逆向 | 驱动挂靠进程直接读内存
参考:https://cloud.tencent.com/developer/article/2358904
https://github.com/Whitebird0/driver_read_and_write/blob/main/04-读写内存/ReadMemory.c
代码如下:
代码不长但是有坑:ExAllocatePool2 的第一个参数是 POOL_FLAGS(例如 POOL_FLAG_PAGED),而不是旧接口 ExAllocatePoolWithTag 的 POOL_TYPE(PagedPool),传错了编译不一定报错但运行时会出问题,这个点我调试了好久。
/*
 * Request block consumed by MDLReadMemory.
 * It presumably arrives from user mode (e.g. as an IOCTL input buffer), so
 * every field -- including the `data` pointer -- should be treated as
 * untrusted input by the kernel side.
 */
typedef struct _ReadMemoryStruct
{
    DWORD   pid;      /* id of the process to read from / write to */
    DWORD64 address;  /* virtual address inside that process */
    DWORD   size;     /* number of bytes to transfer */
    BYTE*   data;     /* caller-supplied buffer holding / receiving the bytes */
} ReadMemoryStruct;
/* Reads process memory by attaching to the target; no MDL is actually built. */
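/*
 * Exported by ntoskrnl but not declared in the public WDK headers, so declare
 * it here. It replaces the hard-coded `(BYTE*)process + 0x5a8` ImageFileName
 * offset, which is only valid for one particular kernel build.
 */
NTKERNELAPI PCHAR NTAPI PsGetProcessImageFileName(PEPROCESS Process);

/*
 * MDLReadMemory - copy `data->size` bytes from user address `data->address`
 * in process `data->pid` into the caller-supplied buffer `data->data`.
 *
 * Despite the name no MDL is involved: the routine attaches to the target with
 * KeStackAttachProcess, copies into a paged-pool staging buffer, detaches, and
 * then copies the staging buffer out to the caller. Paged pool and process
 * attach both require PASSIVE_LEVEL.
 *
 * Trust model: `data` itself is assumed to be a kernel-safe copy of the request
 * (e.g. the METHOD_BUFFERED SystemBuffer -- confirm in the dispatch routine),
 * but the two addresses it carries are user pointers. `data->address` is probed
 * while attached to the target, and `data->data` is probed (for write) after
 * detaching, so the kernel never reads from or writes to an unverified address.
 * Without the ProbeForWrite a caller could pass a kernel address in `data->data`
 * and turn this into an arbitrary kernel write.
 *
 * Returns TRUE only when the entire range was copied to `data->data`; FALSE on
 * a bad argument, unknown pid, zero length, pool exhaustion, or an access
 * violation on either side. No partial data is written on failure.
 */
BOOL MDLReadMemory(ReadMemoryStruct* data)
{
    BOOL bRet = FALSE;
    PEPROCESS process = NULL;
    BYTE* staging = NULL;
    KAPC_STATE apcState = { 0 };
    NTSTATUS status;

    /* Zero length would hand ExAllocatePool2 a 0-byte request; reject early.
     * NOTE(review): there is no upper bound on `size`; a caller can force a
     * large paged-pool allocation. Consider capping it for the real use case. */
    if (data == NULL || data->data == NULL || data->size == 0) {
        return FALSE;
    }

    /* Must check the status before touching `process`: on failure the output
     * pointer is left NULL. (The original dereferenced it before the check.) */
    status = PsLookupProcessByProcessId((HANDLE)(ULONG_PTR)data->pid, &process);
    if (!NT_SUCCESS(status) || process == NULL) {
        DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL,
                   "[fail] PsLookupProcessByProcessId(%lu) status: %x\r\n",
                   data->pid, status);
        return FALSE;
    }
    /* From here on `process` holds a reference that must be dropped at cleanup. */

    DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL,
               "> [info] ImageFileName: %s \r\n", PsGetProcessImageFileName(process));

    /* ExAllocatePool2 takes POOL_FLAGS (not a POOL_TYPE) and returns NULL on
     * failure rather than raising, so no __try is needed around it. */
    staging = (BYTE*)ExAllocatePool2(POOL_FLAG_PAGED, data->size, 'qwer');
    if (staging == NULL) {
        DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL,
                   "[fail] GetData ExAllocatePool2\r\n");
        goto cleanup;
    }

    /* KeStackAttachProcess does not raise; wrapping it in __try was a no-op. */
    KeStackAttachProcess(process, &apcState);
    __try {
        DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL,
                   "[info] ProbeForRead(%I64x,%x)\r\n", data->address, data->size);
        /* ProbeForRead raises if the range is not user-mode or wraps; the copy
         * raises if it is unmapped. Both land in the handler below. */
        ProbeForRead((volatile VOID*)(ULONG_PTR)data->address, data->size, 1);
        RtlCopyMemory(staging, (const void*)(ULONG_PTR)data->address, data->size);
        bRet = TRUE;
    } __except (EXCEPTION_EXECUTE_HANDLER) {
        DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL,
                   "[err] ProbeForRead code: %x\r\n", GetExceptionCode());
        bRet = FALSE;
    }
    /* Detach before dropping the process reference, never the other way round. */
    KeUnstackDetachProcess(&apcState);

    if (bRet) {
        /* Back in the caller's address space: `data->data` is the caller's
         * pointer, so it must be probed for write before the kernel stores
         * through it. */
        __try {
            ProbeForWrite(data->data, data->size, 1);
            RtlCopyMemory(data->data, staging, data->size);
        } __except (EXCEPTION_EXECUTE_HANDLER) {
            DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL,
                       "[err] ProbeForWrite code: %x\r\n", GetExceptionCode());
            bRet = FALSE;
        }
    }

cleanup:
    if (staging != NULL) {
        ExFreePoolWithTag(staging, 'qwer');
    }
    ObDereferenceObject(process);
    return bRet;
}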