1 stdafx.h 头文件代码 2 3 #ifndef _WIN32_WINNT // Allow use of features specific to Windows XP or later. 4 #define _WIN32_WINNT 0x0501 // Change this to the appropriate value to target other versions of Windows. 5 #endif 6 7 #ifdef __cplusplus 8 extern "C" 9 { 10 11 #endif 12 13 #include <ntddk.h> 14 #include <ntddstor.h> 15 #include <mountdev.h> 16 #include <ntddvol.h> 17 18 19 #ifdef __cplusplus 20 } 21 #endif
1 驱动读写 C++代码 2 3 #include <ntifs.h> 4 #include <ntddk.h> 5 #include "stdafx.h" 6 7 8 extern "C" NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING RegistryPath); 9 10 11 #define arraysize(p) (sizeof(p)/sizeof((p)[0])) 12 NTSTATUS ControlCode(IN PDEVICE_OBJECT pDevObj, IN PIRP pIrp); 13 NTSTATUS CreateMyDevice(IN PDRIVER_OBJECT pDriverObject); 14 NTSTATUS NtCreateMessage(IN PDEVICE_OBJECT pDevObj, IN PIRP pIrp); 15 int ReadProcessMemory(PVOID Address, SIZE_T BYTE_size, int PID); 16 int WriteProcessMemory(VOID* Address, SIZE_T BYTE_size, VOID *VirtualAddress, int PID); 17 #define READPROCESSMEMORY CTL_CODE(FILE_DEVICE_UNKNOWN, 0x800, METHOD_BUFFERED, FILE_ANY_ACCESS) 18 #define WRITEPROCESSMEMORY CTL_CODE(FILE_DEVICE_UNKNOWN, 0x801, METHOD_BUFFERED, FILE_ANY_ACCESS) 19 #define WRITEPROCESSMEMORY_BYTE CTL_CODE(FILE_DEVICE_UNKNOWN, 0x802, METHOD_BUFFERED, FILE_ANY_ACCESS) 20 21 //卸载回调 22 void UnloadDriver(PDRIVER_OBJECT pDriverObject) 23 { 24 //用来取得要删除设备对象 25 PDEVICE_OBJECT pDev; 26 UNICODE_STRING symLinkName; 27 pDev = pDriverObject->DeviceObject; 28 //删除设备 29 IoDeleteDevice(pDev); 30 31 //取符号链接名字 32 RtlInitUnicodeString(&symLinkName, L"\??\My_DriverLinkName"); 33 //删除符号链接 34 IoDeleteSymbolicLink(&symLinkName); 35 KdPrint(("驱动成功卸载 ")); 36 } 37 38 NTSTATUS DriverEntry(PDRIVER_OBJECT pDriverObject,PUNICODE_STRING RegistryPath) 39 { 40 //设置卸载函数 41 pDriverObject->DriverUnload = UnloadDriver; 42 //处理R3的CreateFile操作不然会失败 43 pDriverObject->MajorFunction[IRP_MJ_CREATE] = NtCreateMessage; 44 //处理R3的控制代码 45 pDriverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL] = ControlCode; 46 //创建相应的设备 47 CreateMyDevice(pDriverObject); 48 KdPrint(("驱动成功加载 ")); 49 return STATUS_SUCCESS; 50 } 51 //处理控制IO代码 52 NTSTATUS ControlCode(IN PDEVICE_OBJECT pDevObj, IN PIRP pIrp) 53 { 54 NTSTATUS status = STATUS_SUCCESS; 55 KdPrint(("Enter HelloDDKDeviceIOControl ")); 56 57 //得到当前堆栈 58 PIO_STACK_LOCATION stack = IoGetCurrentIrpStackLocation(pIrp); 59 //得到输入缓冲区大小 60 ULONG cbin = stack->Parameters.DeviceIoControl.InputBufferLength; 61 //得到输出缓冲区大小 62 ULONG cbout = stack->Parameters.DeviceIoControl.OutputBufferLength; 63 //得到IOCTL码 64 ULONG code = stack->Parameters.DeviceIoControl.IoControlCode; 65 66 ULONG info = 0; 67 68 switch (code) 69 { 70 case READPROCESSMEMORY://读4字节整数型 71 { 72 //显示输入缓冲区数据 73 int PID = 0, Address = 0, BYTE_size=0; 74 int *InputBuffer = (int*)pIrp->AssociatedIrp.SystemBuffer; 75 _asm 76 { 77 MOV EAX,InputBuffer 78 MOV EBX, DWORD PTR DS : [EAX] 79 MOV PID,EBX 80 MOV EBX, DWORD PTR DS : [EAX + 4] 81 MOV Address,EBX 82 MOV EBX,DWORD PTR DS:[EAX + 8] 83 MOV BYTE_size, EBX 84 } 85 //操作输出缓冲区 86 int *OutputBuffer = (int*)pIrp->AssociatedIrp.SystemBuffer; 87 *OutputBuffer = ReadProcessMemory((VOID*)Address, BYTE_size, PID); 88 //设置实际操作输出缓冲区长度 89 info = 4; 90 break; 91 } 92 case WRITEPROCESSMEMORY://写4字节整数型 93 { 94 //显示输入缓冲区数据 95 int PID = 0, Address = 0,buff ,BYTE_size = 0; 96 int *InputBuffer = (int*)pIrp->AssociatedIrp.SystemBuffer; 97 _asm 98 { 99 MOV EAX, InputBuffer 100 MOV EBX, DWORD PTR DS : [EAX] 101 MOV PID, EBX 102 MOV EBX, DWORD PTR DS : [EAX + 4] 103 MOV Address, EBX 104 MOV EBX, DWORD PTR DS : [EAX + 8] 105 MOV buff, EBX 106 MOV EBX, DWORD PTR DS : [EAX + 0xC] 107 MOV BYTE_size, EBX 108 } 109 //操作输出缓冲区 110 int *OutputBuffer = (int*)pIrp->AssociatedIrp.SystemBuffer; 111 *OutputBuffer = WriteProcessMemory((VOID*)Address, BYTE_size, &buff, PID); 112 //设置实际操作输出缓冲区长度 113 info = 4; 114 break; 115 } 116 case WRITEPROCESSMEMORY_BYTE://写字节集 117 { 118 //显示输入缓冲区数据 119 int PID = 0, Address = 0, buff, BYTE_size = 0; 120 int *InputBuffer = (int*)pIrp->AssociatedIrp.SystemBuffer; 121 _asm 122 { 123 MOV EAX, InputBuffer 124 MOV EBX, DWORD PTR DS : [EAX] 125 MOV PID, EBX 126 MOV EBX, DWORD PTR DS : [EAX + 4] 127 MOV Address, EBX 128 MOV EBX, DWORD PTR DS : [EAX + 8] 129 MOV buff, EBX 130 MOV EBX, DWORD PTR DS : [EAX + 0xC] 131 MOV BYTE_size, EBX 132 } 133 //操作输出缓冲区 134 int *OutputBuffer = (int*)pIrp->AssociatedIrp.SystemBuffer; 135 *OutputBuffer = WriteProcessMemory((VOID*)Address, BYTE_size, (VOID*)buff, PID); 136 //设置实际操作输出缓冲区长度 137 info = 4; 138 break; 139 } 140 default: 141 status = STATUS_INVALID_VARIANT; 142 } 143 // 完成IRP 144 pIrp->IoStatus.Status = status; 145 pIrp->IoStatus.Information = info; 146 IoCompleteRequest(pIrp, IO_NO_INCREMENT); 147 return status; 148 } 149 150 typedef struct _DEVICE_EXTENSION { 151 PDEVICE_OBJECT pDevice; 152 UNICODE_STRING ustrDeviceName; //设备名称 153 UNICODE_STRING ustrSymLinkName; //符号链接名 154 155 PUCHAR buffer;//缓冲区 156 ULONG file_length;//模拟的文件长度,必须小于MAX_FILE_LENGTH 157 } DEVICE_EXTENSION, *PDEVICE_EXTENSION; 158 #pragma INITCODE /*指的代码运行后 就从内存释放掉*/ 159 //创建符号链接 160 NTSTATUS CreateMyDevice(IN PDRIVER_OBJECT pDriverObject) 161 { 162 