ReadMemory Code

/***************************************************************************************
* AUTHOR :
* DATE : 2009-6-15
* MODULE : ReadMemory.C
*
* Command:
* Source of IOCTRL Sample Driver
*
* Description:
* Demonstrates communications between USER and KERNEL.
*
****************************************************************************************
* Copyright (C) 2009 .
****************************************************************************************/
//#######################################################################################
//# I N C L U D E S
//#######################################################################################
#ifndef CXX_READMEMORY_H
# include "ReadMemory.h"
#endif
#include "struct.h"
//////////////////////////////////////////////////////////////////////////
//#######################################################################################
//@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
//@@@@@@@@ D R I V E R E N T R Y P O I N T @@@@@@@@
//@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
//#######################################################################################
NTSTATUS
DriverEntry(IN PDRIVER_OBJECT pDriverObj, IN PUNICODE_STRING pRegistryString)
{
NTSTATUS status = STATUS_SUCCESS;
UNICODE_STRING ustrLinkName;
UNICODE_STRING ustrDevName;
PDEVICE_OBJECT pDevObj;
int i = 0;
dprintf("[ReadMemory] EasySys Sample Driver\r\n"
"[ReadMemory] Compiled %s %s\r\n[ReadMemory] In DriverEntry : %wZ\r\n",
__DATE__, __TIME__, pRegistryString);
// Register dispatch routines
/*
for(i = 0; i < IRP_MJ_MAXIMUM_FUNCTION; i++)
{
pDriverObj->MajorFunction[i] = DispatchCommon;
}
*/
pDriverObj->MajorFunction[IRP_MJ_CREATE] = DispatchCreate;
pDriverObj->MajorFunction[IRP_MJ_CLOSE] = DispatchClose;
// Dispatch routine for communications
pDriverObj->MajorFunction[IRP_MJ_DEVICE_CONTROL] = DispatchDeviceControl;
// Unload routine
pDriverObj->DriverUnload = DriverUnload;
// Initialize the device name.
RtlInitUnicodeString(&ustrDevName, DEVICE_NAME);
// Create the device object and device extension
status = IoCreateDevice(pDriverObj,
0,
&ustrDevName,
FILE_DEVICE_UNKNOWN,
0,
FALSE,
&pDevObj);
if(!NT_SUCCESS(status))
{
dprintf("[ReadMemory] Error, IoCreateDevice = 0x%x\r\n", status);
return status;
}
//// Get a pointer to our device extension
//deviceExtension = (PDEVICE_EXTENSION) deviceObject->DeviceExtension;
//// Save a pointer to the device object
//deviceExtension->DeviceObject = deviceObject;
if(IoIsWdmVersionAvailable(1,0x10))
{
//如果是支持符号链接用户相关性的系统
RtlInitUnicodeString(&ustrLinkName, SYMBOLIC_LINK_GLOBAL_NAME);
}
else
{
//不支持
RtlInitUnicodeString(&ustrLinkName, SYMBOLIC_LINK_NAME);
}
// Create a symbolic link to allow USER applications to access it.
status = IoCreateSymbolicLink(&ustrLinkName, &ustrDevName);
if(!NT_SUCCESS(status))
{
dprintf("[ReadMemory] Error, IoCreateSymbolicLink = 0x%x\r\n", status);
IoDeleteDevice(pDevObj);
return status;
}
//
// TODO: Add initialization code here.
//
//// Tell the I/O Manger to do BUFFERED IO
//deviceObject->Flags |= DO_BUFFERED_IO;
//// Save the DeviveObject
//deviceExtension->DeviceObject = deviceObject;
dprintf("[ReadMemory] DriverEntry Success\r\n");
return STATUS_SUCCESS;
}
VOID
DriverUnload(IN PDRIVER_OBJECT pDriverObj)
{
UNICODE_STRING strLink;
// Unloading - no resources to free so just return.
dprintf("[ReadMemory] Unloading...\r\n");;
//
// TODO: Add uninstall code here.
