-
-
[求助]关于ReadVirtualMemory.
-
发表于: 2011-8-27 00:20
-
先 大概说下我的流程.
__declspec(naked) void My_KiFastSystemCall(void)
{
__asm
{
mov edx, esp
__emit 0x0f
__emit 0x34
retn 0x24
}
}
__declspec(naked) void __ReadFile(void)
{
__asm
{
MOV EAX,183
CALL My_KiFastSystemCall
RETN 0x24
}
}
BOOL __stdcall MyReadProcessMemory(
HANDLE hProcess,
LPCVOID lpBaseAddress,
LPVOID lpBuffer,
DWORD nSize,
LPDWORD lpNumberOfBytesRead
)
{
BOOL rHandle;
__asm
{
Push __ReadProcessMemory
push 0
push 0
push 0
push lpNumberOfBytesRead
push nSize
push lpBuffer
push lpBaseAddress
push hProcess
CALL __NtReadFile
mov rHandle,eax
}
return 0x24;
}
R3 就直接用上面 MyReadProcessMemory;
/////////////////////////////////以下 驱动代码.
已经Inline Hook NtReadFile.
__declspec(naked) NTSTATUS __stdcall My_NtReadFile(
int a1,
int a2,
int a3,
int a4,
int a5,
int a6,
int a7,
int a8,
int a9)
{
__asm
{ // int 3
mov edi,esp;
mov eax,[edi+4]
mov a1,eax
mov eax,[edi+8]
mov a2,eax
mov eax,[edi+0xc]
mov a3,eax
mov eax,[edi+0x10]
mov a4,eax
mov eax,[edi+0x14]
mov a5,eax
mov eax,[edi+0x18]
mov a6,eax
mov eax,[edi+0x1c]
mov a7,eax
mov eax,[edi+0x20]
mov a8,eax
mov eax,[edi+0x24]
mov a9,eax
}
省略很多代码.
主要是然后再..
__asm
{
push a5
push a4
push a3
push a2
push a1
call MyReadMemory
retn 0x24
}
}
当然这样 实现自己的NTOpenProcess之类的都是成功的.
但是问题来了.
如果.
__declspec(naked) NTSTATUS __stdcall
MyNtReadMemory(IN HANDLE hProcess,OUT PVOID BaseAddress,IN PVOID Pbuff,IN ULONG BufferSize,OUT LPDWORD ByRead)
{
__asm
{
push 0x1C
push 0x804DAEF0
jmp NtReadVirtualMemory_Offset
mov eax,1
}
}
是能成功返回 数据的.
但是.
自己实现 全部NtReadVirtualMemory.
NTSTATUS __stdcall MyReadMemory(IN HANDLE hProcess,IN PVOID BaseAddress,OUT PVOID Pbuff,IN ULONG BufferSize,OUT LPDWORD byReadSize)
{
PEPROCESS EProcess;
KAPC_STATE ApcState;
PVOID readbuffer=NULL;
NTSTATUS status;
__asm
{
push 0
lea eax, EProcess
push eax
push KernelMode
push 0
push 0x0010 //push PROCESS_VM_READ
push hProcess
call ObReferenceObjectByHandle
mov status,eax
}
if(!NT_SUCCESS(status))
{
DbgPrint(("!NT_SUCCESS(status)\n"));
ObDereferenceObject(EProcess);
return STATUS_UNSUCCESSFUL;
}
readbuffer = ExAllocatePoolWithTag (NonPagedPool, BufferSize, 'Sys');
if(readbuffer==NULL)
{
ObDereferenceObject(EProcess);
ExFreePool (readbuffer);
return STATUS_UNSUCCESSFUL;
}
*(ULONG*)readbuffer=(ULONG)0x1;
KeStackAttachProcess (EProcess, &ApcState);
if (MmIsAddressValid(BaseAddress))
{
__try
{
ProbeForRead ((CONST PVOID)BaseAddress, BufferSize, sizeof(CHAR));
RtlCopyMemory (readbuffer, BaseAddress, BufferSize);
}
__except(EXCEPTION_EXECUTE_HANDLER)
{
status = STATUS_UNSUCCESSFUL;
}
}
else
{
status = STATUS_UNSUCCESSFUL;
}
KeUnstackDetachProcess (&ApcState);
if(NT_SUCCESS(status))
{
if (MmIsAddressValid(Pbuff))
{
__try
{
ProbeForWrite(Pbuff, BufferSize, sizeof(CHAR));
RtlCopyMemory (Pbuff, readbuffer, BufferSize);
}
__except(EXCEPTION_EXECUTE_HANDLER)
{
status = STATUS_UNSUCCESSFUL;
}
}
else
{
status = STATUS_UNSUCCESSFUL;
}
}
ObDereferenceObject(EProcess);
ExFreePool (readbuffer);
return status;
}
就不能返回数据.
用WinDBG 查看时. 问题是出在MmIsAddressValid 上.!!!这里直接就 else了.
诚心求解答 .谢谢大家.