NTSTATUS status; 163 PDEVICE_OBJECT pDevObj; 164 PDEVICE_EXTENSION pDevExt; 165 166 //创建设备名称 167 UNICODE_STRING devName; 168 RtlInitUnicodeString(&devName, L"\Device\My_DriverLinkName"); 169 170 //创建设备 171 status = IoCreateDevice(pDriverObject,sizeof(DEVICE_EXTENSION),&devName,FILE_DEVICE_UNKNOWN,0, FALSE,&pDevObj); 172 if (!NT_SUCCESS(status)) 173 return status; 174 175 pDevObj->Flags |= DO_DIRECT_IO; 176 pDevExt = (PDEVICE_EXTENSION)pDevObj->DeviceExtension; 177 pDevExt->pDevice = pDevObj; 178 pDevExt->ustrDeviceName = devName; 179 180 //申请模拟文件的缓冲区 181 pDevExt->buffer = (PUCHAR)ExAllocatePool(PagedPool, 1024); 182 //设置模拟文件大小 183 pDevExt->file_length = 0; 184 185 //创建符号链接 186 UNICODE_STRING symLinkName; 187 RtlInitUnicodeString(&symLinkName, L"\??\My_DriverLinkName"); 188 pDevExt->ustrSymLinkName = symLinkName; 189 status = IoCreateSymbolicLink(&symLinkName, &devName); 190 191 if (!NT_SUCCESS(status)) 192 { 193 IoDeleteDevice(pDevObj); 194 return status; 195 } 196 return STATUS_SUCCESS; 197 } 198 199 //处理其他IO消息直接返回成功 200 #pragma PAGEDCODE 201 NTSTATUS NtCreateMessage(IN PDEVICE_OBJECT pDevObj, IN PIRP pIrp) 202 { 203 204 NTSTATUS status = STATUS_SUCCESS; 205 // 完成IRP 206 pIrp->IoStatus.Status = status; 207 pIrp->IoStatus.Information = 0; // bytes xfered 208 IoCompleteRequest(pIrp, IO_NO_INCREMENT); 209 return status; 210 } 211 212 //读内存整数型 213 int ReadProcessMemory(VOID* Address, SIZE_T BYTE_size, int PID) 214 { 215 PEPROCESS pEProcess; 216 PVOID buff1; 217 VOID *buff2; 218 int MemoryNumerical =0; 219 KAPC_STATE KAPC = { 0 }; 220 __try 221 { 222 //得到进程EPROCESS 223 PsLookupProcessByProcessId((HANDLE)PID, &pEProcess); 224 //分配内存 225 buff1 = ExAllocatePoolWithTag((POOL_TYPE)0, BYTE_size, 1222); 226 buff2 = buff1; 227 *(int*)buff1 = 1; 228 //附加到要读写的进程 229 KeStackAttachProcess((PRKPROCESS)pEProcess, &KAPC); 230 // 判断内存是否可读 231 ProbeForRead(Address, BYTE_size, 1); 232 //复制内存 233 memcpy(buff2, Address, BYTE_size); 234 // 剥离附加的进程 235 KeUnstackDetachProcess(&KAPC); 236 //读内存 237 MemoryNumerical = *(int*)buff2; 238 // 释放申请的内存 239 ExFreePoolWithTag(buff2, 1222); 240 } 241 __except (EXCEPTION_EXECUTE_HANDLER) 242 { 243 KdPrint(("错误 ")); 244 } 245 return MemoryNumerical; 246 247 } 248 //写内存整数型 249 int WriteProcessMemory(VOID* Address, SIZE_T BYTE_size, VOID *VirtualAddress,int PID) 250 { 251 PEPROCESS pEProcess; 252 PVOID buff1; 253 VOID *buff2; 254 int MemoryNumerical = 0; 255 KAPC_STATE KAPC = { 0 }; 256 __try 257 { 258 //得到进程EPROCESS 259 PsLookupProcessByProcessId((HANDLE)PID, &pEProcess); 260 //分配内存 261 buff1 = ExAllocatePoolWithTag((POOL_TYPE)0, BYTE_size, 