驅動讀寫進程內存R3,R0通信

stdafx.h 頭文件代碼

#ifndef _WIN32_WINNT        // Allow use of features specific to Windows XP or later.                   
#define _WIN32_WINNT 0x0501    // Change this to the appropriate value to target other versions of Windows.
#endif                        

#ifdef __cplusplus
extern "C" 
{

#endif

#include <ntddk.h>
#include <ntddstor.h>
#include <mountdev.h>
#include <ntddvol.h>


#ifdef __cplusplus
}
#endif

驅動讀寫 C++代碼

#include <ntifs.h>
#include <ntddk.h>
#include "stdafx.h"


extern "C" NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING  RegistryPath);


#define arraysize(p) (sizeof(p)/sizeof((p)[0]))
NTSTATUS ControlCode(IN PDEVICE_OBJECT pDevObj, IN PIRP pIrp);
NTSTATUS CreateMyDevice(IN PDRIVER_OBJECT pDriverObject);
NTSTATUS NtCreateMessage(IN PDEVICE_OBJECT pDevObj, IN PIRP pIrp);
int ReadProcessMemory(PVOID Address, SIZE_T BYTE_size, int PID);
int WriteProcessMemory(VOID* Address, SIZE_T BYTE_size, VOID *VirtualAddress, int PID);
#define READPROCESSMEMORY CTL_CODE(FILE_DEVICE_UNKNOWN, 0x800, METHOD_BUFFERED, FILE_ANY_ACCESS)
#define WRITEPROCESSMEMORY CTL_CODE(FILE_DEVICE_UNKNOWN, 0x801, METHOD_BUFFERED, FILE_ANY_ACCESS)
#define WRITEPROCESSMEMORY_BYTE CTL_CODE(FILE_DEVICE_UNKNOWN, 0x802, METHOD_BUFFERED, FILE_ANY_ACCESS)

//卸載回調
void UnloadDriver(PDRIVER_OBJECT pDriverObject)
{
    //用來取得要刪除設備對象
    PDEVICE_OBJECT pDev;
    UNICODE_STRING symLinkName;
    pDev = pDriverObject->DeviceObject;
    //刪除設備
    IoDeleteDevice(pDev); 

    //取符號鏈接名字
    RtlInitUnicodeString(&symLinkName, L"\\??\\My_DriverLinkName");
    //刪除符號鏈接
    IoDeleteSymbolicLink(&symLinkName);
    KdPrint(("驅動成功卸載\n"));
}

NTSTATUS DriverEntry(PDRIVER_OBJECT  pDriverObject,PUNICODE_STRING  RegistryPath)
{
    //設置卸載函數
    pDriverObject->DriverUnload = UnloadDriver;
    //處理R3的CreateFile操作不然會失敗
    pDriverObject->MajorFunction[IRP_MJ_CREATE] = NtCreateMessage;
    //處理R3的控制代碼
    pDriverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL] = ControlCode;
    //創建相應的設備
    CreateMyDevice(pDriverObject);
    KdPrint(("驅動成功加載\n"));
    return STATUS_SUCCESS;
}
//處理控制IO代碼
NTSTATUS ControlCode(IN PDEVICE_OBJECT pDevObj, IN PIRP pIrp)
{
    NTSTATUS status = STATUS_SUCCESS;
    KdPrint(("Enter HelloDDKDeviceIOControl\n"));

    //得到當前堆棧
    PIO_STACK_LOCATION stack = IoGetCurrentIrpStackLocation(pIrp);
    //得到輸入緩沖區大小
    ULONG cbin = stack->Parameters.DeviceIoControl.InputBufferLength;
    //得到輸出緩沖區大小
    ULONG cbout = stack->Parameters.DeviceIoControl.OutputBufferLength;
    //得到IOCTL碼
    ULONG code = stack->Parameters.DeviceIoControl.IoControlCode;

