驱动开发：通过内存拷贝读写内存

发表于 2021-07-12 更新于 2022-12-16 分类于内核安全开发本文字数： 2.9k

内核中读写内存的方式有很多，典型的读写方式有CR3读写，MDL读写，以及今天要给大家分享的内存拷贝实现读写，拷贝读写的核心是使用`MmCopyVirtualMemory`这个内核API函数实现，通过调用该函数即可很容易的实现内存的拷贝读写。

内核中读写内存的方式有很多，典型的读写方式有CR3读写，MDL读写，以及今天要给大家分享的内存拷贝实现读写，拷贝读写的核心是使用MmCopyVirtualMemory这个内核API函数实现，通过调用该函数即可很容易的实现内存的拷贝读写。

封装KeReadProcessMemory()内存读取。

#include <ntifs.h>
#include <windef.h>
#include <stdlib.h>

NTKERNELAPI NTSTATUS PsLookupProcessByProcessId(HANDLE ProcessId, PEPROCESS *Process);
NTKERNELAPI CHAR* PsGetProcessImageFileName(PEPROCESS Process);
NTSTATUS NTAPI MmCopyVirtualMemory(PEPROCESS SourceProcess, PVOID SourceAddress, PEPROCESS TargetProcess, PVOID TargetAddress, SIZE_T BufferSize, KPROCESSOR_MODE PreviousMode, PSIZE_T ReturnSize);

// 定义全局EProcess结构
PEPROCESS Global_Peprocess = NULL;

// 普通Ke内存读取
NTSTATUS KeReadProcessMemory(PVOID SourceAddress, PVOID TargetAddress, SIZE_T Size)
{
	__try
	{
		PEPROCESS TargetProcess = PsGetCurrentProcess();
		SIZE_T Result;
		if (NT_SUCCESS(MmCopyVirtualMemory(Global_Peprocess, SourceAddress, TargetProcess, TargetAddress, Size, KernelMode, &Result)))
			return STATUS_SUCCESS;
		else
			return STATUS_ACCESS_DENIED;
	}
	__except (EXCEPTION_EXECUTE_HANDLER)
	{
		return STATUS_ACCESS_DENIED;
	}
	return STATUS_ACCESS_DENIED;
}

VOID UnDriver(PDRIVER_OBJECT driver)
{
	DbgPrint("Uninstall Driver Is OK \n");
}

// By:lyshark.cnblogs.com
NTSTATUS DriverEntry(IN PDRIVER_OBJECT Driver, PUNICODE_STRING RegistryPath)
{
	DbgPrint("hello lyshark \n");

	// 根据PID打开进程
	DWORD PID = 6672;
	NTSTATUS nt = PsLookupProcessByProcessId((HANDLE)PID, &Global_Peprocess);

	DWORD ref_value = 0;

	// 将地址处读取4字节到ref_value中
	NTSTATUS read_nt = KeReadProcessMemory((PVOID)0x0009EDC8, &ref_value, 4);

	DbgPrint("读出数据: %d \n", ref_value);

	Driver->DriverUnload = UnDriver;
	return STATUS_SUCCESS;
}

读取效果如下：

封装KeWriteProcessMemory()内存读取。

#include <ntifs.h>
#include <windef.h>
#include <stdlib.h>

NTKERNELAPI NTSTATUS PsLookupProcessByProcessId(HANDLE ProcessId, PEPROCESS *Process);
NTKERNELAPI CHAR* PsGetProcessImageFileName(PEPROCESS Process);
NTSTATUS NTAPI MmCopyVirtualMemory(PEPROCESS SourceProcess, PVOID SourceAddress, PEPROCESS TargetProcess, PVOID TargetAddress, SIZE_T BufferSize, KPROCESSOR_MODE PreviousMode, PSIZE_T ReturnSize);

// 定义全局EProcess结构
PEPROCESS Global_Peprocess = NULL;


// 普通Ke内存写入
NTSTATUS KeWriteProcessMemory(PVOID SourceAddress, PVOID TargetAddress, SIZE_T Size)
{
	PEPROCESS SourceProcess = PsGetCurrentProcess();
	PEPROCESS TargetProcess = Global_Peprocess;
	SIZE_T Result;

	if (NT_SUCCESS(MmCopyVirtualMemory(SourceProcess, SourceAddress, TargetProcess, TargetAddress, Size, KernelMode, &Result)))
		return STATUS_SUCCESS;
	else
		return STATUS_ACCESS_DENIED;
}

VOID UnDriver(PDRIVER_OBJECT driver)
{
	DbgPrint("Uninstall Driver Is OK \n");
}

NTSTATUS DriverEntry(IN PDRIVER_OBJECT Driver, PUNICODE_STRING RegistryPath)
{
	DbgPrint("hello lyshark \n");

	// 根据PID打开进程
	DWORD PID = 6672;
	NTSTATUS nt = PsLookupProcessByProcessId((HANDLE)PID, &Global_Peprocess);

	DWORD ref_value = 10;

	// 将地址处写出4字节
	NTSTATUS read_nt = KeWriteProcessMemory((PVOID)0x0009EDC8, &ref_value, 4);

	DbgPrint("写入数据: %d \n", ref_value);

	Driver->DriverUnload = UnDriver;
	return STATUS_SUCCESS;
}

写出内存效果：