zildjohn01
July 11th, 2008, 06:17 PM
Is there any way to unmap ntdll from a process's address space? I'm trying to create a custom execution environment for EXEs, supplying my own system DLLs. Here's the code:
#include <windows.h>

// UnmapViewOfFile lives in kernel32 and is only a thin wrapper over ntdll,
// so the AV raised here is still delivered to the __except handler.
__try {
    UnmapViewOfFile(GetModuleHandleW(L"kernel32.dll"));
} __except(EXCEPTION_EXECUTE_HANDLER) {}
// ... unload more modules ...
__try { // lastly,
    UnmapViewOfFile(GetModuleHandleW(L"ntdll.dll"));
} __except(EXCEPTION_EXECUTE_HANDLER) {
    // AV not caught
}
I'm able to recover from the AV during the unload of kernel32 with SEH (which is safe, because UnmapViewOfFile is only an ntdll wrapper), but the AV during the ntdll unmap isn't caught with either variation of try (or any /EH switches); instead the debugger gives me a message, probably because EH is so closely tied to the system and ntdll is involved somehow. If I run outside the debugger the process exits silently.
I'd love to do it remotely, i.e. UnmapProcess'sViewOfFile(hProcess, lpBase), while making sure the process is running user code at the time, but I didn't see a way to do this remotely in MSDN. Maybe one of the Nt* native functions?
Any ideas?
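Editor's note with an added example (this is not the poster's code). The in-process attempt cannot be rescued by SEH because user-mode exception delivery itself lives in ntdll (the kernel hands the fault to KiUserExceptionDispatcher, which runs RtlDispatchException to walk the handler chain); once ntdll is gone there is nowhere to deliver the AV, so the kernel simply terminates the process, which is the silent exit described above. The remote variant the poster asks about does exist: the native NtUnmapViewOfSection takes a process handle as its first argument, so the unmap happens in the target's address space while the caller keeps its own ntdll. The code below resolves it from ntdll, wraps it with argument checks, and includes a psapi helper for locating a module in a target whose loader has already run. Assumptions not in the original post: the handle was opened with PROCESS_QUERY_INFORMATION | PROCESS_VM_READ | PROCESS_VM_OPERATION, the target is suspended so no thread is executing inside the module being removed, the demo path C:\Windows\System32\notepad.exe exists, and ntdll is mapped at the same address in every process for the duration of a boot session (so the parent's ntdll base is also the child's). The file builds on Windows with MSVC or MinGW (-lpsapi); elsewhere a stub keeps it compiling.

```c
/* Added example: remote unmap via NtUnmapViewOfSection (not the poster's code). */
#include <stdio.h>
#include <stddef.h>

#ifdef _WIN32
#include <windows.h>
#include <psapi.h>
#ifdef _MSC_VER
#pragma comment(lib, "psapi.lib")
#endif
#else
typedef void *HANDLE;
typedef int NTSTATUS;            /* 32-bit signed, like the Windows LONG */
#endif

#define ST_SUCCESS           ((NTSTATUS)0x00000000L)
#define ST_NOT_IMPLEMENTED   ((NTSTATUS)0xC0000002L)
#define ST_INVALID_HANDLE    ((NTSTATUS)0xC0000008L)
#define ST_INVALID_PARAMETER ((NTSTATUS)0xC000000DL)

/* Same test as the SDK's NT_SUCCESS(): success codes have the sign bit clear. */
int nt_success(NTSTATUS s) { return s >= 0; }

#ifdef _WIN32
typedef NTSTATUS (NTAPI *NtUnmapViewOfSection_t)(HANDLE ProcessHandle, void *BaseAddress);

/* Find `name` in the target's module list (psapi). Only works once the
 * target's loader has run, i.e. the "running user code" case the poster wants. */
void *remote_module_base(HANDLE hProcess, const wchar_t *name)
{
    HMODULE mods[1024];
    DWORD needed = 0;
    if (!EnumProcessModulesEx(hProcess, mods, sizeof mods, &needed, LIST_MODULES_ALL))
        return NULL;
    for (DWORD i = 0; i < needed / sizeof(HMODULE) && i < 1024; i++) {
        wchar_t base_name[MAX_PATH];
        if (GetModuleBaseNameW(hProcess, mods[i], base_name, MAX_PATH) &&
            _wcsicmp(base_name, name) == 0)
            return (void *)mods[i];
    }
    return NULL;
}
#endif

/* Unmap the view at `base` inside hProcess. Argument checks run first so the
 * function behaves identically everywhere; the real work is Windows-only. */
NTSTATUS remote_unmap_at(HANDLE hProcess, void *base)
{
    if (hProcess == NULL) return ST_INVALID_HANDLE;
    if (base == NULL)     return ST_INVALID_PARAMETER;
#ifdef _WIN32
    NtUnmapViewOfSection_t NtUnmapViewOfSection = (NtUnmapViewOfSection_t)
        GetProcAddress(GetModuleHandleW(L"ntdll.dll"), "NtUnmapViewOfSection");
    if (!NtUnmapViewOfSection) return ST_NOT_IMPLEMENTED;
    /* Only the TARGET loses the mapping; our own ntdll and SEH stay intact. */
    return NtUnmapViewOfSection(hProcess, base);
#else
    return ST_NOT_IMPLEMENTED;   /* stub so the file compiles off Windows */
#endif
}

int main(void)
{
#ifdef _WIN32
    /* Demo: pull ntdll out of a child created suspended (path is an assumption).
     * Its loader has not run, so psapi cannot enumerate it yet; ntdll shares one
     * base across all processes in a boot session, so our base is the child's.
     * Resumed, the child dies before LdrInitializeThunk ever runs. */
    STARTUPINFOW si = { sizeof si };
    PROCESS_INFORMATION pi;
    if (!CreateProcessW(L"C:\\Windows\\System32\\notepad.exe", NULL, NULL, NULL, FALSE,
                        CREATE_SUSPENDED, NULL, NULL, &si, &pi)) {
        printf("CreateProcessW failed: %lu\n", (unsigned long)GetLastError());
        return 1;
    }
    NTSTATUS st = remote_unmap_at(pi.hProcess, (void *)GetModuleHandleW(L"ntdll.dll"));
    printf("NtUnmapViewOfSection(child, ntdll) -> 0x%08lX\n", (unsigned long)(ULONG)st);
    ResumeThread(pi.hThread);
    WaitForSingleObject(pi.hProcess, 2000);
    DWORD code = 0;
    GetExitCodeProcess(pi.hProcess, &code);
    printf("child exit code 0x%08lX\n", (unsigned long)code);
    TerminateProcess(pi.hProcess, 0);
    CloseHandle(pi.hThread);
    CloseHandle(pi.hProcess);
#else
    puts("Windows-only demo; remote_unmap_at() is a stub on this platform.");
#endif
    return 0;
}
```

For the poster's actual goal (swapping in replacement system DLLs while the target runs user code) the sequence is: suspend the target, locate the module with remote_module_base, call remote_unmap_at, map the replacement at the same address, then resume; the child in the demo is deliberately left to crash so the failure mode is visible in its exit code.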