1 stdafx.h 头文件代码
2
3 #ifndef _WIN32_WINNT // Allow use of features specific to Windows XP or later.
4 #define _WIN32_WINNT 0x0501 // Change this to the appropriate value to target other versions of Windows.
5 #endif
6
7 #ifdef __cplusplus
8 extern "C"
9 {
10
11 #endif
12
13 #include <ntddk.h>
14 #include <ntddstor.h>
15 #include <mountdev.h>
16 #include <ntddvol.h>
17
18
19 #ifdef __cplusplus
20 }
21 #endif
1 驱动读写 C++代码
2
3 #include <ntifs.h>
4 #include <ntddk.h>
5 #include "stdafx.h"
6
7
8 extern "C" NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING RegistryPath);
9
10
11 #define arraysize(p) (sizeof(p)/sizeof((p)[0]))
12 NTSTATUS ControlCode(IN PDEVICE_OBJECT pDevObj, IN PIRP pIrp);
13 NTSTATUS CreateMyDevice(IN PDRIVER_OBJECT pDriverObject);
14 NTSTATUS NtCreateMessage(IN PDEVICE_OBJECT pDevObj, IN PIRP pIrp);
15 int ReadProcessMemory(PVOID Address, SIZE_T BYTE_size, int PID);
16 int WriteProcessMemory(VOID* Address, SIZE_T BYTE_size, VOID *VirtualAddress, int PID);
17 #define READPROCESSMEMORY CTL_CODE(FILE_DEVICE_UNKNOWN, 0x800, METHOD_BUFFERED, FILE_ANY_ACCESS)
18 #define WRITEPROCESSMEMORY CTL_CODE(FILE_DEVICE_UNKNOWN, 0x801, METHOD_BUFFERED, FILE_ANY_ACCESS)
19 #define WRITEPROCESSMEMORY_BYTE CTL_CODE(FILE_DEVICE_UNKNOWN, 0x802, METHOD_BUFFERED, FILE_ANY_ACCESS)
20
21 //卸载回调
22 void UnloadDriver(PDRIVER_OBJECT pDriverObject)
23 {
24 //用来取得要删除设备对象
25 PDEVICE_OBJECT pDev;
26 UNICODE_STRING symLinkName;
27 pDev = pDriverObject->DeviceObject;
28 //删除设备
29 IoDeleteDevice(pDev);
30
31 //取符号链接名字
32 RtlInitUnicodeString(&symLinkName, L"\\??\\My_DriverLinkName");
33 //删除符号链接
34 IoDeleteSymbolicLink(&symLinkName);
35 KdPrint(("驱动成功卸载\n"));
36 }
37
38 NTSTATUS DriverEntry(PDRIVER_OBJECT pDriverObject,PUNICODE_STRING RegistryPath)
39 {
40 //设置卸载函数
41 pDriverObject->DriverUnload = UnloadDriver;
42 //处理R3的CreateFile操作不然会失败
43 pDriverObject->MajorFunction[IRP_MJ_CREATE] = NtCreateMessage;
44 //处理R3的控制代码
45 pDriverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL] = ControlCode;
46 //创建相应的设备
47 CreateMyDevice(pDriverObject);
48 KdPrint(("驱动成功加载\n"));
49 return STATUS_SUCCESS;
50 }
51 //处理控制IO代码
52 NTSTATUS ControlCode(IN PDEVICE_OBJECT pDevObj, IN PIRP pIrp)
53 {
54 NTSTATUS status = STATUS_SUCCESS;
55 KdPrint(("Enter HelloDDKDeviceIOControl\n"));
56
57 //得到当前堆栈
58 PIO_STACK_LOCATION stack = IoGetCurrentIrpStackLocation(pIrp);
59 //得到输入缓冲区大小
60 ULONG cbin = stack->Parameters.DeviceIoControl.InputBufferLength;
61 //得到输出缓冲区大小
62 ULONG cbout = stack->Parameters.DeviceIoControl.OutputBufferLength;
63 //得到IOCTL码
