32位-64位WINDOWS驅(qū)動(dòng)之物理地址讀寫內(nèi)存方法4-物理內(nèi)存讀寫

32位/64位WINDOWS驅(qū)動(dòng)之物理地址讀寫內(nèi)存方法一、32位/64位WINDOWS驅(qū)動(dòng)之\h物理地址讀寫內(nèi)存方法GetPhysicalAddress;自寫函數(shù)通過PIDZwMapViewOfSection;把物理地址映射到當(dāng)前進(jìn)程不使用時(shí)需要用ZwUnmapViewOfSectionBOOLEANReadPVirtualMemory(UINT64ProcessID,INPVOIDVBaseAddress,IN\hUINT32nSize,OUTPVOIDpBuf);//BOOLEANWritePVirtualMemory(UINT64ProcessID,INPVOIDVBaseAddress,INUINT32nSize,INPVOID#include//#include//#include ArrayindexBitrange//0x80000008 0- Physicaladdress//0x80000008 8- Virtualaddress//0x80000008 16- //0x800000081- 0- UINT64g_maxPhysAddress=//利用cpuid取出物理地址UINT64if(g_maxPhysAddress==intUINT32r[4//四個(gè)整數(shù)的數(shù)組，包含在EAX、EBX、ECX和EDX中返回的有關(guān)CPUcpuid(r0x80000008//只有r[0]的前8位和8至15們有用后邊3個(gè)全保留//getmaxphysicalphysicalbits=r[0]&g_maxPhysAddress=g_maxPhysAddress=g_maxPhysAddress>>physicalbits;//ifphysicalbits==36theng_maxPhysAddress=~(g_maxPhysAddress<<physicalbits);//<<36=0xfffffff000000000.afterinverse: return30//對(duì)于分頁內(nèi)存來說，調(diào)用MmProbeAndLockPages以及MmGetSystemAddressForMdlSafe來鎖定內(nèi)存頁，以防止被pageout//對(duì)于非分頁內(nèi)存而言，調(diào)用MmBuildMdlForNonPagedPool//noop(("yjx:Toosmall//physicalBaseBOOLEANReadPhysicalMemory(char*physicalBase,UINT_PTRbytestoread,void

UNICODE_STRINGphysmemString;OBJECT_ATTRIBUTESattributes; *physmemName=L"\\device\\physicalmemory"; vaddress用于映射后的虛地址供訪問 ntStatus= outputMDL;//KdPrint(("yjx:ReadPhysicalMemory(%p,%d,%p)",physicalBase,bytestoread,if(((UINT64)physicalBase>getg_maxPhysAddress())||((UINT64)physicalBase+bytestoread>KdPrint(("yjx:SYSInvalidphysicaladdress\n"));returnntStatus==FALSE;outputMDL=IoAllocateMdl(output,(ULONG)bytestoread,FALSE,FALSE,MmProbeAndLockPages(outputMDL,KernelMode,IoWriteAccess);exceptreturnFALSE;//// pMapedAddr=MmMapLockedPagesSpecifyCache(outputMDL,KernelMode,MmCached,NULL,FALSE,//if// KdPrint(("yjx:SYS:ErrorMmMapLockedPagesSpecifyCachepMapedAdd== return////except//KdPrint(("yjx:SYS:ErrorMmMapLockedPagesSpecifyCachefail//returnRtlInitUnicodeString(&physmemString,InitializeObjectAttributes(&attributes,&physmemString,OBJ_CASE_INSENSITIVE,NULL,NULL);ntStatus=ZwOpenSection(&physmem,SECTION_ALL_ACCESS,&attributes);if(ntStatus==//heylook,itdidn'tkillSIZE_T UINT_PTRoffset;UINT_PTRviewBase.QuadPart=length=0x2000;//pinp->bytestoread;//incaseofaoverlappingtoread=bytestoread;vaddress=NULL;KdPrint(("yjx:ReadPhysicalMemory:viewBase.QuadPart=%x",//ntStatus=ZwMapViewOfSection(physmem,//sectionhandleNtCurrentProcess(),//processhandle(shouldbe-&vaddress,0L,length,//CommitSize&viewBase,//SectionOffset&length,//ViewSize

if((ntStatus==STATUS_SUCCESS)&&(vaddress!=if(toread>length)toread=ifoffset=(UINT_PTR)(physicalBase)-(UINT_PTR)viewBase.QuadPart;//0if(offset+toread>length)KdPrint(("yjx:Toosmallnoop(("yjx:ToosmallRtlCopyMemory(output,&vaddress[offset],ZwUnmapViewOfSection(NtCurrentProcess(),exceptKdPrint(("yjx:Failuremappingphysical