//
// Delete the symbolic link
RtlInitUnicodeString(&strLink, SYMBOLIC_LINK_NAME);
IoDeleteSymbolicLink(&strLink);
// Delete the DeviceObject
IoDeleteDevice(pDriverObj->DeviceObject);
dprintf("[ReadMemory] Unloaded Success\r\n");
return;
}
NTSTATUS
DispatchCreate(IN PDEVICE_OBJECT pDevObj, IN PIRP pIrp)
{
pIrp->IoStatus.Status = STATUS_SUCCESS;
pIrp->IoStatus.Information = 0;
dprintf("[ReadMemory] IRP_MJ_CREATE\r\n");
IoCompleteRequest(pIrp, IO_NO_INCREMENT);
return STATUS_SUCCESS;
}
NTSTATUS
DispatchClose(IN PDEVICE_OBJECT pDevObj, IN PIRP pIrp)
{
pIrp->IoStatus.Status = STATUS_SUCCESS;
pIrp->IoStatus.Information = 0;
dprintf("[ReadMemory] IRP_MJ_CLOSE\r\n");
IoCompleteRequest(pIrp, IO_NO_INCREMENT);
// Return success
return STATUS_SUCCESS;
}
NTSTATUS
DispatchCommon(IN PDEVICE_OBJECT pDevObj, IN PIRP pIrp)
{
pIrp->IoStatus.Status = STATUS_SUCCESS;
pIrp->IoStatus.Information = 0L;
dprintf("[ReadMemory] Common Dispatch\r\n");
IoCompleteRequest( pIrp, 0 );
// Return success
return STATUS_SUCCESS;
}
NTSTATUS
DispatchDeviceControl(IN PDEVICE_OBJECT pDevObj, IN PIRP pIrp)
{
NTSTATUS status = STATUS_INVALID_DEVICE_REQUEST; // STATUS_UNSUCCESSFUL
PIO_STACK_LOCATION pIrpStack = IoGetCurrentIrpStackLocation(pIrp);
ULONG uIoControlCode = 0;
PVOID pIoBuffer = NULL;
ULONG uInSize = 0;
ULONG uOutSize = 0;
ULONG uInfoSize = 0;
// Get the IoCtrl Code
uIoControlCode = pIrpStack->Parameters.DeviceIoControl.IoControlCode;
pIoBuffer = pIrp->AssociatedIrp.SystemBuffer;
uInSize = pIrpStack->Parameters.DeviceIoControl.InputBufferLength;
uOutSize = pIrpStack->Parameters.DeviceIoControl.OutputBufferLength;
switch(uIoControlCode)
{
case IOCTL_GET_CR4:
{
//KdBreakPoint();
dprintf("[ReadMemory] IOCTL_GET_CR4!\r\n");
ULONG uCR4 = 0;
__asm
{
cli
push eax
mov eax, cr0
and eax, not 10000h
mov cr0, eax
}
// 获得CR4的值
__asm
{
_emit 0x0F
_emit 0x20
_emit 0xE0
mov uCR4, eax
}
__asm
{
mov eax, CR0
or eax, 10000h
mov cr0,eax
pop eax
sti
}
*(PULONG)pIoBuffer = uCR4;
uOutSize = sizeof(ULONG);
// Return success
status = STATUS_SUCCESS;
}
break;
case IOCTL_WRITE_MEMORY:
{
// KdBreakPoint();
dprintf("[ReadMemory] IOCTL_WRITE_MEMORY!\r\n");
_try
{
WriteMemoryInfo *pInfo =
(WriteMemoryInfo *)ExAllocatePool(PagedPool, sizeof(WriteMemoryInfo));
RtlCopyMemory(pInfo, pIoBuffer, sizeof(WriteMemoryInfo));
PVOID pWrite = ExAllocatePool(PagedPool, pInfo->nWriteSize);
RtlCopyMemory(pWrite, pInfo->pData, pInfo->nWriteSize);
//pInfo->pData = (PBYTE)ExAllocatePool(PagedPool, pInfo->nWriteSize);
ULONG uOldCr3 = 0;
ULONG uCurrentCr3 = *(PULONG)(pInfo->nEprocess + 0x18);
if (pInfo->nMemoryAddr == 0)
{
status = STATUS_UNSUCCESSFUL;
break;
}
__asm
{
mov eax, cr3
mov uOldCr3, eax
mov eax, uCurrentCr3
mov cr3, eax
}
__asm
{
cli
push eax
mov eax, cr0
and eax, not 10000h
mov cr0, eax
}
RtlCopyMemory((PVOID)pInfo->nMemoryAddr,
pWrite, pInfo->nWriteSize);
__asm
{
mov eax, CR0
or eax, 10000h
mov cr0,eax
pop eax
sti
}
__asm
{
mov eax, uOldCr3
mov cr3, eax
}
uOutSize = pInfo->nWriteSize;
if (pInfo != NULL)
{
ExFreePool(pInfo);