1111); 262 buff2 = buff1; 263 *(int*)buff1 = 1; 264 if (MmIsAddressValid((PVOID)VirtualAddress)) 265 { 266 //复制内存 267 memcpy(buff2, VirtualAddress, BYTE_size); 268 } 269 else 270 { 271 return 0; 272 } 273 //附加到要读写的进程 274 KeStackAttachProcess((PRKPROCESS)pEProcess, &KAPC); 275 if (MmIsAddressValid((PVOID)Address)) 276 { 277 //判断地址是否可写 278 ProbeForWrite(Address, BYTE_size, 1); 279 //复制内存 280 memcpy(Address, buff2, BYTE_size); 281 } 282 else 283 { 284 return 0; 285 } 286 // 剥离附加的进程 287 KeUnstackDetachProcess(&KAPC); 288 ExFreePoolWithTag(buff2, 1111); 289 } 290 __except (EXCEPTION_EXECUTE_HANDLER) 291 { 292 KdPrint(("错误 ")); 293 } 294 return 1; 295 }
1 R3通信代码 2 3 #include <stdio.h> 4 #include <windows.h> 5 #include<winioctl.h> 6 #define READPROCESSMEMORY CTL_CODE(FILE_DEVICE_UNKNOWN, 0x800, METHOD_BUFFERED, FILE_ANY_ACCESS) 7 #define WRITEPROCESSMEMORY CTL_CODE(FILE_DEVICE_UNKNOWN, 0x801, METHOD_BUFFERED, FILE_ANY_ACCESS) 8 #define WRITEPROCESSMEMORY_BYTE CTL_CODE(FILE_DEVICE_UNKNOWN, 0x802, METHOD_BUFFERED, FILE_ANY_ACCESS) 9 int ReadMemory(HANDLE hDevice, int PID,int Address,int size)//读内存 10 { 11 12 int port[3]; 13 int bufret; 14 DWORD dwWrite; 15 port[0]=PID; 16 port[1]=Address; 17 port[2]=size; 18 DeviceIoControl(hDevice,READPROCESSMEMORY, &port, 12, &bufret, 4, &dwWrite, NULL); 19 return bufret; 20 21 } 22 23 int WriteMemory_int(HANDLE hDevice, int PID,int Address,int buff,int size)//写内存整数型 24 { 25 26 int port[4]; 27 int bufret; 28 DWORD dwWrite; 29 port[0]=PID; 30 port[1]=Address; 31 port[2]=buff; 32 port[3]=size; 33 DeviceIoControl(hDevice,WRITEPROCESSMEMORY, &port, 16, &bufret, 4, &dwWrite, NULL); 34 return bufret; 35 36 } 37 38 int WriteMemory_byte(HANDLE hDevice, int PID,int Address,BYTE *buff,int size)//写内存字节集 39 { 40 int port[4]; 41 int bufret; 42 DWORD dwWrite; 43 port[0]=PID; 44 port[1]=Address; 45 port[2]=(int)buff; 46 port[3]=size; 47 DeviceIoControl(hDevice,WRITEPROCESSMEMORY_BYTE, &port, 16, &bufret, 4, &dwWrite, NULL); 48 return bufret; 49 50 } 51 int main(int argc, char* argv[]) 52 { 53 HANDLE hDevice = CreateFileW(L"\\.\My_DriverLinkName", GENERIC_READ | GENERIC_WRITE,0,NULL,OPEN_EXISTING,FILE_ATTRIBUTE_NORMAL,NULL ); 54 if (hDevice == INVALID_HANDLE_VALUE) 55 { 56 printf("获取驱动失败: %s with Win32 error code: %d ","MyDriver", GetLastError() ); 57 getchar(); 58 return -1; 59 } 60 int PID=0; 61 printf("输入进程ID! "); 62 scanf("%d",&PID); 63 BYTE a[]={0x01,0x02,0x03,0x04,0x05}; 64 int r=WriteMemory_byte(hDevice,PID,9165792,a,5);//写内存字节集 65 printf("0x8BDBE0=%d ",r); 66 getchar(); 67 getchar(); 68 return 0; 69 }