-
-
[讨论]如何获取 目标进程虚拟内存的物理地址
-
2019-2-21 13:39
2545
-
插入代码
``` KAPC_STATE APC;
PEPROCESS pEProc;
PsLookupProcessByProcessId((HANDLE)0x1B44, &pEProc);
ObDereferenceObject(pEProc);
KeStackAttachProcess(pEProc, &APC);
UINT_PTR Dllmodule = (UINT_PTR)ExAllocatePool(NonPagedPool, 0x1000);
VIRT_ADDR Addr = { (uint64_t)Dllmodule };
PTE_CR3 Cr3 = { __readcr3() };
uint64_t a = PFN_TO_PAGE(Cr3.pml4_p) + sizeof(PML4E) * Addr.pml4_index;
PHYSICAL_ADDRESS aaa = { 0 };
aaa.QuadPart = a;
PVOID MmMapptr = MmMapIoSpace(aaa, sizeof(PHYSICAL_ADDRESS), MmNonCached);
DbgPrint("pml4 %p ", a);
DbgPrint("MmMapptr %p \n", MmMapptr);
if (MmMapptr)
{
MmUnmapIoSpace(MmMapptr, sizeof(PHYSICAL_ADDRESS));
}
KeUnstackDetachProcess(&APC);
插入代码
```
#define PFN_TO_PAGE(pfn) ( pfn << 12 )
typedef union CR3_
{
uint64_t value;
struct
{
uint64_t ignored_1 : 3;
uint64_t write_through : 1;
uint64_t cache_disable : 1;
uint64_t ignored_2 : 7;
uint64_t pml4_p : 40;
uint64_t reserved : 12;
};
} PTE_CR3;
typedef union VIRTADDR
{
uint64_t value;
void *pointer;
struct
{
uint64_t offset : 12;
uint64_t pt_index : 9;
uint64_t pd_index : 9;
uint64_t pdpt_index : 9;
uint64_t pml4_index : 9;
uint64_t reserved : 16;
};
} VIRT_ADDR;
为什么我MmMapIoSpace 会返回等于0
难道uint64_t a = PFN_TO_PAGE(Cr3.pml4_p) + sizeof(PML4E) * Addr.pml4_index;
这个a不是物理内存吗
有大佬知道吗
[培训]《安卓高级研修班(网课)》月薪三万计划,掌
握调试、分析还原ollvm、vmp的方法,定制art虚拟机自动化脱壳的方法
