1. 定义页属性数组
1 // Protection flags for memory pages (Executable, Readable, Writeable) 2 static int ProtectionFlags[2][2][2] = { 3 { 4 // not executable 5 {PAGE_NOACCESS, PAGE_WRITECOPY}, 6 {PAGE_READONLY, PAGE_READWRITE}, 7 }, { 8 // executable 9 {PAGE_EXECUTE, PAGE_EXECUTE_WRITECOPY}, 10 {PAGE_EXECUTE_READ, PAGE_EXECUTE_READWRITE}, 11 }, 12 };
2. 解析节属性,转换为页属性
1 // loop through all sections and change access flags 2 for (i=0; i < module->headers->FileHeader.NumberOfSections; i++, section++) { 3 DWORD protect, oldProtect, size; 4 int executable = (section->Characteristics & IMAGE_SCN_MEM_EXECUTE) != 0; 5 int readable = (section->Characteristics & IMAGE_SCN_MEM_READ) != 0; 6 int writeable = (section->Characteristics & IMAGE_SCN_MEM_WRITE) != 0; 7 8 // determine protection flags based on characteristics 9 protect = ProtectionFlags[executable][readable][writeable]; 10 if (section->Characteristics & IMAGE_SCN_MEM_NOT_CACHED) { 11 protect |= PAGE_NOCACHE; 12 } 13 14 // determine size of region 15 size = section->SizeOfRawData; 16 if (size > 0) { 17 // change memory access flags 18 VirtualProtect( 19 (LPVOID)((POINTER_TYPE)section->Misc.PhysicalAddress | imageOffset), 20 size, 21 protect, 22 &oldProtect); 23 } 24 }