驱动读写进程数据
作者:互联网
#include <ntifs.h>
#include<ntddk.h>
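// Read Length bytes at Address in Process's address space into Buffer by
// temporarily attaching the current thread to Process (KeStackAttachProcess /
// KeUnstackDetachProcess).  This is the "attach" variant of the two readers.
//
// Caller contract:
//  - Process must be a live, referenced EPROCESS (e.g. from
//    PsLookupProcessByProcessId); this function takes no reference of its own.
//  - Buffer must be a kernel (non-paged) buffer.  While attached, user-mode
//    addresses resolve in Process, so a user pointer belonging to the calling
//    process would name memory in the wrong process.
//  - Must be called at an IRQL where KeStackAttachProcess is allowed.
//
// Fix versus the original listing: MmIsAddressValid was queried only for
// Address, i.e. the first page, so a range that crossed into an unmapped page
// still faulted inside RtlCopyMemory and bugchecked.  Every page of
// [Address, Address + Length) is now checked, and NULL / zero-length /
// address-wrapping inputs are rejected.  MmIsAddressValid is still only a
// hint (a page can be trimmed between the check and the copy); on MSVC a
// __try/__except around the copy is the usual extra hardening.
//
// The VOID interface is kept, so no result is reported; Buffer is left
// untouched when the range is rejected.
VOID KeReadProcessMemory(PEPROCESS Process, PVOID Address, ULONG Length, PVOID Buffer)
{
    KAPC_STATE ApcState;
    ULONG_PTR Start = (ULONG_PTR)Address;
    ULONG_PTR End = Start + Length;            // one past the last byte
    ULONG_PTR Page;
    BOOLEAN RangeValid = TRUE;

    // Reject inputs that cannot be copied safely (End < Start is wrap-around).
    if (Process == NULL || Buffer == NULL || Length == 0 || End < Start) {
        return;
    }

    KeStackAttachProcess(Process, &ApcState);

    // Walk the range page by page; MmIsAddressValid answers for the address
    // space we are now attached to.
    for (Page = Start & ~((ULONG_PTR)PAGE_SIZE - 1); Page < End; Page += PAGE_SIZE) {
        if (!MmIsAddressValid((PVOID)Page)) {
            RangeValid = FALSE;
            break;
        }
    }

    if (RangeValid) {
        RtlCopyMemory(Buffer, Address, Length);
    }

    KeUnstackDetachProcess(&ApcState);
}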
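// Return the page-directory base (the value the OS loads into CR3) of
// Process, read from the EPROCESS at a hard-coded, OS-version-specific offset
// (presumably KPROCESS.DirectoryTableBase; the structure is undocumented).
//   x86 (XP / Win7 32-bit): +0x18
//   x64 (Win7 64-bit):      +0x28
// These offsets come from the original listing and are only known to hold for
// the versions named there; other versions must be verified before use, since
// there is no documented API for this value.
//
// Returns NULL for a NULL Process instead of faulting on the NULL+offset
// dereference.  Callers must never load a NULL result into CR3.
PVOID GetPdt(PEPROCESS Process)
{
#ifdef _WIN64
    // 64-bit layout (equivalent to the original sizeof(PVOID) == 8 test).
    const ULONG_PTR DirectoryTableBaseOffset = 0x28;
#else
    // 32-bit layout (equivalent to the original sizeof(PVOID) == 4 test).
    const ULONG_PTR DirectoryTableBaseOffset = 0x18;
#endif

    if (Process == NULL) {
        return NULL;
    }

    return *(PVOID *)((PCHAR)Process + DirectoryTableBaseOffset);
}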
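// Read Length bytes at Address in Process into Buffer by loading Process's
// page-directory base into CR3 directly instead of attaching.  This is the
// "CR3 switch" trick from the original listing: it bypasses the kernel's own
// address-space bookkeeping and should be replaced by KeReadProcessMemory
// (KeStackAttachProcess) wherever reliability matters.
//
// Fix versus the original listing: interrupts were re-enabled between the CR3
// write and the copy, so the thread could be preempted while CR3 held a
// foreign page directory.  A context switch can then reload CR3 from the
// process the dispatcher believes is current, after which the copy silently
// reads the wrong address space.  The swap, the page check, the copy and the
// restore now all sit inside one interrupts-disabled window, so Length should
// be kept small.  Every page of the range is checked (not just the first),
// NULL / zero-length / wrapping inputs are rejected, and a NULL directory
// base is refused because __writecr3(0) would be fatal.
//
// Caveats the caller must honour:
//  - Process must be live and referenced; the offset read by GetPdt is
//    OS-version-specific.
//  - Buffer must be a kernel (non-paged) address; user pointers of the calling
//    process are not reachable once CR3 has been switched.
//  - MmIsAddressValid is only a hint, and it is documented for any IRQL but
//    not specifically for an interrupts-disabled window.  On newer Windows
//    with KVA shadowing / PCID the raw DirectoryTableBase written here may
//    not match what the OS considers the current CR3 — TODO confirm before
//    use beyond the Win7 targets named in GetPdt.
//  - The VOID interface is kept: no result is reported and Buffer is left
//    untouched when the range is rejected.
VOID KeReadProcessMemory2(PEPROCESS Process, PVOID Address, ULONG Length, PVOID Buffer)
{
    PVOID Pdt;
    PVOID OldPdt;
    ULONG_PTR Start = (ULONG_PTR)Address;
    ULONG_PTR End = Start + Length;            // one past the last byte
    ULONG_PTR Page;
    BOOLEAN RangeValid = TRUE;

    // Reject inputs that cannot be copied safely (End < Start is wrap-around).
    if (Process == NULL || Buffer == NULL || Length == 0 || End < Start) {
        return;
    }

    Pdt = GetPdt(Process);
    if (Pdt == NULL) {
        return;
    }

    // Nothing may preempt this CPU while CR3 points at a foreign directory.
    _disable();
    OldPdt = (PVOID)__readcr3();
    __writecr3((ULONG_PTR)Pdt);

    for (Page = Start & ~((ULONG_PTR)PAGE_SIZE - 1); Page < End; Page += PAGE_SIZE) {
        if (!MmIsAddressValid((PVOID)Page)) {
            RangeValid = FALSE;
            break;
        }
    }

    if (RangeValid) {
        RtlCopyMemory(Buffer, Address, Length);
    }

    __writecr3((ULONG_PTR)OldPdt);
    _enable();
}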
// Unload callback.  DriverEntry registers nothing beyond this routine and
// allocates nothing, so the only work here is the debug trace.
VOID DriverUnload(IN PDRIVER_OBJECT pDriverObject)
{
    (void)pDriverObject;   // not needed: nothing to tear down

    KdPrint(("驱动卸载成功\n"));
}
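// Driver entry point: installs the unload routine and logs a trace message.
//
// Note for reviewers: no device object, symbolic link or IRP/IOCTL dispatch
// is created here, so KeReadProcessMemory / KeReadProcessMemory2 have no
// caller in this listing.  Any dispatch path added later is the point where
// user-supplied Address/Length/Buffer values enter kernel mode and must be
// validated (and Buffer must be a kernel buffer, see the readers' comments).
//
// Fix versus the original listing: RegistryPath is marked as intentionally
// unused and the pass-through `status` local is dropped.
NTSTATUS DriverEntry(IN PDRIVER_OBJECT pDriverObject, IN PUNICODE_STRING RegistryPath)
{
    (void)RegistryPath;    // intentionally unused

    pDriverObject->DriverUnload = DriverUnload;
    KdPrint(("驱动加载成功\n"));

    return STATUS_SUCCESS;
}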