none
ZwMapViewOfSection: error 0xc0000017 RRS feed

  • Question

  • I wants get base address (not confuse with image base) directly from one kernel module (file) and the following code works fine from Win XP to Win 7 x32.

    This error occurs when i try to map some file on Win 8.1 or Win 10.

    How fix?

    #define SEC_IMAGE 0x1000000
    
       ///////////////////////////// VARIABLES ///////////////////////////////////
    
        CHAR buf[MAXIMUM_FILENAME_LENGTH]="\\SystemRoot\\system32\\ntoskrnl.exe";
        OBJECT_ATTRIBUTES oaNtoskrnl,oa;
        IO_STATUS_BLOCK stStatusBlock;
        HANDLE hNtoskrnl=0,hSection=0;
        UNICODE_STRING us;
        PVOID pNtoskrnl=0;
        ULONG dwViewSize=0;
        STRING as;
    
       //////////////////////////////////////////////////////////////////////////
    
            RtlInitString(&as,(PCSZ)buf);
            RtlAnsiStringToUnicodeString(&us,&as,TRUE);
    
            DbgPrint("%wZ", &us);
    
            InitializeObjectAttributes(&oaNtoskrnl,&us,OBJ_CASE_INSENSITIVE|OBJ_KERNEL_HANDLE,NULL,NULL);
    
            status=ZwCreateFile(
            &hNtoskrnl,
            FILE_READ_DATA,
            &oaNtoskrnl,
            &stStatusBlock,
            NULL,
            FILE_ATTRIBUTE_NORMAL,
            FILE_SHARE_READ|FILE_SHARE_WRITE,
            FILE_OPEN,
            NULL,
            NULL,
            NULL);
    
        RtlFreeUnicodeString(&us);
    
        if(!NT_SUCCESS(status))
        {
            DbgPrint("Failed ZwCreateFile! 0x%x \n", status);
        }
    
        InitializeObjectAttributes(&oa,NULL,OBJ_CASE_INSENSITIVE|OBJ_KERNEL_HANDLE,NULL,NULL);
    
        status=ZwCreateSection(
            &hSection,
            SECTION_MAP_READ,
            &oa,
            NULL,
            PAGE_READONLY,
            SEC_IMAGE,
            hNtoskrnl
            );
        if(!NT_SUCCESS(status))
        {
            DbgPrint(("Failed ZwCreateSection! 0x%x \n", status));
            ZwClose(hNtoskrnl);
        }
    
        status=ZwMapViewOfSection(
            hSection,
            NtCurrentProcess(),
            &pNtoskrnl,
            16,
            NULL,
            NULL,
            &dwViewSize,
            ViewUnmap,
            NULL,
            PAGE_READWRITE
            );
    
        if(!NT_SUCCESS(status))
        {
            DbgPrint("Failed ZwMapViewOfSection! 0x%x \n", status);
            ZwClose(hSection);
            ZwClose(hNtoskrnl);
        }
    
        DbgPrint("Initialize finished! 0x%x \n", pNtoskrnl); 
    
        ZwUnmapViewOfSection(NtCurrentProcess(), pNtoskrnl);
        ZwClose(hSection);
        ZwClose(hNtoskrnl); 



    • Edited by FL4SHC0D3R Saturday, October 28, 2017 11:17 PM
    Saturday, October 28, 2017 10:51 PM

All replies

  • Why are you setting the ZeroBits parameter to 16 in the call to MapViewOfSection? What error are you getting?

     -Brian


    Azius Developer Training www.azius.com Windows device driver, internals, security, & forensics training and consulting. Blog at www.azius.com/blog

    Sunday, October 29, 2017 1:47 AM
    Moderator