如何使用内核驱动程序读取字符串 [英] How to read a string with kernel driver
问题描述
所以我的驱动程序可以读取整数,DWORD64等但现在我想读取字符串我尝试了很多东西并且确定这个应该可以工作但是由于某种原因它会显示一些随机字符
这是我从内核读取的方式
< pre> PCHAR ReadMem_String(MEMDATA * data){
NTSTATUS ntStatus;
PEPROCESS targetProc;
char string [ 12800 ] = ;
ntStatus = PsLookupProcessByProcessId((HANDLE)(* data).proccessId,& targetProc);
if (ntStatus!= STATUS_SUCCESS ||!targetProc)
return ;
__try {
KeAttachProcess((PKPROCESS)targetProc);
if (MmIsAddressValid(( void *)(* data).address))
RtlCopyMemory(string,( const void *)data-> address,data-> Read );
KeDetachProcess();
}
__except(GetExceptionCode()){
return ;
}
return (string);
}
case (READ_chars):{
MEMDATA * userCom = pBuf;
PCHAR string = ReadMem_String(userCom);
RtlCopyMemory(pBuf,string,strlen(string));
size = strlen(string);
break ;
}
也使用方法缓冲
在我的用户模式程序中
< pre> char Readchar(UINT64 proccessId,uint64_t address){
MEMDATA dataToSend;
uint64_t readBuffer;
DWORD64 dwBytesToRead = 0 ;
dataToSend.proccessId = proccessId;
dataToSend.address = address;
dataToSend.Read = 0 ;
DeviceIoControl(hDriver,READ_INT,& dataToSend, sizeof (MEMDATA),& readBuffer, sizeof (readBuffer), 0 , 0 );
CloseHandle(hDriver);
return (( char )readBuffer);
}
我正在将字符转换成这样的字符串
< pre lang =c ++>< pre> char test = Driver.Readchar(PID,0x40E066FDB0);
const char * add = reinterpret_cast< const char *>(& test);
std :: string str = add;
printf(找到的字符串:%s \ n,str.c_str());
和我的结构是
typedef struct {
DWORD64 proccessId;
DWORD64地址;
DWORD64阅读;
} MEMDATA;
希望有人能帮助我并感谢@
Richard MacCutchan
帮助我解决这个老问题:D 如果你知道这个问题的解决方法,请不要告诉我那个或那个只是请给我或者告诉我修复它的代码
我的尝试:
< pre lang =c ++>< pre> char test = Driver.Readchar(PID,0x40E066FDB0);
const char * add = reinterpret_cast< const char *>(& test);
std :: string str = add;
printf(找到的字符串:%s \ n,str.c_str());
但它没有工作我想阅读
DefaultString
并且它读起来就像这个
@?ΘùΦ?
if (MmIsAddressValid(( void *)(* data).address))
相同昨天的问题。不要以这种方式取消引用数据变量。
可能是UNICODE和ANSI之间的字符串格式问题。
尝试使用wchar_t
而不是char
和std :: wstring
而不是std: :字符串
so my driver can read integers, DWORD64 etc but now i want to read strings i tried a lot of things and am sure this one should work but for some reason it displays some random chars
this is how am reading from kernel
<pre>PCHAR ReadMem_String(MEMDATA *data) {
NTSTATUS ntStatus;
PEPROCESS targetProc;
char string[12800] = "";
ntStatus = PsLookupProcessByProcessId((HANDLE)(*data).proccessId, &targetProc);
if (ntStatus != STATUS_SUCCESS || !targetProc)
return;
__try {
KeAttachProcess((PKPROCESS)targetProc);
if (MmIsAddressValid((void*)(*data).address))
RtlCopyMemory(string, (const void*)data->address, data->Read);
KeDetachProcess();
}
__except (GetExceptionCode()) {
return;
}
return(string);
}
case(READ_chars): {
MEMDATA *userCom = pBuf;
PCHAR string = ReadMem_String(userCom);
RtlCopyMemory(pBuf, string, strlen(string));
size = strlen(string);
break;
}
also am using method buffered
in my usermode program
<pre> char Readchar(UINT64 proccessId, uint64_t address) {
MEMDATA dataToSend;
uint64_t readBuffer;
DWORD64 dwBytesToRead = 0;
dataToSend.proccessId = proccessId;
dataToSend.address = address;
dataToSend.Read = 0;
DeviceIoControl(hDriver, READ_INT, &dataToSend, sizeof(MEMDATA), &readBuffer, sizeof(readBuffer), 0, 0);
CloseHandle(hDriver);
return((char)readBuffer);
}
and am converting chars to strings like this
<pre lang="c++"><pre> char test = Driver.Readchar(PID, 0x40E066FDB0); const char* add = reinterpret_cast<const char*>(&test); std::string str = add; printf("String found: %s\n", str.c_str());
and my struct is
typedef struct {
DWORD64 proccessId;
DWORD64 address;
DWORD64 Read;
} MEMDATA;
hope someone could help me and thanks for @
Richard MacCutchan
for helping me with the old problem :D also pls if you know the fix of this problem dont just tell me its that or that just pls give me or show me the code to fix it
What I have tried:
<pre lang="c++"><pre>char test = Driver.Readchar(PID, 0x40E066FDB0); const char* add = reinterpret_cast<const char*>(&test); std::string str = add; printf("String found: %s\n", str.c_str());
but it didn't work i want to read
DefaultString
and it reads it like this
@ΘùΦ
if (MmIsAddressValid((void*)(*data).address))
Same problem as yesterday. Do not dereference the data variable in this way.
Could be a string format issue between UNICODE and ANSI.
Try usingwchar_t
instead ofchar
andstd::wstring
instead ofstd::string
.
这篇关于如何使用内核驱动程序读取字符串的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!