KdPrint(("yjx:ReadPhysicalMemoryerror:ntStatus=%x",exceptKdPrint(("yjx:ErrorwhilereadingphysicalreturnntStatus==STATUS_SUCCESS?TRUE:

//noop(("yjx:Toosmall//physicalBaseBOOLEANWritePhysicalMemory(char*physicalBase,INUINT_PTRnSizeWrite,INPVOID UNICODE_STRINGphysmemString;OBJECT_ATTRIBUTESattributes; physmemNameL"\\device\\physicalmemory";//VMProtectDecryptStringW vaddress=NULL;//用于映射后的虛地址供訪問 ntStatus=STATUS_UNSUCCESSFUL; pInBufMDL=NULL;KdPrint(("yjx:SYS:WritePhysicalMemory(%p,%d,%p)",physicalBase,nSizeWrite,if(((UINT64)physicalBase>getg_maxPhysAddress())||((UINT64)physicalBase+nSizeWrite>KdPrint(("yjx:SYS:ErrorInvalidphysicaladdress\n"));returnntStatus==FALSE;pInBufMDL=IoAllocateMdl(InBuf,(ULONG)nSizeWrite,FALSE,FALSE,MmProbeAndLockPages(pInBufMDL,KernelMode,exceptKdPrint(("yjx:SYS:ErrorInBufMmProbeAndLockPagesfail returnFALSE; pMapedAddr=//這里沒有切換需要這樣映射么pMapedAddr=MmMapLockedPagesSpecifyCache(pInBufMDL,KernelMode,MmCached,NULL,FALSE,ifKdPrint(("yjx:SYS:pMapedAdd==return exceptKdPrint(("yjx:SYS:MmMapLockedPagesSpecifyCachepMapedAddr=%p\n"return RtlInitUnicodeString(&physmemString, InitializeObjectAttributes(&attributes,&physmemString,OBJ_CASE_INSENSITIVE,NULL, ntStatus=ZwOpenSection(&physmem,SECTION_ALL_ACCESS, if(ntStatus== //heylook,itdidn'tkill SIZE_T viewBase;// UINT_PTR UINT_PTR viewBase.QuadPart= length=0x2000;//pinp->nSizeWrite;//incaseofaoverlapping toWriteSize= vaddress= KdPrint(("yjx:SYS:ReadPhysicalMemory:地址=%x",//ntStatus=physmem,NtCurrentProcess(),//processhandle(shouldbe-&vaddress,0L,length,&viewBase,&length,PAGE_READWRITE//if((ntStatus==STATUS_SUCCESS)&&(vaddress!=if(toWriteSize>toWriteSize=if offset=(UINT_PTR)(physicalBase)- if(offset+toWriteSize> KdPrint(("yjx:SYS:Toosmall noop(("yjx:SYS:Toosmallmap")); KdPrint(("yjx:SYS RtlCopyMemory(&vaddress[offsetInBuftoWriteSize//

