用驱动实现自己的 ZwOpenProcess ZwReadVirtualMemory ZwWriteVirtualMemory

最新推荐文章于 2026-05-09 10:54:53 发布

转载最新推荐文章于 2026-05-09 10:54:53 发布 · 5.8k 阅读

标签

#extension #object #exception #null #string

Windows 驱动编程专栏收录该内容

29 篇文章

订阅专栏

本文介绍了一个通过自制驱动实现的ZwOpenProcess、ZwReadVirtualMemory和ZwWriteVirtualMemory功能。该驱动允许用户态程序直接进行进程内核态读写操作，通过设备控制码来调用内核函数，实现跨进程内存读写。

开发板推荐：天空星STM32F407VET6开发板

超高性价比 STM32主控 | 超高主频 | 一板兼容百芯 | 比赛神器 | 沉金彩色丝印

点击查看

懒得自己写了，就转一个帖子吧。

用驱动实现自己的 ZwOpenProcess ZwReadVirtualMemory ZwWriteVirtualMemory /* jhxxs.C Author: <your name> Last Updated: 2006-03-23 This framework is generated by EasySYS 0.3.0 This template file is copying from QuickSYS 0.3.0 written by Chunhua Liu */ #include "dbghelp.h" #include "jhxxs.h" #include <stdio.h> #include <ntdef.h> #include <ntstatus.h> #include <ntddk.h> // // A structure representing the instance information associated with // a particular device // typedef struct _DEVICE_EXTENSION { ULONG StateVariable; } DEVICE_EXTENSION, *PDEVICE_EXTENSION; typedef struct _KAPC_STATE{ LIST_ENTRY ApcListHead[2]; PEPROCESS Process; UCHAR KernelApcInProgress; UCHAR KernelApcPending; UCHAR UserApcPending; }KAPC_STATE,*PKAPC_STATE; NTKERNELAPI void KeStackAttachProcess(IN PEPROCESS Process, OUT PKAPC_STATE ApcState); NTKERNELAPI void KeUnstackDetachProcess(IN PKAPC_STATE ApcState); NTKERNELAPI NTSTATUS PsLookupProcessByProcessId(IN ULONG ulProcId,OUT PEPROCESS * pEProcess); NTKERNELAPI NTSTATUS ObOpenObjectByPointer( IN PVOID Object, IN ULONG HandleAttributes, IN PACCESS_STATE PassedAccessState OPTIONAL, IN ACCESS_MASK DesiredAccess OPTIONAL, IN POBJECT_TYPE ObjectType OPTIONAL, IN KPROCESSOR_MODE AccessMode, OUT PHANDLE Handle ); // // Device driver routine declarations. // NTSTATUS DriverEntry( IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING RegistryPath ); NTSTATUS JhxxsDispatchCreate( IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp ); NTSTATUS JhxxsDispatchClose( IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp ); NTSTATUS JhxxsDispatchDeviceControl( IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp ); VOID JhxxsUnload( IN PDRIVER_OBJECT DriverObject ); #ifdef ALLOC_PRAGMA #pragma alloc_text(INIT, DriverEntry) #pragma alloc_text(PAGE, JhxxsDispatchCreate) #pragma alloc_text(PAGE, JhxxsDispatchClose) #pragma alloc_text(PAGE, JhxxsDispatchDeviceControl) #pragma alloc_text(PAGE, JhxxsUnload) #endif // ALLOC_PRAGMA NTSTATUS MyWriteMemory(IN HANDLE hProcess,OUT PVOID BaseAddress,IN PVOID Pbuff,IN ULONG BufferSize) { PEPROCESS EProcess; KAPC_STATE ApcState; PVOID writebuffer=NULL; NTSTATUS status; status = ObReferenceObjectByHandle( hProcess, PROCESS_VM_WRITE|PROCESS_VM_READ, NULL, KernelMode, &EProcess, NULL ); if(!NT_SUCCESS(status)) { ObDereferenceObject(EProcess); return STATUS_UNSUCCESSFUL; } writebuffer = ExAllocatePoolWithTag (NonPagedPool, BufferSize, 'Sys'); if(writebuffer==NULL) { ObDereferenceObject(EProcess); ExFreePool (writebuffer); return STATUS_UNSUCCESSFUL; } *(ULONG*)writebuffer=(ULONG)0x1; if (MmIsAddressValid(Pbuff)) { __try { ProbeForRead ((CONST PVOID)Pbuff, BufferSize, sizeof(CHAR)); RtlCopyMemory (writebuffer, Pbuff, BufferSize); } __except(EXCEPTION_EXECUTE_HANDLER) { status = STATUS_UNSUCCESSFUL; } } else { status = STATUS_UNSUCCESSFUL; } if (NT_SUCCESS(status)) { KeStackAttachProcess (EProcess, &ApcState); if (MmIsAddressValid(BaseAddress)) { __try { ProbeForWrite ((CONST PVOID)BaseAddress, BufferSize, sizeof(CHAR)); RtlCopyMemory (BaseAddress,writebuffer, BufferSize); } __except(EXCEPTION_EXECUTE_HANDLER) { status = STATUS_UNSUCCESSFUL; } } else { status = STATUS_UNSUCCESSFUL; } KeUnstackDetachProcess (&ApcState); } ObDereferenceObject(EProcess); ExFreePool (writebuffer); return status; } NTSTATUS MyReadMemory(IN HANDLE hProcess,IN PVOID BaseAddress,OUT PVOID Pbuff,IN ULONG BufferSize) { PEPROCESS EProcess; KAPC_STATE ApcState; PVOID readbuffer=NULL; NTSTATUS status; status = ObReferenceObjectByHandle( hProcess, PROCESS_VM_WRITE|PROCESS_VM_READ, NULL, KernelMode, &EProcess, NULL ); if(!NT_SUCCESS(status)) { ObDereferenceObject(EProcess); return STATUS_UNSUCCESSFUL; } readbuffer = ExAllocatePoolWithTag (NonPagedPool, BufferSize, 'Sys'); if(readbuffer==NULL) { ObDereferenceObject(EProcess); ExFreePool (readbuffer); return STATUS_UNSUCCESSFUL; } *(ULONG*)readbuffer=(ULONG)0x1; KeStackAttachProcess (EProcess, &ApcState); if (MmIsAddressValid(BaseAddress)) { __try { ProbeForRead ((CONST PVOID)BaseAddress, BufferSize, sizeof(CHAR)); RtlCopyMemory (readbuffer, BaseAddress, BufferSize); } __except(EXCEPTION_EXECUTE_HANDLER) { status = STATUS_UNSUCCESSFUL; } } else { status = STATUS_UNSUCCESSFUL; } KeUnstackDetachProcess (&ApcState); if(NT_SUCCESS(status)) { if (MmIsAddressValid(Pbuff)) { __try { ProbeForWrite(Pbuff, BufferSize, sizeof(CHAR)); RtlCopyMemory (Pbuff, readbuffer, BufferSize); } __except(EXCEPTION_EXECUTE_HANDLER) { status = STATUS_UNSUCCESSFUL; } } else { status = STATUS_UNSUCCESSFUL; } } ObDereferenceObject(EProcess); ExFreePool (readbuffer); return status; } NTSTATUS MyOpenProcess(ULONG PID, PHANDLE pHandle) { NTSTATUS status; PEPROCESS EProcess = NULL; HANDLE handle = NULL; UNICODE_STRING y; PULONG PsProcessType; status = PsLookupProcessByProcessId(PID, &EProcess); if (NT_SUCCESS(status)) { handle = 0; RtlInitUnicodeString(&y, L"PsProcessType"); PsProcessType = MmGetSystemRoutineAddress(&y); if (PsProcessType) { status = ObOpenObjectByPointer(EProcess, 0, 0, PROCESS_ALL_ACCESS, (PVOID)*PsProcessType, UserMode, &handle); if (NT_SUCCESS(status)) { *pHandle = handle; } } ObfDereferenceObject(EProcess); } return status; } NTSTATUS DriverEntry( IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING RegistryPath ) { NTSTATUS status = STATUS_SUCCESS; UNICODE_STRING ntDeviceName; UNICODE_STRING dosDeviceName; PDEVICE_EXTENSION deviceExtension; PDEVICE_OBJECT deviceObject = NULL; BOOLEAN fSymbolicLink = FALSE; KdBreakPoint(); RtlInitUnicodeString(&ntDeviceName, JHXXS_DEVICE_NAME_W); status = IoCreateDevice( DriverObject, sizeof(DEVICE_EXTENSION), &ntDeviceName, FILE_DEVICE_JHXXS, 0, TRUE, &deviceObject ); if (!NT_SUCCESS(status)) { goto __failed; } deviceExtension = (PDEVICE_EXTENSION)deviceObject->DeviceExtension; RtlInitUnicodeString(&dosDeviceName, JHXXS_DOS_DEVICE_NAME_W); status = IoCreateSymbolicLink(&dosDeviceName, &ntDeviceName); if (!NT_SUCCESS(status)) { goto __failed; } fSymbolicLink = TRUE; DriverObject->MajorFunction[IRP_MJ_CREATE] = JhxxsDispatchCreate; DriverObject->MajorFunction[IRP_MJ_CLOSE] = JhxxsDispatchClose; DriverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL] = JhxxsDispatchDeviceControl; DriverObject->DriverUnload = JhxxsUnload; if (NT_SUCCESS(status)) return status; __failed: if (fSymbolicLink) IoDeleteSymbolicLink(&dosDeviceName); if (deviceObject) IoDeleteDevice(deviceObject); return status; } NTSTATUS JhxxsDispatchCreate( IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp ) { NTSTATUS status = STATUS_SUCCESS; Irp->IoStatus.Information = 0; Irp->IoStatus.Status = status; IoCompleteRequest(Irp, IO_NO_INCREMENT); return status; } NTSTATUS JhxxsDispatchClose( IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp ) { NTSTATUS status = STATUS_SUCCESS; Irp->IoStatus.Information = 0; Irp->IoStatus.Status = status; IoCompleteRequest(Irp, IO_NO_INCREMENT); return status; } NTSTATUS JhxxsDispatchDeviceControl( IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp ) { NTSTATUS status = STATUS_SUCCESS; PIO_STACK_LOCATION irpStack; PDEVICE_EXTENSION deviceExtension; PVOID ioBuf; ULONG inBufLength, outBufLength; ULONG ioControlCode; UCHAR *buff =0; ULONG OutByteCount =0; HANDLE Writehandel; PVOID WriteDstAddr; PVOID WriteSrcAddr; ULONG WriteSize; NTSTATUS WriteReturn; HANDLE Readhandel; PVOID ReadBaseAddr; PVOID ReadBuffer; ULONG ReadSize; NTSTATUS ReadReturn; ULONG OpenPid; PHANDLE PProcessHandle; NTSTATUS OpenReturn; irpStack = IoGetCurrentIrpStackLocation(Irp); deviceExtension = (PDEVICE_EXTENSION)DeviceObject->DeviceExtension; Irp->IoStatus.Information = 0; ioBuf = Irp->AssociatedIrp.SystemBuffer; inBufLength = irpStack->Parameters.DeviceIoControl.InputBufferLength; outBufLength = irpStack->Parameters.DeviceIoControl.OutputBufferLength; ioControlCode = irpStack->Parameters.DeviceIoControl.IoControlCode; switch (ioControlCode) { case 0X0022E004: { buff=(UCHAR *)Irp->AssociatedIrp.SystemBuffer ; memmove(&Writehandel,&buff[0],4); memmove(&WriteDstAddr,&buff[4],4); memmove(&WriteSrcAddr,&buff[8],4); memmove(&WriteSize,&buff[12],4); WriteReturn=MyWriteMemory(Writehandel,WriteDstAddr,WriteSrcAddr,WriteSize); memmove(Irp->AssociatedIrp.SystemBuffer,&WriteReturn,4); OutByteCount=4; break; } case 0X0022E008: { buff=(UCHAR *)Irp->AssociatedIrp.SystemBuffer ; memmove(&Readhandel,&buff[0],4); memmove(&ReadBaseAddr,&buff[4],4); memmove(&ReadBuffer,&buff[8],4); memmove(&ReadSize,&buff[12],4); ReadReturn=MyReadMemory(Readhandel,ReadBaseAddr,ReadBuffer,ReadSize); memmove(&buff[0],&ReadReturn,4); OutByteCount=4; break; } case 0X0022E000: { OpenReturn = MyOpenProcess(*(PULONG)ioBuf,ioBuf); buff=(UCHAR *)Irp->AssociatedIrp.SystemBuffer ; memmove(&buff[4],&OpenReturn,4); OutByteCount=8; break; } case IOCTL_JHXXS_HELLO: { break; } default: status = STATUS_INVALID_PARAMETER; break; } Irp->IoStatus.Status = status; Irp->IoStatus.Information = OutByteCount; IoCompleteRequest(Irp, IO_NO_INCREMENT); return status; } VOID JhxxsUnload( IN PDRIVER_OBJECT DriverObject ) { UNICODE_STRING dosDeviceName; RtlInitUnicodeString(&dosDeviceName, JHXXS_DOS_DEVICE_NAME_W); IoDeleteSymbolicLink(&dosDeviceName); IoDeleteDevice(DriverObject->DeviceObject); }

开发板推荐：天空星STM32F407VET6开发板

超高性价比 STM32主控 | 超高主频 | 一板兼容百芯 | 比赛神器 | 沉金彩色丝印

点击查看