    ULONG info = 0;

    switch (code)
    {
    case  READPROCESSMEMORY://讀4字節整數型
        {
            //顯示輸入緩沖區數據
            int PID = 0, Address = 0, BYTE_size=0;
            int *InputBuffer = (int*)pIrp->AssociatedIrp.SystemBuffer;
            _asm
            {
                MOV EAX,InputBuffer
                    MOV EBX, DWORD PTR DS : [EAX]
                MOV PID,EBX
                    MOV EBX, DWORD PTR DS : [EAX + 4]
                MOV Address,EBX
                    MOV EBX,DWORD PTR DS:[EAX + 8]
                MOV BYTE_size, EBX
            }
            //操作輸出緩沖區
            int *OutputBuffer = (int*)pIrp->AssociatedIrp.SystemBuffer;
            *OutputBuffer = ReadProcessMemory((VOID*)Address, BYTE_size, PID);
            //設置實際操作輸出緩沖區長度
            info = 4;
            break;
        }
    case  WRITEPROCESSMEMORY://寫4字節整數型
        {
            //顯示輸入緩沖區數據
            int PID = 0, Address = 0,buff ,BYTE_size = 0;
            int *InputBuffer = (int*)pIrp->AssociatedIrp.SystemBuffer;
            _asm
            {
                MOV EAX, InputBuffer
                    MOV EBX, DWORD PTR DS : [EAX]
                MOV PID, EBX
                    MOV EBX, DWORD PTR DS : [EAX + 4]
                MOV Address, EBX
                    MOV EBX, DWORD PTR DS : [EAX + 8]
                MOV buff, EBX
                    MOV EBX, DWORD PTR DS : [EAX + 0xC]
                MOV BYTE_size, EBX
            }
            //操作輸出緩沖區
            int *OutputBuffer = (int*)pIrp->AssociatedIrp.SystemBuffer;
            *OutputBuffer = WriteProcessMemory((VOID*)Address, BYTE_size, &buff, PID);
            //設置實際操作輸出緩沖區長度
            info = 4;
            break;
        }
    case  WRITEPROCESSMEMORY_BYTE://寫字節集
        {
            //顯示輸入緩沖區數據
            int PID = 0, Address = 0, buff, BYTE_size = 0;
            int *InputBuffer = (int*)pIrp->AssociatedIrp.SystemBuffer;
            _asm
            {
                MOV EAX, InputBuffer
                    MOV EBX, DWORD PTR DS : [EAX]
                MOV PID, EBX
                    MOV EBX, DWORD PTR DS : [EAX + 4]
                MOV Address, EBX
                    MOV EBX, DWORD PTR DS : [EAX + 8]
                MOV buff, EBX
                    MOV EBX, DWORD PTR DS : [EAX + 0xC]
                MOV BYTE_size, EBX
            }
            //操作輸出緩沖區
            int *OutputBuffer = (int*)pIrp->AssociatedIrp.SystemBuffer;
            *OutputBuffer = WriteProcessMemory((VOID*)Address, BYTE_size, (VOID*)buff, PID);
            //設置實際操作輸出緩沖區長度
            info = 4;
            break;
        }
    default:
        status = STATUS_INVALID_VARIANT;
    }
    // 完成IRP
    pIrp->IoStatus.Status = status;
    pIrp->IoStatus.Information = info;
    IoCompleteRequest(pIrp, IO_NO_INCREMENT);
    return status;
}

typedef struct _DEVICE_EXTENSION {
    PDEVICE_OBJECT pDevice;
    UNICODE_STRING ustrDeviceName;    //設備名稱
    UNICODE_STRING ustrSymLinkName;    //符號鏈接名

