    @ExfReleasePushLockShared@4 ; ExfReleasePushLockShared(x)
PAGE:0063F7E0
PAGE:0063F7E0                   loc_63F7E0:                   ; CODE XREF: NtQueryVirtualMemory(x,x,x,x,x,x)+58Ej
PAGE:0063F7E0 80 A3 89 02 00 00+and     byte ptr [ebx+289h], 0FBh
PAGE:0063F7E7 66 FF 83 86 00 00+inc     word ptr [ebx+86h]
PAGE:0063F7EE 0F B7 83 86 00 00+movzx   eax, word ptr [ebx+86h]
PAGE:0063F7F5 66 85 C0          test    ax, ax
PAGE:0063F7F8 75 0C             jnz     short loc_63F806
PAGE:0063F7FA 83 C3 40          add     ebx, 40h
PAGE:0063F7FD 39 1B             cmp     [ebx], ebx
PAGE:0063F7FF 74 05             jz      short loc_63F806
PAGE:0063F801 E8 71 DB DE FF    call    _KiCheckForKernelApcDelivery@0 ; KiCheckForKernelApcDelivery()
PAGE:0063F806
PAGE:0063F806                   loc_63F806:                   ; CODE XREF: NtQueryVirtualMemory(x,x,x,x,x,x)+5B6j
PAGE:0063F806                                                 ; NtQueryVirtualMemory(x,x,x,x,x,x)+5BDj
PAGE:0063F806 F6 45 E4 01       test    byte ptr [ebp+var_1C??Attached], 1 ; 判断进程是否靠挂
PAGE:0063F80A 74 11             jz      short loc_63F81D
PAGE:0063F80C 8D 45 A0          lea     eax, [ebp+ApcState]
PAGE:0063F80F 50                push    eax
PAGE:0063F810 E8 3D 34 E2 FF    call    _KeUnstackDetachProcess@4 ; KeUnstackDetachProcess(x)
PAGE:0063F815 8B 4D E0          mov     ecx, [ebp+EProcess]   ; Object
PAGE:0063F818 E8 10 6C E1 FF    call    @ObfDereferenceObject@4 ; 解除对进程对象的引用
PAGE:0063F81D
PAGE:0063F81D                   loc_63F81D:                   ; CODE XREF: NtQueryVirtualMemory(x,x,x,x,x,x)+5C8j
PAGE:0063F81D 83 7D 10 00       cmp     [ebp+MemoryInformationClass], 0
PAGE:0063F821 75 44             jnz     short loc_63F867
PAGE:0063F823 83 65 E4 FD       and     [ebp+var_1C??Attached], 0FFFFFFFDh
PAGE:0063F827 C7 45 FC 06 00 00+mov     [ebp+ms_exc.registration.TryLevel], 6
PAGE:0063F82E 6A 07             push    7
PAGE:0063F830 59                pop     ecx
PAGE:0063F831 8D 75 84          lea     esi, [ebp+var_7C]
PAGE:0063F834 F3 A5             rep movsd
PAGE:0063F836 83 4D E4 02       or      [ebp+var_1C??Attached], 2
PAGE:0063F83A 8B 45 1C          mov     eax, [ebp+ReturnLength]
PAGE:0063F83D 85 C0             test    eax, eax
PAGE:0063F83F E9 AA FD FF FF    jmp     loc_63F5EE
PAGE:0063F844                   ; ---------------------------------------------------------------------------
PAGE:0063F844
PAGE:0063F844                   loc_63F844:                   ; DATA XREF: .text:stru_450F18o
PAGE:0063F844 8B 45 EC          mov     eax, [ebp+ms_exc.exc_ptr] ; Exception filter 6 for function 63F242
PAGE:0063F847 8B 00             mov     eax, [eax]
PAGE:0063F849 8B 00             mov     eax, [eax]
PAGE:0063F84B 89 45 C0          mov     [ebp+var_40], eax
PAGE:0063F84E 33 C0             xor     eax, eax
PAGE:0063F850 40                inc     eax
PAGE:0063F851 C3                retn
PAGE:0063F852                   ; ---------------------------------------------------------------------------
PAGE:0063F852
PAGE:0063F852                   loc_63F852:                   ; DATA XREF: .text:stru_450F18o
PAGE:0063F852 8B 65 E8          mov     esp, [ebp+ms_exc.old_esp] ; Exception handler 6 for function 63F242
PAGE:0063F855 F6 45 E4 02       test    byte ptr [ebp+var_1C??Attached], 2
PAGE:0063F859 0F 85 5A FB FF FF jnz     loc_63F3B9
PAGE:0063F85F 8B 45 C0          mov     eax, [ebp+var_40]
PAGE:0063F862 E9 86 FA FF FF    jmp     loc_63F2ED
PAGE:0063F867                   ; ---------------------------------------------------------------------------
PAGE:0063F867
PAGE:0063F867                   loc_63F867:                   ; CODE XREF: NtQueryVirtualMemory(x,x,x,x,x,x)+5DFj
PAGE:0063F867 83 7D DC 00       cmp     [ebp+var_24], 0       ; 又是对文件对象的判断
PAGE:0063F86B 0F 84 B1 FD FF FF jz      loc_63F622            ; 为NULL,跳转
PAGE:0063F871 83 7D DC 01       cmp     [ebp+var_24], 1
PAGE:0063F875 75 0A             jnz     short loc_63F881      ; 有效,则跳转
PAGE:0063F877 B8 98 00 00 C0    mov     eax, 0C0000098h       ; STATUS_FILE_INVALID 错误码
PAGE:0063F87C E9 C8 00 00 00    jmp     loc_63F949
PAGE:0063F881                   ; ---------------------------------------------------------------------------
PAGE:0063F881
PAGE:0063F881                   loc_63F881:                   ; CODE XREF: NtQueryVirtualMemory(x,x,x,x,x,x)+633j
PAGE:0063F881 8D 45 BC          lea     eax, [ebp+var_44]
PAGE:0063F884 50                push    eax                   ; ReturnLength
PAGE:0063F885 FF 75 18          push    [ebp+MemoryInformationLength] ; Length
PAGE:0063F888 57                push    edi                   ; ObjectNameInfo
PAGE:0063F889 FF 75 DC          push    [ebp+var_24]          ; Object
PAGE:0063F88C E8 0D 10 FE FF    call    _ObQueryNameString@16 ; 在wrk中搜函数原型
PAGE:0063F891 8B F0             mov     esi, eax
PAGE:0063F893 8B 4D DC          mov     ecx, [ebp+var_24]     ; Object
PAGE:0063F896 E8 92 6B E1 FF    call    @ObfDereferenceObject@4 ; 释放对文件对象的引用
PAGE:0063F89B 8B 45 1C          mov     eax, [ebp+ReturnLength] ; 判断传入的返回值是否为NULL
PAGE:0063F89E 85 C0             test    eax, eax
PAGE:0063F8A0 74 29             jz      short loc_63F8CB      ; 为NULL,则跳转
PAGE:0063F8A2 C7 45 FC 07 00 00+mov     [ebp+ms_exc.registration.TryLevel], 7
PAGE:0063F8A9 8B 4D BC          mov     ecx, [ebp+var_44]     ; 实际字符串的长度
PAGE:0063F8AC 89 08             mov     [eax], ecx            ; 返回实际字符串的长度
PAGE:0063F8AE EB 14             jmp     short loc_63F8C4
PAGE:0063F8B0                   ; ---------------------------------------------------------------------------
PAGE:0063F8B0
PAGE:0063F8B0                   loc_63F8B0:                   ; DATA XREF: .text:stru_450F18o
PAGE:0063F8B0 8B 45 EC          mov     eax, [ebp+ms_exc.exc_ptr] ; Exception filter 7 for function 63F242
PAGE:0063F8B3 8B 00             mov     eax, [eax]
PAGE:0063F8B5 8B 00             mov     eax, [eax]
PAGE:0063F8B7 89 45 B8          mov     [ebp+var_48], eax
