Hello, I'm trying to unmap the sections of a file loaded in memory and remap them, but after I've unmapped them, when I try to map again the NT function returns an error (I searched for it on the internet):
Code:
ntstatus.h 0xC0000220
#define STATUS_MAPPED_ALIGNMENT
{Mapped View Alignment Incorrect} An attempt was made to map a view of a file, but either the specified base address or the offset into the file were not aligned on the proper allocation granularity.
In fact I don't really know how to properly align the views with the system allocation granularity (which is 64 KB)...
I've already looked in some Windows-related books and I understand that the size must be a multiple of the granularity, but I don't understand how to accomplish that.
I have this kind of code for creating the backend section that will contain the copied PE memory:
Code:
HANDLE Sezione = NULL;
LARGE_INTEGER SecSize = {};
SecSize.QuadPart = pe.optionalHeader->SizeOfImage;
ntapi::NTSTATUS status = ntapi::NtCreateSection(&Sezione,
    SECTION_ALL_ACCESS,
    NULL,
    &SecSize,
    PAGE_READWRITE,
    SEC_COMMIT,
    NULL);
if (status != ntapi::STATUS_SUCCESS)
{
    printf("NtCreateSection failed: 0x%08X.\n", status);
    return;
}
PVOID copyViewBase = NULL;
LARGE_INTEGER copySectionOffset = {};
SIZE_T copyViewSize = 0;
status = ntapi::NtMapViewOfSection(Sezione,
    GetCurrentProcess(),
    &copyViewBase,
    0,
    pe.optionalHeader->SizeOfImage,
    &copySectionOffset,
    &copyViewSize,
    ntapi::ViewUnmap,
    0,
    PAGE_READWRITE);
Then I use memcpy to copy the memory of the PE file into this newly created section:
Code:
memcpy(copyViewBase, PVOID(pe.optionalHeader->ImageBase), pe.optionalHeader->SizeOfImage);
Then, after a bunch of code, I unmap the PE image:
Code:
ntapi::NtUnmapViewOfSection(GetCurrentProcess(), PVOID(pe.optionalHeader->ImageBase));
And after all of this I try to map the new section that I created before to remap the PE image:
Code:
// Maps one view of the backing section at a fixed address and prints the result.
auto mapPeSection = [&Sezione](SIZE_T BaseAddress,
                               SIZE_T RegionSize,
                               SIZE_T RegionOffset,
                               DWORD Protection)
{
    PVOID viewBase = PVOID(BaseAddress);
    LARGE_INTEGER sectionOffset = {};
    sectionOffset.QuadPart = RegionOffset;
    SIZE_T viewSize = RegionSize;
    ntapi::NTSTATUS status = ntapi::NtMapViewOfSection(Sezione,
        GetCurrentProcess(),
        &viewBase,
        0,
        viewSize,
        &sectionOffset,
        &viewSize,
        ntapi::ViewUnmap,
        ntapi::SEC_NO_CHANGE,//ntapi::SEC_NO_CHANGE
        Protection);
    // Format specifiers match the argument types (pointer, 64-bit offset, SIZE_T).
    if (status != ntapi::STATUS_SUCCESS)
        printf("NtMapViewOfSection failed for view at base %p: 0x%08X.\n", PVOID(BaseAddress), status);
    else
        printf("remapped %p +%016llX %16zX\n",
            viewBase,
            sectionOffset.QuadPart,
            viewSize);
};
const PIMAGE_SECTION_HEADER text = GetPeSectionByName(pe, ".text");
const PIMAGE_SECTION_HEADER rdata = GetPeSectionByName(pe, ".rdata");
const PIMAGE_SECTION_HEADER data = GetPeSectionByName(pe, ".data");
// Section headers must exist and appear in the order .text, .rdata, .data.
if (!(text && text < rdata && rdata < data))
    return;
// Mapped views for the PE Sections.
// ========================================================================
// Address Range (RVA)    Content                         Protection
// ------------------------------------------------------------------------
// 0x000000 - 0x0FFFFF    PE Header, .text.               PAGE_EXECUTE_READ
// 0x100000 - 0x2FFFFF    .rdata                          PAGE_READONLY
// 0x200000 - 0x203FFF    .data, .pdata, .rsrc, .reloc    PAGE_READWRITE
// ------------------------------------------------------------------------
mapPeSection(pe.optionalHeader->ImageBase,
    PE_HEADER_SIZE + text->Misc.VirtualSize,
    0,
    PAGE_READONLY);//PAGE_EXECUTE_READWRITE
mapPeSection(pe.optionalHeader->ImageBase + rdata->VirtualAddress,
    rdata->Misc.VirtualSize,
    rdata->VirtualAddress,
    PAGE_READONLY);
mapPeSection(pe.optionalHeader->ImageBase + data->VirtualAddress,
    0,
    data->VirtualAddress,
    PAGE_READONLY);
But here at the end there is the error when I try to call the last 3 NtMap functions.
If it's needed I can post the entire code on GitHub, because it's huge and I can't post it all in here.
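
An added example, not part of the original post: portable C arithmetic for the alignment rule quoted in the STATUS_MAPPED_ALIGNMENT text above. It rounds a section's RVA to the 64 KB granularity and reports when the resulting views would collide; the helper names and the sample layout are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* 64 KB as stated in the post; on Windows read it from
 * SYSTEM_INFO.dwAllocationGranularity instead of hard-coding it. */
#define GRANULARITY 0x10000u

/* Round to a multiple of the granularity (which is a power of two). */
static uint64_t align_down(uint64_t v) { return v & ~(uint64_t)(GRANULARITY - 1); }
static uint64_t align_up(uint64_t v)   { return align_down(v + GRANULARITY - 1); }

/* Pre-check for the condition the error text describes: both the base
 * address and the section offset must sit on a granularity boundary. */
static int view_is_aligned(uint64_t base, uint64_t offset) {
    return align_down(base) == base && align_down(offset) == offset;
}

struct view { uint64_t base, offset, size; };

/* Smallest aligned view covering [rva, rva + size) of an image at
 * image_base. The size is rounded up as well so that the next view can
 * start directly behind this one. */
static struct view covering_view(uint64_t image_base, uint64_t rva, uint64_t size) {
    struct view v;
    v.offset = align_down(rva);
    v.base   = image_base + v.offset;
    v.size   = align_up(rva + size) - v.offset;
    return v;
}

/* Two views cannot both be mapped if their address ranges intersect. */
static int views_overlap(struct view a, struct view b) {
    return a.base < b.base + b.size && b.base < a.base + a.size;
}

int main(void) {
    /* Constructed layout: headers + .text, then .rdata at a 4 KB-aligned RVA. */
    const uint64_t image_base = 0x140000000ull;
    struct view text  = covering_view(image_base, 0x0, 0x1B3F0);
    struct view rdata = covering_view(image_base, 0x1C000, 0x8200);
    printf("raw .rdata start aligned: %d\n",
           view_is_aligned(image_base + 0x1C000, 0x1C000));
    printf(".rdata view: base %llx offset %llx size %llx\n",
           (unsigned long long)rdata.base, (unsigned long long)rdata.offset,
           (unsigned long long)rdata.size);
    printf("collides with .text view: %d\n", views_overlap(text, rdata));
    return 0;
}
```

When a section's RVA is not a multiple of the granularity, its rounded-down view starts inside the previous section's view, so a separate protection per section needs section RVAs that are themselves multiples of 64 KB (the MSVC linker's `/ALIGN` option controls section alignment).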