// Receives the byte count the driver reports back (lpBytesReturned); it is
// only meaningful when DeviceIoControl itself succeeds.
DWORD isOk = 0;
// `data` is handed over as the INPUT buffer only: lpOutBuffer is NULL and
// nOutBufferSize is 0.  The driver side reads AssociatedIrp.SystemBuffer, so
// this is presumably METHOD_BUFFERED; with buffered I/O the I/O manager copies
// the driver's results back into the caller's OUTPUT buffer, never into the
// input buffer, so whatever the driver writes into its copy of `data` cannot
// reach this side.  To get updated fields back, pass &data / sizeof(data) as
// the output buffer as well (and have the driver report the byte count in
// IoStatus.Information).
BOOL ret = DeviceIoControl(deviceId, Protect, &data, sizeof(data), 0, 0, &isOk, 0);
// Captured right after the call so later API calls cannot overwrite it.
// Note it is only printed on the success path below, never on failure.
DWORD error = GetLastError();
if (ret && isOk)
{
printf("错误 %d\n",error);
// Assumes data.size is a 64-bit integer (%I64d) and data.old fits %d — confirm
// against the ProtectData definition.
printf("大小 %I64d , 权限:%d 返回大小 %d\n", data.size, data.old, isOk);// but the user-mode size and protection values did not change
return TRUE;
}
// Failure path returns 0 (same value as FALSE); `error` is not reported here.
return 0;
驱动层代码:
[C] 纯文本查看 复制代码PEPROCESS pe = { 0 };
UNICODE_STRING funcName = { 0 };
// ZwProtectVirtualMemory is resolved by name at run time rather than linked.
// pZwProtectVirtualMemory is a project typedef declared elsewhere; it must
// match the real ZwProtectVirtualMemory signature exactly, otherwise the call
// below is undefined behaviour.
RtlInitUnicodeString(&funcName, L"ZwProtectVirtualMemory");
pZwProtectVirtualMemory function = (pZwProtectVirtualMemory)MmGetSystemRoutineAddress(&funcName);
DbgPrint("pZwProtectVirtualMemory:%p\n", function);
// NULL check: MmGetSystemRoutineAddress returns NULL when the export is not
// found.  MmIsAddressValid only reports whether touching the page would fault
// right now, so a plain `function == NULL` test is the intended (and
// sufficient) check here.
if (!MmIsAddressValid((PVOID)function))
{
return FALSE;
}
// ioData->pid is taken straight from the request.  On success `pe` holds a
// reference that must be released with ObDereferenceObject (done below).
NTSTATUS status = PsLookupProcessByProcessId((HANDLE)ioData->pid, &pe);
KAPC_STATE apc = { 0 };
// Intent: bail out when the lookup failed.  The `&&` only works because `pe`
// starts out NULL (the lookup appears to leave it untouched on failure, so
// MmIsAddressValid(pe) is FALSE); the condition that actually expresses the
// intent is `!NT_SUCCESS(status)` on its own.  Also note there is no access
// check anywhere in view: any caller that can open the device can target any
// pid, so the device object's ACL is the only thing limiting who reaches this
// path.
if (!NT_SUCCESS(status) && !MmIsAddressValid(pe)) { return FALSE; }
// Switch this thread into the target's address space so that ZwCurrentProcess()
// below refers to the looked-up process rather than the caller.
KeStackAttachProcess(pe, &apc);
DbgPrint("改权限地址:%p\n", ioData->address);
// address, size and old are passed by pointer and updated in place: the base
// and size are written back (rounded to page boundaries, as
// ZwProtectVirtualMemory normally does) and `old` receives the previous
// protection — which is why these fields look changed on the driver side.
// Because the call is made from kernel mode, the usual user-mode probing of
// these arguments is skipped; ioData->address and ioData->size come from the
// caller and are not range-checked anywhere in view.
status = function(ZwCurrentProcess(), &ioData->address, &ioData->size, ioData->now, &ioData->old);
// (Assumes ioData->size is 64-bit for %I64d — confirm against ProtectData.)
DbgPrint("结果:%x 权限: %d 大小 %I64d", status, ioData->old, ioData->size); // here the new protection and size have both been changed
// Undo the attach before dropping the process reference taken by the lookup.
KeUnstackDetachProcess(&apc);
ObDereferenceObject(pe);
if (NT_SUCCESS(status)) {
return TRUE;
}
return FALSE;
驱动分发的代码:
[C] 纯文本查看 复制代码case Protect: {
// Buffered I/O: the caller's input lives in SystemBuffer, and the same buffer
// is what the I/O manager copies back to the caller's output buffer on
// completion.  Nothing in view compares
// Parameters.DeviceIoControl.InputBufferLength with sizeof(ProtectData) before
// recvData is dereferenced; if that is not done above the switch, a short
// request reads past the end of SystemBuffer.
PProtectData recvData = (PProtectData)pIrp->AssociatedIrp.SystemBuffer;
DbgPrint("接收-> old %d", recvData->old);
// MemProtect updates recvData in place (address/size/old) and reports success
// as a BOOL; `flag` is declared outside this span.
flag = MemProtect(recvData);
DbgPrint("改变-> new %d", recvData->old);// the pointed-to data really is modified here; this print is just for inspection
break;
}
}
// Status is STATUS_SUCCESS even when MemProtect failed, so a caller can only
// detect failure from Information being 0.
pIrp->IoStatus.Status = STATUS_SUCCESS;
// For buffered I/O, Information is the number of SystemBuffer bytes copied to
// the caller's output buffer and is what user mode sees in lpBytesReturned.
// `size` is declared outside this span; it must not exceed the request's
// OutputBufferLength (a caller that supplied no output buffer gets nothing
// copied back regardless of this value).
pIrp->IoStatus.Information = flag ? size : 0;
IoCompleteRequest(pIrp, IO_NO_INCREMENT);
return STATUS_SUCCESS;
这个是什么原因呢?