NtReadVirtualMemory函数位于ntdll中,作用就是把用户态的函数调用翻译成相应的系统调用,进入内核态。内核中一般有一个相同名字的处理函数,接收到该类型的系统调用后做实际的工作。
NTSTATUS STDCALL
NtReadVirtualMemory(IN HANDLE ProcessHandle,
IN PVOID BaseAddress,
OUT PVOID Buffer,
IN ULONG NumberOfBytesToRead,
OUT PULONG NumberOfBytesRead)
{
NTSTATUS Status;
PMDL Mdl;
PVOID SystemAddress;
PEPROCESS Process;
DPRINT("NtReadVirtualMemory(ProcessHandle %x, BaseAddress %x, "
"Buffer %x, NumberOfBytesToRead %d)\n",ProcessHandle,BaseAddress,
Buffer,NumberOfBytesToRead);
Status = ObReferenceObjectByHandle(ProcessHandle,
PROCESS_VM_WRITE,
NULL,
UserMode,
(PVOID*)(&Process),
NULL);
if (Status != STATUS_SUCCESS)
{
return(Status);
}
}
struct _EPROCESS
{
/* Microkernel specific process state. */
KPROCESS Pcb;
}
typedef struct _KPROCESS
{
DISPATCHER_HEADER DispatcherHeader; /* 000 */
LIST_ENTRY ProfileListHead; /* 010 */
PHYSICAL_ADDRESS DirectoryTableBase; /* 018 这是cr3*/
}
Mdl = MmCreateMdl(NULL,Buffer, NumberOfBytesToRead);
MmProbeAndLockPages(Mdl,UserMode,IoWriteAccess);
KeAttachProcess(Process);
SystemAddress = MmGetSystemAddressForMdl(Mdl);
memcpy(SystemAddress, BaseAddress, NumberOfBytesToRead);
KeDetachProcess();
if (Mdl->MappedSystemVa != NULL)
{
MmUnmapLockedPages(Mdl->MappedSystemVa, Mdl);
}
MmUnlockPages(Mdl);
ExFreePool(Mdl);
ObDereferenceObject(Process);
*NumberOfBytesRead = NumberOfBytesToRead;
return(STATUS_SUCCESS);
}
memcpy(Buffer, BaseAddress, NumberOfBytesToRead);
VOID STDCALL
KeAttachProcess (PEPROCESS Process)
{
KIRQL oldlvl;
PETHREAD CurrentThread;
PULONG AttachedProcessPageDir;
ULONG PageDir;
DPRINT("KeAttachProcess(Process %x)\n",Process);
CurrentThread = PsGetCurrentThread();
if (CurrentThread->OldProcess != NULL)
{
DbgPrint("Invalid attach (thread is already attached)\n");
KEBUGCHECK(0);
}
KeRaiseIrql(DISPATCH_LEVEL, &oldlvl);
KiSwapApcEnvironment(&CurrentThread->Tcb, &Process->Pcb);
/* The stack of the current process may be located in a page which is
not present in the page directory of the process we're attaching to.
That would lead to a page fault when this function returns. However,
since the processor can't call the page fault handler 'cause it can't
push EIP on the stack, this will show up as a stack fault which will
crash the entire system.
To prevent this, make sure the page directory of the process we're
attaching to is up-to-date. */
AttachedProcessPageDir = ExAllocatePageWithPhysPage(Process->Pcb.DirectoryTableBase);
MmUpdateStackPageDir(AttachedProcessPageDir, &CurrentThread->Tcb);
ExUnmapPage(AttachedProcessPageDir);
CurrentThread->OldProcess = PsGetCurrentProcess();
CurrentThread->ThreadsProcess = Process;
PageDir = Process->Pcb.DirectoryTableBase.u.LowPart;
DPRINT("Switching process context to %x\n",PageDir);
Ke386SetPageTableDirectory(PageDir);
KeLowerIrql(oldlvl);
}
