authorToni Uhlig <matzeton@googlemail.com>2019-09-15 16:23:03 +0200
committerToni Uhlig <matzeton@googlemail.com>2019-09-15 16:23:03 +0200
commit6ca45bb8c15713521134bbf61b7bcaa49e4ef229 (patch)
tree54036879aaa9c3f524751e21c1e79325ebc22afd /KMemDriver/VAD.c
parent9d575399136a0d1fab1f93eb03b42092f506a28e (diff)
VAD Unlink test, currently not working as expected
Diffstat (limited to 'KMemDriver/VAD.c')
-rw-r--r--KMemDriver/VAD.c37
1 files changed, 37 insertions, 0 deletions
diff --git a/KMemDriver/VAD.c b/KMemDriver/VAD.c
index 94c7397..7c3e9d6 100644
--- a/KMemDriver/VAD.c
+++ b/KMemDriver/VAD.c
@@ -5,6 +5,9 @@
#include <ntddk.h>
#include <Ntstrsafe.h>
+#define MM_ZERO_ACCESS 0
+
+
TABLE_SEARCH_RESULT
VADFindNodeOrParent(
IN PMM_AVL_TABLE Table,
@@ -130,4 +133,38 @@ NTSTATUS VADProtect(
pVadShort->u.VadFlags.Protection = prot;
return status;
+}
+
+NTSTATUS VADUnlink(IN PEPROCESS pProcess, IN ULONG_PTR address)
+{
+ NTSTATUS status = STATUS_SUCCESS;
+ PMMVAD_SHORT pVadShort = NULL;
+
+ status = VADFind(pProcess, address, &pVadShort);
+ if (!NT_SUCCESS(status))
+ return status;
+
+ // Erase image name
+ if (pVadShort->u.VadFlags.VadType == VadImageMap)
+ {
+ PMMVAD pVadLong = (PMMVAD)pVadShort;
+ if (pVadLong->Subsection && pVadLong->Subsection->ControlArea && pVadLong->Subsection->ControlArea->FilePointer.Object)
+ {
+ PFILE_OBJECT pFile = (PFILE_OBJECT)(pVadLong->Subsection->ControlArea->FilePointer.Value & ~0xF);
+ pFile->FileName.Buffer[0] = L'\0';
+ pFile->FileName.Length = 0;
+ }
+ else
+ return STATUS_INVALID_ADDRESS;
+ }
+ // Make NO_ACCESS
+ else if (pVadShort->u.VadFlags.VadType == VadDevicePhysicalMemory)
+ {
+ pVadShort->u.VadFlags.Protection = MM_ZERO_ACCESS;
+ }
+ // Invalid VAD type
+ else
+ status = STATUS_INVALID_PARAMETER;
+
+ return status;
}
\ No newline at end of file
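Review bot: The image-map branch of VADUnlink writes `pFile->FileName.Buffer[0]` without checking that the masked pointer and `FileName.Buffer` are non-NULL, and a fault there in kernel mode is a bugcheck; guard it with `if (!pFile || !pFile->FileName.Buffer || pFile->FileName.MaximumLength < sizeof(WCHAR)) return STATUS_INVALID_ADDRESS;`. The file object is reached through the section's control area, so the edit is presumably visible to every mapping of that image rather than only to `pProcess`, and no lock or reference is taken in the visible lines. The name says unlink but nothing here detaches the node from the VAD tree, so a header comment should say what the function does, e.g. `// Blanks the backing FILE_OBJECT name (image VADs) or sets Protection to MM_ZERO_ACCESS (physical-memory VADs); the VAD node stays linked.` For anyone triaging a host, an image-mapped VAD whose file object has a zero-length name is an inconsistency worth flagging.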