Mdl读写驱动层和应用层通信的问题
本帖最后由 Tizi 于 2020-2-20 13:14 编辑。下面是驱动层的代码：
// NOTE(review): this is the body of a DeviceIoControl dispatch routine; the
// function header and the code after the switch are not shown, so what the
// caller does with `status`/`info` after `break` cannot be seen from here.
NTSTATUS status = STATUS_SUCCESS;
PIO_STACK_LOCATION irps = IoGetCurrentIrpStackLocation(pIrp);// current I/O stack location
ULONG inlength= irps->Parameters.DeviceIoControl.InputBufferLength;// size of the input buffer
ULONG outlength = irps->Parameters.DeviceIoControl.OutputBufferLength;// size of the output buffer
// NOTE(review): inlength/outlength are read but never compared against
// sizeof(READANDWRITE) or against tempbuffer->size further down. Both lengths
// and the requested size come from the user-mode caller and have to be
// validated before the system buffer is dereferenced or written.
ULONG CODE = irps->Parameters.DeviceIoControl.IoControlCode;
ULONG info = 0;// byte count to report; in this fragment it is never stored into pIrp->IoStatus.Information
switch (CODE)
{
case READCODE:
{
PUCHAR pmapped = NULL;// unused in this case
pIrp->IoStatus.Status = STATUS_SUCCESS;
// NOTE(review): this declaration shadows the outer `status` declared above
// the switch; every assignment below updates the inner variable, so the
// outer `status` is still STATUS_SUCCESS after `break`.
NTSTATUS status = STATUS_SUCCESS;
PEPROCESS targeprocess = NULL;
KAPC_STATE apcstack = { 0 };
PMDL tempmdl;
PVOID mappedaddr;
PVOID targeaddr;
// Request header lives in the system buffer (presumably METHOD_BUFFERED, where
// SystemBuffer holds both input and output — confirm the CTL_CODE definition).
// NOTE(review): no `inlength >= sizeof(READANDWRITE)` check before this dereference.
PREADANDWRITE tempbuffer = (PREADANDWRITE)pIrp->AssociatedIrp.SystemBuffer;
// NOTE(review): %d/%x for pid/targeaddr — if those fields are pointer-sized on
// x64 the conversions are wrong; the field types are defined outside this fragment.
DbgPrint("取到当前ID:%d地址:%x 大小:%d \n", tempbuffer->pid, tempbuffer->targeaddr, tempbuffer->size);
// Look up the process object. This takes a reference that must be released
// with ObDereferenceObject only after the last use of targeprocess.
status = PsLookupProcessByProcessId((HANDLE)tempbuffer->pid, &targeprocess);
if (!NT_SUCCESS(status))
{
// NOTE(review): the lookup's own status is discarded and replaced here, and the
// routine returns without completing the IRP — whether the caller completes it
// on this path is not visible in this fragment.
status = STATUS_PROCESS_CLONED;
info = 0;
DbgPrint("error <%x> \n", status);
return status;
}
// NOTE(review): the reference is dropped here, before targeprocess is used on
// the next line and while the attach is active; the object can go away
// underneath us. This call belongs after KeUnstackDetachProcess.
ObDereferenceObject(targeprocess);
KeStackAttachProcess(targeprocess, &apcstack);// attach to the target address space
targeaddr = (PVOID)tempbuffer->targeaddr;
// MDL for the caller-chosen range; tempbuffer->size is still unvalidated here.
tempmdl = IoAllocateMdl(targeaddr, tempbuffer->size, FALSE, FALSE, NULL);
if (!tempmdl)
{
status = STATUS_MEMORY_NOT_ALLOCATED;
info = 0;
KeUnstackDetachProcess(&apcstack);
break;
}
__try
{
// Lock the pages for read. NOTE(review): with KernelMode as AccessMode the
// probe presumably does not reject a kernel-space targeaddr supplied by the
// caller; UserMode would — confirm which is intended.
MmProbeAndLockPages(tempmdl, KernelMode, IoReadAccess);
}
__except (1)// EXCEPTION_EXECUTE_HANDLER
{
// NOTE(review): tempmdl allocated above is leaked on this path (no IoFreeMdl).
status = STATUS_MEMORY_NOT_ALLOCATED;
info = 0;
KeUnstackDetachProcess(&apcstack);
break;
}
// Map the locked pages into system space.
mappedaddr = MmMapLockedPages(tempmdl, KernelMode);
if (!mappedaddr)
{
// NOTE(review): the pages locked above are never unlocked (no MmUnlockPages
// anywhere in this case), here or on the success path.
IoFreeMdl(tempmdl);
status = STATUS_MEMORY_NOT_ALLOCATED;
info = 0;
KeUnstackDetachProcess(&apcstack);
break;
}
// Copy the target's bytes back into the system buffer for user mode.
// NOTE(review): the destination is the same buffer tempbuffer points at, and
// tempbuffer->size is never checked against outlength — a size larger than the
// system buffer overruns it. The copy also overwrites the request header, so
// the read of tempbuffer->size a few lines below sees copied data.
RtlCopyMemory(pIrp->AssociatedIrp.SystemBuffer, mappedaddr, tempbuffer->size);
// NOTE(review): the MDL is freed here and then passed to MmUnmapLockedPages on
// the next line (use after free). The teardown order should be
// MmUnmapLockedPages, MmUnlockPages, IoFreeMdl.
IoFreeMdl(tempmdl);
MmUnmapLockedPages(mappedaddr, tempmdl);
KeUnstackDetachProcess(&apcstack);
status = STATUS_SUCCESS;
// NOTE(review): reads tempbuffer->size after the copy above overwrote the header.
info = tempbuffer->size;
pIrp->IoStatus.Status = STATUS_SUCCESS;
// NOTE(review): completes the IRP here without ever storing `info` into
// pIrp->IoStatus.Information; if the code after the switch (not shown) also
// completes the IRP, this is a double completion.
IoCompleteRequest(pIrp, IO_NO_INCREMENT);
break;
}
default:
DbgPrint("error \n");
break;
}
下面是应用层的代码
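/*
 * User-mode test client. Opens \\.\MyReadTest, asks for a pid, an address and
 * a byte count, issues READCODE four times and dumps the bytes that come back.
 * Returns 0 on success, 1 if the device cannot be opened or the input is invalid.
 *
 * Fixes against the posted version: `outbuffer` was a single BYTE but was
 * handed to DeviceIoControl as a 40-byte buffer (stack overrun on return);
 * `data` and `a` were never declared; `ULONGdwout` was missing a space; the
 * requested size was not bounded by the buffer it is read into; and the
 * scanf/printf conversions did not match LONG/ULONG/DWORD.
 */
int _tmain(int argc, _TCHAR* argv[])
{
	(void)argc;
	(void)argv;

	HANDLE hDevice = CreateFile(L"\\\\.\\MyReadTest",
		GENERIC_READ | GENERIC_WRITE,
		0,                     /* no sharing */
		NULL,                  /* default security descriptor */
		OPEN_EXISTING,
		FILE_ATTRIBUTE_NORMAL,
		NULL);                 /* no template file */
	if (hDevice == INVALID_HANDLE_VALUE)
	{
		printf("无法获取设备:%s 的句柄,错误码:%lu\n", "MyWDMDevice", GetLastError());
		getchar();
		return 1;
	}

	/* The output buffer must really be as large as the length passed to DeviceIoControl. */
	BYTE outbuffer[40] = { 0 };
	READANDWRITE data = { 0 };
	LONG pid = 0;
	LONG address = 0;   /* LONG is 32-bit: fine for a 32-bit target, truncates on x64 — the READANDWRITE field type (not shown) decides */
	LONG size = 0;
	ULONG dwout = 0;
	BOOL bRet;
	int a = 0;

	printf("请输入进程PID \n");
	if (scanf("%ld", &pid) != 1)
	{
		printf("输入无效\n");
		CloseHandle(hDevice);
		return 1;
	}
	printf("请输入要操作的地址 \n");
	if (scanf("%lx", &address) != 1)
	{
		printf("输入无效\n");
		CloseHandle(hDevice);
		return 1;
	}
	printf("请输入要操作字节大小 \n");
	if (scanf("%ld", &size) != 1)
	{
		printf("输入无效\n");
		CloseHandle(hDevice);
		return 1;
	}

	/* The driver copies `size` bytes back into this buffer; never ask for more than it holds. */
	if (size < 0 || size > (LONG)sizeof outbuffer)
	{
		printf("字节大小超出缓冲区，按 %lu 处理\n", (ULONG)sizeof outbuffer);
		size = (LONG)sizeof outbuffer;
	}

	for (int i = 0; i < 4; i++)
	{
		data.pid = pid;
		data.targeaddr = address;
		data.size = size;
		dwout = 0;
		bRet = DeviceIoControl(hDevice, READCODE, &data, sizeof(READANDWRITE),
		                       outbuffer, sizeof outbuffer, &dwout, NULL);
		if (!bRet)
		{
			printf("读失败\n");
			continue;
		}
		/* `size` is already clamped to the buffer. `dwout` is the byte count the
		 * driver reports in IoStatus.Information and is the authoritative length
		 * once the driver sets it. */
		for (LONG b = 0; b < size; b++)
		{
			printf("--%x--", outbuffer[b]);
		}
		printf("\n");
	}

	CloseHandle(hDevice);
	scanf("%d", &a);
	return 0;
}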
驱动层把 mappedaddr 指向的内容传回应用层，但我在应用层读出来的并不是该内存地址上的数据，这是怎么回事？求大佬支招。
PS:我驱动层 直接转BYTE类型 读出来 是可以读出来正确的内存地址数据 参考:
http://www.m5home.com/bbs/thread-3376-1-1.html
http://www.m5home.com/bbs/thread-7971-1-1.html