VC驱动读内存代码

雨过天晴

1. ULONG MyReadMemory(IN PVOID BaseAddress,IN SIZE_T BufferSize,IN HANDLE pid)
   
2. {
   
3. PEPROCESS EProcess;
   
4. KAPC_STATE ApcState;
   
5. PVOID readbuffer;
   
6. NTSTATUS status;
   
7. 
   
8. status = PsLookupProcessByProcessId((HANDLE)pid,&EProcess);
   
9. if(!NT_SUCCESS(status))
   
10. {
    
11.    DbgPrint("failed to get the EPROCESS!!/n");
    
12.    return 0;
    
13. }
    
14. 
    
15. 
    
16. readbuffer = ExAllocatePoolWithTag (NonPagedPool, BufferSize, 'Sys');
    
17. if(readbuffer==NULL)
    
18. {
    
19.    DbgPrint("failed to alloc memory!/n");
    
20.    return 0;
    
21. }
    
22. 
    
23. *(ULONG*)readbuffer=(ULONG)0x1;
    
24. 
    
25. KeStackAttachProcess (EProcess, &ApcState);
    
26. 
    
27.        __try
    
28.     {
    
29.      ProbeForRead ((CONST PVOID)BaseAddress, BufferSize, sizeof(CHAR));
    
30.            RtlCopyMemory (readbuffer, BaseAddress, BufferSize);
    
31.      KeUnstackDetachProcess (&ApcState);
    
32.    
    
33.     } __except(EXCEPTION_EXECUTE_HANDLER)
    
34.     {
    
35.      KeUnstackDetachProcess (&ApcState);
    
36.     }
    
37.    
    
38.     DbgPrint("%x/n",*(ULONG*)readbuffer);
    
39.     ExFreePool (readbuffer);
    
40.     return 1;
    
41.    
    
42. }

复制代码

zylyy12358

如果你读成功了，可能你用的是XP。反正win 7下内核模式直接访问用户模式代码是不可能的。rtlcopymemory会抛出异常。所以我们必须采取其他更有效的方法。