从内核驱动程序到达内核会话空间 [英] Reach kernel session space from kernel driver

问题描述

我正在编写一个内核驱动程序，该驱动程序应该读取（在某些情况下，还要写）内核会话空间（win32k.sys）中的某些内存地址。我读过另一个主题，例如在Windbg中，我应该将上下文更改为随机用户进程以读取内核会话空间的内存（使用.process / p）。如何在内核驱动程序中做到这一点？我应该创建一个与驱动程序通信的用户进程（这是我的主意，但我希望有一个更好的解决方案）或对此有一个更简单的解决方案？

I'm writing a kernel driver, which should read (and in some cases, also write) some memory addresses in kernel session space (win32k.sys). I've read in another topic that for example in Windbg I should change the context to a random user process to read the memory of kernel session space (with .process /p). How can I do that in a kernel driver? Should I create a user process which communicate with the driver (that's my idea now, but I hope that there is a better solution) or there is a more simple solution for this?

推荐答案

会话空间未映射到系统地址空间（驱动程序共享，如果未附加到任何进程，则驱动程序共享）。那些为什么您在访问win32k时得到BSOD。

Session space are not mapped in system address space (that drivers share, if not attached to any process). Those why you getting BSOD while accessing win32k.

您需要通过KeStackAttachProcess附加到EPROCESS才能执行此操作。您可以使用ZwQueryInformationProcess（ProcessSessionInformation）函数获取会话ID。

You need to be attached to EPROCESS via KeStackAttachProcess to perform this operation. You can get session id with ZwQueryInformationProcess(ProcessSessionInformation) function.

这篇关于从内核驱动程序到达内核会话空间的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！