在I/O管理的最后阶段，会加载系统的所有动态链接库，例如加载NTDLL动态链接库，具体实现代码如下：
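/*
 * PsLocateSystemDll - open, validate and map the system DLL (NTDLL) into the
 * current process during process-manager initialization.
 *
 * Steps, in order:
 *   1. Open the file named by the global PsNtDllPathName for read access
 *      (FILE_READ_ACCESS, FILE_SHARE_READ).
 *   2. Validate the image with MmCheckSystemImage. A checksum mismatch is
 *      reported to the user through NtRaiseHardError and returned to the
 *      caller; it is the only validation result handled here.
 *   3. Create a SEC_IMAGE section with PAGE_EXECUTE protection over the
 *      file, then close the file handle.
 *   4. Take a kernel-mode object reference on the section, stored in the
 *      global PspSystemDllSection, then close the section handle.
 *   5. Map the section into the current process with PspMapSystemDll; the
 *      resulting base address is stored in the global PspSystemDllBase.
 *
 * Returns: STATUS_IMAGE_CHECKSUM_MISMATCH from step 2, otherwise the status
 * of PspMapSystemDll (which is a success status, since its failure bugchecks).
 *
 * Every other failure is fatal: KeBugCheckEx(PROCESS1_INITIALIZATION_FAILED,
 * Status, <step>, 0, 0), where <step> is 2..5 and identifies the failing
 * call above. KeBugCheckEx takes the bugcheck code plus four parameters;
 * the original listing passed four or three arguments and spelt the code
 * "PROCESS1_INITIALIZATION_Failed" - both are corrected here so that all
 * four bugcheck calls carry the same (Status, step, 0, 0) parameters.
 */
NTSTATUS
NTAPI
PsLocateSystemDll(VOID)
{
    OBJECT_ATTRIBUTES ObjectAttributes;
    IO_STATUS_BLOCK IoStatusBlock;
    HANDLE FileHandle, SectionHandle;
    NTSTATUS Status;
    ULONG_PTR HardErrorParameters;
    ULONG HardErrorResponse;

    /* Load the NTDLL dynamic link library. */
    /* Locate and open NTDLL to determine ImageBase and LdrStartup */
    InitializeObjectAttributes(&ObjectAttributes,
                               &PsNtDllPathName,
                               0,
                               NULL,
                               NULL);

    /* Open the NTDLL file. */
    Status = ZwOpenFile(&FileHandle,
                        FILE_READ_ACCESS,
                        &ObjectAttributes,
                        &IoStatusBlock,
                        FILE_SHARE_READ,
                        0);
    if (!NT_SUCCESS(Status))
    {
        /* Failed, bugcheck (step 2) */
        KeBugCheckEx(PROCESS1_INITIALIZATION_FAILED, Status, 2, 0, 0);
    }

    /* Check that the file's image is valid. */
    /* Check if the image is valid */
    Status = MmCheckSystemImage(FileHandle, TRUE);
    if (Status == STATUS_IMAGE_CHECKSUM_MISMATCH)
    {
        /* Raise a hard error; the single parameter is the DLL path. */
        HardErrorParameters = (ULONG_PTR)&PsNtDllPathName;
        NtRaiseHardError(Status,
                         1,
                         1,
                         &HardErrorParameters,
                         OptionOk,
                         &HardErrorResponse);
        /* This is the only non-bugcheck exit after the open succeeded, so
         * release the file handle here instead of leaking it. */
        ZwClose(FileHandle);
        return Status;
    }
    /* NOTE(review): only STATUS_IMAGE_CHECKSUM_MISMATCH is acted on above; any
     * other non-success status from MmCheckSystemImage falls through to the
     * section creation below, which overwrites Status - confirm that is the
     * intended policy for the system DLL. */

    /* Create a section for NTDLL. */
    /* Create a section for NTDLL */
    Status = ZwCreateSection(&SectionHandle,
                             SECTION_ALL_ACCESS,
                             NULL,
                             NULL,
                             PAGE_EXECUTE,
                             SEC_IMAGE,
                             FileHandle);
    /* The section keeps its own reference to the file; the handle is done. */
    ZwClose(FileHandle);
    if (!NT_SUCCESS(Status))
    {
        /* Failed, bugcheck (step 3) */
        KeBugCheckEx(PROCESS1_INITIALIZATION_FAILED, Status, 3, 0, 0);
    }

    /* Add a reference to the section. */
    /* Reference the Section */
    Status = ObReferenceObjectByHandle(SectionHandle,
                                       SECTION_ALL_ACCESS,
                                       MmSectionObjectType,
                                       KernelMode,
                                       (PVOID*)&PspSystemDllSection,
                                       NULL);
    /* The object pointer in PspSystemDllSection now holds the reference, so
     * the handle itself is no longer needed. */
    ZwClose(SectionHandle);
    if (!NT_SUCCESS(Status))
    {
        /* Failed, bugcheck (step 4) */
        KeBugCheckEx(PROCESS1_INITIALIZATION_FAILED, Status, 4, 0, 0);
    }

    /* Call PspMapSystemDll to map the DLL into the current process. */
    /* Map it */
    Status = PspMapSystemDll(PsGetCurrentProcess(), &PspSystemDllBase, FALSE);
    if (!NT_SUCCESS(Status))
    {
        /* Failed, bugcheck (step 5) */
        KeBugCheckEx(PROCESS1_INITIALIZATION_FAILED, Status, 5, 0, 0);
    }

    /* Return status */
    return Status;
}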
原文链接:https://www.f2er.com/react/308448.html