64 ULONG code = stack->Parameters.DeviceIoControl.IoControlCode;
65
66 ULONG info = 0;
67
68 switch (code)
69 {
70 case READPROCESSMEMORY://读4字节整数型
71 {
72 //显示输入缓冲区数据
73 int PID = 0, Address = 0, BYTE_size=0;
74 int *InputBuffer = (int*)pIrp->AssociatedIrp.SystemBuffer;
75 _asm
76 {
77 MOV EAX,InputBuffer
78 MOV EBX, DWORD PTR DS : [EAX]
79 MOV PID,EBX
80 MOV EBX, DWORD PTR DS : [EAX + 4]
81 MOV Address,EBX
82 MOV EBX,DWORD PTR DS:[EAX + 8]
83 MOV BYTE_size, EBX
84 }
85 //操作输出缓冲区
86 int *OutputBuffer = (int*)pIrp->AssociatedIrp.SystemBuffer;
87 *OutputBuffer = ReadProcessMemory((VOID*)Address, BYTE_size, PID);
88 //设置实际操作输出缓冲区长度
89 info = 4;
90 break;
91 }
92 case WRITEPROCESSMEMORY://写4字节整数型
93 {
94 //显示输入缓冲区数据
95 int PID = 0, Address = 0,buff ,BYTE_size = 0;
96 int *InputBuffer = (int*)pIrp->AssociatedIrp.SystemBuffer;
97 _asm
98 {
99 MOV EAX, InputBuffer
100 MOV EBX, DWORD PTR DS : [EAX]
101 MOV PID, EBX
102 MOV EBX, DWORD PTR DS : [EAX + 4]
103 MOV Address, EBX
104 MOV EBX, DWORD PTR DS : [EAX + 8]
105 MOV buff, EBX
106 MOV EBX, DWORD PTR DS : [EAX + 0xC]
107 MOV BYTE_size, EBX
108 }
109 //操作输出缓冲区
110 int *OutputBuffer = (int*)pIrp->AssociatedIrp.SystemBuffer;
111 *OutputBuffer = WriteProcessMemory((VOID*)Address, BYTE_size, &buff, PID);
112 //设置实际操作输出缓冲区长度
113 info = 4;
114 break;
115 }
116 case WRITEPROCESSMEMORY_BYTE://写字节集
117 {
118 //显示输入缓冲区数据
119 int PID = 0, Address = 0, buff, BYTE_size = 0;
120 int *InputBuffer = (int*)pIrp->AssociatedIrp.SystemBuffer;
121 _asm
122 {
123 MOV EAX, InputBuffer
124 MOV EBX, DWORD PTR DS : [EAX]
125 MOV PID, EBX
126 MOV EBX, DWORD PTR DS : [EAX + 4]
127 MOV Address, EBX
128 MOV EBX, DWORD PTR DS : [EAX + 8]
129 MOV buff, EBX
130 MOV EBX, DWORD PTR DS : [EAX + 0xC]
131 MOV BYTE_size, EBX
132 }
133 //操作输出缓冲区
134 int *OutputBuffer = (int*)pIrp->AssociatedIrp.SystemBuffer;
135 *OutputBuffer = WriteProcessMemory((VOID*)Address, BYTE_size, (VOID*)buff, PID);
136 //设置实际操作输出缓冲区长度
137 info = 4;
138 break;
139 }
140 default:
141 status = STATUS_INVALID_VARIANT;
142 }
143 // 完成IRP
144 pIrp->IoStatus.Status = status;
145 pIrp->IoStatus.Information = info;
146 IoCompleteRequest(pIrp, IO_NO_INCREMENT);
147 return status;
148 }
149
150 typedef struct _DEVICE_EXTENSION {
151 PDEVICE_OBJECT pDevice;
152 UNICODE_STRING ustrDeviceName; //设备名称
153 UNICODE_STRING ustrSymLinkName; //符号链接名
154
155 PUCHAR buffer;//缓冲区
156 ULONG file_length;//模拟的文件长度,必须小于MAX_FILE_LENGTH
157 } DEVICE_EXTENSION, *PDEVICE_EXTENSION;
158 #pragma INITCODE /*指的代码运行后 就从内存释放掉*/
159 //创建符号链接
160 NTSTATUS CreateMyDevice(IN PDRIVER_OBJECT pDriverObject)
161 {
162 NTSTATUS status;
