驱动读写进程内存R3,R0通信

stdafx.h 头文件代码

#ifndef _WIN32_WINNT        // Allow use of features specific to Windows XP or later.                   
#define _WIN32_WINNT 0x0501    // Change this to the appropriate value to target other versions of Windows.
#endif                        

#ifdef __cplusplus
extern "C" 
{

#endif

#include <ntddk.h>
#include <ntddstor.h>
#include <mountdev.h>
#include <ntddvol.h>


#ifdef __cplusplus
}
#endif

驱动读写 C++代码

#include <ntifs.h>
#include <ntddk.h>
#include "stdafx.h"


extern "C" NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING  RegistryPath);


#define arraysize(p) (sizeof(p)/sizeof((p)[0]))
NTSTATUS ControlCode(IN PDEVICE_OBJECT pDevObj, IN PIRP pIrp);
NTSTATUS CreateMyDevice(IN PDRIVER_OBJECT pDriverObject);
NTSTATUS NtCreateMessage(IN PDEVICE_OBJECT pDevObj, IN PIRP pIrp);
int ReadProcessMemory(PVOID Address, SIZE_T BYTE_size, int PID);
int WriteProcessMemory(VOID* Address, SIZE_T BYTE_size, VOID *VirtualAddress, int PID);
#define READPROCESSMEMORY CTL_CODE(FILE_DEVICE_UNKNOWN, 0x800, METHOD_BUFFERED, FILE_ANY_ACCESS)
#define WRITEPROCESSMEMORY CTL_CODE(FILE_DEVICE_UNKNOWN, 0x801, METHOD_BUFFERED, FILE_ANY_ACCESS)
#define WRITEPROCESSMEMORY_BYTE CTL_CODE(FILE_DEVICE_UNKNOWN, 0x802, METHOD_BUFFERED, FILE_ANY_ACCESS)

//卸载回调
void UnloadDriver(PDRIVER_OBJECT pDriverObject)
{
    //用来取得要删除设备对象
    PDEVICE_OBJECT pDev;
    UNICODE_STRING symLinkName;
    pDev = pDriverObject->DeviceObject;
    //删除设备
    IoDeleteDevice(pDev); 

    //取符号链接名字
    RtlInitUnicodeString(&symLinkName, L"\??\My_DriverLinkName");
    //删除符号链接
    IoDeleteSymbolicLink(&symLinkName);
    KdPrint(("驱动成功卸载
"));
}

NTSTATUS DriverEntry(PDRIVER_OBJECT  pDriverObject,PUNICODE_STRING  RegistryPath)
{
    //设置卸载函数
    pDriverObject->DriverUnload = UnloadDriver;
    //处理R3的CreateFile操作不然会失败
    pDriverObject->MajorFunction[IRP_MJ_CREATE] = NtCreateMessage;
    //处理R3的控制代码
    pDriverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL] = ControlCode;
    //创建相应的设备
    CreateMyDevice(pDriverObject);
    KdPrint(("驱动成功加载
"));
    return STATUS_SUCCESS;
}
//处理控制IO代码
NTSTATUS ControlCode(IN PDEVICE_OBJECT pDevObj, IN PIRP pIrp)
{
    NTSTATUS status = STATUS_SUCCESS;
    KdPrint(("Enter HelloDDKDeviceIOControl
"));

    //得到当前堆栈
    PIO_STACK_LOCATION stack = IoGetCurrentIrpStackLocation(pIrp);
    //得到输入缓冲区大小
    ULONG cbin = stack->Parameters.DeviceIoControl.InputBufferLength;
    //得到输出缓冲区大小
    ULONG cbout = stack->Parameters.DeviceIoControl.OutputBufferLength;
    //得到IOCTL码
    ULONG code = stack->Parameters.DeviceIoControl.IoControlCode;

    ULONG info = 0;

