Kernel driver to read memory


Problem description

So I can't read an integer from my usermode, idk why. I will share the code because I found it and it's public; hope that someone could help me with this :D

In kernel space:

typedef struct {
	DWORD64 proccessId;
	DWORD64 address;
	DWORD64 Read;
} MEMDATA;


UINT64 ReadMem(MEMDATA *data) {
	NTSTATUS ntStatus;
	PEPROCESS targetProc;
	UINT64 readBuff;	/* not initialised: holds stack garbage if the copy below is skipped */

	/* PsLookupProcessByProcessId returns a referenced PEPROCESS; nothing here calls ObDereferenceObject on it */
	ntStatus = PsLookupProcessByProcessId((HANDLE)(*data).proccessId, &targetProc);
	if (ntStatus != STATUS_SUCCESS || !targetProc)
		return 0;	/* was a bare "return;" in a UINT64 function */

	__try {
		KeAttachProcess((PKPROCESS)targetProc);
		/* MmIsAddressValid only reports the page state at this instant; a TRUE result does not make the copy safe */
		if (MmIsAddressValid((void*)(*data).address))
			RtlCopyMemory(&readBuff, (const void*)(*data).address, sizeof(readBuff));
		KeDetachProcess();	/* skipped if RtlCopyMemory raises, leaving the thread attached */
	}
	__except (GetExceptionCode()) {
		return 0;	/* was a bare "return;" */
	}

	return(readBuff);
}

	case(READ): {
		MEMDATA *userCom = pBuf;	/* METHOD_BUFFERED: pBuf is the shared system buffer, input and output */
		DWORD64 retVal = ReadMem(userCom);
		RtlCopyMemory(pBuf, &retVal, sizeof(retVal));
		size = sizeof(retVal);	/* 8 bytes reported back, regardless of the caller's output buffer length */
		break;
	}

Also, I am using METHOD_BUFFERED:

#define READ CTL_CODE(FILE_DEVICE_UNKNOWN, 0x0701 /* Our Custom Code */, METHOD_BUFFERED, FILE_SPECIAL_ACCESS)

And here is my template for reading an integer:

	int Readint(DWORD64 pid, DWORD64 addr, DWORD64 len) {
		MEMDATA toSend;
		DWORD64 dwBytesRead = 0;	/* declared but never passed to DeviceIoControl */
		DWORD64  readBuffer;
		toSend.proccessId = pid;
		toSend.address = addr;
		toSend.Read = len;

		/* len is used as the output buffer length; lpBytesReturned is NULL, which a synchronous
		   call does not allow, and the BOOL result is never checked */
		DeviceIoControl(hDriver, READ, &toSend, sizeof(MEMDATA), &readBuffer, len, 0, 0);
		CloseHandle(hDriver);	/* closes the device handle on the first call */

		return(readBuffer);	/* DWORD64 truncated to int */
	}

But it's not working. I am trying to read (123456) but it reads it as (-1676839616). I guess that the driver is reading it but it's a problem with the buffer, idk.

What I have tried:

I have tried this to read:

	int PID;
	cout << "give PID" << endl;
	cin >> PID;

	int test;
	test = Driver.Readint(PID, 0xB33B92FD88,sizeof(test));	// hard-coded target address; sizeof(test) = 4 becomes the output buffer length
	if (test) {
		cout <<"working boi" << test <<endl;
	}
	else
	{
		cout << "nope not working" << endl;
	}

But it's not working, and also, please, if you know the fix for this problem don't just tell me it's that or that, just please give me or show me the code to fix it. Also I am new to kernel, sorry if I look like a noob, but we are learning every day!
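The posted user-mode call passes len (sizeof(int), 4 bytes) as the output buffer length, while the driver copies back sizeof(retVal), 8 bytes, and ReadMem returns whatever was in readBuff when the lookup or the copy did not happen. Below is an added example, not code from the question or from any answer: a host-side C model of the METHOD_BUFFERED round trip that shows the checks a READ handler should make before it touches either buffer (input length, requested size, output length, address range) and a user-mode wrapper that keeps the status separate from the value. The target process memory, the pid 1234 and the buffer sizes are constructed stand-ins; KeAttachProcess, MmIsAddressValid and RtlCopyMemory are replaced by a plain array so the model compiles and runs anywhere; the NTSTATUS values are the ones from ntstatus.h.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* NTSTATUS values as in ntstatus.h, redeclared so the model builds on any host. */
typedef int32_t NTSTATUS;
#define STATUS_SUCCESS           ((NTSTATUS)0x00000000L)
#define STATUS_ACCESS_VIOLATION  ((NTSTATUS)0xC0000005L)
#define STATUS_INVALID_PARAMETER ((NTSTATUS)0xC000000DL)
#define STATUS_BUFFER_TOO_SMALL  ((NTSTATUS)0xC0000023L)

typedef struct {             /* request layout from the question, field names kept as posted */
    uint64_t proccessId;
    uint64_t address;
    uint64_t Read;           /* number of bytes the caller wants back */
} MEMDATA;

/* What a METHOD_BUFFERED handler sees: one system buffer (input on entry, output on exit) plus both lengths. */
typedef struct {
    uint8_t *system_buffer;
    size_t   input_len, output_len;
    size_t   information;    /* what the driver would store in IoStatus.Information */
} IoRequest;

/* Constructed stand-in for the target process's memory (replaces KeAttachProcess/MmIsAddressValid/RtlCopyMemory). */
static uint8_t g_fake_target[64];

static int in_target(uint64_t off, size_t len) {
    return off <= sizeof g_fake_target && len <= sizeof g_fake_target - off;
}

int SeedTarget(uint64_t offset, int32_t value) {
    if (!in_target(offset, sizeof value)) return 0;
    memcpy(g_fake_target + offset, &value, sizeof value);
    return 1;
}

/* The READ case of the dispatch routine with the length checks the posted version lacks. Status and
 * data travel separately: a failed read yields an error status and zero bytes, never an uninitialised local. */
NTSTATUS HandleRead(IoRequest *req) {
    MEMDATA  cmd;
    uint64_t value = 0;
    req->information = 0;
    if (req->input_len < sizeof cmd)
        return STATUS_INVALID_PARAMETER;
    memcpy(&cmd, req->system_buffer, sizeof cmd);   /* copy out first: the buffer becomes the output */
    if (cmd.Read == 0 || cmd.Read > sizeof value)
        return STATUS_INVALID_PARAMETER;            /* only 1..8 byte reads are supported */
    if (req->output_len < cmd.Read)
        return STATUS_BUFFER_TOO_SMALL;             /* never report more than the caller can receive */
    if (!in_target(cmd.address, (size_t)cmd.Read))
        return STATUS_ACCESS_VIOLATION;             /* the read would leave the mapped region */
    memcpy(&value, g_fake_target + cmd.address, (size_t)cmd.Read);
    memcpy(req->system_buffer, &value, (size_t)cmd.Read);
    req->information = (size_t)cmd.Read;
    return STATUS_SUCCESS;
}

/* Host model of the METHOD_BUFFERED round trip behind DeviceIoControl: the I/O manager allocates one
 * buffer of max(in, out), copies the input in, runs the dispatch routine, then copies Information bytes back. */
NTSTATUS FakeDeviceIoControl(const void *in, size_t in_len, void *out, size_t out_len, size_t *returned) {
    uint8_t sysbuf[256] = {0};
    if ((in_len > out_len ? in_len : out_len) > sizeof sysbuf)
        return STATUS_INVALID_PARAMETER;
    memcpy(sysbuf, in, in_len);
    IoRequest req = { sysbuf, in_len, out_len, 0 };
    NTSTATUS st = HandleRead(&req);
    /* The real I/O manager trusts Information; this clamp only keeps the model memory-safe. */
    *returned = req.information < out_len ? req.information : out_len;
    memcpy(out, sysbuf, *returned);
    return st;
}

/* User-mode wrapper: success is reported separately from the value, so a failure is never mistaken for data. */
int ReadInt32(uint64_t addr, int32_t *result) {
    MEMDATA  cmd = { 1234 /* constructed pid */, addr, sizeof *result };
    int32_t  buf = 0;
    size_t   got = 0;
    NTSTATUS st  = FakeDeviceIoControl(&cmd, sizeof cmd, &buf, sizeof buf, &got);
    if (st != STATUS_SUCCESS || got != sizeof buf) return 0;
    *result = buf;
    return 1;
}

/* Seed the fake target, read it back through the full path, and compare. */
int RoundTrips(uint64_t offset, int32_t value) {
    int32_t got = 0;
    return SeedTarget(offset, value) && ReadInt32(offset, &got) && got == value;
}

/* Drive the handler with chosen lengths (in_len <= sizeof(MEMDATA), out_len <= 16) to exercise its checks. */
NTSTATUS StatusForLengths(size_t in_len, size_t out_len) {
    MEMDATA cmd = { 1234, 8, 4 };
    uint8_t out[16] = {0};
    size_t  got = 0;
    return FakeDeviceIoControl(&cmd, in_len, out, out_len, &got);
}

int main(void) { return RoundTrips(8, 123456) ? 0 : 1; }
```

Run stand-alone, main exits 0 when the 123456 round trip succeeds. StatusForLengths shows the handler answering a 2-byte output buffer with STATUS_BUFFER_TOO_SMALL and a short request with STATUS_INVALID_PARAMETER, rather than reporting more bytes than the caller supplied room for; a read outside the mapped region comes back as STATUS_ACCESS_VIOLATION with zero bytes, so the wrapper fails instead of returning a stale value.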

Recommended answer

This line does not look correct:
RtlCopyMemory(&readBuff, (const void*)(*data).address, sizeof(readBuff));

The variable data is defined as a pointer to a MEMDATA structure, so the dereference operator should not be necessary here. Try it as:

RtlCopyMemory(&readBuff, (const void*)data.address, sizeof(readBuff));