PAGE:0063F8BA 33 C0             xor     eax, eax
PAGE:0063F8BC 40                inc     eax
PAGE:0063F8BD C3                retn
PAGE:0063F8BE                   ; ---------------------------------------------------------------------------
PAGE:0063F8BE
PAGE:0063F8BE                   loc_63F8BE:                   ; DATA XREF: .text:stru_450F18o
PAGE:0063F8BE 8B 65 E8          mov     esp, [ebp+ms_exc.old_esp] ; Exception handler 7 for function 63F242
PAGE:0063F8C1 8B 75 B8          mov     esi, [ebp+var_48]
PAGE:0063F8C4
PAGE:0063F8C4                   loc_63F8C4:                   ; CODE XREF: NtQueryVirtualMemory(x,x,x,x,x,x)+66Cj
PAGE:0063F8C4 C7 45 FC FE FF FF+mov     [ebp+ms_exc.registration.TryLevel], 0FFFFFFFEh
PAGE:0063F8CB
PAGE:0063F8CB                   loc_63F8CB:                   ; CODE XREF: NtQueryVirtualMemory(x,x,x,x,x,x)+65Ej
PAGE:0063F8CB 8B C6             mov     eax, esi              ; ObQueryNameString 返回的status
PAGE:0063F8CD EB 7A             jmp     short loc_63F949
PAGE:0063F8CF                   ; ---------------------------------------------------------------------------
PAGE:0063F8CF
PAGE:0063F8CF                   loc_63F8CF:                   ; CODE XREF: NtQueryVirtualMemory(x,x,x,x,x,x)+E1j
PAGE:0063F8CF                                                 ; NtQueryVirtualMemory(x,x,x,x,x,x)+F4j
PAGE:0063F8CF BB 41 01 00 C0    mov     ebx, 0C0000141h
PAGE:0063F8D4 83 7D 10 00       cmp     [ebp+MemoryInformationClass], 0
PAGE:0063F8D8 75 6D             jnz     short loc_63F947
PAGE:0063F8DA C7 45 FC 01 00 00+mov     [ebp+ms_exc.registration.TryLevel], 1
PAGE:0063F8E1 46                inc     esi
PAGE:0063F8E2 89 77 04          mov     [edi+4], esi
PAGE:0063F8E5 6A 02             push    2
PAGE:0063F8E7 5B                pop     ebx
PAGE:0063F8E8 89 5F 08          mov     [edi+8], ebx
PAGE:0063F8EB 8B F0             mov     esi, eax
PAGE:0063F8ED 23 F2             and     esi, edx
PAGE:0063F8EF 89 37             mov     [edi], esi
PAGE:0063F8F1 23 C2             and     eax, edx
PAGE:0063F8F3 2B C8             sub     ecx, eax
PAGE:0063F8F5 41                inc     ecx
PAGE:0063F8F6 89 4F 0C          mov     [edi+0Ch], ecx
PAGE:0063F8F9 C7 47 10 00 20 00+mov     dword ptr [edi+10h], 2000h
PAGE:0063F900 C7 47 14 01 00 00+mov     dword ptr [edi+14h], 1
PAGE:0063F907 C7 47 18 00 00 02+mov     dword ptr [edi+18h], 20000h
PAGE:0063F90E 8B 45 1C          mov     eax, [ebp+ReturnLength]
PAGE:0063F911 85 C0             test    eax, eax
PAGE:0063F913 74 06             jz      short loc_63F91B
PAGE:0063F915 C7 00 1C 00 00 00 mov     dword ptr [eax], 1Ch
PAGE:0063F91B
PAGE:0063F91B                   loc_63F91B:                   ; CODE XREF: NtQueryVirtualMemory(x,x,x,x,x,x)+6D1j
PAGE:0063F91B B8 00 00 FE 7F    mov     eax, 7FFE0000h
PAGE:0063F920 3B F0             cmp     esi, eax
PAGE:0063F922 75 1A             jnz     short loc_63F93E
PAGE:0063F924 89 47 04          mov     [edi+4], eax
PAGE:0063F927 89 5F 14          mov     [edi+14h], ebx
PAGE:0063F92A B8 00 10 00 00    mov     eax, 1000h
PAGE:0063F92F 89 47 0C          mov     [edi+0Ch], eax
PAGE:0063F932 89 47 10          mov     [edi+10h], eax
PAGE:0063F935 EB 07             jmp     short loc_63F93E
PAGE:0063F937                   ; ---------------------------------------------------------------------------
PAGE:0063F937
PAGE:0063F937                   loc_63F937:                   ; DATA XREF: .text:stru_450F18o
PAGE:0063F937 33 C0             xor     eax, eax              ; Exception filter 1 for function 63F242
PAGE:0063F939 40                inc     eax
PAGE:0063F93A C3                retn
PAGE:0063F93B                   ; ---------------------------------------------------------------------------
PAGE:0063F93B
PAGE:0063F93B                   loc_63F93B:                   ; DATA XREF: .text:stru_450F18o
PAGE:0063F93B 8B 65 E8          mov     esp, [ebp+ms_exc.old_esp] ; Exception handler 1 for function 63F242
PAGE:0063F93E
PAGE:0063F93E                   loc_63F93E:                   ; CODE XREF: NtQueryVirtualMemory(x,x,x,x,x,x)+6E0j
PAGE:0063F93E                                                 ; NtQueryVirtualMemory(x,x,x,x,x,x)+6F3j
PAGE:0063F93E C7 45 FC FE FF FF+mov     [ebp+ms_exc.registration.TryLevel], 0FFFFFFFEh
PAGE:0063F945 33 DB             xor     ebx, ebx
PAGE:0063F947
PAGE:0063F947                   loc_63F947:                   ; CODE XREF: NtQueryVirtualMemory(x,x,x,x,x,x)+1A7j
PAGE:0063F947                                                 ; NtQueryVirtualMemory(x,x,x,x,x,x)+696j
PAGE:0063F947 8B C3             mov     eax, ebx
PAGE:0063F949
PAGE:0063F949                   loc_63F949:                   ; CODE XREF: NtQueryVirtualMemory(x,x,x,x,x,x)+2Cj
PAGE:0063F949                                                 ; NtQueryVirtualMemory(x,x,x,x,x,x)+4Ej
PAGE:0063F949                                                 ; NtQueryVirtualMemory(x,x,x,x,x,x)+B2j
PAGE:0063F949                                                 ; NtQueryVirtualMemory(x,x,x,x,x,x)+CCj
PAGE:0063F949                                                 ; NtQueryVirtualMemory(x,x,x,x,x,x)+12Cj
PAGE:0063F949                                                 ; NtQueryVirtualMemory(x,x,x,x,x,x)+159j
PAGE:0063F949                                                 ; NtQueryVirtualMemory(x,x,x,x,x,x)+180j
PAGE:0063F949                                                 ; NtQueryVirtualMemory(x,x,x,x,x,x)+27Ej
PAGE:0063F949                                                 ; NtQueryVirtualMemory(x,x,x,x,x,x)+3E5j
PAGE:0063F949                                                 ; NtQueryVirtualMemory(x,x,x,x,x,x)+63Aj
PAGE:0063F949                                                 ; NtQueryVirtualMemory(x,x,x,x,x,x)+68Bj
PAGE:0063F949 E8 17 49 E1 FF    call    __SEH_epilog4
PAGE:0063F94E C2 18 00          retn    18h
PAGE:0063F94E                   _NtQueryVirtualMemory@24 endp
PAGE:0063F94E