    switch (code)
    {
    case  READPROCESSMEMORY://读4字节整数型
        {
            //显示输入缓冲区数据
            int PID = 0, Address = 0, BYTE_size=0;
            int *InputBuffer = (int*)pIrp->AssociatedIrp.SystemBuffer;
            _asm
            {
                MOV EAX,InputBuffer
                    MOV EBX, DWORD PTR DS : [EAX]
                MOV PID,EBX
                    MOV EBX, DWORD PTR DS : [EAX + 4]
                MOV Address,EBX
                    MOV EBX,DWORD PTR DS:[EAX + 8]
                MOV BYTE_size, EBX
            }
            //操作输出缓冲区
            int *OutputBuffer = (int*)pIrp->AssociatedIrp.SystemBuffer;
            *OutputBuffer = ReadProcessMemory((VOID*)Address, BYTE_size, PID);
            //设置实际操作输出缓冲区长度
            info = 4;
            break;
        }
    case  WRITEPROCESSMEMORY://写4字节整数型
        {
            //显示输入缓冲区数据
            int PID = 0, Address = 0,buff ,BYTE_size = 0;
            int *InputBuffer = (int*)pIrp->AssociatedIrp.SystemBuffer;
            _asm
            {
                MOV EAX, InputBuffer
                    MOV EBX, DWORD PTR DS : [EAX]
                MOV PID, EBX
                    MOV EBX, DWORD PTR DS : [EAX + 4]
                MOV Address, EBX
                    MOV EBX, DWORD PTR DS : [EAX + 8]
                MOV buff, EBX
                    MOV EBX, DWORD PTR DS : [EAX + 0xC]
                MOV BYTE_size, EBX
            }
            //操作输出缓冲区
            int *OutputBuffer = (int*)pIrp->AssociatedIrp.SystemBuffer;
            *OutputBuffer = WriteProcessMemory((VOID*)Address, BYTE_size, &buff, PID);
            //设置实际操作输出缓冲区长度
            info = 4;
            break;
        }
    case  WRITEPROCESSMEMORY_BYTE://写字节集
        {
            //显示输入缓冲区数据
            int PID = 0, Address = 0, buff, BYTE_size = 0;
            int *InputBuffer = (int*)pIrp->AssociatedIrp.SystemBuffer;
            _asm
            {
                MOV EAX, InputBuffer
                    MOV EBX, DWORD PTR DS : [EAX]
                MOV PID, EBX
                    MOV EBX, DWORD PTR DS : [EAX + 4]
                MOV Address, EBX
                    MOV EBX, DWORD PTR DS : [EAX + 8]
                MOV buff, EBX
                    MOV EBX, DWORD PTR DS : [EAX + 0xC]
                MOV BYTE_size, EBX
            }
            //操作输出缓冲区
            int *OutputBuffer = (int*)pIrp->AssociatedIrp.SystemBuffer;
            *OutputBuffer = WriteProcessMemory((VOID*)Address, BYTE_size, (VOID*)buff, PID);
            //设置实际操作输出缓冲区长度
            info = 4;
            break;
        }
    default:
        status = STATUS_INVALID_VARIANT;
    }
    // 完成IRP
    pIrp->IoStatus.Status = status;
    pIrp->IoStatus.Information = info;
    IoCompleteRequest(pIrp, IO_NO_INCREMENT);
    return status;
}

typedef struct _DEVICE_EXTENSION {
    PDEVICE_OBJECT pDevice;
    UNICODE_STRING ustrDeviceName;    //设备名称
    UNICODE_STRING ustrSymLinkName;    //符号链接名

    PUCHAR buffer;//缓冲区
    ULONG file_length;//模拟的文件长度，必须小于MAX_FILE_LENGTH
} DEVICE_EXTENSION, *PDEVICE_EXTENSION;
#pragma INITCODE /*指的代码运行后 就从内存释放掉*/
//创建符号链接
NTSTATUS CreateMyDevice(IN PDRIVER_OBJECT pDriverObject)
{
    NTSTATUS status;
    PDEVICE_OBJECT pDevObj;
    PDEVICE_EXTENSION pDevExt;

    //创建设备名称
    UNICODE_STRING devName;
    RtlInitUnicodeString(&devName, L"\Device\My_DriverLinkName");

    //创建设备
    status = IoCreateDevice(pDriverObject,sizeof(DEVICE_EXTENSION),&devName,FILE_DEVICE_UNKNOWN,0, FALSE,&pDevObj);
    if (!NT_SUCCESS(status))
        return status;

    pDevObj->Flags |= DO_DIRECT_IO;
    pDevExt = (PDEVICE_EXTENSION)pDevObj->DeviceExtension;
    pDevExt->pDevice = pDevObj;
    pDevExt->ustrDeviceName = devName;

    //申请模拟文件的缓冲区
    pDevExt->buffer = (PUCHAR)ExAllocatePool(PagedPool, 1024);
    //设置模拟文件大小
    pDevExt->file_length = 0;

    //创建符号链接
    UNICODE_STRING symLinkName;
    RtlInitUnicodeString(&symLinkName, L"\??\My_DriverLinkName");
    pDevExt->ustrSymLinkName = symLinkName;
    status = IoCreateSymbolicLink(&symLinkName, &devName);

    if (!NT_SUCCESS(status))
    {
        IoDeleteDevice(pDevObj);
        return status;
    }
    return STATUS_SUCCESS;
}

//处理其他IO消息直接返回成功
#pragma PAGEDCODE
NTSTATUS NtCreateMessage(IN PDEVICE_OBJECT pDevObj, IN PIRP pIrp)
{

    NTSTATUS status = STATUS_SUCCESS;
    // 完成IRP
    pIrp->IoStatus.Status = status;
    pIrp->IoStatus.Information = 0;    // bytes xfered
    IoCompleteRequest(pIrp, IO_NO_INCREMENT);
    return status;
}

