OpenFileMapping fails in a 64-bit Windows program. Could an expert please take a look?

Time:09-26

In the following code, program A creates a file mapping object called SHINE. Program B is VS inline asm code that calls the OpenFileMapping function to open that file mapping object, but the call always fails. In the assembly,
the DOS error code I get is 0x6 (invalid handle), and the NT error code I get at the same time is 0xC0000024 STATUS_OBJECT_TYPE_MISMATCH (object type does not match).
Program A:
char v2[] = "SHINE";

HANDLE MappingHandle = NULL;
ULONG_PTR VirtualAddress = NULL;
HANDLE v1 = INVALID_HANDLE_VALUE;

v1 = CreateFileMappingA(INVALID_HANDLE_VALUE, NULL, PAGE_READWRITE, 0, 0x1000, v2);
Program B:
VS inline ASM file.
The address of the OpenFileMappingA function is the same every time, so I hard-coded it.

.data

INP DB 'SHINE\0'

.code

Sub_1 PROC

; Get the command-line parameters and save them to [rbp + 8h]
mov rax, qword ptr gs:[60h]
mov rax, qword ptr [rax + 20h]
mov rax, qword ptr [rax + 78h]
mov qword ptr [rbp + 8h], rax
; Open the file mapping object called "SHINE" and get its first memory address

lea r8, INP
xor rdx, rdx
mov rcx, 6
mov rax, 00007ffb4ed0f5d0h ; Address of OpenFileMappingA; fixed on my computer, so hard-coded
call rax
mov rax, qword ptr gs:[30h] ; Get the TEB address
xor rbx, rbx
mov ebx, dword ptr [rax + 68h] ; Offset 0x68 holds LastErrorValue
mov ecx, dword ptr [rax + 1250h] ; Offset 0x1250 holds LastStatusValue
ret
Sub_1 ENDP

END
I went through this function's call path in the Win2k source and found that it can call the ObReferenceObjectByHandle function, where there seems to be a path that sets the NTSTATUS to STATUS_OBJECT_TYPE_MISMATCH. I don't know whether this is where things go wrong for me. I'm confused and hope everybody can help solve this. I would be very grateful!

CodePudding user response:

Calls in a 64-bit environment are full of pitfalls. OpenFileMapping will call other functions, but you didn't lay out the parameters on the stack according to the calling convention, only in registers. Isn't that the reason? This assumes the call rax itself is right.

CodePudding user response:

The memory address in rax is from my GetProcAddress call, and then I passed 64; I don't know whether there is any problem with that. Very confused!

CodePudding user response:

I just looked at the OpenFileMapping() code in kernel32.dll. It makes no use of the contents of the stack, so the problem should not be in the parameter passing.
Still, set a breakpoint on call rax and see whether rax points to the OpenFileMapping() entry and whether the parameters are as expected at that point. Or test it in a separate C application.
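
The calling-convention question raised in the replies above, shown as an added example that is not code from any poster in this thread: a call to OpenFileMappingA that follows the Microsoft x64 convention (shadow space, 16-byte stack alignment, explicit NUL terminator). It assumes ml64 and linking against kernel32.lib; OpenShine, MapName and LastErr are hypothetical names.

```masm
; Added example, not the original poster's code. Assemble with ml64 and
; link against kernel32.lib. OpenShine, MapName and LastErr are
; hypothetical names chosen for this sketch.
EXTERN OpenFileMappingA:PROC
EXTERN GetLastError:PROC

FILE_MAP_WRITE EQU 2
FILE_MAP_READ  EQU 4

.data
; MASM does not interpret C escape sequences inside a quoted string, so
; the NUL terminator is written as a separate byte after the text.
MapName DB 'SHINE', 0
LastErr DD 0

.code
; HANDLE OpenShine(void)
; Returns the mapping handle in rax, or 0 with the Win32 error in LastErr.
OpenShine PROC
    ; On entry rsp is 8 mod 16 (return address pushed by the caller).
    ; 28h = 32 bytes of shadow space for the callee + 8 bytes to restore
    ; the 16-byte alignment required at the call instruction.
    sub  rsp, 28h
    mov  ecx, FILE_MAP_READ OR FILE_MAP_WRITE  ; dwDesiredAccess (6)
    xor  edx, edx                              ; bInheritHandle = FALSE
    lea  r8, MapName                           ; lpName
    call OpenFileMappingA                      ; address resolved at link/load time
    test rax, rax
    jnz  done
    call GetLastError                          ; same shadow space is reused
    mov  LastErr, eax
    xor  eax, eax                              ; return NULL on failure
done:
    add  rsp, 28h
    ret
OpenShine ENDP
END
```

Importing the function by name lets the loader supply its address, so nothing depends on where kernel32.dll happens to be mapped on one machine.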

CodePudding user response:

To the poster above: I gave up on the A-series functions and switched to the W-series functions, which succeeded, but when I compile it into shellcode and inject it into another process, it crashes...