This is just a simple implementation of reading data from another process's address space... writing works the same way... fairly simple... With this you can read user space from the kernel... haha.

As you all know, in user mode we usually use ReadProcessMemory from kernel32.dll to read a process. That function only does some simple handling of its arguments and then calls NtReadVirtualMemory/ZwReadVirtualMemory in ntdll.dll... in ntdll there is no difference between these two functions... but in the kernel it is a different story. NtReadVirtualMemory in ntdll.dll simply puts the system service number into EAX, then calls the handler at a certain address; that handler performs the switch from user mode to kernel mode, and the kernel then calls the kernel-mode NtReadVirtualMemory. NtReadVirtualMemory in turn calls MmCopyVirtualMemory, and that inevitably involves the function KeStackAttachProcess. Here we use it to implement our own NtReadVirtualMemory... just a simple one... I haven't handled some of the errors either...

--by Sysnap --http://hi.baidu.com/sysnap

ULONG MyReadMemory(IN PVOID BaseAddress, IN SIZE_T BufferSize, IN HANDLE pid)

BaseAddress -----> the address in the target process where you want to start reading
BufferSize ------> how many bytes you want to read
pid -------------> the PID of the process you want to read from

Note: a PID is generally better than a process name.. although the process name can be obtained from the EPROCESS.. the PID is always unique. So for this parameter I use the PID rather than the process name.

#include <ntddk.h>

ULONG MyReadMemory(IN PVOID BaseAddress, IN SIZE_T BufferSize, IN HANDLE pid)
{
    PEPROCESS  EProcess;
    KAPC_STATE ApcState;
    PVOID      readbuffer;
    NTSTATUS   status;
    BOOLEAN    copied = FALSE;

    // Resolve the PID to its EPROCESS; this takes a reference that must be dropped below
    status = PsLookupProcessByProcessId(pid, &EProcess);
    if (!NT_SUCCESS(status)) {
        DbgPrint("failed to get the EPROCESS!!\n");
        return 0;
    }

    // Kernel-side buffer that receives the copy (non-paged, so it stays valid while attached)
    readbuffer = ExAllocatePoolWithTag(NonPagedPool, BufferSize, 'Sys');
    if (readbuffer == NULL) {
        DbgPrint("failed to alloc memory!\n");
        ObDereferenceObject(EProcess);
        return 0;
    }

    // Debug marker so a failed copy is visible in the output; only when the buffer can hold a ULONG
    if (BufferSize >= sizeof(ULONG))
        *(ULONG*)readbuffer = 0x1;

    // Switch the current thread's address space to the target process
    KeStackAttachProcess(EProcess, &ApcState);
    __try {
        // ProbeForRead only validates the range against the user/kernel boundary;
        // the copy itself can still fault on an unmapped page, hence the __try
        ProbeForRead((CONST PVOID)BaseAddress, BufferSize, sizeof(CHAR));
        RtlCopyMemory(readbuffer, BaseAddress, BufferSize);
        copied = TRUE;
    } __except (EXCEPTION_EXECUTE_HANDLER) {
        DbgPrint("exception while reading 0x%p\n", BaseAddress);
    }
    KeUnstackDetachProcess(&ApcState);

    if (BufferSize >= sizeof(ULONG))
        DbgPrint("%x\n", *(ULONG*)readbuffer);

    ExFreePool(readbuffer);
    ObDereferenceObject(EProcess);
    return copied ? 1 : 0;
}

Example:

MyReadMemory((PVOID)0x7c944000, 0x4, (HANDLE)904);
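To make the ProbeForRead call in the __try block concrete, here is an added example (not the post's code) that models what ProbeForRead verifies on 32-bit Windows: a zero length passes with no check, the address must satisfy the requested alignment, and base + length must neither wrap around nor exceed MmUserProbeAddress (assumed here to be 0x7FFF0000, the x86 value). The real routine raises a structured exception instead of returning a code, and it never touches the pages, which is why the copy still needs the __try/__except guard.

```c
#include <stddef.h>
#include <stdint.h>

/* Added model of the checks ProbeForRead performs; not the post's code.
 * MmUserProbeAddress on 32-bit Windows (x86) is assumed to be 0x7FFF0000. */
#define USER_PROBE_ADDRESS_X86 ((uintptr_t)0x7FFF0000u)

enum probe_result {
    PROBE_OK = 0,
    PROBE_MISALIGNED,        /* ProbeForRead raises STATUS_DATATYPE_MISALIGNMENT */
    PROBE_ACCESS_VIOLATION   /* ProbeForRead raises STATUS_ACCESS_VIOLATION */
};

/* Verifies that [base, base + length) is an aligned range lying entirely at or
 * below user_probe_address.  Like ProbeForRead it does not check that the pages
 * are actually mapped, so a later copy can still fault and needs __try/__except. */
enum probe_result probe_user_range(uintptr_t base, size_t length,
                                   size_t alignment, uintptr_t user_probe_address)
{
    if (length == 0)
        return PROBE_OK;                      /* zero length: no check at all */

    if (alignment > 1 && (base & (alignment - 1)) != 0)
        return PROBE_MISALIGNED;

    uintptr_t end = base + length;            /* unsigned wraparound is detectable */
    if (end < base || end > user_probe_address)
        return PROBE_ACCESS_VIOLATION;        /* wrapped, or reaches into kernel space */

    return PROBE_OK;
}

/* The post's sample call, MyReadMemory((PVOID)0x7c944000, 4, ...), probes with
 * alignment sizeof(CHAR) == 1; this wrapper checks that range against the x86 limit. */
enum probe_result probe_sample_call(void)
{
    return probe_user_range(0x7c944000u, 4, 1, USER_PROBE_ADDRESS_X86);
}
```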