参考资料
https://blog.csdn.net/wdykanq/article/details/7752909
http://blog.51cto.com/laokaddk/404584
内核层创建内存映射用户层
PVOID pShareMM_SYS;
PMDL pShareMM_MDL;
PVOID pShareMM_User;
PKUANGKEEPROCESS vEProcess = KuangKeGetProcessById(3412);
KAPC_STATE vKapcState;
KeStackAttachProcess((PRKPROCESS)vEProcess, &vKapcState);
pShareMM_SYS = KuangKeAllocate(1024);//size必须是page的整数倍 也可以使用 ExAllocatePoolWithTag(NonPagedPool, _s, 'KUAN')
RtlZeroMemory(pShareMM_SYS, 1024);
pShareMM_MDL = IoAllocateMdl(pShareMM_SYS, 1024, FALSE, FALSE, NULL);
MmBuildMdlForNonPagedPool(pShareMM_MDL);
pShareMM_User = MmMapLockedPagesSpecifyCache(pShareMM_MDL, UserMode, MmCached, NULL, FALSE, NormalPagePriority);
KuangKeDebugPrint("pShareMM_SYS的地址为: 0x%p\n", (PUCHAR)pShareMM_SYS);
KuangKeDebugPrint("pShareMM_User的地址为: 0x%p\n", (PUCHAR)pShareMM_User);
//MmUnMapLockerPages(pShareMM_MDL);
MmUnmapLockedPages(pShareMM_User, pShareMM_MDL);
IoFreeMdl(pShareMM_MDL);
KuangKeFree(pShareMM_SYS);
KeUnstackDetachProcess(&vKapcState);
用户层映射内核
BaseAddr = OpenKernel32(); //映射kernel32的section到本进程的低2G空间
if (!BaseAddr)
{
KdPrint(("DriverEntry--OpenKernel32 failure!\n"));
return 0;
}
KdPrint(("BaseAddr: 0x%08x\n",BaseAddr));
//创建一个MDL
pMDL = IoAllocateMdl(BaseAddr,0x11c000,FALSE,FALSE,NULL);
if (!pMDL)
{
KdPrint(("pMDL == NULL\n"));
return 0;
}
_try
{
MmProbeAndLockPages(pMDL,UserMode,IoReadAccess);
}
_except(EXCEPTION_EXECUTE_HANDLER)
{
KdPrint(("MmProbeAndLockPages exception\n"));
}
_try
{
pMapedAddr = MmMapLockedPagesSpecifyCache(pMDL,KernelMode,MmCached,NULL,FALSE,NormalPagePriority);
if (!pMapedAddr)
{
KdPrint(("pMapedAdd == NULL\n"));
return 0;
}
}
_except(EXCEPTION_EXECUTE_HANDLER)
{
KdPrint(("MmMapLockedPagesSpecifyCache exception\n"));
}