//读内存整数型
int ReadProcessMemory(VOID* Address, SIZE_T BYTE_size, int PID)
{
    PEPROCESS pEProcess;
    PVOID buff1;
    VOID *buff2;
    int MemoryNumerical =0;
    KAPC_STATE   KAPC = { 0 };
    __try
    {
        //得到进程EPROCESS
        PsLookupProcessByProcessId((HANDLE)PID, &pEProcess);
        //分配内存
        buff1 = ExAllocatePoolWithTag((POOL_TYPE)0, BYTE_size, 1222);
        buff2 = buff1;
        *(int*)buff1 = 1;
        //附加到要读写的进程
        KeStackAttachProcess((PRKPROCESS)pEProcess, &KAPC);
        // 判断内存是否可读
        ProbeForRead(Address, BYTE_size, 1);
        //复制内存
        memcpy(buff2, Address, BYTE_size);
        // 剥离附加的进程
        KeUnstackDetachProcess(&KAPC);
        //读内存
        MemoryNumerical = *(int*)buff2;
        // 释放申请的内存
        ExFreePoolWithTag(buff2, 1222);
    }
    __except (EXCEPTION_EXECUTE_HANDLER)
    {
        KdPrint(("错误
"));
    }
    return MemoryNumerical;

}
//写内存整数型
int WriteProcessMemory(VOID* Address, SIZE_T BYTE_size, VOID *VirtualAddress,int PID)
{
    PEPROCESS pEProcess;
    PVOID buff1;
    VOID *buff2;
    int MemoryNumerical = 0;
    KAPC_STATE   KAPC = { 0 };
    __try
    {
        //得到进程EPROCESS
        PsLookupProcessByProcessId((HANDLE)PID, &pEProcess);
        //分配内存
        buff1 = ExAllocatePoolWithTag((POOL_TYPE)0, BYTE_size, 1111);
        buff2 = buff1;
        *(int*)buff1 = 1;
        if (MmIsAddressValid((PVOID)VirtualAddress))
        {
            //复制内存
            memcpy(buff2, VirtualAddress, BYTE_size);
        }
        else
        {
            return 0;
        }
        //附加到要读写的进程
        KeStackAttachProcess((PRKPROCESS)pEProcess, &KAPC);
        if (MmIsAddressValid((PVOID)Address))
        {
            //判断地址是否可写
            ProbeForWrite(Address, BYTE_size, 1);
            //复制内存
            memcpy(Address, buff2, BYTE_size);
        }
        else
        {
            return 0;
        }
        // 剥离附加的进程
        KeUnstackDetachProcess(&KAPC);
        ExFreePoolWithTag(buff2, 1111);
    }
    __except (EXCEPTION_EXECUTE_HANDLER)
    {
        KdPrint(("错误
"));
    }
    return 1;
}

R3通信代码

#include <stdio.h>
#include <windows.h>
#include<winioctl.h> 
#define READPROCESSMEMORY CTL_CODE(FILE_DEVICE_UNKNOWN, 0x800, METHOD_BUFFERED, FILE_ANY_ACCESS)
#define WRITEPROCESSMEMORY CTL_CODE(FILE_DEVICE_UNKNOWN, 0x801, METHOD_BUFFERED, FILE_ANY_ACCESS)
#define WRITEPROCESSMEMORY_BYTE CTL_CODE(FILE_DEVICE_UNKNOWN, 0x802, METHOD_BUFFERED, FILE_ANY_ACCESS)
int ReadMemory(HANDLE hDevice, int PID,int Address,int size)//读内存
{
    
    int port[3];
    int bufret;
    DWORD dwWrite;
    port[0]=PID;
    port[1]=Address;
    port[2]=size;
    DeviceIoControl(hDevice,READPROCESSMEMORY, &port, 12, &bufret, 4, &dwWrite, NULL);
    return bufret;

}

int WriteMemory_int(HANDLE hDevice, int PID,int Address,int buff,int size)//写内存整数型
{
    
    int port[4];
    int bufret;
    DWORD dwWrite;
    port[0]=PID;
    port[1]=Address;
    port[2]=buff;
    port[3]=size;
    DeviceIoControl(hDevice,WRITEPROCESSMEMORY, &port, 16, &bufret, 4, &dwWrite, NULL);
    return bufret;

}

int WriteMemory_byte(HANDLE hDevice, int PID,int Address,BYTE *buff,int size)//写内存字节集
{
    int port[4];
    int bufret;
    DWORD dwWrite;
    port[0]=PID;
    port[1]=Address;
    port[2]=(int)buff;
    port[3]=size;
    DeviceIoControl(hDevice,WRITEPROCESSMEMORY_BYTE, &port, 16, &bufret, 4, &dwWrite, NULL);
    return bufret;

}
int main(int argc, char* argv[])
{
    HANDLE hDevice = CreateFileW(L"\\.\My_DriverLinkName", GENERIC_READ | GENERIC_WRITE,0,NULL,OPEN_EXISTING,FILE_ATTRIBUTE_NORMAL,NULL );    
    if (hDevice == INVALID_HANDLE_VALUE)
    {
        printf("获取驱动失败: %s with Win32 error code: %d
","MyDriver", GetLastError() );
        getchar();
        return -1;
    }
    int PID=0;
    printf("输入进程ID！
");
    scanf("%d",&PID);
    BYTE a[]={0x01,0x02,0x03,0x04,0x05};
  int r=WriteMemory_byte(hDevice,PID,9165792,a,5);//写内存字节集
  printf("0x8BDBE0=%d
",r);
   getchar();
   getchar();
    return 0;
}