From 6ca45bb8c15713521134bbf61b7bcaa49e4ef229 Mon Sep 17 00:00:00 2001
From: Toni Uhlig
Date: Sun, 15 Sep 2019 16:23:03 +0200
Subject: VAD Unlink test, currently not working as expected
---
 KMemDriver/VAD.c | 37 +++++++++++++++++++++++++++++++++++++
 1 file changed, 37 insertions(+)
(limited to 'KMemDriver/VAD.c')
diff --git a/KMemDriver/VAD.c b/KMemDriver/VAD.c
index 94c7397..7c3e9d6 100644
--- a/KMemDriver/VAD.c
+++ b/KMemDriver/VAD.c
@@ -5,6 +5,9 @@
 #include
 #include
+#define MM_ZERO_ACCESS 0
+
+
 TABLE_SEARCH_RESULT VADFindNodeOrParent( IN PMM_AVL_TABLE Table,
@@ -129,5 +132,39 @@ NTSTATUS VADProtect(
 if (NT_SUCCESS(status)) pVadShort->u.VadFlags.Protection = prot;
+ return status;
+}
+
+NTSTATUS VADUnlink(IN PEPROCESS pProcess, IN ULONG_PTR address)
+{
+ NTSTATUS status = STATUS_SUCCESS;
+ PMMVAD_SHORT pVadShort = NULL;
+
+ status = VADFind(pProcess, address, &pVadShort);
+ if (!NT_SUCCESS(status))
+ return status;
+
+ // Erase image name
+ if (pVadShort->u.VadFlags.VadType == VadImageMap)
+ {
+ PMMVAD pVadLong = (PMMVAD)pVadShort;
+ if (pVadLong->Subsection && pVadLong->Subsection->ControlArea && pVadLong->Subsection->ControlArea->FilePointer.Object)
+ {
+ PFILE_OBJECT pFile = (PFILE_OBJECT)(pVadLong->Subsection->ControlArea->FilePointer.Value & ~0xF);
+ pFile->FileName.Buffer[0] = L'\0';
+ pFile->FileName.Length = 0;
+ }
+ else
+ return STATUS_INVALID_ADDRESS;
+ }
+ // Make NO_ACCESS
+ else if (pVadShort->u.VadFlags.VadType == VadDevicePhysicalMemory)
+ {
+ pVadShort->u.VadFlags.Protection = MM_ZERO_ACCESS;
+ }
+ // Invalid VAD type
+ else
+ status = STATUS_INVALID_PARAMETER;
+
 return status;
 }
\ No newline at end of file
--
cgit v1.2.3
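Review bot: In the VadImageMap branch of VADUnlink the NULL test is made on `FilePointer.Object`, but the pointer actually dereferenced is `FilePointer.Value & ~0xF`, and `FileName.Buffer[0]` is written without checking that `Buffer` is non-NULL, so a fast-ref whose pointer bits are clear or a nameless file object would fault in kernel mode; a guard placed after the mask, such as `if (pFile == NULL || pFile->FileName.Buffer == NULL) return STATUS_INVALID_ADDRESS;`, would close that. Nothing visible in the hunk takes a reference on the file object or holds the address-space lock while the VAD and control area are walked, which looks racy against unmap or process exit, so it is worth confirming what VADFind guarantees. The FILE_OBJECT sits behind the section's control area, which is presumably shared by every mapping of that image, so the name is erased for all of them and never restored, and an image-mapped VAD backed by a file object with an empty name is the kind of inconsistency memory-forensics tooling can flag. The `~0xF` mask also appears to assume the 64-bit EX_FAST_REF layout and deserves a comment saying so.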