  • windows 内核模式读写内存

    sysmain.c

    #pragma warning(disable: 4100 4047 4024)
    #pragma once 
    #include <ntifs.h>
    #include <ntddk.h>
    
    /*
     * Hand-written prototype for MmCopyVirtualMemory, declared by this file
     * itself rather than taken from <ntifs.h>/<ntddk.h>.
     * NOTE(review): presumably the WDK headers do not declare this routine, so
     * the signature below is unverified by the compiler; confirm it against the
     * target OS build before relying on it.
     */
    NTKERNELAPI
    NTSTATUS
    MmCopyVirtualMemory(
      // Source: the process and the address inside it to copy from.
      _In_ PEPROCESS srcProcess,
      _In_ PVOID srcAddr,
    
      // Destination: the process and the address inside it to copy to.
      _In_ PEPROCESS dstProcess,
      _In_ PVOID dstAddr,
    
      // Size of the data to copy.
      _In_ SIZE_T DataSize,
    
      // Processor mode of the request; every call in this file passes KernelMode.
      _In_	KPROCESSOR_MODE PreviousMode,
      // Output size value; declared as a pointer to SIZE_T.
      _Out_	PSIZE_T RetureSize
    );
    
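    /*
     * Copies nSize bytes from lpBaseAddress in Process into lpBuffer in the
     * current process, via MmCopyVirtualMemory.
     *
     * Process       - referenced process object to read from; the caller owns
     *                 the reference and must release it.
     * lpBaseAddress - address inside Process to read from.
     * lpBuffer      - destination buffer in the current process.
     * nSize         - number of bytes requested.
     *
     * Returns the NTSTATUS from MmCopyVirtualMemory unchanged. The copied-size
     * output is discarded, so callers cannot detect a partial copy here.
     *
     * The output argument must be the address of a SIZE_T. The original declared
     * a PSIZE_T and passed its address (a PSIZE_T*), a mismatch that the file's
     * "#pragma warning(disable: ... 4047 4024)" kept the compiler from reporting.
     */
    NTSTATUS kReadProcessMemory(PEPROCESS Process, PVOID lpBaseAddress, PVOID lpBuffer, size_t nSize)
    {
      SIZE_T rSize = 0;
      return MmCopyVirtualMemory(Process, lpBaseAddress, PsGetCurrentProcess(), lpBuffer, nSize, KernelMode, &rSize);
    }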
    
    
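    /*
     * Copies nSize bytes from lpBuffer in the current process to lpBaseAddress
     * in Process, via MmCopyVirtualMemory.
     *
     * Process       - referenced process object to write into; the caller owns
     *                 the reference and must release it.
     * lpBaseAddress - address inside Process to write to.
     * lpBuffer      - source buffer in the current process.
     * nSize         - number of bytes requested.
     *
     * Returns the NTSTATUS from MmCopyVirtualMemory unchanged. The copied-size
     * output is discarded.
     *
     * The output argument must be the address of a SIZE_T. The original declared
     * a PSIZE_T and passed its address (a PSIZE_T*), a mismatch that the file's
     * "#pragma warning(disable: ... 4047 4024)" kept the compiler from reporting.
     */
    NTSTATUS kWriteProcessMemory(PEPROCESS Process, PVOID lpBaseAddress, PVOID lpBuffer, size_t nSize)
    {
      SIZE_T rSize = 0;
      return MmCopyVirtualMemory(PsGetCurrentProcess(), lpBuffer, Process, lpBaseAddress, nSize, KernelMode, &rSize);
    }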
    
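    /*
     * Unload routine registered by DriverEntry; only logs a message.
     *
     * The string literal was split across two source lines in the listing, which
     * does not compile; it is restored here with an explicit "\n" escape.
     *
     * NOTE(review): the WDK DRIVER_UNLOAD callback type returns VOID. The
     * NTSTATUS return is kept so this block stays compatible with the rest of
     * the file, but the I/O manager ignores the value.
     */
    NTSTATUS DriverUnload(PDRIVER_OBJECT pDriverObject)
    {
      DbgPrintEx(0, 0, "stop hsys.\n");
      return STATUS_SUCCESS;
    }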
    
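    /*
     * Driver entry point. Registers the unload routine, then does one
     * demonstration write and read-back of an int in another process.
     *
     * pDriverObject - driver object; its DriverUnload slot is set here.
     * pRegister     - registry path; unused.
     *
     * Returns the lookup failure status if the target process cannot be found,
     * otherwise STATUS_SUCCESS (copy failures are only logged, as the original
     * ignored them).
     *
     * Changes from the original listing:
     *  - PsLookupProcessByProcessId's status is checked. On failure Process was
     *    left uninitialised and then handed to MmCopyVirtualMemory.
     *  - The reference taken by PsLookupProcessByProcessId is released with
     *    ObDereferenceObject; the original leaked it.
     *  - The address constant is cast to PVOID explicitly instead of relying on
     *    the suppressed C4047 warning.
     *  - The read-back is printed only when both copies succeed.
     *  - The format string, split across two lines in the listing, is restored.
     *
     * This path looks the process up by id and copies in KernelMode, so none of
     * the handle access checks that the user-mode memory APIs go through apply.
     */
    NTSTATUS DriverEntry(PDRIVER_OBJECT pDriverObject, PUNICODE_STRING pRegister)
    {
      pDriverObject->DriverUnload = DriverUnload;
    
      /* Sample values from the article; they only meant something in the
       * author's own session and must not be assumed valid anywhere else. */
      size_t pid = 2572;
      PVOID addr = (PVOID)0x00007FF72BB8C178;
    
      PEPROCESS Process = NULL;
      NTSTATUS status = PsLookupProcessByProcessId((HANDLE)pid, &Process);
      if (!NT_SUCCESS(status))
      {
        DbgPrintEx(0, 0, "process lookup failed: 0x%08X\n", status);
        return status;
      }
    
      int newValue = 100;
      status = kWriteProcessMemory(Process, addr, &newValue, sizeof(int));
    
      if (NT_SUCCESS(status))
      {
        int readValue = 0;
        status = kReadProcessMemory(Process, addr, &readValue, sizeof(int));
        if (NT_SUCCESS(status))
        {
          DbgPrintEx(0, 0, "change value: %d\n", readValue);
        }
      }
    
      if (!NT_SUCCESS(status))
      {
        DbgPrintEx(0, 0, "memory copy failed: 0x%08X\n", status);
      }
    
      /* Balance the reference added by PsLookupProcessByProcessId. */
      ObDereferenceObject(Process);
    
      return  STATUS_SUCCESS;
    }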
    
  • 原文地址:https://www.cnblogs.com/ajanuw/p/13740802.html