Driver/MMap: fixed bug in VAD memory deallocation

Rablidad · Mar 6, 2019 · bd30dd1 · bd30dd1
1 parent f0b9bc9
commit bd30dd1
Showing 1 changed file with 17 additions and 2 deletions.
diff --git a/src/BlackBoneDrv/MMap.c b/src/BlackBoneDrv/MMap.c
@@ -502,6 +502,7 @@ NTSTATUS BBFindOrMapModule(
             ALLOCATE_FREE_MEMORY request = { 0 };
             ALLOCATE_FREE_MEMORY_RESULT mapResult = { 0 };
 
+            request.pid = (ULONG)(ULONG_PTR)PsGetProcessId( pProcess );
             request.allocate = TRUE;
             request.physical = TRUE;
             request.protection = PAGE_EXECUTE_READWRITE;
@@ -649,8 +650,22 @@ NTSTATUS BBFindOrMapModule(
         // Delete remote image
         if (pLocalImage->baseAddress)
         {
-            SIZE_T tmpSize = 0;
-            ZwFreeVirtualMemory( ZwCurrentProcess(), &pLocalImage->baseAddress, &tmpSize, MEM_RELEASE );
+            if (flags & KHideVAD)
+            {
+                ALLOCATE_FREE_MEMORY request = { 0 };
+                ALLOCATE_FREE_MEMORY_RESULT mapResult = { 0 };
+
+                request.pid = (ULONG)(ULONG_PTR)PsGetProcessId( pProcess );
+                request.allocate = FALSE;
+                request.physical = TRUE;
+
+                BBAllocateFreePhysical( pProcess, &request, &mapResult );
+            } 
+            else
+            {
+                SIZE_T tmpSize = 0;
+                ZwFreeVirtualMemory( ZwCurrentProcess(), &pLocalImage->baseAddress, &tmpSize, MEM_RELEASE );
+            }
         }
 
         RtlFreeUnicodeString( &pLocalImage->fullPath );