 下面是wrk中的源代码

技术分享
NTSTATUS
NtQueryVirtualMemory(
    __in HANDLE ProcessHandle,
    __in PVOID BaseAddress,
    __in MEMORY_INFORMATION_CLASS MemoryInformationClass,
    __out_bcount(MemoryInformationLength) PVOID MemoryInformation,
    __in SIZE_T MemoryInformationLength,
    __out_opt PSIZE_T ReturnLength
    )

/*++

Routine Description:

    This function provides the capability to determine the state,
    protection, and type of a region of pages within the virtual address
    space of the subject process.

    The state of the first page within the region is determined and then
    subsequent entries in the process address map are scanned from the
    base address upward until either the entire range of pages has been
    scanned or until a page with a nonmatching set of attributes is
    encountered. The region attributes, the length of the region of pages
    with matching attributes, and an appropriate status value are
    returned.

    If the entire region of pages does not have a matching set of
    attributes, then the returned length parameter value can be used to
    calculate the address and length of the region of pages that was not
    scanned.

Arguments:


    ProcessHandle - An open handle to a process object.

    BaseAddress - The base address of the region of pages to be
                  queried. This value is rounded down to the next host-page-
                  address boundary.

    MemoryInformationClass - The memory information class about which
                             to retrieve information.

    MemoryInformation - A pointer to a buffer that receives the specified
                        information.  The format and content of the buffer
                        depend on the specified information class.


