
驱动读写进程数据

作者:互联网

#include <ntifs.h>
#include<ntddk.h>

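// Read data by attaching the current thread to the target process.
/*
 * Copy Length bytes starting at Address, as seen from Process, into Buffer.
 *
 * Process : target process; the current thread is attached to it for the
 *           duration of the copy.
 * Address : virtual address inside Process to read from.
 * Length  : number of bytes to read. 0 reads nothing.
 * Buffer  : destination. It must stay mapped while the thread is attached
 *           (e.g. non-paged kernel memory); a user-mode pointer belonging
 *           to the calling process would not be valid after the attach.
 *
 * MmIsAddressValid() only answers for the single page that contains the
 * pointer it is given, so the range is walked page by page and the copy
 * stops at the first page that is not resident. The check is a snapshot:
 * a page can still be paged out between the check and the copy.
 */
VOID KeReadProcessMemory(PEPROCESS Process,PVOID Address,ULONG Length,PVOID Buffer)
{
	KAPC_STATE ApcState;
	PUCHAR Src = (PUCHAR)Address;
	PUCHAR Dst = (PUCHAR)Buffer;
	ULONG Remaining = Length;

	if (Process == NULL || Address == NULL || Buffer == NULL || Length == 0)
	{
		return;
	}

	KeStackAttachProcess(Process,&ApcState);

	while (Remaining != 0)
	{
		/* bytes left in the page that holds Src, capped by what is still wanted */
		ULONG Chunk = PAGE_SIZE - (ULONG)((ULONG_PTR)Src & (PAGE_SIZE - 1));
		if (Chunk > Remaining)
		{
			Chunk = Remaining;
		}

		/* stop rather than touch a non-resident page and fault in kernel mode */
		if (!MmIsAddressValid(Src))
		{
			break;
		}

		RtlCopyMemory(Dst, Src, Chunk);
		Src += Chunk;
		Dst += Chunk;
		Remaining -= Chunk;
	}

	KeUnstackDetachProcess(&ApcState);
}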

/*
 * Return the page-directory base (the value this file later loads into CR3)
 * stored inside the process object of Process.
 *
 * The value is read from a hard-coded offset in the EPROCESS: +0x18 on a
 * 32-bit build (the author names XP and Win7 32-bit) and +0x28 on a 64-bit
 * build (the author names Win7 64-bit). The offset is selected at compile
 * time through sizeof(PVOID). NOTE(review): these offsets are specific to
 * those kernel builds — confirm them against the kernel actually targeted.
 */
PVOID GetPdt(PEPROCESS Process)
{
	ULONG_PTR Offset;

	/* PVOID is 4 bytes on a 32-bit system and 8 bytes on a 64-bit one */
	if (sizeof(PVOID) == 4)
	{
		Offset = 0x18;
	}
	else
	{
		Offset = 0x28;
	}

	return *(PVOID *)((PCHAR)Process + Offset);
}


/*
 * Copy Length bytes from Address into Buffer by switching CR3 to the
 * page-directory base of Process instead of attaching to it.
 *
 * Process : process whose page directory is loaded into CR3.
 * Address : virtual address, interpreted under Process's page tables.
 * Length  : number of bytes to copy.
 * Buffer  : destination. Assumes it lives in the kernel half of the address
 *           space, which is what stays reachable after CR3 is replaced —
 *           TODO confirm callers never pass a user-mode buffer.
 *
 * Hazards visible in this body:
 *  - The value returned by GetPdt() is loaded into CR3 without any check;
 *    if the hard-coded EPROCESS offset is wrong for the running kernel, an
 *    arbitrary value ends up in CR3.
 *  - Interrupts are re-enabled (_enable) before the copy and disabled again
 *    only afterwards, so the thread can be preempted while the foreign CR3
 *    is active. NOTE(review): on a context switch back, the scheduler
 *    presumably restores the thread's own process CR3, so the copy would
 *    then read the wrong address space — verify this ordering is intended.
 *  - MmIsAddressValid() checks only the page containing Address; a Length
 *    that crosses into a non-resident page is not caught.
 *  - NOTE(review): kernels that place extra bits in CR3 (PCID / KVA shadow)
 *    may not tolerate a raw __writecr3 of a stored directory base — confirm
 *    against the target kernel version.
 */
VOID KeReadProcessMemory2(PEPROCESS Process, PVOID Address, ULONG Length, PVOID Buffer)
{
	PVOID Pdt = GetPdt(Process);
	PVOID OldPdt;

	/* swap in the target's page directory; interrupts off only around the swap */
	_disable();
	OldPdt =(PVOID)__readcr3();
	__writecr3(Pdt);
	_enable();

	/* single-page presence check, then the copy under the foreign CR3 */
	if (MmIsAddressValid(Address))
	{
		RtlCopyMemory(Buffer, Address, Length);
	}

	/* restore the page directory that was active on entry */
	_disable();
	__writecr3(OldPdt);
	_enable();
}

/*
 * Unload routine registered from DriverEntry. Nothing was allocated or
 * registered at load time, so this only emits a debug message.
 */
VOID DriverUnload(IN PDRIVER_OBJECT pDriverObject)
{
	UNREFERENCED_PARAMETER(pDriverObject);

	KdPrint(("驱动卸载成功\n"));
}
/*
 * Driver entry point: registers DriverUnload, logs a message and reports
 * success. RegistryPath is not used. Nothing in this file is wired up as a
 * dispatch routine, so the read helpers above are not reachable from here.
 *
 * Returns STATUS_SUCCESS unconditionally.
 */
NTSTATUS DriverEntry(IN PDRIVER_OBJECT pDriverObject, IN PUNICODE_STRING RegistryPath)
{
	UNREFERENCED_PARAMETER(RegistryPath);

	pDriverObject->DriverUnload = DriverUnload;
	KdPrint(("驱动加载成功\n"));

	return STATUS_SUCCESS;
}

来源: https://blog.csdn.net/qq_41490873/article/details/108289544