ZwMapViewOfSection is a kernel function. It lets an application map the exported functions of a dynamic-link library into memory and create memory-mapped files, establishing a link between physical memory and a region of the current process's memory. It is used in memory injection, kernel hooks, reading physical memory, reading BIOS contents, driver development, trojan writing and the like. The function is in ntdll.dll.
ZwMapViewOfSection function
NTSYSAPI NTSTATUS ZwMapViewOfSection(
    HANDLE          SectionHandle,
    HANDLE          ProcessHandle,
    PVOID           *BaseAddress,
    ULONG_PTR       ZeroBits,
    SIZE_T          CommitSize,
    PLARGE_INTEGER  SectionOffset,
    PSIZE_T         ViewSize,
    SECTION_INHERIT InheritDisposition,
    ULONG           AllocationType,
    ULONG           Win32Protect
);
Parameters
SectionHandle
Handle to a section object. This handle is created by a successful call to ZwCreateSection or ZwOpenSection.
ProcessHandle
Handle to the object that represents the process that the view should be mapped into. Use the ZwCurrentProcess macro to specify the current process. The handle must have been opened with PROCESS_VM_OPERATION access (described in the Microsoft Windows SDK documentation).
BaseAddress
Pointer to a variable that receives the base address of the view. If the value of this parameter is not NULL, the view is allocated starting at the specified virtual address rounded down to the next 64-kilobyte address boundary.
ZeroBits
Specifies the number of high-order address bits that must be zero in the base address of the section view. The value of this parameter must be less than 21 and is used only if BaseAddress is NULL, in other words, when the caller allows the system to determine where to allocate the view.
CommitSize
Specifies the size, in bytes, of the initially committed region of the view. CommitSize is meaningful only for page-file backed sections and is rounded up to the nearest multiple of PAGE_SIZE. (For sections that map files, both the data and the image are committed at section-creation time.)
SectionOffset
A pointer to a variable that receives the offset, in bytes, from the beginning of the section to the view. If this pointer is not NULL, the offset is rounded down to the next allocation-granularity size boundary.
ViewSize
A pointer to a SIZE_T variable. If the initial value of this variable is zero, ZwMapViewOfSection maps a view of the section that starts at SectionOffset and continues to the end of the section. Otherwise, the initial value specifies the view's size, in bytes. ZwMapViewOfSection always rounds this value up to the nearest multiple of PAGE_SIZE before mapping the view. On return, the value receives the actual size, in bytes, of the view.
InheritDisposition
Specifies how the view is to be shared with child processes. The possible values are:
ViewShare: The view will be mapped into any child processes that are created in the future.
ViewUnmap: The view will not be mapped into child processes.
Drivers should typically specify ViewUnmap for this parameter.
AllocationType
Specifies a set of flags that describes the type of allocation to be performed for the specified region of pages. The valid flags are MEM_LARGE_PAGES, MEM_RESERVE, and MEM_TOP_DOWN. Although MEM_COMMIT is not allowed, it is implied unless MEM_RESERVE is specified. For more information about the MEM_XXX flags, see the description of the VirtualAlloc routine.
Win32Protect
Specifies the type of protection for the region of initially committed pages. Device and intermediate drivers should set this value to PAGE_READWRITE.
Return Value
ZwMapViewOfSection returns an NTSTATUS value. Possible return values include the following:
STATUS_SUCCESS: The routine successfully performed the requested operation.
STATUS_CONFLICTING_ADDRESSES: The specified address range conflicts with an address range already reserved, or the specified cache attribute type conflicts with the address range's existing cache attribute. For example, if the memory being mapped lies within a large page that is already mapped as fully cached, then it is illegal to request to map this memory as noncached or write combined.
STATUS_INVALID_PAGE_PROTECTION: The value specified for the Protect parameter is invalid.
STATUS_SECTION_PROTECTION: The value specified for the AllocationType parameter is incompatible with the protection type specified when the section was created.
Remarks
Several different views of a section can be concurrently mapped into the virtual address space of one or more processes. If the specified section does not exist or the access requested is not allowed, ZwMapViewOfSection returns an error.
Do not use ZwMapViewOfSection to map a memory range from \Device\PhysicalMemory into user mode, unless your driver has directly allocated the memory range through MmAllocatePagesForMdl or another method guaranteeing that no other system component has mapped the same memory range with a different MEMORY_CACHING_TYPE value. User applications cannot access \Device\PhysicalMemory directly starting with Windows Server 2003 with Service Pack 1 (SP1) and can access it only if the driver passes a handle to the application.
For more information about section objects, see Section Objects and Views.
Note: If the call to this function occurs in user mode, you should use the name "NtMapViewOfSection" instead of "ZwMapViewOfSection". For calls from kernel-mode drivers, the NtXxx and ZwXxx versions of a Windows Native System Services routine can behave differently in the way that they handle and interpret input parameters. For more information about the relationship between the NtXxx and ZwXxx versions of a routine, see Using Nt and Zw Versions of the Native System Services Routines.
Requirements
Minimum supported client: Available starting with Windows 2000.
Target Platform: Universal
Header: wdm.h (include Wdm.h, Ntddk.h, Ntifs.h)
Library: NtosKrnl.lib
DLL: NtosKrnl.exe
IRQL: PASSIVE_LEVEL
DDI compliance rules: PowerIrpDDis, HwStorPortProhibitedDDIs
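The parameter rules above (BaseAddress rounded down to 64 KB, SectionOffset rounded down to the allocation granularity, ViewSize rounded up to PAGE_SIZE or 0 for "to the end of the section", ZeroBits below 21, only three AllocationType flags with MEM_COMMIT implied) are easy to get wrong when the native routine is called directly. The C program below is an added example, not code from this page or from Microsoft. normalize_view_request() applies those documented rules to a prospective call and reports the values the kernel would work with; on Windows only, map_private_section_view() performs the user-mode call through the NtCreateSection / NtMapViewOfSection exports of ntdll.dll (the Nt names, as the Note requires for user mode) against an unnamed section in the calling process and returns the ViewSize the kernel hands back. The 64 KiB granularity, the 4096-byte page size, the MEM_* values, the SECTION_INHERIT value for ViewUnmap and the behaviour of adding the rounded-off offset back to the view size (what the Win32 MapViewOfFile wrapper does) are assumptions for x86/x64 Windows; the request in main() is constructed.

```c
/* Added example (not from the page or Microsoft): models the documented parameter rules
 * of ZwMapViewOfSection; on Windows only, also issues the real user-mode call through
 * ntdll's NtCreateSection / NtMapViewOfSection exports. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#ifdef _WIN32
#include <windows.h>
#include <winternl.h>
#endif
#define VIEW_PAGE_SIZE         4096ULL  /* assumed PAGE_SIZE (x86/x64) */
#define VIEW_ALLOC_GRANULARITY 65536ULL /* assumed 64 KiB allocation granularity */
#ifndef MEM_RESERVE                     /* windows.h defines these on Windows */
#define MEM_COMMIT      0x00001000u
#define MEM_RESERVE     0x00002000u
#define MEM_TOP_DOWN    0x00100000u
#define MEM_LARGE_PAGES 0x20000000u
#endif
typedef enum {
    VIEW_OK = 0,
    VIEW_BAD_ZEROBITS,        /* ZeroBits must be less than 21 */
    VIEW_BAD_ALLOCATION_TYPE, /* only MEM_LARGE_PAGES, MEM_RESERVE, MEM_TOP_DOWN */
    VIEW_PAST_END_OF_SECTION  /* requested range is not inside the section */
} view_check_t;
typedef struct {
    uint64_t base_hint; /* BaseAddress rounded down to 64 KiB (0 = system chooses) */
    uint64_t offset;    /* SectionOffset rounded down to the allocation granularity */
    uint64_t view_size; /* ViewSize rounded up to PAGE_SIZE, as handed back on return */
    bool     commit;    /* MEM_COMMIT is implied unless MEM_RESERVE is passed */
} view_request_t;
static uint64_t round_down(uint64_t v, uint64_t g) { return v - (v % g); }
static uint64_t round_up(uint64_t v, uint64_t g)   { return (v + g - 1) / g * g; }

/* Applies the documented rounding and validation rules to a prospective call.
 * section_size is the page-aligned section size; view_size 0 means "to the end". */
view_check_t normalize_view_request(uint64_t section_size, uint64_t base_hint, unsigned zero_bits,
                                    uint64_t section_offset, uint64_t view_size,
                                    uint32_t allocation_type, view_request_t *out)
{
    if (zero_bits >= 21)             /* ZeroBits is only consulted when base_hint is 0 */
        return VIEW_BAD_ZEROBITS;
    if (allocation_type & ~(uint32_t)(MEM_LARGE_PAGES | MEM_RESERVE | MEM_TOP_DOWN))
        return VIEW_BAD_ALLOCATION_TYPE;   /* an explicit MEM_COMMIT is rejected here too */
    if (section_offset >= section_size)
        return VIEW_PAST_END_OF_SECTION;
    out->base_hint = round_down(base_hint, VIEW_ALLOC_GRANULARITY);
    out->offset    = round_down(section_offset, VIEW_ALLOC_GRANULARITY);
    out->commit    = (allocation_type & MEM_RESERVE) == 0;
    if (view_size == 0)
        out->view_size = section_size - out->offset;
    else /* add back the bytes dropped by rounding the offset down, as MapViewOfFile does */
        out->view_size = round_up(view_size + (section_offset - out->offset), VIEW_PAGE_SIZE);
    return (out->offset + out->view_size > section_size) ? VIEW_PAST_END_OF_SECTION : VIEW_OK;
}

#ifdef _WIN32
#define CURRENT_PROCESS_HANDLE ((HANDLE)(LONG_PTR)-1) /* what ZwCurrentProcess expands to */
#define SECTION_INHERIT_VIEWUNMAP 2u                  /* SECTION_INHERIT value ViewUnmap */
typedef NTSTATUS (NTAPI *NtCreateSection_t)(PHANDLE, ACCESS_MASK, POBJECT_ATTRIBUTES,
                                            PLARGE_INTEGER, ULONG, ULONG, HANDLE);
typedef NTSTATUS (NTAPI *NtMapViewOfSection_t)(HANDLE, HANDLE, PVOID *, ULONG_PTR, SIZE_T,
                                               PLARGE_INTEGER, PSIZE_T, ULONG, ULONG, ULONG);
typedef NTSTATUS (NTAPI *NtUnmapViewOfSection_t)(HANDLE, PVOID);
/* Creates an unnamed page-file backed section of `size` bytes, maps a view of it into the
 * current process (ViewUnmap, PAGE_READWRITE), unmaps it again and returns the page-rounded
 * ViewSize the kernel reported, or 0 on failure. */
SIZE_T map_private_section_view(SIZE_T size)
{
    HMODULE ntdll = GetModuleHandleW(L"ntdll.dll");
    if (ntdll == NULL) return 0;
    NtCreateSection_t      pCreate = (NtCreateSection_t)GetProcAddress(ntdll, "NtCreateSection");
    NtMapViewOfSection_t   pMap    = (NtMapViewOfSection_t)GetProcAddress(ntdll, "NtMapViewOfSection");
    NtUnmapViewOfSection_t pUnmap  = (NtUnmapViewOfSection_t)GetProcAddress(ntdll, "NtUnmapViewOfSection");
    if (!pCreate || !pMap || !pUnmap) return 0;
    LARGE_INTEGER max_size; max_size.QuadPart = (LONGLONG)size; HANDLE section = NULL;
    NTSTATUS st = pCreate(&section, SECTION_ALL_ACCESS, NULL, &max_size, PAGE_READWRITE, SEC_COMMIT, NULL);
    if (st < 0) return 0;                 /* NTSTATUS: negative values are failures */
    PVOID base = NULL; SIZE_T view_size = 0; /* NULL base: system picks; 0 size: to end of section */
    LARGE_INTEGER offset; offset.QuadPart = 0;
    st = pMap(section, CURRENT_PROCESS_HANDLE, &base, 0, 0, &offset, &view_size,
              SECTION_INHERIT_VIEWUNMAP, 0 /* MEM_COMMIT implied */, PAGE_READWRITE);
    if (st >= 0) {
        ((volatile unsigned char *)base)[0] = 0x5a; /* the view is committed and writable */
        pUnmap(CURRENT_PROCESS_HANDLE, base);
    }
    CloseHandle(section);
    return st >= 0 ? view_size : 0;
}
#endif

int main(void)
{
    view_request_t r; /* constructed request: 192 KiB section, 1 byte wanted at offset 0x1800 */
    view_check_t rc = normalize_view_request(0x30000, 0x12345, 0, 0x1800, 1, 0, &r);
    printf("check=%d base_hint=0x%llx offset=0x%llx view_size=0x%llx commit=%d\n", (int)rc,
           (unsigned long long)r.base_hint, (unsigned long long)r.offset,
           (unsigned long long)r.view_size, (int)r.commit);
#ifdef _WIN32
    printf("kernel-reported ViewSize for a 5000-byte section: %llu\n",
           (unsigned long long)map_private_section_view(5000));
#endif
    return 0;
}
```

Running the model first is a cheap way to see why a call fails with STATUS_CONFLICTING_ADDRESSES or a view-size error before touching the real API: the address hint you passed is not the address the kernel will use, and a one-byte view at an unaligned offset becomes two pages. On Windows the second line of output shows the rounding in practice, since the kernel reports the page-rounded size of the section, not the 5000 bytes requested.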
Kernel function series
ntdll.dll exports several hundred functions, so it helps to know which series each one belongs to. Why? Because Microsoft has grouped the exported functions of ntdll.dll by purpose and given each group a meaningful prefix, so the prefix of a function's series tells you roughly what it does. The series are briefly introduced below:
1. Ki series: these kernel functions serve the system kernel and can only be called from inside the kernel. Common ones include KiUserCallbackDispatcher, KiRaiseUserExceptionDispatcher, KiUserApcDispatcher and KiUserExceptionDispatcher.
2. Csr series: these functions serve the client/server runtime. If you want to intercept client/server operations, you need to look further into the Csr kernel functions. Common ones include CsrClientCallServer, CsrCaptureMessageBuffer, CsrConnectClientToServer and CsrNewThread.
3. Ldr series: these kernel functions serve the loader. If you intend to intercept the loader, look further into this group of functions prefixed Ldr. Common ones include LdrInitializeThunk, LdrLockLoaderLock, LdrUnlockLoaderLock, LdrGetDllHandle and LdrGetProcedureAddress.
4. Dbg series: these kernel functions serve debug management. If you intend to intercept debugging operations, look further into this group of functions prefixed Dbg. Common ones include DbgBreakPoint, DbgUserBreakPoint, DbgPrint and DbgUiConnectToDbg.
5. Etw series: these kernel functions serve event tracing (Event Tracing for Windows). If you intend to intercept tracing operations, look further into this group of functions prefixed Etw. Common ones include EtwTraceEvent, EtwEnableTrace, EtwGetTraceEnableLevel and EtwGetTraceEnableFlags.
6. Rtl series: these kernel functions form the runtime library. Functions with the Rtl prefix perform a wide range of operations: initializing and using strings, threads, resources, critical sections and security objects; handling memory, process exceptions and data types; timers, heaps, IPv4 and IPv6 operations; and compression and decompression.
7. Pfx series: these kernel functions serve ANSI string operations. If you intend to intercept operations on ANSI string tables, you need to look further into these functions. Common ones include PfxInitialize, PfxRemovePrefix, PfxInsertPrefix and PfxFindPrefix.
8. Zw series: these kernel functions serve file and registry operations, such as file operations, registry operations, process access, event operations, token operations, process operations and port operations.
Microsoft link
ZwMapViewOfSection function (wdm.h) - Windows drivers | Microsoft Docs https://docs.microsoft.com/en-us/windows-hardware/drivers/ddi/content/wdm/nf-wdm-zwmapviewofsection#viewshare