163 PDEVICE_OBJECT pDevObj;
164 PDEVICE_EXTENSION pDevExt;
165
166 //创建设备名称
167 UNICODE_STRING devName;
168 RtlInitUnicodeString(&devName, L"\\Device\\My_DriverLinkName");
169
170 //创建设备
171 status = IoCreateDevice(pDriverObject,sizeof(DEVICE_EXTENSION),&devName,FILE_DEVICE_UNKNOWN,0, FALSE,&pDevObj);
172 if (!NT_SUCCESS(status))
173 return status;
174
175 pDevObj->Flags |= DO_DIRECT_IO;
176 pDevExt = (PDEVICE_EXTENSION)pDevObj->DeviceExtension;
177 pDevExt->pDevice = pDevObj;
178 pDevExt->ustrDeviceName = devName;
179
180 //申请模拟文件的缓冲区
181 pDevExt->buffer = (PUCHAR)ExAllocatePool(PagedPool, 1024);
182 //设置模拟文件大小
183 pDevExt->file_length = 0;
184
185 //创建符号链接
186 UNICODE_STRING symLinkName;
187 RtlInitUnicodeString(&symLinkName, L"\\??\\My_DriverLinkName");
188 pDevExt->ustrSymLinkName = symLinkName;
189 status = IoCreateSymbolicLink(&symLinkName, &devName);
190
191 if (!NT_SUCCESS(status))
192 {
193 IoDeleteDevice(pDevObj);
194 return status;
195 }
196 return STATUS_SUCCESS;
197 }
198
199 //处理其他IO消息直接返回成功
200 #pragma PAGEDCODE
201 NTSTATUS NtCreateMessage(IN PDEVICE_OBJECT pDevObj, IN PIRP pIrp)
202 {
203
204 NTSTATUS status = STATUS_SUCCESS;
205 // 完成IRP
206 pIrp->IoStatus.Status = status;
207 pIrp->IoStatus.Information = 0; // bytes xfered
208 IoCompleteRequest(pIrp, IO_NO_INCREMENT);
209 return status;
210 }
211
212 //读内存整数型
213 int ReadProcessMemory(VOID* Address, SIZE_T BYTE_size, int PID)
214 {
215 PEPROCESS pEProcess;
216 PVOID buff1;
217 VOID *buff2;
218 int MemoryNumerical =0;
219 KAPC_STATE KAPC = { 0 };
220 __try
221 {
222 //得到进程EPROCESS
223 PsLookupProcessByProcessId((HANDLE)PID, &pEProcess);
224 //分配内存
225 buff1 = ExAllocatePoolWithTag((POOL_TYPE)0, BYTE_size, 1222);
226 buff2 = buff1;
227 *(int*)buff1 = 1;
228 //附加到要读写的进程
229 KeStackAttachProcess((PRKPROCESS)pEProcess, &KAPC);
230 // 判断内存是否可读
231 ProbeForRead(Address, BYTE_size, 1);
232 //复制内存
233 memcpy(buff2, Address, BYTE_size);
234 // 剥离附加的进程
235 KeUnstackDetachProcess(&KAPC);
236 //读内存
237 MemoryNumerical = *(int*)buff2;
238 // 释放申请的内存
239 ExFreePoolWithTag(buff2, 1222);
240 }
241 __except (EXCEPTION_EXECUTE_HANDLER)
242 {
243 KdPrint(("错误\n"));
244 }
245 return MemoryNumerical;
246
247 }
248 //写内存整数型
249 int WriteProcessMemory(VOID* Address, SIZE_T BYTE_size, VOID *VirtualAddress,int PID)
250 {
251 PEPROCESS pEProcess;
252 PVOID buff1;
253 VOID *buff2;
254 int MemoryNumerical = 0;
255 KAPC_STATE KAPC = { 0 };
256 __try
257 {
258 //得到进程EPROCESS
259 PsLookupProcessByProcessId((HANDLE)PID, &pEProcess);
260 //分配内存
261 buff1 = ExAllocatePoolWithTag((POOL_TYPE)0, BYTE_size, 1111);
