		Alex
I have a small piece of code that creates a section for ntdll.dll and maps it
into system address space. But after running this code, Windows 2000 and XP
become unable to start new processes. It looks as if ntdll.dll has been
completely unmapped from the system.
On Windows Server 2003, however, everything seems to work fine.
If I comment out the calls to MmMapViewInSystemSpace/MmUnmapViewInSystemSpace,
everything is okay.
If I substitute SEC_COMMIT for SEC_IMAGE, everything is okay again.
What is wrong?
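/*
 * The original listing passed the raw value 0x01000000 for the section
 * attributes; that is SEC_IMAGE (ntifs.h).  Give it its name, but only define
 * it if the headers in use did not.
 */
#ifndef SEC_IMAGE
#define SEC_IMAGE 0x01000000
#endif

/*
 * foo - open \SystemRoot\system32\ntdll.dll read-only, create an image
 * (SEC_IMAGE) section over it, map the whole section into system space and
 * unmap it again immediately.  Nothing is done with the view in between.
 *
 * Returns STATUS_SUCCESS when every step succeeded, otherwise the NTSTATUS of
 * the first failing call (the unmap status is propagated as well, which the
 * original ignored).  The file handle, the section handle and the section
 * object reference are released on every exit path.
 *
 * NOTE(review): the poster observes that on Windows 2000 / XP this sequence
 * leaves the system unable to start new processes, while the same code with
 * SEC_COMMIT, or with the map/unmap pair removed, behaves.  To my knowledge
 * MmMapViewInSystemSpace is intended for data sections; that observation is
 * consistent with image views in system space being unsupported on those
 * kernels -- confirm against the WDK documentation for the target OS before
 * relying on this path.  The view is mapped read-only and is never called into
 * here, so nothing in this function executes the mapped image.
 */
NTSTATUS foo( VOID )
{
    UNICODE_STRING FileName;
    OBJECT_ATTRIBUTES ObjectAttributes;
    IO_STATUS_BLOCK IoStatusBlock;
    PVOID SectionObject = NULL;
    HANDLE FileHandle = NULL;
    HANDLE SectionHandle = NULL;
    PVOID Base = NULL;
    /* MmMapViewInSystemSpace takes a PSIZE_T; a UINT (as in the original) is
       too narrow on 64-bit builds and would let the callee write past it. */
    SIZE_T Size = 0;
    NTSTATUS Status;

    RtlInitUnicodeString( &FileName, L"\\SystemRoot\\system32\\ntdll.dll" );
    InitializeObjectAttributes(
        &ObjectAttributes,
        &FileName,
        OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE,
        NULL,
        NULL );

    /* Read-only open; full sharing so the system's own use of ntdll.dll
       (and any concurrent mapping of it) does not make the open fail. */
    Status = ZwCreateFile(
        &FileHandle,
        GENERIC_READ,
        &ObjectAttributes,
        &IoStatusBlock,
        NULL,
        0,
        FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE,
        FILE_OPEN,
        0,
        NULL,
        0 );
    if( !NT_SUCCESS( Status ) )
    {
        return Status;
    }

    /* Unnamed section; OBJ_KERNEL_HANDLE keeps the handle out of the
       current process's handle table. */
    InitializeObjectAttributes(
        &ObjectAttributes,
        NULL,
        OBJ_KERNEL_HANDLE,
        NULL,
        NULL );
    Status = ZwCreateSection(
        &SectionHandle,
        SECTION_MAP_READ,
        &ObjectAttributes,
        NULL,
        PAGE_READONLY,
        SEC_IMAGE,
        FileHandle );
    if( !NT_SUCCESS( Status ) )
    {
        goto CloseFile;
    }

    /* ObjectType NULL skips the type check.  That is acceptable only because
       the handle was created a few lines above as a kernel handle; a handle
       that could come from user mode must be checked against
       MmSectionObjectType with AccessMode UserMode instead. */
    Status = ObReferenceObjectByHandle(
        SectionHandle,
        SECTION_MAP_READ,
        NULL,
        KernelMode,
        &SectionObject,
        NULL );
    if( !NT_SUCCESS( Status ) )
    {
        goto CloseSection;
    }

    /* Base == NULL and Size == 0 ask for the entire section. */
    Status = MmMapViewInSystemSpace( SectionObject, &Base, &Size );
    if( NT_SUCCESS( Status ) )
    {
        /* The view is not used; tear it down right away.  The section
           reference is held until after the unmap, rather than dropped
           before it as the original did. */
        NTSTATUS UnmapStatus = MmUnmapViewInSystemSpace( Base );
        if( !NT_SUCCESS( UnmapStatus ) )
        {
            Status = UnmapStatus;
        }
    }

    ObDereferenceObject( SectionObject );

CloseSection:
    ZwClose( SectionHandle );
CloseFile:
    ZwClose( FileHandle );
    return Status;
}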
				
into system address space. But after running this code, Windows 2000 and XP
become unable to start new processes. It looks as if ntdll.dll has been
completely unmapped from the system.
On Windows Server 2003, however, everything seems to work fine.
If I comment out the calls to MmMapViewInSystemSpace/MmUnmapViewInSystemSpace,
everything is okay.
If I substitute SEC_COMMIT for SEC_IMAGE, everything is okay again.
What is wrong?
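/*
 * The original listing passed the raw value 0x01000000 for the section
 * attributes; that is SEC_IMAGE (ntifs.h).  Give it its name, but only define
 * it if the headers in use did not.
 */
#ifndef SEC_IMAGE
#define SEC_IMAGE 0x01000000
#endif

/*
 * foo - open \SystemRoot\system32\ntdll.dll read-only, create an image
 * (SEC_IMAGE) section over it, map the whole section into system space and
 * unmap it again immediately.  Nothing is done with the view in between.
 *
 * Returns STATUS_SUCCESS when every step succeeded, otherwise the NTSTATUS of
 * the first failing call (the unmap status is propagated as well, which the
 * original ignored).  The file handle, the section handle and the section
 * object reference are released on every exit path.
 *
 * NOTE(review): the poster observes that on Windows 2000 / XP this sequence
 * leaves the system unable to start new processes, while the same code with
 * SEC_COMMIT, or with the map/unmap pair removed, behaves.  To my knowledge
 * MmMapViewInSystemSpace is intended for data sections; that observation is
 * consistent with image views in system space being unsupported on those
 * kernels -- confirm against the WDK documentation for the target OS before
 * relying on this path.  The view is mapped read-only and is never called into
 * here, so nothing in this function executes the mapped image.
 */
NTSTATUS foo( VOID )
{
    UNICODE_STRING FileName;
    OBJECT_ATTRIBUTES ObjectAttributes;
    IO_STATUS_BLOCK IoStatusBlock;
    PVOID SectionObject = NULL;
    HANDLE FileHandle = NULL;
    HANDLE SectionHandle = NULL;
    PVOID Base = NULL;
    /* MmMapViewInSystemSpace takes a PSIZE_T; a UINT (as in the original) is
       too narrow on 64-bit builds and would let the callee write past it. */
    SIZE_T Size = 0;
    NTSTATUS Status;

    RtlInitUnicodeString( &FileName, L"\\SystemRoot\\system32\\ntdll.dll" );
    InitializeObjectAttributes(
        &ObjectAttributes,
        &FileName,
        OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE,
        NULL,
        NULL );

    /* Read-only open; full sharing so the system's own use of ntdll.dll
       (and any concurrent mapping of it) does not make the open fail. */
    Status = ZwCreateFile(
        &FileHandle,
        GENERIC_READ,
        &ObjectAttributes,
        &IoStatusBlock,
        NULL,
        0,
        FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE,
        FILE_OPEN,
        0,
        NULL,
        0 );
    if( !NT_SUCCESS( Status ) )
    {
        return Status;
    }

    /* Unnamed section; OBJ_KERNEL_HANDLE keeps the handle out of the
       current process's handle table. */
    InitializeObjectAttributes(
        &ObjectAttributes,
        NULL,
        OBJ_KERNEL_HANDLE,
        NULL,
        NULL );
    Status = ZwCreateSection(
        &SectionHandle,
        SECTION_MAP_READ,
        &ObjectAttributes,
        NULL,
        PAGE_READONLY,
        SEC_IMAGE,
        FileHandle );
    if( !NT_SUCCESS( Status ) )
    {
        goto CloseFile;
    }

    /* ObjectType NULL skips the type check.  That is acceptable only because
       the handle was created a few lines above as a kernel handle; a handle
       that could come from user mode must be checked against
       MmSectionObjectType with AccessMode UserMode instead. */
    Status = ObReferenceObjectByHandle(
        SectionHandle,
        SECTION_MAP_READ,
        NULL,
        KernelMode,
        &SectionObject,
        NULL );
    if( !NT_SUCCESS( Status ) )
    {
        goto CloseSection;
    }

    /* Base == NULL and Size == 0 ask for the entire section. */
    Status = MmMapViewInSystemSpace( SectionObject, &Base, &Size );
    if( NT_SUCCESS( Status ) )
    {
        /* The view is not used; tear it down right away.  The section
           reference is held until after the unmap, rather than dropped
           before it as the original did. */
        NTSTATUS UnmapStatus = MmUnmapViewInSystemSpace( Base );
        if( !NT_SUCCESS( UnmapStatus ) )
        {
            Status = UnmapStatus;
        }
    }

    ObDereferenceObject( SectionObject );

CloseSection:
    ZwClose( SectionHandle );
CloseFile:
    ZwClose( FileHandle );
    return Status;
}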
