use RtlAvlRemoveNode in VADUnlink iff all methods from BB failed

author: Toni Uhlig <matzeton@googlemail.com> 2019-09-17 20:29:16 +0200
committer: Toni Uhlig <matzeton@googlemail.com> 2019-09-17 20:29:16 +0200
commit: d4fc35fe9232df78521d7b51daf100b031814822 (patch)
tree: 1981040e58715d42a2eadde81f75de0f7b8ce257 /KMemDriver
parent: fe2c3f4acdbe12fe190a6fed83643d3deb68bea3 (diff)
2 files changed, 12 insertions, 4 deletions
diff --git a/KMemDriver/Imports.h b/KMemDriver/Imports.h
index 4547799..ed70956 100644
--- a/KMemDriver/Imports.h
+++ b/KMemDriver/Imports.h
@@ -130,4 +130,12 @@ NTSTATUS ZwFreeVirtualMemory(
 NTKERNELAPI
 PVOID
 NTAPI
-PsGetProcessWow64Process(IN PEPROCESS Process);
-\ No newline at end of file
+PsGetProcessWow64Process(IN PEPROCESS Process);
+
+NTSYSAPI
+PVOID
+NTAPI
+RtlAvlRemoveNode(
+	IN PRTL_AVL_TREE pTree,
+	IN PMMADDRESS_NODE pNode
+);
+\ No newline at end of file
diff --git a/KMemDriver/VAD.c b/KMemDriver/VAD.c
index 7c3e9d6..bb3cbb6 100644
--- a/KMemDriver/VAD.c
+++ b/KMemDriver/VAD.c
@@ -162,9 +162,9 @@ NTSTATUS VADUnlink(IN PEPROCESS pProcess, IN ULONG_PTR address)
 	{
 		pVadShort->u.VadFlags.Protection = MM_ZERO_ACCESS;
 	}
-	// Invalid VAD type
-	else
-		status = STATUS_INVALID_PARAMETER;
+	else {
+		RtlAvlRemoveNode((PMM_AVL_TABLE)((PUCHAR)pProcess + VAD_TREE_1803), (PMMADDRESS_NODE)pVadShort);
+	}
 
 	return status;
 }
 \ No newline at end of file
author	Toni Uhlig <matzeton@googlemail.com>	2019-09-17 20:29:16 +0200
committer	Toni Uhlig <matzeton@googlemail.com>	2019-09-17 20:29:16 +0200
commit	d4fc35fe9232df78521d7b51daf100b031814822 (patch)
tree	1981040e58715d42a2eadde81f75de0f7b8ce257 /KMemDriver
parent	fe2c3f4acdbe12fe190a6fed83643d3deb68bea3 (diff)