262 buff2 = buff1;
263 *(int*)buff1 = 1;
264 if (MmIsAddressValid((PVOID)VirtualAddress))
265 {
266 //复制内存
267 memcpy(buff2, VirtualAddress, BYTE_size);
268 }
269 else
270 {
271 return 0;
272 }
273 //附加到要读写的进程
274 KeStackAttachProcess((PRKPROCESS)pEProcess, &KAPC);
275 if (MmIsAddressValid((PVOID)Address))
276 {
277 //判断地址是否可写
278 ProbeForWrite(Address, BYTE_size, 1);
279 //复制内存
280 memcpy(Address, buff2, BYTE_size);
281 }
282 else
283 {
284 return 0;
285 }
286 // 剥离附加的进程
287 KeUnstackDetachProcess(&KAPC);
288 ExFreePoolWithTag(buff2, 1111);
289 }
290 __except (EXCEPTION_EXECUTE_HANDLER)
291 {
292 KdPrint(("错误\n"));
293 }
294 return 1;
295 }
1 R3通信代码
2
3 #include <stdio.h>
4 #include <windows.h>
5 #include<winioctl.h>
6 #define READPROCESSMEMORY CTL_CODE(FILE_DEVICE_UNKNOWN, 0x800, METHOD_BUFFERED, FILE_ANY_ACCESS)
7 #define WRITEPROCESSMEMORY CTL_CODE(FILE_DEVICE_UNKNOWN, 0x801, METHOD_BUFFERED, FILE_ANY_ACCESS)
8 #define WRITEPROCESSMEMORY_BYTE CTL_CODE(FILE_DEVICE_UNKNOWN, 0x802, METHOD_BUFFERED, FILE_ANY_ACCESS)
9 int ReadMemory(HANDLE hDevice, int PID,int Address,int size)//读内存
10 {
11
12 int port[3];
13 int bufret;
14 DWORD dwWrite;
15 port[0]=PID;
16 port[1]=Address;
17 port[2]=size;
18 DeviceIoControl(hDevice,READPROCESSMEMORY, &port, 12, &bufret, 4, &dwWrite, NULL);
19 return bufret;
20
21 }
22
23 int WriteMemory_int(HANDLE hDevice, int PID,int Address,int buff,int size)//写内存整数型
24 {
25
26 int port[4];
27 int bufret;
28 DWORD dwWrite;
29 port[0]=PID;
30 port[1]=Address;
31 port[2]=buff;
32 port[3]=size;
33 DeviceIoControl(hDevice,WRITEPROCESSMEMORY, &port, 16, &bufret, 4, &dwWrite, NULL);
34 return bufret;
35
36 }
37
38 int WriteMemory_byte(HANDLE hDevice, int PID,int Address,BYTE *buff,int size)//写内存字节集
39 {
40 int port[4];
41 int bufret;
42 DWORD dwWrite;
43 port[0]=PID;
44 port[1]=Address;
45 port[2]=(int)buff;
46 port[3]=size;
47 DeviceIoControl(hDevice,WRITEPROCESSMEMORY_BYTE, &port, 16, &bufret, 4, &dwWrite, NULL);
48 return bufret;
49
50 }
51 int main(int argc, char* argv[])
52 {
53 HANDLE hDevice = CreateFileW(L"\\\\.\\My_DriverLinkName", GENERIC_READ | GENERIC_WRITE,0,NULL,OPEN_EXISTING,FILE_ATTRIBUTE_NORMAL,NULL );
54 if (hDevice == INVALID_HANDLE_VALUE)
55 {
56 printf("获取驱动失败: %s with Win32 error code: %d\n","MyDriver", GetLastError() );
57 getchar();
58 return -1;
59 }
60 int PID=0;
61 printf("输入进程ID!\n");
62 scanf("%d",&PID);
63 BYTE a[]={0x01,0x02,0x03,0x04,0x05};
64 int r=WriteMemory_byte(hDevice,PID,9165792,a,5);//写内存字节集
65 printf("0x8BDBE0=%d\n",r);
66 getchar();
67 getchar();
68 return 0;
69 }