    PUCHAR buffer;//緩沖區
    ULONG file_length;//模擬的文件長度，必須小於MAX_FILE_LENGTH
} DEVICE_EXTENSION, *PDEVICE_EXTENSION;
#pragma INITCODE /*指的代碼運行后 就從內存釋放掉*/
//創建符號鏈接
NTSTATUS CreateMyDevice(IN PDRIVER_OBJECT pDriverObject)
{
    NTSTATUS status;
    PDEVICE_OBJECT pDevObj;
    PDEVICE_EXTENSION pDevExt;

    //創建設備名稱
    UNICODE_STRING devName;
    RtlInitUnicodeString(&devName, L"\\Device\\My_DriverLinkName");

    //創建設備
    status = IoCreateDevice(pDriverObject,sizeof(DEVICE_EXTENSION),&devName,FILE_DEVICE_UNKNOWN,0, FALSE,&pDevObj);
    if (!NT_SUCCESS(status))
        return status;

    pDevObj->Flags |= DO_DIRECT_IO;
    pDevExt = (PDEVICE_EXTENSION)pDevObj->DeviceExtension;
    pDevExt->pDevice = pDevObj;
    pDevExt->ustrDeviceName = devName;

    //申請模擬文件的緩沖區
    pDevExt->buffer = (PUCHAR)ExAllocatePool(PagedPool, 1024);
    //設置模擬文件大小
    pDevExt->file_length = 0;

    //創建符號鏈接
    UNICODE_STRING symLinkName;
    RtlInitUnicodeString(&symLinkName, L"\\??\\My_DriverLinkName");
    pDevExt->ustrSymLinkName = symLinkName;
    status = IoCreateSymbolicLink(&symLinkName, &devName);

    if (!NT_SUCCESS(status))
    {
        IoDeleteDevice(pDevObj);
        return status;
    }
    return STATUS_SUCCESS;
}

//處理其他IO消息直接返回成功
#pragma PAGEDCODE
NTSTATUS NtCreateMessage(IN PDEVICE_OBJECT pDevObj, IN PIRP pIrp)
{

    NTSTATUS status = STATUS_SUCCESS;
    // 完成IRP
    pIrp->IoStatus.Status = status;
    pIrp->IoStatus.Information = 0;    // bytes xfered
    IoCompleteRequest(pIrp, IO_NO_INCREMENT);
    return status;
}

//讀內存整數型
int ReadProcessMemory(VOID* Address, SIZE_T BYTE_size, int PID)
{
    PEPROCESS pEProcess;
    PVOID buff1;
    VOID *buff2;
    int MemoryNumerical =0;
    KAPC_STATE   KAPC = { 0 };
    __try
    {
        //得到進程EPROCESS
        PsLookupProcessByProcessId((HANDLE)PID, &pEProcess);
        //分配內存
        buff1 = ExAllocatePoolWithTag((POOL_TYPE)0, BYTE_size, 1222);
        buff2 = buff1;
        *(int*)buff1 = 1;
        //附加到要讀寫的進程
        KeStackAttachProcess((PRKPROCESS)pEProcess, &KAPC);
        // 判斷內存是否可讀
        ProbeForRead(Address, BYTE_size, 1);
        //復制內存
        memcpy(buff2, Address, BYTE_size);
        // 剝離附加的進程
        KeUnstackDetachProcess(&KAPC);
        //讀內存
        MemoryNumerical = *(int*)buff2;
        // 釋放申請的內存
        ExFreePoolWithTag(buff2, 1222);
    }
    __except (EXCEPTION_EXECUTE_HANDLER)
    {
        KdPrint(("錯誤\n"));
    }
    return MemoryNumerical;