ZwUnmapViewOfSection(NtCurrentProcess(),exceptKdPrint(("yjx:SYS:FailuremappingphysicalKdPrint(("yjx:SYS:ReadPhysicalMemoryerror:ntStatus=%x",exceptKdPrint(("yjx:SYS:ErrorwhilereadingphysicalreturnntStatus==STATUS_SUCCESS?TRUE://BOOLReadPhysicalMemory(PVOIDbuffer,UINT32address,UINT32//UINT32 ////PVOID //NTSTATUS NTDLL//LARGE_INTEGER //vaddress=//outlen=//base.QuadPart=//////status= (HANDLE)- (PVOID //if(status<// return////////memmove(buffer,vaddress,//////status=ZwUnmapViewOfSection((HANDLE)-1,//return(status>=////case//vBaseAddress//返回為物理地址PVOIDGetPhysicalAddress(UINT64ProcessID,PVOID//struct//UINT64ProcessID;//UINT64BaseAddress;//要轉(zhuǎn)換的虛擬地址//}//pinp=Irp-PEPROCESSselectedprocess;//存放指定ProcessID所在PHYSICAL_ADDRESSphysical;//返回物理地址physical.QuadPart0//PHYSICAL_ADDRESS實(shí)際上就是INT648 ntStatus=//KdPrint(("yjx:GETPHYSICALADDRESS.ProcessID(%p)=%xBaseAddress(%p)=%x\n",&pinp->ProcessID,pinp->ProcessID,&pinp->BaseAddress,pinp-//switchtotheselectedif(PsLookupProcessByProcessId((PVOID)(UINT_PTR)(ProcessID),&selectedprocess)==KAPC_STATERtlZeroMemory(&apc_state,KeStackAttachProcess((PVOID)selectedprocess&apc_state//關(guān)鍵地方附加到指定進(jìn)程KeStackAttachProcessphysical=MmGetPhysicalAddress((PVOID)vBaseAddress);//pinp->BaseAddress);//exceptntStatus=if(ntStatus==//RtlCopyMemory(Irp->AssociatedIrp.SystemBuffer,&physical.QuadPart,return(PVOID)physical.QuadPart;//return402//BOOLEANKReadProcessMemory(INPEPROCESSProcess,INPVOIDAddress,INUINT32Length,OUTPVOID

BOOLEANReadPVirtualMemory(UINT64ProcessID,INPVOIDVBaseAddress,INUINT32nSize,OUTPVOIDPVOIDphyBase=GetPhysicalAddress(ProcessID,VBaseAddress);if(phyBase)returnReadPhysicalMemory(phyBase,nSize, returnreturn//BOOLEANKReadProcessMemory(INPEPROCESSProcess,INPVOIDAddress,INUINT32Length,OUTPVOIDBOOLEANWritePVirtualMemory(UINT64ProcessID,INPVOIDVBaseAddress,INUINT32nSize,INPVOIDPVOIDphyBase=GetPhysicalAddress(ProcessID,VBaseAddress);if(phyBase)returnWritePhysicalMemory(phyBase,nSize, return441

return

//BOOLEANReadPVirtualMemory(UINT64ProcessID,INPVOIDVBaseAddress,INUINT32nSize,OUTPVOIDNTSTATUSIRP_ReadPVirtualMemory(PIRP//UNREFERENCED_PARAMETER(device_Object);未使用的參數(shù)DbgPrint("yjx:sys64%s行號(hào)=%d%s"FUNCDNAMELINE);NTSTATUSntStatus=STATUS_SUCCESS; irpStack=irpStack=#pragmapack(push)#pragmapack(8)typedefstructUINT64ProcessID;//目標(biāo)進(jìn)程PIDPVOIDVBaseAddress//目標(biāo)進(jìn)程地址UINT64nSize;//要讀取的長(zhǎng)度UINT64pBuf;//要寫入數(shù)據(jù)的地址//#pragma//PVOIDBaseAddressNULL//PEPROCESSselectedprocessNULL;//目標(biāo)進(jìn)程SIZE_TRegionSize=0;//分配大小TINPUT_BUF*bufInput(TINPUT_BUF*)(pirp->AssociatedIrp.SystemBuffer//輸入輸出緩沖區(qū)ReadPVirtualMemory(bufInput->ProcessID,bufInput->VBaseAddress,bufInput->nSize,bufInput);//bufInput-//pirp->IoStatus.Status=pirp->IoStatus.Information4;//返回給DeviceIoControl中的倒數(shù)第二個(gè)參數(shù)//IoCompleteRequest(pirp,IO_NO_INCREMENT);//調(diào)用方已完成所有I/O請(qǐng)求處理操作并且不增加優(yōu)先級(jí)if(irpStack)if(ntStatus==//成功則返回緩沖區(qū)大小pirp->IoStatus.Information=irpStack-//pirp->IoStatus.Information=//IoCompleteRequest(pirp,pirp->IoStatus.Status=ntStatus;returnntStatus;//ProcessID目標(biāo)進(jìn)程的//VBaseAddress//nSize//pBufBOOLEANReadPVirtualMemory(UINT64ProcessID,INPVOIDVBaseAddress,INUINT32nSize,OUTPVOID//ProcessID目標(biāo)進(jìn)程的//VBaseAddress//nSize//pBufBOOLEANWritePVirtualMemory(UINT64ProcessID,INPVOIDVBaseAddress,INUINT32nSize,INPVOID#defineCTL_IO_