如何使用内核驱动程序读取字符串 [英] How to read a string with kernel driver

问题描述

所以我的驱动程序可以读取整数，DWORD64等但现在我想读取字符串我尝试了很多东西并且确定这个应该可以工作但是由于某种原因它会显示一些随机字符



这是我从内核读取的方式

< pre> PCHAR ReadMem_String（MEMDATA * data）{ 
 NTSTATUS ntStatus; 
 PEPROCESS targetProc; 
  char  string [ 12800 ] =  ; 
 
 ntStatus = PsLookupProcessByProcessId（（HANDLE）（* data）.proccessId，& targetProc）; 
  if （ntStatus！= STATUS_SUCCESS ||！targetProc）
  return ; 
 
 __try {
 KeAttachProcess（（PKPROCESS）targetProc）; 
  if （MmIsAddressValid（（ void  *）（* data）.address））
 RtlCopyMemory（string，（ const   void  *）data-> address，data-> Read ）; 
 KeDetachProcess（）; 
} 
 __except（GetExceptionCode（））{
  return ; 
} 
 
  return （string）; 
} 

  case （READ_chars）：{
 MEMDATA * userCom = pBuf; 
 PCHAR string = ReadMem_String（userCom）; 
 RtlCopyMemory（pBuf，string，strlen（string））; 
 size = strlen（string）; 
  break ; 
} 
 

也使用方法缓冲





在我的用户模式程序中

< pre>  char  Readchar（UINT64 proccessId，uint64_t address）{
 MEMDATA dataToSend; 
 uint64_t readBuffer; 
 DWORD64 dwBytesToRead =  0 ; 
 
 dataToSend.proccessId = proccessId; 
 dataToSend.address = address; 
 dataToSend.Read =  0 ; 
 
 DeviceIoControl（hDriver，READ_INT，& dataToSend， sizeof （MEMDATA），& readBuffer， sizeof （readBuffer）， 0 ， 0 ）; 
 CloseHandle（hDriver）; 
 
  return （（ char ）readBuffer）; 
} 

我正在将字符转换成这样的字符串

< pre lang =c ++>< pre> char test = Driver.Readchar（PID，0x40E066FDB0）; 
 const char * add = reinterpret_cast< const char *>（& test）; 
 std :: string str = add; 
 printf（找到的字符串：％s \ n，str.c_str（））; 

和我的结构是

  typedef   struct  {
 DWORD64 proccessId; 
 DWORD64地址; 
 DWORD64阅读; 
} MEMDATA; 

希望有人能帮助我并感谢@

 Richard MacCutchan 

帮助我解决这个老问题：D 如果你知道这个问题的解决方法，请不要告诉我那个或那个只是请给我或者告诉我修复它的代码



我的尝试：

 < pre lang =c ++>< pre> char test = Driver.Readchar（PID，0x40E066FDB0）; 
 const char * add = reinterpret_cast< const char *>（& test）; 
 std :: string str = add; 
 printf（找到的字符串：％s \ n，str.c_str（））; 

但它没有工作我想阅读

 DefaultString 

并且它读起来就像这个

 @？ΘùΦ？ 
 

解决方案

  if （MmIsAddressValid（（ void  *）（* data）.address））
 

相同昨天的问题。不要以这种方式取消引用数据变量。

可能是UNICODE和ANSI之间的字符串格式问题。

尝试使用 wchar_t 而不是 char 和 std :: wstring 而不是 std： ：字符串

so my driver can read integers, DWORD64 etc but now i want to read strings i tried a lot of things and am sure this one should work but for some reason it displays some random chars

this is how am reading from kernel

<pre>PCHAR ReadMem_String(MEMDATA *data) {
	NTSTATUS ntStatus;
	PEPROCESS targetProc;
	char string[12800] = "";

	ntStatus = PsLookupProcessByProcessId((HANDLE)(*data).proccessId, &targetProc);
	if (ntStatus != STATUS_SUCCESS || !targetProc)
		return;

	__try {
		KeAttachProcess((PKPROCESS)targetProc);
		if (MmIsAddressValid((void*)(*data).address))
			RtlCopyMemory(string, (const void*)data->address, data->Read);
		KeDetachProcess();
	}
	__except (GetExceptionCode()) {
		return;
	}

	return(string);
}

case(READ_chars): {
    MEMDATA *userCom = pBuf;
    PCHAR string = ReadMem_String(userCom);
    RtlCopyMemory(pBuf, string, strlen(string));
    size = strlen(string);
    break;
}

also am using method buffered


in my usermode program

<pre>	char Readchar(UINT64 proccessId, uint64_t address) {
		MEMDATA dataToSend;
		uint64_t readBuffer;
		DWORD64 dwBytesToRead = 0;

		dataToSend.proccessId = proccessId;
		dataToSend.address = address;
		dataToSend.Read = 0;

		DeviceIoControl(hDriver, READ_INT, &dataToSend, sizeof(MEMDATA), &readBuffer, sizeof(readBuffer), 0, 0);
		CloseHandle(hDriver);

		return((char)readBuffer);
	}

and am converting chars to strings like this

<pre lang="c++"><pre>	char test = Driver.Readchar(PID, 0x40E066FDB0);
	const char* add = reinterpret_cast<const char*>(&test);
	std::string str = add;
	printf("String found: %s\n", str.c_str());

and my struct is

typedef struct {
	DWORD64 proccessId;
	DWORD64 address;
	DWORD64 Read;
} MEMDATA;

hope someone could help me and thanks for @

Richard MacCutchan

for helping me with the old problem :D also pls if you know the fix of this problem dont just tell me its that or that just pls give me or show me the code to fix it

What I have tried:

<pre lang="c++"><pre>char test = Driver.Readchar(PID, 0x40E066FDB0);
	const char* add = reinterpret_cast<const char*>(&test);
	std::string str = add;
	printf("String found: %s\n", str.c_str());

but it didn't work i want to read

DefaultString

and it reads it like this

@ΘùΦ

解决方案

if (MmIsAddressValid((void*)(*data).address))

Same problem as yesterday. Do not dereference the data variable in this way.

Could be a string format issue between UNICODE and ANSI.
Try using wchar_t instead of char and std::wstring instead of std::string.

这篇关于如何使用内核驱动程序读取字符串的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！