逆向 | 驱动挂靠进程直接读内存

逆向 | 驱动挂靠进程直接读内存

参考:https://cloud.tencent.com/developer/article/2358904
https://github.com/Whitebird0/driver_read_and_write/blob/main/04-读写内存/ReadMemory.c

代码如下:
代码不长，但是有坑：比如 ExAllocatePool2 的参数就跟之前不一样了，这个点我调试了好久，晕。

// Request block consumed by MDLReadMemory. Every field is supplied by the
// requester (presumably through an IOCTL — confirm against the dispatch
// routine), so nothing in it may be trusted by the driver.
typedef struct
{
    DWORD pid;                // target process ID to read from / write to
    DWORD64 address;          // address inside the target process
    DWORD size;               // number of bytes to transfer
    BYTE* data;               // requester's buffer that receives (or supplies) the bytes
}ReadMemoryStruct;

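// Copies data->size bytes from user address data->address inside process
// data->pid into the requester's buffer data->data.
//
// Despite the name no MDL is involved: the driver attaches to the target with
// KeStackAttachProcess, probes the range and copies it into a paged-pool
// staging buffer, detaches, and then copies the staging buffer to the
// requester's buffer in the requester's own context.
//
// data: caller-supplied request. All four fields originate outside the driver,
//       so address/size are probed in the target and data->data is probed for
//       write before it is touched — an unchecked write to a caller-chosen
//       pointer would otherwise let any requester write kernel memory.
// Returns TRUE when the whole range was copied, FALSE on any failure.
// Expected to run at PASSIVE_LEVEL in the requesting thread (paged pool and
// KeStackAttachProcess both require it) — TODO confirm against the caller.
BOOL MDLReadMemory(ReadMemoryStruct* data)
{
    BOOL bRet = FALSE;
    PEPROCESS process = NULL;
    BYTE* GetData = NULL;
    KAPC_STATE stack = { 0 };
    NTSTATUS status;

    // A zero-length request would make ExAllocatePool2 fail or ProbeForRead
    // meaningless; a NULL output pointer can never be satisfied.
    if (data == NULL || data->data == NULL || data->size == 0)
    {
        DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, "[fail] invalid ReadMemoryStruct\r\n");
        return FALSE;
    }

    // On success this takes a reference on the EPROCESS that ObDereferenceObject
    // must drop; on failure `process` is not valid and must not be dereferenced.
    status = PsLookupProcessByProcessId((HANDLE)data->pid, &process);
    if (!NT_SUCCESS(status) || process == NULL)
    {
        DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, "[fail] PsLookupProcessByProcessId pid=%lu\r\n", (unsigned long)data->pid);
        return FALSE;
    }

    // Debug-only: EPROCESS.ImageFileName is read through a hard-coded offset
    // (+0x5a8) that is only valid for the Windows build the author debugged on;
    // on any other build this prints garbage or faults non-recoverably (kernel
    // address faults are not caught by SEH). The exported
    // PsGetProcessImageFileName() is the build-independent way to get this.
    UCHAR* imagename = ((BYTE*)process + 0x5a8);
    DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, "> [info] ImageFileName: %s \r\n", imagename);

    // ExAllocatePool2 returns NULL on failure rather than raising (no
    // POOL_FLAG_RAISE_ON_FAILURE here), so the NULL check is the only guard.
    GetData = ExAllocatePool2(POOL_FLAG_PAGED, data->size, 'qwer');
    if (GetData == NULL)
    {
        DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, "[fail] GetData ExAllocatePool2\r\n");
        goto out_deref;
    }

    // Attach so the target's user-mode address space is the current one.
    // KeStackAttachProcess does not raise, so it needs no SEH frame.
    KeStackAttachProcess(process, &stack);

    __try
    {
        DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, "[info] ProbeForRead(%I64x,%x)\r\n", data->address, data->size);
        // ProbeForRead raises for kernel-mode or wrapping ranges; the copy
        // itself raises if a user page in the range is not mapped. Both land
        // in the handler below and leave bRet FALSE.
        ProbeForRead((volatile VOID*)data->address, data->size, 1);
        RtlCopyMemory(GetData, (const void*)data->address, data->size);
        bRet = TRUE;
    }
    __except (EXCEPTION_EXECUTE_HANDLER)
    {
        DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, "[err] ProbeForRead code: %x\r\n", GetExceptionCode());
        bRet = FALSE;
    }

    // Detach before touching data->data: that pointer belongs to the
    // requester's address space, not the target's.
    KeUnstackDetachProcess(&stack);

    if (bRet)
    {
        __try
        {
            // data->data is requester-supplied; probe it for write in the
            // requester's context instead of trusting it. Assumes the
            // requester is user mode, as the ProbeForRead on data->address
            // already does — confirm against the dispatch routine.
            ProbeForWrite(data->data, data->size, 1);
            RtlCopyMemory(data->data, GetData, data->size);
        }
        __except (EXCEPTION_EXECUTE_HANDLER)
        {
            DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, "[err] ProbeForWrite code: %x\r\n", GetExceptionCode());
            bRet = FALSE;
        }
    }

    ExFreePool(GetData);

out_deref:
    // Drop the lookup reference only after we are no longer attached to it.
    ObDereferenceObject(process);
    return bRet;
}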