pInfo = NULL;
}
// Return success
status = STATUS_SUCCESS;
}
__except(1)
{
status = STATUS_UNSUCCESSFUL;
}
}
break;
case IOCTL_READ_MEMORY:
{
// KdBreakPoint();
dprintf("[ReadMemory] IOCTL_READ_MEMORY!\r\n");
__try
{
ReadMemoryInfo *pInfo =
(ReadMemoryInfo *)ExAllocatePool(PagedPool, sizeof(ReadMemoryInfo));
RtlCopyMemory(pInfo, pIoBuffer, sizeof(ReadMemoryInfo));
ULONG uOldCr3 = 0;
ULONG uCurrentCr3 = *(PULONG)(pInfo->nEprocess + 0x18);
if (pInfo->nMemoryAddr == 0)
{
status = STATUS_UNSUCCESSFUL;
break;
}
__asm
{
mov eax, cr3
mov uOldCr3, eax
mov eax, uCurrentCr3
mov cr3, eax
}
RtlCopyMemory(pIoBuffer,
(PVOID)pInfo->nMemoryAddr ,pInfo->nReadSize);
uOutSize = pInfo->nReadSize;
__asm
{
mov eax, uOldCr3
mov cr3, eax
}
if (pInfo != NULL)
{
ExFreePool(pInfo);
pInfo = NULL;
}
// Return success
status = STATUS_SUCCESS;
}
__except(1)
{
status = STATUS_UNSUCCESSFUL;
}
}
break;
case IOCTL_GET_PROCESS:
{
// KdBreakPoint();
dprintf("[ReadMemory] IOCTL_GET_PROCESS!\r\n");
ULONG uSize = *(PULONG)pIoBuffer;
RtlCopyMemory(pIoBuffer, g_pInfo, uSize);
uOutSize = uSize;
if (g_pInfo != NULL)
{
ExFreePool(g_pInfo);
g_pInfo;
}
// Return success
status = STATUS_SUCCESS;
}
break;
case IOCTL_SET_PROCESS:
{
// KdBreakPoint();
dprintf("[ReadMemory] IOCTL_SET_PROCESS\r\n");
// 获得当前进程EPROCESS信息
ULONG uEprocess = 0;
__asm
{
mov eax, fs:[0x124] // _ethread
mov eax, [eax+0x44] // _kprocess
mov uEprocess, eax
}
KdPrint(("EPROCESS: 0x%08x\n", uEprocess));
LIST_ENTRY ListHead;
InitializeListHead(&ListHead);
ULONG uFirstEprocess = uEprocess;
ULONG uCount = 0;
PLIST_ENTRY pActiveProcessLinks;
ProcessInfoList *pProcssList = NULL;
ULONG uNameOffset = GetPlantformDependentInfo(FILE_NAME_OFFSET);
ULONG uPidOffset = GetPlantformDependentInfo(PROCESS_ID_OFFSET);
ULONG uLinkOffset = GetPlantformDependentInfo(PROCESS_LINK_OFFSET);
ULONG uExitTime = GetPlantformDependentInfo(EXIT_TIME_OFFSET);
// 遍历链表获得进程信息
do
{
pProcssList=
(ProcessInfoList *)ExAllocatePool(PagedPool, sizeof(ProcessInfoList));
if (pProcssList == NULL)
{
status = STATUS_INSUFFICIENT_RESOURCES;
break;
}
PLARGE_INTEGER ExitTime;
ExitTime = (PLARGE_INTEGER)(uEprocess + uExitTime);
if (ExitTime->QuadPart == 0)
{
if (*(int *)(uEprocess + uPidOffset) <= 0)
{
pProcssList->ProcInfo.uProcessId = 0;
pProcssList->ProcInfo.uEprocess = uEprocess;
pProcssList->ProcInfo.uCR3 = *(PULONG)(uEprocess + 0x18);
RtlCopyMemory(pProcssList->ProcInfo.pszImageFileName, "Idle", 16);
InsertHeadList(&ListHead, &pProcssList->ListEntry);
KdPrint(("PID: %d, EPROCESS: 0x%08x, FileName: %s, CR3: 0x%08x\n",
pProcssList->ProcInfo.uProcessId,
pProcssList->ProcInfo.uEprocess,
pProcssList->ProcInfo.pszImageFileName,
pProcssList->ProcInfo.uCR3));
}
else
{
pProcssList->ProcInfo.uEprocess = uEprocess;
pProcssList->ProcInfo.uCR3 = *(PULONG)(uEprocess + 0x18);
pProcssList->ProcInfo.uProcessId = *(PULONG)(uEprocess + uPidOffset);
RtlCopyMemory(pProcssList->ProcInfo.pszImageFileName,
(PVOID)(uEprocess + uNameOffset),
16);
InsertHeadList(&ListHead, &pProcssList->ListEntry);