}
//寫內存整數型
int WriteProcessMemory(VOID* Address, SIZE_T BYTE_size, VOID *VirtualAddress,int PID)
{
    PEPROCESS pEProcess;
    PVOID buff1;
    VOID *buff2;
    int MemoryNumerical = 0;
    KAPC_STATE   KAPC = { 0 };
    __try
    {
        //得到進程EPROCESS
        PsLookupProcessByProcessId((HANDLE)PID, &pEProcess);
        //分配內存
        buff1 = ExAllocatePoolWithTag((POOL_TYPE)0, BYTE_size, 1111);
        buff2 = buff1;
        *(int*)buff1 = 1;
        if (MmIsAddressValid((PVOID)VirtualAddress))
        {
            //復制內存
            memcpy(buff2, VirtualAddress, BYTE_size);
        }
        else
        {
            return 0;
        }
        //附加到要讀寫的進程
        KeStackAttachProcess((PRKPROCESS)pEProcess, &KAPC);
        if (MmIsAddressValid((PVOID)Address))
        {
            //判斷地址是否可寫
            ProbeForWrite(Address, BYTE_size, 1);
            //復制內存
            memcpy(Address, buff2, BYTE_size);
        }
        else
        {
            return 0;
        }
        // 剝離附加的進程
        KeUnstackDetachProcess(&KAPC);
        ExFreePoolWithTag(buff2, 1111);
    }
    __except (EXCEPTION_EXECUTE_HANDLER)
    {
        KdPrint(("錯誤\n"));
    }
    return 1;
}

R3通信代碼

#include <stdio.h>
#include <windows.h>
#include<winioctl.h> 
#define READPROCESSMEMORY CTL_CODE(FILE_DEVICE_UNKNOWN, 0x800, METHOD_BUFFERED, FILE_ANY_ACCESS)
#define WRITEPROCESSMEMORY CTL_CODE(FILE_DEVICE_UNKNOWN, 0x801, METHOD_BUFFERED, FILE_ANY_ACCESS)
#define WRITEPROCESSMEMORY_BYTE CTL_CODE(FILE_DEVICE_UNKNOWN, 0x802, METHOD_BUFFERED, FILE_ANY_ACCESS)
int ReadMemory(HANDLE hDevice, int PID,int Address,int size)//讀內存
{
    
    int port[3];
    int bufret;
    DWORD dwWrite;
    port[0]=PID;
    port[1]=Address;
    port[2]=size;
    DeviceIoControl(hDevice,READPROCESSMEMORY, &port, 12, &bufret, 4, &dwWrite, NULL);
    return bufret;

}

int WriteMemory_int(HANDLE hDevice, int PID,int Address,int buff,int size)//寫內存整數型
{
    
    int port[4];
    int bufret;
    DWORD dwWrite;
    port[0]=PID;
    port[1]=Address;
    port[2]=buff;
    port[3]=size;
    DeviceIoControl(hDevice,WRITEPROCESSMEMORY, &port, 16, &bufret, 4, &dwWrite, NULL);
    return bufret;

}

int WriteMemory_byte(HANDLE hDevice, int PID,int Address,BYTE *buff,int size)//寫內存字節集
{
    int port[4];
    int bufret;
    DWORD dwWrite;
    port[0]=PID;
    port[1]=Address;
    port[2]=(int)buff;
    port[3]=size;
    DeviceIoControl(hDevice,WRITEPROCESSMEMORY_BYTE, &port, 16, &bufret, 4, &dwWrite, NULL);
    return bufret;

}
int main(int argc, char* argv[])
{
    HANDLE hDevice = CreateFileW(L"\\\\.\\My_DriverLinkName", GENERIC_READ | GENERIC_WRITE,0,NULL,OPEN_EXISTING,FILE_ATTRIBUTE_NORMAL,NULL );    
    if (hDevice == INVALID_HANDLE_VALUE)
    {
        printf("獲取驅動失敗: %s with Win32 error code: %d\n","MyDriver", GetLastError() );
        getchar();
        return -1;
    }
    int PID=0;
    printf("輸入進程ID！\n");
    scanf("%d",&PID);
    BYTE a[]={0x01,0x02,0x03,0x04,0x05};
  int r=WriteMemory_byte(hDevice,PID,9165792,a,5);//寫內存字節集
  printf("0x8BDBE0=%d\n",r);
   getchar();
   getchar();
    return 0;
}