[C&C++ 转载] 简单的读写内存 小例子

古月不傲 发表于 2019-12-23 11:11
本帖最后由 古月不傲 于 2019-12-23 11:33 编辑

#pragma once
//用户层
#include <Windows.h>
#include <winioctl.h>
#include <iostream>

// IOCTL code shared with the kernel side; the two definitions must stay identical.
// METHOD_OUT_DIRECT: the input buffer (our DATA) is copied into a kernel buffer;
// FILE_ANY_ACCESS: no specific access right on the handle is required to send it.
#define READ_WRITE_MEMERY CTL_CODE(FILE_DEVICE_UNKNOWN, 0x800, METHOD_OUT_DIRECT, FILE_ANY_ACCESS)

// Request sent to the driver. Layout must match the kernel-side DATA exactly
// (both fields are 8 bytes on x64; the asm helper and the driver are 64-bit only).
typedef struct _DATA
{
        HANDLE hProcessId;        // target process id (here: the caller's own, from GetOwnerPid)
        PVOID64 lpVirtualAddress; // address in that process the driver reads and then overwrites
}DATA, *PDATA;

.code
; GetOwnerPid: returns in rax the qword at [gs:[30h] + 40h].
; On 64-bit Windows gs:[30h] is the TEB self pointer and TEB+40h is
; ClientId.UniqueProcess, i.e. the calling process's own id. The offsets are
; hard-coded, so this helper is only valid for x64 user-mode code.
GetOwnerPid proc
        sub rsp, 28h                    ; shadow-space reservation; nothing is called, so it is unused but harmless
        mov rax, gs:[30h]               ; rax = TEB
        mov rax, qword ptr [rax+40h]    ; rax = TEB.ClientId.UniqueProcess
        add rsp, 28h
        ret
GetOwnerPid endp

end

#include "UserTest.h"

extern "C" HANDLE WINAPI GetOwnerPid();

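// User-mode test client: opens the driver's symbolic link, sends its own
// process id plus the address of a local variable, and prints that variable
// afterwards to show that the kernel side rewrote it.
// Returns 0 on success, -1 if the device cannot be opened, -2 if the IOCTL fails.
// Fixes against the original: the device handle was never closed on any path,
// and the printf format specifiers did not match their argument types
// (DWORD is unsigned long -> %lu, DWORD64 is unsigned long long -> %llu).
int main(void)
{
        DATA data = { 0 };
        DWORD dwRealBytes = 0;
        DWORD64 a = 5;                      // target of the kernel-side write
        int rc = 0;

        data.hProcessId = GetOwnerPid();    // our own pid (see GetOwnerPid in the asm helper)
        data.lpVirtualAddress = &a;

        HANDLE hDevice = CreateFile(L"\\\\.\\ReadWriteMemerySymbol", GENERIC_READ | GENERIC_WRITE, 0, NULL,
                OPEN_EXISTING,
                FILE_ATTRIBUTE_NORMAL ,
                NULL);
        if (hDevice == INVALID_HANDLE_VALUE)
        {
                printf("CreateFile %lu\n", GetLastError());
                system("pause");
                return -1;
        }
        if (!DeviceIoControl(hDevice, READ_WRITE_MEMERY, &data, sizeof(data), NULL, 0, &dwRealBytes, NULL))
        {
                printf("DeviceIoControl\n");
                rc = -2;
        }
        else
        {
                printf("a被改变:%llu\n", a);
        }
        // Release the device handle before pausing; the original leaked it.
        CloseHandle(hDevice);
        system("pause");
        return rc;
}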

#pragma once
//内核层
#include <ntifs.h>
#include <ntddk.h>

// IOCTL code; must be byte-identical to the user-mode definition.
// METHOD_OUT_DIRECT: the input buffer arrives as a kernel copy in
// Irp->AssociatedIrp.SystemBuffer. FILE_ANY_ACCESS: any handle to the device
// may send it, so access control rests entirely on who can open the device.
#define READ_WRITE_MEMERY CTL_CODE(FILE_DEVICE_UNKNOWN, 0x800, METHOD_OUT_DIRECT, FILE_ANY_ACCESS)

// Per-device extension: keeps the device object and both names so the
// unload routine can delete the symbolic link and the device.
typedef struct _DEVICE_EXTENTION
{
        PDEVICE_OBJECT pDeviceObject;   // the device this extension belongs to
        UNICODE_STRING uszDeviceName;   // \Device\ReadWriteMemery
        UNICODE_STRING uszSymbolName;   // \??\ReadWriteMemerySymbol
}DEVICE_EXTENTION, *PDEVICE_EXTENTION;

// IOCTL input buffer, as laid out by the user-mode client. Both fields are
// caller-controlled input and must be validated (length, probe) before use.
typedef struct _DATA
{
        HANDLE hProcessId;        // process id to attach to
        PVOID64 lpVirtualAddress; // user-mode address in that process to read and overwrite
}DATA, *PDATA;

// Driver entry point: creates the device and installs the dispatch routines.
NTSTATUS DriverEntry(PDRIVER_OBJECT pDriverObject, PUNICODE_STRING puszRegPathName);
// Unload routine: removes the symbolic link and the device object.
VOID MyDriverUnload(PDRIVER_OBJECT pDriverObject);
// Creates the device object (and symbolic link) used to exchange data with user mode.
NTSTATUS CreateDevice(PDRIVER_OBJECT pDriverObject);
// Default dispatch routine: completes any IRP with success and no data.
NTSTATUS DispatchGeneral(PDEVICE_OBJECT pDeviceObject, PIRP pIrp);
// IRP_MJ_DEVICE_CONTROL dispatch routine.
NTSTATUS DispatchContrl(PDEVICE_OBJECT pDeviceObject, PIRP pIrp);
// Reads and then overwrites an 8-byte value at pVirtualAddress in process ProcessId.
VOID ReadMemory(HANDLE ProcessId, PVOID64 pVirtualAddress);

#include "PlantsVsZombies.h"

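// Read, then overwrite, one 8-byte value in another process's user-mode
// address space. ProcessId and pVirtualAddress come straight from the IOCTL
// input buffer, so both are untrusted: the lookup may fail, and the address may
// be invalid, unaligned, or a kernel address. Every access to it therefore goes
// through ProbeForRead/ProbeForWrite + RtlCopyMemory inside __try, while
// attached to the target process.
//
// Fixes against the original:
//  - a failed IoAllocateMdl returned while still attached and still holding the
//    EPROCESS reference;
//  - MmBuildMdlForNonPagedPool is only valid for nonpaged-pool addresses, not a
//    user VA; the MDL was never freed; and MmUnmapLockedPages was reached with a
//    NULL mapping whenever the __try block faulted before MmMapLockedPages.
//    Because the copy runs in the target's context, a probed RtlCopyMemory is
//    sufficient and the MDL is not needed at all.
// NOTE(review): the written value (10) is hard-coded, as in the original.
VOID ReadMemory(HANDLE ProcessId, PVOID64 pVirtualAddress)
{
        PEPROCESS pEprocess = NULL;
        KAPC_STATE state = { 0 };
        ULONG64 uRead = 0;
        ULONG64 uWrite = 10;

        NTSTATUS ntStatus = PsLookupProcessByProcessId(ProcessId, &pEprocess);
        if (!NT_SUCCESS(ntStatus))
        {
                KdPrint(("PsLookupProcessByProcessId 错误:%x\n", ntStatus));
                return;
        }

        KeStackAttachProcess(pEprocess, &state);
        __try
        {
                // ProbeFor* raise if the address is unaligned, unmapped, or not user-mode.
                ProbeForRead(pVirtualAddress, sizeof(uRead), sizeof(uRead));
                RtlCopyMemory(&uRead, pVirtualAddress, sizeof(uRead));
                KdPrint(("uRead:%lld\n", uRead));
                ProbeForWrite(pVirtualAddress, sizeof(uWrite), sizeof(uWrite));
                RtlCopyMemory(pVirtualAddress, &uWrite, sizeof(uWrite));
                KdPrint(("pVirtualAddress %lld\n", *(DWORD64 *)pVirtualAddress));
        }
        __except (EXCEPTION_EXECUTE_HANDLER)
        {
                KdPrint(("异常\n"));
        }
        // Always detach and drop the reference, whatever happened above.
        KeUnstackDetachProcess(&state);
        ObDereferenceObject(pEprocess);
}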

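// Driver entry point: registers the unload routine, creates the control device
// and installs the dispatch routines.
// Returns STATUS_SUCCESS, or the failure status of CreateDevice. The original
// ignored CreateDevice's result, which let the driver load with no device and
// made MyDriverUnload dereference a NULL DeviceObject.
NTSTATUS DriverEntry(PDRIVER_OBJECT pDriverObject, PUNICODE_STRING puszRegPathName)
{
        UNREFERENCED_PARAMETER(puszRegPathName);

        pDriverObject->DriverUnload = MyDriverUnload;
        NTSTATUS ntStatus = CreateDevice(pDriverObject);
        if (!NT_SUCCESS(ntStatus))
        {
                // Nothing to clean up: CreateDevice releases what it created on failure.
                return ntStatus;
        }
        // Every major function completes with success; only device control does real work.
        // As in the original, the loop stops before IRP_MJ_MAXIMUM_FUNCTION itself, so that
        // last slot keeps whatever the I/O manager initialised it to.
        for (ULONG uCount = 0; uCount < IRP_MJ_MAXIMUM_FUNCTION; uCount++)
        {
                pDriverObject->MajorFunction[uCount] = DispatchGeneral;
        }
        pDriverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL] = DispatchContrl;
        return STATUS_SUCCESS;
}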

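// Unload routine: removes the symbolic link and the single device object.
// Guards against a NULL DeviceObject: ASSERT is compiled out in release builds,
// and the original then dereferenced NULL if the device was never created.
VOID MyDriverUnload(PDRIVER_OBJECT pDriverObject)
{
        PDEVICE_OBJECT pFirstDeviceObject = pDriverObject->DeviceObject;
        ASSERT(pFirstDeviceObject != NULL);
        if (pFirstDeviceObject == NULL)
        {
                return;
        }
        PDEVICE_EXTENTION pDeviceExtention = (PDEVICE_EXTENTION)pFirstDeviceObject->DeviceExtension;
        // Remove the link first so no new opens can reach a device that is being deleted.
        IoDeleteSymbolicLink(&pDeviceExtention->uszSymbolName);
        IoDeleteDevice(pDeviceExtention->pDeviceObject);
}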

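// Create the control device and its Win32-visible symbolic link, and record both
// names in the device extension for MyDriverUnload.
// Returns the status of IoCreateDevice/IoCreateSymbolicLink.
// Fix: if IoCreateSymbolicLink fails, the freshly created device object is now
// deleted instead of leaked.
// NOTE(review): IoCreateDevice is called without a security descriptor and the
// only IOCTL is FILE_ANY_ACCESS, so whoever the default device DACL lets open
// \\.\ReadWriteMemerySymbol (typically any local user) can drive ReadMemory
// against any process id. A driver with this capability should be created with
// IoCreateDeviceSecure and an SDDL restricting opens to administrators/SYSTEM.
NTSTATUS CreateDevice(PDRIVER_OBJECT pDriverObject)
{
        UNICODE_STRING uszDeviceName = RTL_CONSTANT_STRING(L"\\Device\\ReadWriteMemery");
        UNICODE_STRING uszSymbolName = RTL_CONSTANT_STRING(L"\\??\\ReadWriteMemerySymbol");
        PDEVICE_OBJECT pDeviceObject = NULL;

        NTSTATUS ntStatus = IoCreateDevice(pDriverObject, sizeof(DEVICE_EXTENTION), &uszDeviceName,
                FILE_DEVICE_UNKNOWN, 0, TRUE, &pDeviceObject);
        if (!NT_SUCCESS(ntStatus))
        {
                KdPrint(("IoCreateDevice 错误:%x\n", ntStatus));
                return ntStatus;
        }
        ntStatus = IoCreateSymbolicLink(&uszSymbolName, &uszDeviceName);
        if (!NT_SUCCESS(ntStatus))
        {
                KdPrint(("IoCreateSymbolicLink 错误:%x\n", ntStatus));
                IoDeleteDevice(pDeviceObject);
                return ntStatus;
        }
        PDEVICE_EXTENTION pDeviceExtention = (PDEVICE_EXTENTION)(pDeviceObject->DeviceExtension);
        pDeviceExtention->pDeviceObject = pDeviceObject;
        // Both UNICODE_STRINGs wrap string literals, so copying the descriptors is safe.
        pDeviceExtention->uszDeviceName = uszDeviceName;
        pDeviceExtention->uszSymbolName = uszSymbolName;
        // DO_DIRECT_IO only governs IRP_MJ_READ/WRITE; the IOCTL transfer method is per-code.
        pDeviceObject->Flags |= DO_DIRECT_IO;

        return ntStatus;
}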

// Default handler for every major function other than device control:
// complete the IRP immediately with STATUS_SUCCESS and zero bytes transferred.
NTSTATUS DispatchGeneral(PDEVICE_OBJECT pDeviceObject, PIRP pIrp)
{
        UNREFERENCED_PARAMETER(pDeviceObject);

        pIrp->IoStatus.Status = STATUS_SUCCESS;
        pIrp->IoStatus.Information = 0;
        IoCompleteRequest(pIrp, IO_NO_INCREMENT);
        return STATUS_SUCCESS;
}

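// IRP_MJ_DEVICE_CONTROL handler. For READ_WRITE_MEMERY (METHOD_OUT_DIRECT) the
// input buffer is a kernel copy in AssociatedIrp.SystemBuffer, which may only be
// read after its length has been checked against sizeof(DATA).
// The original dereferenced SystemBuffer with no length check, then dereferenced
// the caller-supplied lpVirtualAddress directly (no probe, no __try), so a short
// or malformed request from any opener could read past the buffer or bugcheck
// the machine. Unknown control codes now fail with STATUS_INVALID_DEVICE_REQUEST
// instead of succeeding silently.
// Returns STATUS_SUCCESS, STATUS_BUFFER_TOO_SMALL or STATUS_INVALID_DEVICE_REQUEST;
// the same status is stored in the IRP before completion.
NTSTATUS DispatchContrl(PDEVICE_OBJECT pDeviceObject, PIRP pIrp)
{
        UNREFERENCED_PARAMETER(pDeviceObject);

        NTSTATUS ntStatus = STATUS_SUCCESS;
        PIO_STACK_LOCATION pIoStack = IoGetCurrentIrpStackLocation(pIrp);
        ULONG uInLen = pIoStack->Parameters.DeviceIoControl.InputBufferLength;
        ULONG uCode = pIoStack->Parameters.DeviceIoControl.IoControlCode;
        switch (uCode)
        {
        case READ_WRITE_MEMERY:
        {
                PDATA pData = (PDATA)pIrp->AssociatedIrp.SystemBuffer;
                if (pData == NULL || uInLen < sizeof(DATA))
                {
                        ntStatus = STATUS_BUFFER_TOO_SMALL;
                        break;
                }
                KdPrint(("%lld\n", pData->hProcessId));
                // lpVirtualAddress is an untrusted user pointer; it is only
                // dereferenced inside ReadMemory's probed __try block.
                ReadMemory(pData->hProcessId, pData->lpVirtualAddress);
                break;
        }
        default:
        {
                ntStatus = STATUS_INVALID_DEVICE_REQUEST;
                break;
        }
        }
        pIrp->IoStatus.Information = 0;
        pIrp->IoStatus.Status = ntStatus;
        IoCompleteRequest(pIrp, IO_NO_INCREMENT);
        return ntStatus;
}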

