请问如何从NtMapViewOfSection的HANDLE SectionHandle参数获取被映射的文件名呢？

Fly_1101 2007-12-29 09:29:08

我在文件过滤驱动中hook了NtMapViewOfSection，目的是为了处理有文件头时，改变映射的偏移地址，现在需要在hook函数中，获取被映射的文件名。
我想到一种办法，就是也hook NtCreateSection，并通过NtCreateSection维护一个包括SectionHandle和文件名对应关系的表，在NtMapViewOfSection中通过这个表来获取文件名。
但不知道有没有在NtMapViewOfSection中直接从SectionHandle获取被映射的文件的方法呢？

...全文

561 4 打赏收藏转发到动态举报

写回复

用AI写文章

4 条回复

切换为时间正序

请发表友善的回复…

发表回复

UltraBejing 2008-04-30

打赏
举报

接分是王道！

yangtengfei 2008-02-17

打赏
举报

//根据 SECTION_OBJECT 获取全路径.

#define SEGMENT_OFFSET 0x0014
#define CTLAREA_OFFSET 0x0000
#define FILE_OBJ_OFFSET 0x0024

BOOLEAN GetFullPathBySection(PVOID SectionObject,PCHAR szOutPutPath)
{

ULONG ProcObj = 0;
ULONG pOffset = 0;
PFILE_OBJECT pFile = NULL;
/* BOOLEAN bRel = FALSE;*/
WCHAR wszDrvSym[MAX_PATH];
ULONG nLen = 0;
UNICODE_STRING VolName;
NTSTATUS nStatus;

if (!SectionObject)
return FALSE;
else if (!szOutPutPath)
return FALSE;

pOffset = (ULONG)SectionObject;

pOffset = *(PULONG)(pOffset + SEGMENT_OFFSET); // Segment Offset
if (!pOffset)
return FALSE;

pOffset = *(PULONG)(pOffset + CTLAREA_OFFSET); // ControlArea Offset
if (!pOffset)
return FALSE;

pOffset = *(PULONG)(pOffset + FILE_OBJ_OFFSET); // File Object Offset
if (!pOffset)
return FALSE;

pFile = (PFILE_OBJECT)pOffset;

/* __asm int 3*/

nLen = pFile->FileName.Length;
nLen >>= 1;
nLen += 2;

if (nLen >= MAX_PATH)
nLen = MAX_PATH - 1;

RtlInitUnicodeString(&VolName,wszDrvSym);
nStatus = RtlVolumeDeviceToDosName (pFile->DeviceObject,&VolName);
VolName.MaximumLength = MAX_PATH*sizeof(WCHAR);

/* bRel = GetObjectName((PVOID)pFile->DeviceObject,szDrvSym);*/

if (NT_SUCCESS(nStatus))
{

RtlUnicodeStringCatUnicodeString(&VolName,&pFile->FileName);
nLen = VolName.Length;
nLen >>= 1;
if (nLen >= MAX_PATH)
nLen = MAX_PATH -1;

wcstombs(szOutPutPath,VolName.Buffer,nLen);
szOutPutPath[nLen] = 0;

}
else
{

wcstombs(szOutPutPath,pFile->FileName.Buffer,nLen);
szOutPutPath[nLen] = 0;

}
return TRUE;

}

siLence_Again 2008-01-25

打赏
举报

御魔的hips.sys中逆向出来的：

引用

[font=宋体]NTSTATUS GetProcessImageName(HANDLE SectionHandle, PCHAR ProcessImageName)
{
PVOID SectionObject;
PFILE_OBJECT FileObject;
UNICODE_STRING FilePath;
NTSTATUS Status;
UNICODE_STRING DosName;
STRING AnsiString;

SectionObject = NULL;
FileObject = NULL;
FilePath.Buffer = 0;
FilePath.Length = 0;
*ProcessImageName = 0;
Status = ObReferenceObjectByHandle(SectionHandle, 0, NULL, KernelMode, &SectionObject, NULL);
if ( NT_SUCCESS(Status) )
{
FilePath.Buffer = (PWSTR)ExAllocatePoolWithTag(PagedPool, 0x200u, ' kdD');
FilePath.MaximumLength = 512;
FileObject = *((_DWORD *)SectionObject + 5);
FileObject = *(_DWORD *)FileObject;
FileObject = *(_DWORD *)(FileObject + 36);
ObReferenceObjectByPointer((PVOID)FileObject, 0, NULL, KernelMode);
RtlVolumeDeviceToDosName(FileObject->DeviceObject, &DosName);
RtlCopyUnicodeString(&FilePath, &DosName);
RtlAppendUnicodeStringToString(&FilePath, FileObject->FileName);
ObfDereferenceObject(FileObject);
ObfDereferenceObject(SectionObject);
RtlUnicodeStringToAnsiString(&AnsiString, &FilePath, TRUE);
if ( AnsiString.Length >= 256 )
{
memcpy(ProcessImageName, AnsiString.Buffer, 0x100u);
*(ProcessImageName + 255) = 0;
}
else
{
memcpy(ProcessImageName, AnsiString.Buffer, AnsiString.Length);
ProcessImageName[AnsiString.Length] = 0;
}
RtlFreeAnsiString(&AnsiString);
ExFreePoolWithTag(DosName.Buffer, 0);
ExFreePoolWithTag(FilePath.Buffer, 0);
Status = STATUS_SUCCESS;
}

return Status;
}
[/font]