逆向 | 驱动挂靠进程直接读内存
参考:https://cloud.tencent.com/developer/article/2358904
https://github.com/Whitebird0/driver_read_and_write/blob/main/04-读写内存/ReadMemory.c
代码如下:
代码不长但是有坑,比如说ExAllocatePool2的参数就跟之前不一样了,这个点我调试了好久,晕
// Request block consumed by MDLReadMemory: describes one cross-process read.
// Every field is supplied by the requester, so none of it is trusted as-is.
typedef struct
{
DWORD pid; // ID of the process to read from
DWORD64 address; // virtual address inside that process to read from
DWORD size; // number of bytes to read
BYTE* data; // buffer that receives the bytes; a raw pointer from the requester (presumably a user-mode address handed in via IOCTL — verify against the caller)
}ReadMemoryStruct;
// MDL读内存
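// Exported by ntoskrnl but not declared in the WDK headers; returns a pointer
// to the EPROCESS ImageFileName field (15 UCHARs, not guaranteed NUL-terminated).
// Using it instead of a hard-coded field offset keeps the log line working
// across OS builds where the EPROCESS layout differs.
NTKERNELAPI PCHAR NTAPI PsGetProcessImageFileName(PEPROCESS Process);

// Reads data->size bytes from address data->address in process data->pid
// into the requester's buffer data->data.
//
// Despite the name, no MDL is built: the bytes are copied into a pool staging
// buffer while attached to the target's address space (KeStackAttachProcess),
// the thread detaches, and the staging buffer is then copied to data->data
// from the requester's own context.
//
// Returns TRUE on success. Returns FALSE when data is NULL or data->size is 0,
// when the PID does not resolve, when the staging allocation fails, or when
// either the source or destination range cannot be accessed. Every failure
// path drops the EPROCESS reference and frees the staging buffer.
//
// Both data->address and data->data come from the requester. The source is
// probed (ProbeForRead) while attached to the target and the destination is
// probed (ProbeForWrite) after detaching; an invalid pointer therefore raises
// into the __except handler instead of faulting the kernel, and a kernel-mode
// destination address is rejected rather than written through.
BOOL MDLReadMemory(ReadMemoryStruct* data)
{
    BOOL bRet = FALSE;
    PEPROCESS process = NULL;
    BYTE* staging = NULL;
    KAPC_STATE apcState = { 0 };
    NTSTATUS status;

    if (data == NULL || data->size == 0)
    {
        return FALSE;
    }

    // The lookup's status must be checked before process is used: on failure
    // the out-parameter is not a valid pointer.
    status = PsLookupProcessByProcessId((HANDLE)(ULONG_PTR)data->pid, &process);
    if (!NT_SUCCESS(status) || process == NULL)
    {
        DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, "[fail] PsLookupProcessByProcessId(%lu) status: %x\r\n", data->pid, status);
        return FALSE;
    }

    // %.15s bounds the read: ImageFileName is 15 bytes and may lack a terminator.
    DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, "> [info] ImageFileName: %.15s \r\n", PsGetProcessImageFileName(process));

    // ExAllocatePool2 reports failure by returning NULL (it does not raise),
    // and zero-fills the block on success.
    staging = ExAllocatePool2(POOL_FLAG_PAGED, data->size, 'qwer');
    if (staging == NULL)
    {
        DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, "[fail] GetData ExAllocatePool2\r\n");
        goto cleanup;
    }

    // Attach/detach are paired unconditionally; the __try covers only the
    // accesses that can fault.
    KeStackAttachProcess(process, &apcState);
    __try
    {
        DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, "[info] ProbeForRead(%I64x,%x)\r\n", data->address, data->size);
        ProbeForRead((volatile VOID*)data->address, data->size, 1);
        RtlCopyMemory(staging, (const void*)data->address, data->size);
        bRet = TRUE;
    }
    __except (EXCEPTION_EXECUTE_HANDLER)
    {
        DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, "[err] ProbeForRead code: %x\r\n", GetExceptionCode());
        bRet = FALSE;
    }
    KeUnstackDetachProcess(&apcState);

    // Back in the requester's context. The destination is a requester-supplied
    // pointer and is probed before the kernel writes through it; nothing is
    // copied out when the read itself failed.
    if (bRet)
    {
        __try
        {
            ProbeForWrite(data->data, data->size, 1);
            RtlCopyMemory(data->data, staging, data->size);
        }
        __except (EXCEPTION_EXECUTE_HANDLER)
        {
            DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, "[err] ProbeForWrite code: %x\r\n", GetExceptionCode());
            bRet = FALSE;
        }
    }

cleanup:
    // ExFreePool must not be handed NULL, hence the guard.
    if (staging != NULL)
    {
        ExFreePool(staging);
    }
    ObDereferenceObject(process);
    return bRet;
}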
From: https://www.cnblogs.com/Mz1-rc/p/18202644