[Share] Finding a process from a kernel driver, and handling the ZwProtectVirtualMemory deadlock inside a LoadImage callback.
Posted: 2018-11-11 19:15
First, the process lookup code:
#include <ntddk.h>

// PsGetProcessImageFileName is exported by ntoskrnl but not declared in the public headers.
// It returns only the first 15 characters of the image name, so the comparison below is
// against that truncated name.
NTKERNELAPI PCHAR NTAPI PsGetProcessImageFileName(PEPROCESS Process);

// dynData holds the per-OS-version EPROCESS field offsets and is defined elsewhere in the driver.

ULONG dv_FindEProcess(PUCHAR ProcessName, PEPROCESS *pEprocess)
{
    PLIST_ENTRY ActiveProcessLinks;
    ANSI_STRING tarName, curName;
    PCHAR pName = NULL;
    ULONG uPid = 0, uRetPid = 0;
    PCHAR FirstEProcess, NextEprocess;

    RtlInitAnsiString(&tarName, (PCSZ)ProcessName);
    // Walk the ActiveProcessLinks list starting from the current process until it wraps around.
    FirstEProcess = NextEprocess = (PCHAR)PsGetCurrentProcess();
    __try
    {
        do
        {
            pName = PsGetProcessImageFileName((PEPROCESS)NextEprocess);
            // UniqueProcessId is a HANDLE; the low 32 bits hold the PID.
            uPid = *(PULONG)(NextEprocess + dynData.EPROCESS_UniqueProcessId);
            if (pName && uPid)
            {
                RtlInitAnsiString(&curName, pName);
                DbgPrint("di-%Z(%lu)", &curName, uPid);   // %Z expects a pointer to the ANSI_STRING
                if (RtlEqualString(&tarName, &curName, TRUE))   // case-insensitive compare
                {
                    if (pEprocess)
                    {
                        *pEprocess = (PEPROCESS)NextEprocess;
                    }
                    uRetPid = uPid;
                    break;
                }
            }
            ActiveProcessLinks = (PLIST_ENTRY)(NextEprocess + dynData.EPROCESS_ActiveProcessLinks);
            if (ActiveProcessLinks->Flink == NULL)
            {
                break;
            }
            // CONTAINING_RECORD by hand: step back from the LIST_ENTRY to the start of the EPROCESS.
            NextEprocess = (PCHAR)ActiveProcessLinks->Flink - dynData.EPROCESS_ActiveProcessLinks;
        } while (NextEprocess != FirstEProcess);
    }
    __except (EXCEPTION_EXECUTE_HANDLER)
    {
        // A torn list or bad offset lands here; return 0 (not found) rather than bugchecking.
    }
    return uRetPid;
}
Calling ZwProtectVirtualMemory from a PsSetLoadImageNotifyRoutine callback hangs; the cause is AddressCreationLock.
The way I handled it was not to release the lock but to clear AddressCreationLock to zero directly, so that when
ZwProtectVirtualMemory is called it skips the check and no longer hangs.
Handled as follows:
On Win10 the LoadImage callback does not seem to have the
AddressCreationLock deadlock problem, at least I have not run into it; on Win7 a whole pile of Zw calls deadlock.
When I first hit this I struggled for a long time before solving it; I hope this helps you.