        MemoryBasicInformation - Data type is PMEMORY_BASIC_INFORMATION.

            MEMORY_BASIC_INFORMATION Structure


            ULONG RegionSize - The size of the region in bytes beginning at
                               the base address in which all pages have
                               identical attributes.

            ULONG State - The state of the pages within the region.

                State Values

                MEM_COMMIT - The state of the pages within the region
                             is committed.

                MEM_FREE - The state of the pages within the region
                           is free.

                MEM_RESERVE - The state of the pages within the
                              region is reserved.

            ULONG Protect - The protection of the pages within the region.

                Protect Values

                PAGE_NOACCESS - No access to the region of pages is allowed.
                                An attempt to read, write, or execute within
                                the region results in an access violation.

                PAGE_EXECUTE - Execute access to the region of pages
                               is allowed. An attempt to read or write within
                               the region results in an access violation.

                PAGE_READONLY - Read-only and execute access to the region
                                of pages is allowed. An attempt to write within
                                the region results in an access violation.

                PAGE_READWRITE - Read, write, and execute access to the region
                                 of pages is allowed. If write access to the
                                 underlying section is allowed, then a single
                                 copy of the pages are shared. Otherwise,
                                 the pages are shared read-only/copy-on-write.

                PAGE_GUARD - Read, write, and execute access to the
                             region of pages is allowed; however, access to
                             the region causes a "guard region entered"
                             condition to be raised in the subject process.

                PAGE_NOCACHE - Disable the placement of committed
                               pages into the data cache.

                PAGE_WRITECOMBINE - Disable the placement of committed
                                    pages into the data cache, combine the
                                    writes as well.

            ULONG Type - The type of pages within the region.

                Type Values

                MEM_PRIVATE - The pages within the region are private.

                MEM_MAPPED - The pages within the region are mapped
                             into the view of a section.

                MEM_IMAGE - The pages within the region are mapped
                            into the view of an image section.

    MemoryInformationLength - Specifies the length in bytes of
                              the memory information buffer.

    ReturnLength - An optional pointer which, if specified, receives the
                   number of bytes placed in the process information buffer.

Return Value:

    NTSTATUS.

Environment:

    Kernel mode.

--*/

{
    ULONG LocalReturnLength;
    KPROCESSOR_MODE PreviousMode;
    PEPROCESS TargetProcess;
    PETHREAD Thread;
    NTSTATUS Status;
    PMMVAD Vad;
    PVOID Va;
    PVOID NextVaToQuery;
    LOGICAL Found;
    SIZE_T TheRegionSize;
    ULONG NewProtect;
    ULONG NewState;
    PVOID FilePointer;
    ULONG_PTR BaseVpn;
    MEMORY_BASIC_INFORMATION Info;
    PMEMORY_BASIC_INFORMATION BasicInfo;
    LOGICAL Attached;
    LOGICAL Leaped;
    ULONG MemoryInformationLengthUlong;
    KAPC_STATE ApcState;
    PETHREAD CurrentThread;
    PVOID HighestVadAddress;
    PVOID HighestUserAddress;

    Found = FALSE;
    Leaped = TRUE;
    FilePointer = NULL;

    //
    // Make sure the user‘s buffer is large enough for the requested operation.
    //
    // Check argument validity.
    //

    switch (MemoryInformationClass) {
        case MemoryBasicInformation:
            if (MemoryInformationLength < sizeof(MEMORY_BASIC_INFORMATION)) {
                return STATUS_INFO_LENGTH_MISMATCH;
            }
            break;

        case MemoryWorkingSetInformation:
            if (MemoryInformationLength < sizeof(ULONG_PTR)) {
                return STATUS_INFO_LENGTH_MISMATCH;
            }
            break;

        case MemoryWorkingSetExInformation:
            if (MemoryInformationLength < sizeof (MEMORY_WORKING_SET_EX_INFORMATION)) {
                return STATUS_INFO_LENGTH_MISMATCH;
            }
            break;

        case MemoryMappedFilenameInformation:
            break;

        default:
            return STATUS_INVALID_INFO_CLASS;
    }

    CurrentThread = PsGetCurrentThread ();
    PreviousMode = KeGetPreviousModeByThread(&CurrentThread->Tcb);

    if (PreviousMode != KernelMode) {

        //
        // Check arguments.
        //

        try {

            ProbeForWrite(MemoryInformation,
                          MemoryInformationLength,
                          sizeof(ULONG_PTR));

            if (ARGUMENT_PRESENT(ReturnLength)) {
                ProbeForWriteUlong_ptr(ReturnLength);
            }

        } except (EXCEPTION_EXECUTE_HANDLER) {

            //
            // If an exception occurs during the probe or capture
            // of the initial values, then handle the exception and
            // return the exception code as the status value.
            //

            return GetExceptionCode();
        }
    }

    if (BaseAddress > MM_HIGHEST_USER_ADDRESS) {
        return STATUS_INVALID_PARAMETER;
    }

    HighestUserAddress = MM_HIGHEST_USER_ADDRESS;
    HighestVadAddress  = (PCHAR) MM_HIGHEST_VAD_ADDRESS;

