首页
社区
课程
招聘
问答 CTF 排行榜 知识库 工具下载 看雪峰会 看雪商城 证书查询
  1. 社区
  2. 编程技术
    3. 发新帖
[求助] 内核驱动写入内存蓝屏
发表于: 2018-4-14 13:34 3115

[求助] 内核驱动写入内存蓝屏

老坛酸菜TM 活跃值
2018-4-14 13:34
3115

我要实现的目的,就是写入一段字节集数据到目标内存地址,但是这段代码蓝屏,就算不蓝屏也没法写入字节集。

HMODULE Address = 0x00000000; //  被写入的内存地址(一个跨进程模块地址)
BYTE Buffer [] =  { 255,200,163,0,0,0,0,0,0,0,0,144,144,144 };  //  需要写入到内存的字节集数据(10进制)
WriteProcessByte( Address , Buffer , sizeof( Buffer ));


---------------------------方便大神观看的函数分割线---------------------------
NTSTATUS WriteProcessByte(PVOID Address, PVOID Buffer, ULONG BufferSize)
{
PAGED_CODE();
NTSTATUS Status = 0;

KIRQL irql = WPOFFx64();
PVOID HookCode = ExAllocatePool(NonPagedPool, 0x200);
RtlFillMemory(HookCode, 0x200, 0x90);
_try
{
    RtlMoveMemory(HookCode, Buffer, BufferSize);
    RtlMoveMemory(Address, HookCode, BufferSize);
}
_except(EXCEPTION_EXECUTE_HANDLER)
{
Status = GetExceptionCode();
}
if(Status != 0){
_try
{
    RtlMoveMemory(HookCode, Buffer, BufferSize);
    SafeCopyMemory(Address, HookCode, BufferSize);
}
_except(EXCEPTION_EXECUTE_HANDLER)
{
Status = GetExceptionCode();
}
}

WPONx64(irql);
return STATUS_SUCCESS;
}


---------------------------方便大神观看的函数分割线---------------------------
KIRQL WPOFFx64() {
KIRQL irql = KeRaiseIrqlToDpcLevel();
UINT64 cr0 = __readcr0();
cr0 &= 0xfffffffffffeffff;
__writecr0(cr0);
_disable();
return irql;
}


---------------------------方便大神观看的函数分割线---------------------------
void WPONx64(KIRQL irql) {
UINT64 cr0 = __readcr0();
cr0 |= 0x10000;
_enable();
__writecr0(cr0);
KeLowerIrql(irql);
}


---------------------------方便大神观看的函数分割线---------------------------
BOOLEAN SafeCopyMemory(PVOID pDestination, PVOID pSourceAddress, SIZE_T SizeOfCopy)
{
PMDL pMdl = NULL;
PVOID pSafeAddress = NULL;
if (!MmIsAddressValid(pDestination) || !MmIsAddressValid(pSourceAddress))
return FALSE;
pMdl = IoAllocateMdl(pDestination, (ULONG)SizeOfCopy, FALSE, FALSE, NULL);
if (!pMdl)
return FALSE;
__try
{
MmProbeAndLockPages(pMdl, KernelMode, IoReadAccess);
}
__except (EXCEPTION_EXECUTE_HANDLER)
{
IoFreeMdl(pMdl);
return FALSE;
}
pSafeAddress = MmGetSystemAddressForMdlSafe(pMdl, NormalPagePriority);
if (!pSafeAddress)
return FALSE;
__try
{
RtlMoveMemory(pSafeAddress, pSourceAddress, SizeOfCopy);
}
__except (EXCEPTION_EXECUTE_HANDLER)
{
;
}
MmUnlockPages(pMdl);
IoFreeMdl(pMdl);
return TRUE;
}

[培训]《安卓高级研修班(网课)》月薪三万计划,掌握调试、分析还原ollvm、vmp的方法,定制art虚拟机自动化脱壳的方法

最后于 2018-4-14 13:40 被老坛酸菜TM编辑 ,原因:
收藏
免费 0
支持
分享
最新回复 (1)
sxpp
雪    币: 231
活跃值: (2631)
能力值: ( LV5,RANK:60 )
在线值:
发帖
回帖
粉丝
私信
2
mdl只能读取用,写应用层肯定蓝
2018-4-14 18:14
0
游客
登录 | 注册 方可回帖
回帖 表情 雪币赚取及消费
高级回复
返回
//