KdPrint(("PID: %d, EPROCESS: 0x%08x, FileName: %s, CR3: 0x%08x\n",
pProcssList->ProcInfo.uProcessId,
pProcssList->ProcInfo.uEprocess,
pProcssList->ProcInfo.pszImageFileName,
pProcssList->ProcInfo.uCR3));
}
uCount++;
}
pActiveProcessLinks = (PLIST_ENTRY)(uEprocess + uLinkOffset);
uEprocess = (ULONG)pActiveProcessLinks->Blink - uLinkOffset;
if (uEprocess == uFirstEprocess)
{
break;
}
} while (uEprocess != 0);
KdPrint(("%d\n", uCount));
uInfoSize = sizeof(ProcessInfo) * uCount;
g_pInfo = ExAllocatePool(
PagedPool,
uInfoSize);
ProcessInfo *pTemp = NULL;
if (g_pInfo == NULL)
{
status = STATUS_UNSUCCESSFUL;
break;
}
RtlZeroMemory(g_pInfo, uInfoSize);
pTemp = (ProcessInfo *)g_pInfo;
while (!IsListEmpty(&ListHead))
{
PLIST_ENTRY pEntry = RemoveTailList(&ListHead);
pProcssList = CONTAINING_RECORD(pEntry, ProcessInfoList, ListEntry);
RtlCopyMemory(pTemp->pszImageFileName,
pProcssList->ProcInfo.pszImageFileName,
16);
pTemp->uEprocess = pProcssList->ProcInfo.uEprocess;
pTemp->uProcessId = pProcssList->ProcInfo.uProcessId;
pTemp->uCR3 = pProcssList->ProcInfo.uCR3;
// 释放节点内存
if (pProcssList != NULL)
{
ExFreePool(pProcssList);
}
if (!IsListEmpty(&ListHead))
{
pTemp =
(ProcessInfo *)((DWORD)pTemp + sizeof(ProcessInfo));
}
}
*(PULONG)pIoBuffer = uInfoSize;
uOutSize = sizeof(ULONG);
// Return success
status = STATUS_SUCCESS;
}
break;
default:
{
// Invalid code sent
dprintf("[ReadMemory] Unknown IOCTL: 0x%X (%04X,%04X)\r\n",
uIoControlCode,
DEVICE_TYPE_FROM_CTL_CODE(uIoControlCode),
IoGetFunctionCodeFromCtlCode(uIoControlCode));
status = STATUS_INVALID_PARAMETER;
}
break;
}
if(status == STATUS_SUCCESS)
{
pIrp->IoStatus.Information = uOutSize;
}
else
{
pIrp->IoStatus.Information = 0;
}
// Complete the I/O Request
pIrp->IoStatus.Status = status;
IoCompleteRequest(pIrp, IO_NO_INCREMENT);
return status;
}
//
// TODO: Add your module definitions here.
//
ULONG GetPlantformDependentInfo(ULONG dwFlag)
{
ULONG current_build;
ULONG ans = 0;
PsGetVersion(NULL, NULL, ¤t_build, NULL);
switch ( dwFlag )
{
case EPROCESS_SIZE:
if (current_build == 2195) ans = 0 ; // 2000，当前不支持2000，下同
if (current_build == 2600) ans = 0x25C; // xp
if (current_build == 3790) ans = 0x270; // 2003
break;
case PEB_OFFSET:
if (current_build == 2195) ans = 0;
if (current_build == 2600) ans = 0x1b0;
if (current_build == 3790) ans = 0x1a0;
break;
case FILE_NAME_OFFSET:
if (current_build == 2195) ans = 0;
if (current_build == 2600) ans = 0x174;
if (current_build == 3790) ans = 0x164;
break;
case PROCESS_LINK_OFFSET:
if (current_build == 2195) ans = 0;
if (current_build == 2600) ans = 0x088;
if (current_build == 3790) ans = 0x098;
break;
case PROCESS_ID_OFFSET:
if (current_build == 2195) ans = 0;
if (current_build == 2600) ans = 0x084;
if (current_build == 3790) ans = 0x094;
break;
case EXIT_TIME_OFFSET:
if (current_build == 2195) ans = 0;
if (current_build == 2600) ans = 0x078;
if (current_build == 3790) ans = 0x088;
break;
}
return ans;
}

posted on 2010-12-31 09:12 ZUDN 阅读(804) 评论(2) 编辑收藏举报

会员力量，点亮园子希望

刷新页面返回顶部

ZUDN

公告