#if defined(_WIN64)

    if (ProcessHandle == NtCurrentProcess()) {
        TargetProcess = PsGetCurrentProcessByThread(CurrentThread);
    }
    else {
        Status = ObReferenceObjectByHandle (ProcessHandle,
                                            PROCESS_QUERY_INFORMATION,
                                            PsProcessType,
                                            PreviousMode,
                                            (PVOID *)&TargetProcess,
                                            NULL);

        if (!NT_SUCCESS(Status)) {
            return Status;
        }
    }

    //
    // If this is a wow64 process, then return the appropriate highest
    // user address depending on whether the process has been started with
    // a 2GB or a 4GB address space.
    //

    if (TargetProcess->Wow64Process != NULL) {

        if (TargetProcess->Flags & PS_PROCESS_FLAGS_WOW64_4GB_VA_SPACE) {
            HighestUserAddress = (PVOID) ((ULONG_PTR)_4gb - X64K - 1);
        }
        else {
            HighestUserAddress = (PVOID) ((ULONG_PTR)_2gb - X64K - 1);
        }

        HighestVadAddress  = (PCHAR)HighestUserAddress - X64K;

        if (BaseAddress > HighestUserAddress) {

            if (ProcessHandle != NtCurrentProcess()) {
                ObDereferenceObject (TargetProcess);
            }
            return STATUS_INVALID_PARAMETER;
        }
    }

#endif

    if ((BaseAddress > HighestVadAddress) ||
        (PAGE_ALIGN(BaseAddress) == (PVOID)MM_SHARED_USER_DATA_VA)) {

        //
        // Indicate a reserved area from this point on.
        //

        Status = STATUS_INVALID_ADDRESS;

        if (MemoryInformationClass == MemoryBasicInformation) {

            try {
                ((PMEMORY_BASIC_INFORMATION)MemoryInformation)->AllocationBase =
                                      (PCHAR) HighestVadAddress + 1;
                ((PMEMORY_BASIC_INFORMATION)MemoryInformation)->AllocationProtect =
                                                                      PAGE_READONLY;
                ((PMEMORY_BASIC_INFORMATION)MemoryInformation)->BaseAddress =
                                                       PAGE_ALIGN(BaseAddress);
                ((PMEMORY_BASIC_INFORMATION)MemoryInformation)->RegionSize =
                                    ((PCHAR)HighestUserAddress + 1) -
                                                (PCHAR)PAGE_ALIGN(BaseAddress);
                ((PMEMORY_BASIC_INFORMATION)MemoryInformation)->State = MEM_RESERVE;
                ((PMEMORY_BASIC_INFORMATION)MemoryInformation)->Protect = PAGE_NOACCESS;
                ((PMEMORY_BASIC_INFORMATION)MemoryInformation)->Type = MEM_PRIVATE;

                if (ARGUMENT_PRESENT(ReturnLength)) {
                    *ReturnLength = sizeof(MEMORY_BASIC_INFORMATION);
                }

                if (PAGE_ALIGN(BaseAddress) == (PVOID)MM_SHARED_USER_DATA_VA) {

                    //
                    // This is the page that is double mapped between
                    // user mode and kernel mode.
                    //

                    ((PMEMORY_BASIC_INFORMATION)MemoryInformation)->AllocationBase =
                                (PVOID)MM_SHARED_USER_DATA_VA;
                    ((PMEMORY_BASIC_INFORMATION)MemoryInformation)->Protect =
                                                                 PAGE_READONLY;
                    ((PMEMORY_BASIC_INFORMATION)MemoryInformation)->RegionSize =
                                                                 PAGE_SIZE;
                    ((PMEMORY_BASIC_INFORMATION)MemoryInformation)->State =
                                                                 MEM_COMMIT;
                }

            } except (EXCEPTION_EXECUTE_HANDLER) {

                //
                // Just return success.
                //

                NOTHING;
            }

            Status = STATUS_SUCCESS;
        }
            
#if defined(_WIN64)
        if (ProcessHandle != NtCurrentProcess()) {
            ObDereferenceObject (TargetProcess);
        }
#endif
            
        return Status;
    }

#if !defined(_WIN64)

    if (ProcessHandle == NtCurrentProcess()) {
        TargetProcess = PsGetCurrentProcessByThread(CurrentThread);
    }
    else {
        Status = ObReferenceObjectByHandle (ProcessHandle,
                                            PROCESS_QUERY_INFORMATION,
                                            PsProcessType,
                                            PreviousMode,
                                            (PVOID *)&TargetProcess,
                                            NULL);

        if (!NT_SUCCESS(Status)) {
            return Status;
        }
    }

#endif

    if (MemoryInformationClass == MemoryWorkingSetExInformation) {

        Status = MiGetWorkingSetInfoList (
                            (PMEMORY_WORKING_SET_EX_INFORMATION) MemoryInformation,
                            MemoryInformationLength,
                            TargetProcess);

        if (ProcessHandle != NtCurrentProcess()) {
            ObDereferenceObject (TargetProcess);
        }

        //
        // If MiGetWorkingSetInfoList failed then inform the caller.
        //

        if (!NT_SUCCESS(Status)) {
            return Status;
        }

        try {

            if (ARGUMENT_PRESENT (ReturnLength)) {
                *ReturnLength = MemoryInformationLength;
            }

        } except (EXCEPTION_EXECUTE_HANDLER) {
            NOTHING;
        }

        return STATUS_SUCCESS;
    }

    if (MemoryInformationClass == MemoryWorkingSetInformation) {

        Status = MiGetWorkingSetInfo (
                            (PMEMORY_WORKING_SET_INFORMATION) MemoryInformation,
                            MemoryInformationLength,
                            TargetProcess);

        if (ProcessHandle != NtCurrentProcess()) {
            ObDereferenceObject (TargetProcess);
        }

        //
        // If MiGetWorkingSetInfo failed then inform the caller.
        //

        if (!NT_SUCCESS(Status)) {
            return Status;
        }

        try {

            if (ARGUMENT_PRESENT(ReturnLength)) {
                *ReturnLength = ((((PMEMORY_WORKING_SET_INFORMATION)
                                    MemoryInformation)->NumberOfEntries - 1) *
                                        sizeof(ULONG_PTR)) +
                                        sizeof(MEMORY_WORKING_SET_INFORMATION);
            }

