Forum Replies Created
-
Posts
-
Hi,
I found my mistake, I need to use _SEGMENT instead of _SEGMENT_OBJECT, even if it is written different while analyzing structures from kernel debugger. I found that in calls to MapViewOfSection, there are some ControlAreas that have no FileObject associated? Can someone tell me why?
Many Thx!
Hi,
I like to get the full image file name that a section is backed up by. I intercept calls to NtMapViewOfSection, and want to retrieve this information from the section handle I get here (as I read from your posts in case of process image, maybe there is even a better way to do this on 2k/XP).
I first reference the Handle with ObReferenceObjByHandle() to get a pointer to the objbody, this seems to work. Also the segment filed of section structure seems to be valid. but the Control area in the segment structure contains no valid pointer, just some small value (0x4C) in some cases.
Hope someone can help,
Thx!
