读取任意物理地址内容
今天碰到个问题,需要读取一块物理内存做验证,就写了这个小工具,有需要的自取一下。注意两点:驱动里的 SDDL 只允许 SYSTEM 和管理员打开设备,这是防止普通用户借它读取任意物理内存的唯一关卡,不要随意放宽;另外论坛显示会吞掉部分空格和 `[IRP_MJ_CREATE]` 这类方括号,编译前需要补回。

```c
//R0
#include <ntifs.h>
#include <ntddk.h>
#include <wdmsec.h>
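// Kernel-namespace device name and the Win32-visible symbolic link that points at it.
// NOTE(review): identifiers starting with '_' + uppercase are reserved for the
// implementation; kept as-is because UnloadDriver/DriverEntry refer to them.
#define _DEVICE_NAME L"\\device\\mydevice"
#define _SYB_NAME L"\\??\\sysmblicname"
// IOCTL definitions. METHOD_BUFFERED means the I/O manager copies the caller's input into
// Irp->AssociatedIrp.SystemBuffer; FILE_ANY_ACCESS means no per-IOCTL access-right check,
// so the device ACL set in DriverEntry is the only gate on who may issue CTL_TALK.
// NOTE(review): CTL_CODE's function field is 12 bits (max 0xFFF); 0x8000 + 1 overflows it
// into the device-type bits. Driver and client compute the same value so it still works,
// but if it is ever changed it must change on both sides at once.
#define CTL_CODE_BASE 0x8000
#define CTL_ALLCODE(i) CTL_CODE(FILE_DEVICE_UNKNOWN, CTL_CODE_BASE + (i), METHOD_BUFFERED, FILE_ANY_ACCESS)
#define CTL_TALK CTL_ALLCODE(1)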
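// IRP_MJ_CREATE handler: every open that reaches the driver succeeds. Access control is
// not done here; the I/O manager enforces the SDDL passed to IoCreateDeviceSecure before
// the IRP is delivered.
// Returns STATUS_SUCCESS.
NTSTATUS DisPatchCreate(PDEVICE_OBJECT pDevice, PIRP pIrp)
{
    UNREFERENCED_PARAMETER(pDevice);
    DbgPrint("创建成功\n");
    // Set the completion status explicitly before completing the IRP; the bare 0
    // previously passed as the priority boost is IO_NO_INCREMENT.
    pIrp->IoStatus.Status = STATUS_SUCCESS;
    pIrp->IoStatus.Information = 0;
    IoCompleteRequest(pIrp, IO_NO_INCREMENT);
    return STATUS_SUCCESS;
}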
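// Map sizeof(ULONG) bytes of physical memory at 'addres' and DbgPrint each byte.
// addres: the physical address, carried as a pointer-sized integer (the caller passes an
//         integer; it is converted back explicitly instead of relying on an implicit
//         pointer/integer conversion).
// Returns STATUS_UNSUCCESSFUL if MmMapIoSpace fails, STATUS_SUCCESS otherwise. The bytes
// are only printed to the debugger, never returned to the caller.
// No address range is checked - any physical address is accepted by design, which is why
// the device ACL in DriverEntry must stay restricted to SYSTEM/Administrators.
// NOTE(review): MmMapIoSpace is meant for device I/O ranges. Mapping ordinary RAM with
// MmNonCached creates a second mapping whose cache attribute differs from the kernel's
// own; check the MmMapIoSpace remarks and consider MmCached for RAM-backed pages.
NTSTATUS ReadPhysicalMemory(PVOID addres)
{
    PHYSICAL_ADDRESS physicalAddress;
    const SIZE_T numberOfBytes = sizeof(ULONG);
    PUCHAR mapped;

    physicalAddress.QuadPart = (LONGLONG)(ULONG_PTR)addres;
    mapped = (PUCHAR)MmMapIoSpace(physicalAddress, numberOfBytes, MmNonCached);
    if (mapped == NULL) {
        return STATUS_UNSUCCESSFUL;
    }
    for (SIZE_T i = 0; i < numberOfBytes; i++) {
        // Print the address of this particular byte, not the base address every time.
        DbgPrint("Value at physical address 0x%llx: %x\n",
                 physicalAddress.QuadPart + (LONGLONG)i, mapped[i]);
    }
    MmUnmapIoSpace(mapped, numberOfBytes);
    return STATUS_SUCCESS;
}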
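// IRP_MJ_DEVICE_CONTROL handler. The only IOCTL is CTL_TALK; its input buffer carries the
// physical address to dump - the first 4 bytes as a ULONG, or the full 64-bit value when
// the caller sends at least 8 bytes. Nothing is written back (Information is always 0).
// Because the IOCTL is METHOD_BUFFERED, the input is in Irp->AssociatedIrp.SystemBuffer
// and InputBufferLength is the size the caller supplied. That buffer is NOT NUL-terminated
// and may be shorter than the value read from it, so the length is checked before any
// access (the previous strlen()/4-byte read on a caller-sized buffer read past its end).
// Returns the status stored in the IRP: STATUS_BUFFER_TOO_SMALL for short input,
// STATUS_INVALID_DEVICE_REQUEST for unknown codes, else ReadPhysicalMemory's status.
NTSTATUS DispatchControl(PDEVICE_OBJECT pDevice, PIRP pIrp)
{
    PIO_STACK_LOCATION pStack = IoGetCurrentIrpStackLocation(pIrp);
    ULONG ctlCode = pStack->Parameters.DeviceIoControl.IoControlCode;
    ULONG inLen = pStack->Parameters.DeviceIoControl.InputBufferLength;
    PVOID pBuff = pIrp->AssociatedIrp.SystemBuffer;
    NTSTATUS status;

    UNREFERENCED_PARAMETER(pDevice);

    switch (ctlCode)
    {
    case CTL_TALK:
    {
        ULONG_PTR physAddr;
        DbgPrint("had connect\n");
        // SystemBuffer is NULL when both buffer lengths are 0; never read past inLen.
        if (pBuff == NULL || inLen < sizeof(ULONG)) {
            status = STATUS_BUFFER_TOO_SMALL;
            break;
        }
        if (inLen >= sizeof(ULONGLONG)) {
            ULONGLONG wide;
            RtlCopyMemory(&wide, pBuff, sizeof(wide));
            physAddr = (ULONG_PTR)wide;   // truncated on 32-bit builds
        } else {
            ULONG narrow;
            RtlCopyMemory(&narrow, pBuff, sizeof(narrow));
            physAddr = narrow;            // zero-extended; a signed int would sign-extend bit 31
        }
        status = ReadPhysicalMemory((PVOID)physAddr);
        break;
    }
    default:
        status = STATUS_INVALID_DEVICE_REQUEST;
        break;
    }

    pIrp->IoStatus.Information = 0;
    pIrp->IoStatus.Status = status;
    IoCompleteRequest(pIrp, IO_NO_INCREMENT);
    return status;
}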
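// Driver unload: removes the symbolic link and the single device object created in
// DriverEntry. Nothing to do if the device was never created.
VOID UnloadDriver(PDRIVER_OBJECT pDriver)
{
    DbgPrint("卸载成功\n");
    if (pDriver->DeviceObject != NULL)
    {
        UNICODE_STRING symLink;
        RtlInitUnicodeString(&symLink, _SYB_NAME);
        // Link first, then the device it points at; failures are not recoverable on unload.
        IoDeleteSymbolicLink(&symLink);
        IoDeleteDevice(pDriver->DeviceObject);
    }
}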
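// Driver entry point: creates the control device with a restrictive ACL, publishes the
// symbolic link and installs the dispatch routines.
// pRegpath is unused.
// Returns the IoCreateDeviceSecure or IoCreateSymbolicLink failure status (after undoing
// what was created), else STATUS_SUCCESS.
NTSTATUS DriverEntry(PDRIVER_OBJECT pDriver, PUNICODE_STRING pRegpath)
{
    UNICODE_STRING deviceName;
    UNICODE_STRING symLinkName;
    // Only SYSTEM and Administrators may open the device. This ACL is the only thing
    // between an unprivileged user and ReadPhysicalMemory's arbitrary physical read,
    // so do not loosen it.
    UNICODE_STRING sddl = RTL_CONSTANT_STRING(L"D:P(A;;GA;;;SY)(A;;GA;;;BA)");
    // NOTE(review): this class GUID appears to be copied from another driver (the variable
    // name says NPF). IoCreateDeviceSecure treats a security descriptor stored under that
    // class's registry key as overriding the SDDL above - confirm against the docs, or
    // pass NULL for the GUID so the SDDL is authoritative.
    const GUID guidClassNPF = { 0x26e0d1e0L, 0x8189, 0x12e0, { 0x99, 0x14, 0x08, 0x00, 0x22, 0x30, 0x19, 0x04 } };
    PDEVICE_OBJECT pDevice = NULL;
    NTSTATUS st;

    UNREFERENCED_PARAMETER(pRegpath);
    DbgPrint("加载成功\n");
    pDriver->DriverUnload = UnloadDriver;

    RtlInitUnicodeString(&deviceName, _DEVICE_NAME);
    RtlInitUnicodeString(&symLinkName, _SYB_NAME);

    // FILE_DEVICE_SECURE_OPEN: the ACL is also applied to opens that append a path
    // component to the device name.
    st = IoCreateDeviceSecure(pDriver, 0, &deviceName, FILE_DEVICE_TRANSPORT,
                              FILE_DEVICE_SECURE_OPEN, FALSE, &sddl,
                              (LPCGUID)&guidClassNPF, &pDevice);
    if (!NT_SUCCESS(st))
    {
        DbgPrint("nonono\n");
        return st;   // pDevice is not valid here; it must not be touched
    }
    DbgPrint("okokok\n");

    st = IoCreateSymbolicLink(&symLinkName, &deviceName);
    if (!NT_SUCCESS(st))
    {
        IoDeleteDevice(pDevice);
        return st;
    }

    pDevice->Flags |= DO_BUFFERED_IO;
    // IRP_MJ_CLOSE is not handled; closing a handle is presumably answered by the I/O
    // manager's default routine. Add a close handler if that ever matters.
    pDriver->MajorFunction[IRP_MJ_CREATE] = DisPatchCreate;
    pDriver->MajorFunction[IRP_MJ_DEVICE_CONTROL] = DispatchControl;
    // Clear the initializing flag last, once the device is fully set up.
    pDevice->Flags &= ~DO_DEVICE_INITIALIZING;
    return STATUS_SUCCESS;
}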
```
```C
//R3
#include <stdio.h>
#include <windows.h>
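// Win32 path of the driver's symbolic link (the kernel side registers "\\??\\sysmblicname").
#define _SYB_NAME L"\\\\.\\sysmblicname"
// These must match the driver's definitions exactly, or CTL_TALK lands in the driver's
// default branch. NOTE(review): 0x8000 + 1 overflows CTL_CODE's 12-bit function field into
// the device-type bits; both sides compute the same value, so change it on both or neither.
#define CTL_CODE_BASE 0x8000
#define CTL_ALLCODE(i) CTL_CODE(FILE_DEVICE_UNKNOWN, CTL_CODE_BASE + (i), METHOD_BUFFERED, FILE_ANY_ACCESS)
#define CTL_TALK CTL_ALLCODE(1)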
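// User-mode client: opens the driver's symbolic link, then repeatedly reads a physical
// address from stdin and sends it to the driver via CTL_TALK. The driver only DbgPrints
// the bytes, so no output buffer is passed. Opening the device requires a SYSTEM or
// Administrator token (the driver's device ACL). Exits on EOF.
int main(void)
{
    HANDLE hDevice = CreateFile(_SYB_NAME, FILE_ALL_ACCESS,
                                FILE_SHARE_READ | FILE_SHARE_WRITE, NULL,
                                OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    // CreateFile signals failure with INVALID_HANDLE_VALUE, not NULL.
    if (hDevice == INVALID_HANDLE_VALUE)
    {
        printf("%lx", GetLastError());
        getchar();
        return 1;
    }

    printf("创建成功\n");
    for (;;)
    {
        // 64-bit so addresses above 4 GiB are not truncated; "%lli" also accepts 0x...
        long long addr = 0;
        unsigned long long physAddr;
        DWORD retlen = 0;
        int rc;

        printf("input:");
        rc = scanf_s("%lli", &addr);
        if (rc == EOF) {
            break;
        }
        if (rc != 1) {
            // Discard the unparseable line so the loop does not spin on it.
            int c;
            while ((c = getchar()) != '\n' && c != EOF) { }
            continue;
        }
        physAddr = (unsigned long long)addr;
        // Send the whole 8-byte value; an older driver build reads only the low 4 bytes.
        if (!DeviceIoControl(hDevice, CTL_TALK, &physAddr, sizeof(physAddr),
                             NULL, 0, &retlen, NULL))
        {
            printf("控制码通信失败");
            printf("%lu\n", GetLastError());
            getchar();
        }
    }

    CloseHandle(hDevice);
    getchar();
    return 0;
}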
```
谢谢@Thanks! 感谢分享 C玩的好啊,我就学不会 需要配合r0驱动,难编译 Light紫星 发表于 2024-2-27 10:46
需要配合r0驱动,难编译
驱动层代码你得下载个VS的开发包,然后才能编译,直接编译肯定是不行的 感谢分享,谢谢 非常有用 非常有用 感谢分享