        } except (EXCEPTION_EXECUTE_HANDLER) {
        }

        return STATUS_SUCCESS;
    }

    //
    // If the specified process is not the current process, attach
    // to the specified process.
    //

    if (ProcessHandle != NtCurrentProcess()) {
        KeStackAttachProcess (&TargetProcess->Pcb, &ApcState);
        Attached = TRUE;
    }
    else {
        Attached = FALSE;
    }

    //
    // Get working set mutex and block APCs.
    //

    LOCK_ADDRESS_SPACE (TargetProcess);

    //
    // Make sure the address space was not deleted, if so, return an error.
    //

    if (TargetProcess->Flags & PS_PROCESS_FLAGS_VM_DELETED) {
        UNLOCK_ADDRESS_SPACE (TargetProcess);
        if (Attached == TRUE) {
            KeUnstackDetachProcess (&ApcState);
            ObDereferenceObject (TargetProcess);
        }
        return STATUS_PROCESS_IS_TERMINATING;
    }

    //
    // Locate the VAD that contains the base address or the VAD
    // which follows the base address.
    //

    if (TargetProcess->VadRoot.NumberGenericTableElements != 0) {

        Vad = (PMMVAD) TargetProcess->VadRoot.BalancedRoot.RightChild;
        BaseVpn = MI_VA_TO_VPN (BaseAddress);

        while (TRUE) {

            if (Vad == NULL) {
                break;
            }

            if ((BaseVpn >= Vad->StartingVpn) &&
                (BaseVpn <= Vad->EndingVpn)) {
                Found = TRUE;
                break;
            }

            if (BaseVpn < Vad->StartingVpn) {
                if (Vad->LeftChild == NULL) {
                    break;
                }
                Vad = Vad->LeftChild;
            }
            else {
                ASSERT (BaseVpn > Vad->EndingVpn);

                if (Vad->RightChild == NULL) {
                    break;
                }

                Vad = Vad->RightChild;
            }
        }
    }
    else {
        Vad = NULL;
        BaseVpn = 0;
    }

    if (!Found) {

        //
        // There is no virtual address allocated at the base
        // address.  Return the size of the hole starting at
        // the base address.
        //

        if (Vad == NULL) {
            TheRegionSize = (((PCHAR)HighestVadAddress + 1) - 
                                         (PCHAR)PAGE_ALIGN(BaseAddress));
        }
        else {
            if (Vad->StartingVpn < BaseVpn) {

                //
                // We are looking at the Vad which occupies the range
                // just before the desired range.  Get the next Vad.
                //

                Vad = MiGetNextVad (Vad);
                if (Vad == NULL) {
                    TheRegionSize = (((PCHAR)HighestVadAddress + 1) - 
                                                (PCHAR)PAGE_ALIGN(BaseAddress));
                }
                else {
                    TheRegionSize = (PCHAR)MI_VPN_TO_VA (Vad->StartingVpn) -
                                                (PCHAR)PAGE_ALIGN(BaseAddress);
                }
            }
            else {
                TheRegionSize = (PCHAR)MI_VPN_TO_VA (Vad->StartingVpn) -
                                                (PCHAR)PAGE_ALIGN(BaseAddress);
            }
        }

        UNLOCK_ADDRESS_SPACE (TargetProcess);

        if (Attached == TRUE) {
            KeUnstackDetachProcess (&ApcState);
            ObDereferenceObject (TargetProcess);
        }

        //
        // Establish an exception handler and write the information and
        // returned length.
        //

        if (MemoryInformationClass == MemoryBasicInformation) {
            BasicInfo = (PMEMORY_BASIC_INFORMATION) MemoryInformation;
            Found = FALSE;
            try {

                BasicInfo->AllocationBase = NULL;
                BasicInfo->AllocationProtect = 0;
                BasicInfo->BaseAddress = PAGE_ALIGN(BaseAddress);
                BasicInfo->RegionSize = TheRegionSize;
                BasicInfo->State = MEM_FREE;
                BasicInfo->Protect = PAGE_NOACCESS;
                BasicInfo->Type = 0;

                Found = TRUE;
                if (ARGUMENT_PRESENT(ReturnLength)) {
                    *ReturnLength = sizeof(MEMORY_BASIC_INFORMATION);
                }

            } except (EXCEPTION_EXECUTE_HANDLER) {

                //
                // Just return success if the BasicInfo was successfully
                // filled in.
                //
                
                if (Found == FALSE) {
                    return GetExceptionCode ();
                }
            }

            return STATUS_SUCCESS;
        }
        return STATUS_INVALID_ADDRESS;
    }

    //
    // Found a VAD.
    //
   
    Va = PAGE_ALIGN(BaseAddress);
    Info.BaseAddress = Va;
    Info.AllocationBase = MI_VPN_TO_VA (Vad->StartingVpn);
    Info.AllocationProtect = MI_CONVERT_FROM_PTE_PROTECTION (
                                             Vad->u.VadFlags.Protection);
    
    //
    // There is a page mapped at the base address.
    //
    
    if ((Vad->u.VadFlags.PrivateMemory) || 
        (Vad->u.VadFlags.VadType == VadRotatePhysical)) {