__declspec(naked) void My_KiFastSystemCall(void)
{
__asm
{
mov edx, esp
__emit 0x0f
__emit 0x34
retn 0x24
}
}
__declspec(naked) void __ReadFile(void)
{
__asm
{
MOV EAX,183
CALL My_KiFastSystemCall
RETN 0x24
}
}
BOOL __stdcall MyReadProcessMemory(
HANDLE hProcess,
LPCVOID lpBaseAddress,
LPVOID lpBuffer,
DWORD nSize,
LPDWORD lpNumberOfBytesRead
)
{
BOOL rHandle;
__asm
{
Push __ReadProcessMemory
push 0
push 0
push 0
push lpNumberOfBytesRead
push nSize
push lpBuffer
push lpBaseAddress
push hProcess
CALL __NtReadFile
mov rHandle,eax
}
return 0x24;
}
R3 就直接用上面 MyReadProcessMemory;
/////////////////////////////////以下 驱动代码.
已经Inline Hook NtReadFile.
__declspec(naked) NTSTATUS __stdcall My_NtReadFile(
int a1,
int a2,
int a3,
int a4,
int a5,
int a6,
int a7,
int a8,
int a9)
{
__asm
{ // int 3
mov edi,esp;
mov eax,[edi+4]
mov a1,eax
mov eax,[edi+8]
mov a2,eax
mov eax,[edi+0xc]
mov a3,eax
mov eax,[edi+0x10]
mov a4,eax
mov eax,[edi+0x14]
mov a5,eax
mov eax,[edi+0x18]
mov a6,eax
mov eax,[edi+0x1c]
mov a7,eax
mov eax,[edi+0x20]
mov a8,eax
mov eax,[edi+0x24]
mov a9,eax
}
省略很多代码.
主要是然后再..
__asm
{
push a5
push a4
push a3
push a2
push a1
call MyReadMemory
retn 0x24
}
}
当然这样 实现自己的NTOpenProcess之类的都是成功的.
但是问题来了.
如果.
__declspec(naked) NTSTATUS __stdcall
MyNtReadMemory(IN HANDLE hProcess,OUT PVOID BaseAddress,IN PVOID Pbuff,IN ULONG BufferSize,OUT LPDWORD ByRead)
{
__asm
{
push 0x1C
push 0x804DAEF0
jmp NtReadVirtualMemory_Offset
mov eax,1
}
}
是能成功返回 数据的.
但是.
自己实现 全部NtReadVirtualMemory.
NTSTATUS __stdcall MyReadMemory(IN HANDLE hProcess,IN PVOID BaseAddress,OUT PVOID Pbuff,IN ULONG BufferSize,OUT LPDWORD byReadSize)
{
PEPROCESS EProcess;
KAPC_STATE ApcState;
PVOID readbuffer=NULL;
NTSTATUS status;
__asm
{
push 0
lea eax, EProcess
push eax
push KernelMode
push 0
push 0x0010 //push PROCESS_VM_READ
push hProcess
call ObReferenceObjectByHandle
mov status,eax
}
if(!NT_SUCCESS(status))
{
DbgPrint(("!NT_SUCCESS(status)\n"));
ObDereferenceObject(EProcess);
return STATUS_UNSUCCESSFUL;
}
readbuffer = ExAllocatePoolWithTag (NonPagedPool, BufferSize, 'Sys');
if(readbuffer==NULL)
{
ObDereferenceObject(EProcess);
ExFreePool (readbuffer);
return STATUS_UNSUCCESSFUL;
}
*(ULONG*)readbuffer=(ULONG)0x1;
KeStackAttachProcess (EProcess, &ApcState);
if (MmIsAddressValid(BaseAddress))
{
__try
{
ProbeForRead ((CONST PVOID)BaseAddress, BufferSize, sizeof(CHAR));
RtlCopyMemory (readbuffer, BaseAddress, BufferSize);
}
__except(EXCEPTION_EXECUTE_HANDLER)
{
status = STATUS_UNSUCCESSFUL;
}
}
else
{
status = STATUS_UNSUCCESSFUL;
}
KeUnstackDetachProcess (&ApcState);
if(NT_SUCCESS(status))
{
if (MmIsAddressValid(Pbuff))
{
__try
{
ProbeForWrite(Pbuff, BufferSize, sizeof(CHAR));
RtlCopyMemory (Pbuff, readbuffer, BufferSize);
}
__except(EXCEPTION_EXECUTE_HANDLER)
{
status = STATUS_UNSUCCESSFUL;
}
}
else
{
status = STATUS_UNSUCCESSFUL;
}
}
ObDereferenceObject(EProcess);
ExFreePool (readbuffer);
return status;
}
就不能返回数据.
用WinDBG 查看时. 问题是出在MmIsAddressValid 上.!!!这里直接就 else了.
诚心求解答 .谢谢大家.
[培训]内核驱动高级班,冲击BAT一流互联网大厂工作,每周日13:00-18:00直播授课
