驱动下的查找进程以及LoadImage下ZwProtectVirtualMemory死锁处理办法

先贴个查找进程:

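/*
 * dv_FindEProcess - look a process up by image name by walking the
 * EPROCESS ActiveProcessLinks list, starting at the current process.
 *
 * ProcessName: NUL-terminated ANSI image name. It is compared
 *              case-insensitively with what PsGetProcessImageFileName()
 *              returns (the short, truncated image name, not a full path).
 * pEprocess:   optional out-parameter; receives the matching EPROCESS and
 *              is cleared to NULL when nothing matches. NOTE(review): no
 *              object reference is taken on the returned EPROCESS, so the
 *              caller must not keep it across a point where the process
 *              may exit.
 *
 * Returns the PID of the first match, or 0 when nothing matched or
 * ProcessName is NULL.
 *
 * Caveats a caller should be aware of:
 *  - The list is walked without holding the system's process-list lock,
 *    so a process exiting concurrently can unlink itself mid-walk.
 *  - The walk depends on the dynData offsets matching the running OS build.
 *  - The list head (PsActiveProcessHead) is not an EPROCESS; when Flink
 *    reaches it, the computed "EPROCESS" pointer is bogus and only the
 *    pName/uPid sanity test below protects the comparison. The
 *    __try/__except does NOT catch invalid kernel-mode memory accesses
 *    (those bugcheck), so it is not a substitute for correct list handling.
 */
ULONG dv_FindEProcess(PUCHAR ProcessName, PEPROCESS *pEprocess)
{
    PLIST_ENTRY ActiveProcessLinks;
    ANSI_STRING tarName, curName;
    PUCHAR pName = NULL;
    ULONG uPid = 0, uRetPid = 0;
    PCHAR FirstEProcess, NextEprocess;

    /* Declarations are kept ahead of the first statement: the WDK C
     * compiler used for Win7-era drivers rejects C99 mixed declarations. */
    if (ProcessName == NULL)
    {
        return 0;
    }
    if (pEprocess)
    {
        *pEprocess = NULL;
    }

    RtlInitAnsiString(&tarName, (PCSZ)ProcessName);
    FirstEProcess = NextEprocess = (PCHAR)PsGetCurrentProcess();

    __try
    {
        do
        {
            pName = (PUCHAR)PsGetProcessImageFileName((PEPROCESS)NextEprocess);
            /* UniqueProcessId is stored as a HANDLE; reading its low 32 bits
             * is sufficient for the PID value on little-endian x86/x64. */
            uPid = *(PULONG)(NextEprocess + dynData.EPROCESS_UniqueProcessId);

            /* Skip entries with no name or PID 0 (idle process / bogus
             * pointer computed from the list head). */
            if (pName && uPid)
            {
                RtlInitAnsiString(&curName, (PCSZ)pName);
                /* %Z expects a PANSI_STRING, so the address must be passed;
                 * passing the struct by value (as before) mis-reads the
                 * variadic arguments. */
                DbgPrint("di-%Z(%d)", &curName, uPid);
                if (RtlEqualString(&tarName, &curName, TRUE))
                {
                    if (pEprocess)
                    {
                        *pEprocess = (PEPROCESS)NextEprocess;
                    }
                    uRetPid = uPid;
                    break;
                }
            }

            ActiveProcessLinks = (PLIST_ENTRY)(NextEprocess + dynData.EPROCESS_ActiveProcessLinks);
            if (ActiveProcessLinks->Flink == NULL)
            {
                break;
            }

            /* CONTAINING_RECORD by hand, using the dynamic offset. */
            NextEprocess = (PCHAR)ActiveProcessLinks->Flink - dynData.EPROCESS_ActiveProcessLinks;
        } while (NextEprocess != FirstEProcess);
    }
    __except (EXCEPTION_EXECUTE_HANDLER)
    {
        /* Best effort: report "not found" rather than propagate. */
    }

    return uRetPid;
}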

在 PsSetLoadImageNotifyRoutine 注册的回调里调用 ZwProtectVirtualMemory 会卡死,原因就是 AddressCreationLock(回调执行时这把锁已经被持有,再次获取就会死锁).
我处理的办法不是解锁,而是直接把 AddressCreationLock 清零,这样调用 ZwProtectVirtualMemory 的时候就会跳过该锁,不再卡死. 注意:这是直接篡改内核锁状态的做法,相当于绕过了该锁对进程地址空间修改的互斥保护,可能与其他线程的地址空间操作产生竞争甚至破坏内核结构,仅作参考,不建议用于生产环境;更稳妥的做法是在回调里只记录信息,把 ZwProtectVirtualMemory 推迟到工作项等锁外上下文中执行.
如下处理:

WIN10 下 LoadImage 回调好像没有 AddressCreationLock 锁死的问题(至少我没遇到过);WIN7 下则有一大堆 Zw 调用会在该回调中死锁.
刚遇到的时候纠结了很久才解决,希望对你们有所帮助.