        Info.Type = MEM_PRIVATE;
    }
    else {
        if (Vad->u.VadFlags.VadType == VadImageMap) {
            Info.Type = MEM_IMAGE;
        }
        else {
            Info.Type = MEM_MAPPED;
        }

        if (MemoryInformationClass == MemoryMappedFilenameInformation) {

            if (Vad->ControlArea != NULL) {
                FilePointer = Vad->ControlArea->FilePointer;
            }
            if (FilePointer == NULL) {
                FilePointer = (PVOID)1;
            }
            else {
                ObReferenceObject (FilePointer);
            }
        } 
    }

    Thread = PsGetCurrentThread ();

    LOCK_WS_SHARED (Thread, TargetProcess);

    Info.State = MiQueryAddressState (Va,
                                      Vad,
                                      TargetProcess,
                                      &Info.Protect,
                                      &NextVaToQuery);

    Va = NextVaToQuery;

    while (MI_VA_TO_VPN (Va) <= Vad->EndingVpn) {

        NewState = MiQueryAddressState (Va,
                                        Vad,
                                        TargetProcess,
                                        &NewProtect,
                                        &NextVaToQuery);

        if ((NewState != Info.State) || (NewProtect != Info.Protect)) {

            //
            // The state for this address does not match, calculate
            // size and return.
            //

            Leaped = FALSE;
            break;
        }
        Va = NextVaToQuery;
    }

    UNLOCK_WS_SHARED (Thread, TargetProcess);    

    //
    // We may have aggressively leaped past the end of the VAD.  Shorten the
    // Va here if we did.
    //

    if (Leaped == TRUE) {
        Va = MI_VPN_TO_VA (Vad->EndingVpn + 1);
    }

    Info.RegionSize = ((PCHAR)Va - (PCHAR)Info.BaseAddress);

    //
    // A range has been found, release the mutexes, detach from the
    // target process and return the information.
    //

    UNLOCK_ADDRESS_SPACE (TargetProcess);

    if (Attached == TRUE) {
        KeUnstackDetachProcess (&ApcState);
        ObDereferenceObject (TargetProcess);
    }

    if (MemoryInformationClass == MemoryBasicInformation) {
        Found = FALSE;
        try {

            *(PMEMORY_BASIC_INFORMATION)MemoryInformation = Info;

            Found = TRUE;
            if (ARGUMENT_PRESENT(ReturnLength)) {
                *ReturnLength = sizeof(MEMORY_BASIC_INFORMATION);
            }

        } except (EXCEPTION_EXECUTE_HANDLER) {

            //
            // Just return success if the BasicInfo was successfully
            // filled in.
            //
                
            if (Found == FALSE) {
                return GetExceptionCode ();
            }
        }
        return STATUS_SUCCESS;
    }

    //
    // Try to return the name of the file that is mapped.
    //

    if (FilePointer == NULL) {
        return STATUS_INVALID_ADDRESS;
    }

    if (FilePointer == (PVOID)1) {
        return STATUS_FILE_INVALID;
    }

    MemoryInformationLengthUlong = (ULONG)MemoryInformationLength;

    if ((SIZE_T)MemoryInformationLengthUlong < MemoryInformationLength) {
        return STATUS_INVALID_PARAMETER_5;
    }
    
    //
    // We have a referenced pointer to the file.  Call ObQueryNameString
    // and get the file name.
    //

    Status = ObQueryNameString (FilePointer,
                                (POBJECT_NAME_INFORMATION) MemoryInformation,
                                 MemoryInformationLengthUlong,
                                 &LocalReturnLength);

    ObDereferenceObject (FilePointer);

    if (ARGUMENT_PRESENT (ReturnLength)) {
        try {
            *ReturnLength = LocalReturnLength;
        } except (EXCEPTION_EXECUTE_HANDLER) {
            Status = GetExceptionCode ();
        }
    }

    return Status;
}
Wrk NtQueryVirtualMemory

 

所以,我们也可以自己来遍历二叉树来获得进程的所有模块,而不用NtQueryVirtualMemory函数,就是一个AVL树的遍历,主要代码如下

typedef struct _MMADDRESS_NODE              // 0x14
{
    union  u1{ULONG u1;};                    // +0x0(0x4)
    struct _MMADDRESS_NODE* LeftChild;       // +0x4(0x4)
    struct _MMADDRESS_NODE* RightChild;      // +0x8(0x4)
    ULONG StartingVpn;                       // +0xc(0x4)
    ULONG EndingVpn;                         // +0x10(0x4)
}MMADDRESS_NODE,*PMMADDRESS_NODE;

#pragma pack(push,1)

typedef struct _EX_FAST_REF
{
    union
    {
        PVOID Object;
        ULONG_PTR RefCnt:3;
        ULONG_PTR Value;
    };
} EX_FAST_REF, *PEX_FAST_REF;
#pragma pack(pop)

struct _SEGMENT                                // 0x38
{
    struct _CONTROL_AREA* ControlArea;        // +0x0(0x4)
    ULONG TotalNumberOfPtes;                  // +0x4(0x4)
    ULONG SegmentFlags;                       // +0x8(0x4)
    ULONG NumberOfCommittedPages;             // +0xc(0x4)
    ULONGLONG SizeOfSegment;                  // +0x10(0x8)
    union
    {
        struct _MMEXTEND_INFO* ExtendInfo;     // +0x18(0x4)
        void* BasedAddress;                    // +0x18(0x4)
    };
    EX_PUSH_LOCK SegmentLock;                  // +0x1c(0x4)
    ULONG u1;                                  // +0x20(0x4)
    ULONG u2;                                  // +0x24(0x4)
    struct _MMPTE* PrototypePte;               // +0x28(0x4)
    //ULONGLONG ThePtes[0x1];                  // +0x30(0x8)
};
struct _CONTROL_AREA                           // 0x50
{
    struct _SEGMENT* Segment;                  // +0x0(0x4)
    struct _LIST_ENTRY DereferenceList;        // +0x4(0x8)
    ULONG NumberOfSectionReferences;           // +0xc(0x4)
    ULONG NumberOfPfnReferences;               // +0x10(0x4)
    ULONG NumberOfMappedViews;                 // +0x14(0x4)
    ULONG NumberOfUserReferences;              // +0x18(0x4)
    ULONG  u;                                  // +0x1c(0x4)
    ULONG FlushInProgressCount;                // +0x20(0x4)
    struct _EX_FAST_REF FilePointer;           // +0x24(0x4)   
};
struct _SUBSECTION                             // 0x20
{
    struct _CONTROL_AREA* ControlArea;          // +0x0(0x4)
    struct _MMPTE* SubsectionBase;              // +0x4(0x4)
    struct _SUBSECTION* NextSubsection;         // +0x8(0x4)
    ULONG PtesInSubsection;                     // +0xc(0x4)
    ULONG UnusedPtes;                           // +0x10(0x4)
    struct _MM_AVL_TABLE* GlobalPerSessionHead; // +0x10(0x4)
    union u{ULONG u;};                          // +0x14(0x4)
    ULONG StartingSector;                       // +0x18(0x4)
    ULONG NumberOfFullSectors;                  // +0x1c(0x4)
};
typedef struct _MMVAD                           // 0x3c
{
    ULONG u1;                                   // +0x0(0x4)
    struct _MMVAD* LeftChild;                   // +0x4(0x4)
    struct _MMVAD* RightChild;                  // +0x8(0x4)
    ULONG StartingVpn;                          // +0xc(0x4)
    ULONG EndingVpn;                            // +0x10(0x4)
    ULONG u;                                    // +0x14(0x4)
    EX_PUSH_LOCK PushLock;                      // +0x18(0x4)
    ULONG u5;                                   // +0x1c(0x4)
    ULONG u2;                                   // +0x20(0x4)
    struct _SUBSECTION* Subsection;             // +0x24(0x4)
    struct _MSUBSECTION* MappedSubsection;      // +0x24(0x4)
    struct _MMPTE* FirstPrototypePte;           // +0x28(0x4)
    struct _MMPTE* LastContiguousPte;           // +0x2c(0x4)
    struct _LIST_ENTRY ViewLinks;               // +0x30(0x8)
    struct _EPROCESS* VadsProcess;              // +0x38(0x4)
}MMVAD;

typedef struct   _MM_AVL_TABLE                   // 0x20
{
    struct _MMADDRESS_NODE BalancedRoot;         // +0x0(0x14)
    ULONG DepthOfTree;                           // +0x14(0x4)
    ULONG Unused;                                // +0x14(0x4)
    ULONG NumberGenericTableElements;            // +0x14(0x4)
    void* NodeHint;                              // +0x18(0x4)
    void* NodeFreeHint;                          // +0x1c(0x4)
}MM_AVL_TABLE,*PMMAVL_TABLE;


#define GetVadRoot(eprocess)  ((PVOID)((char*)eprocess+0x278))


VOID PrintTree(MMVAD
* Root) { POBJECT_NAME_INFORMATION Str=(POBJECT_NAME_INFORMATION )ExAllocatePool(PagedPool,800); ULONG RetLen=0; if(!Str||!Root) return ; RtlZeroMemory(Str,800);//递归要节省堆栈资源,不要大量使用局部变量 __try { if(MmIsAddressValid(Root->Subsection)&&MmIsAddressValid(Root->Subsection->ControlArea)) { if(MmIsAddressValid((PVOID)Root->Subsection->ControlArea->FilePointer.Value)) { //最后三位清零 PFILE_OBJECT pFileObj=(PFILE_OBJECT)((Root->Subsection->ControlArea->FilePointer.Value>>3)<<3); if(MmIsAddressValid(pFileObj)) { NTSTATUS Status=ObQueryNameString(pFileObj,Str,800,&RetLen); if(NT_SUCCESS(Status)) { DbgPrint("Base:%08X Size:%dKb Name:%wZ\r\n",Root->Subsection->ControlArea->Segment->BasedAddress, (Root->Subsection->ControlArea->Segment->SizeOfSegment)/0x1000, (PUNICODE_STRING)(&(Str->Name))); } else { DbgPrint("不能获取到对象!%08X\n",Status); } } } } } __except(1) { DbgPrint("Invalid Address!\n"); } ExFreePool(Str); __try { if(MmIsAddressValid(Root->LeftChild)) PrintTree(Root->LeftChild); if(MmIsAddressValid(Root->RightChild)) PrintTree(Root->RightChild); } __except(1) { DbgPrint("Exception!"); return; } } VOID ShowProcessModule(ULONG Pid) { #ifdef _DBG _asm int 3 #endif PMMAVL_TABLE Table; PEPROCESS Epr=0; if(NT_SUCCESS(PsLookupProcessByProcessId((HANDLE)Pid,&Epr))) { KeAttachProcess(Epr); Table=(PMMAVL_TABLE)GetVadRoot(Epr); if(Table->BalancedRoot.LeftChild) PrintTree((MMVAD*)Table->BalancedRoot.LeftChild); if(Table->BalancedRoot.RightChild) PrintTree((MMVAD*)Table->BalancedRoot.RightChild); KeDetachProcess(); } }

由枚举模块到ring0内存结构的初步探索

标签:

原文地址:http://www.cnblogs.com/lanrenxinxin/p/4668462.html

(0)
(0)
   
举报
评论 一句话评论(0
登录后才能评论!
© 2014 mamicode.com 版权所有  联系我们:gaon5@hotmail.com
迷上了代码!