|
|
本帖最后由 Tizi 于 2020-2-20 13:14 编辑
这个驱动层的代码
- NTSTATUS status = STATUS_SUCCESS;
- PIO_STACK_LOCATION irps = IoGetCurrentIrpStackLocation(pIrp);//获取堆栈
- ULONG inlength = irps->Parameters.DeviceIoControl.InputBufferLength;//得到输入缓冲区大小
- ULONG outlength = irps->Parameters.DeviceIoControl.OutputBufferLength;//得到输出缓冲区大小
- ULONG CODE = irps->Parameters.DeviceIoControl.IoControlCode;
- ULONG info = 0;
- switch (CODE)
- {
- case READCODE:
- {
- PUCHAR pmapped = NULL;
- pIrp->IoStatus.Status = STATUS_SUCCESS;
- NTSTATUS status = STATUS_SUCCESS;
- PEPROCESS targeprocess = NULL;
- KAPC_STATE apcstack = { 0 };
- PMDL tempmdl;
- PVOID mappedaddr;
- PVOID targeaddr;
- PREADANDWRITE tempbuffer = (PREADANDWRITE)pIrp->AssociatedIrp.SystemBuffer;
- DbgPrint("取到当前ID:%d 地址:%x 大小:%d \n", tempbuffer->pid, tempbuffer->targeaddr, tempbuffer->size);
- // 获得进程对象
- status = PsLookupProcessByProcessId((HANDLE)tempbuffer->pid, &targeprocess);
- if (!NT_SUCCESS(status))
- {
- status = STATUS_PROCESS_CLONED;
- info = 0;
- DbgPrint("error <%x> \n", status);
- return status;
- }
- //让内核对象引用数-1
- ObDereferenceObject(targeprocess);
- KeStackAttachProcess(targeprocess, &apcstack);//附加进程
- targeaddr = (PVOID)tempbuffer->targeaddr;
- tempmdl = IoAllocateMdl(targeaddr, tempbuffer->size, FALSE, FALSE, NULL);
- if (!tempmdl)
- {
- status = STATUS_MEMORY_NOT_ALLOCATED;
- info = 0;
- KeUnstackDetachProcess(&apcstack);
- break;
- }
- __try
- {
- MmProbeAndLockPages(tempmdl, KernelMode, IoReadAccess);//尝试锁定分页
- }
- __except (1)
- {
- status = STATUS_MEMORY_NOT_ALLOCATED;
- info = 0;
- KeUnstackDetachProcess(&apcstack);
- break;
- }
- //到这里开始Map
- mappedaddr = MmMapLockedPages(tempmdl, KernelMode);
- if (!mappedaddr)
- {
- IoFreeMdl(tempmdl);
- status = STATUS_MEMORY_NOT_ALLOCATED;
- info = 0;
- KeUnstackDetachProcess(&apcstack);
- break;
- }
- RtlCopyMemory(pIrp->AssociatedIrp.SystemBuffer, mappedaddr, tempbuffer->size);//这里传回去应用层
- IoFreeMdl(tempmdl);
- MmUnmapLockedPages(mappedaddr, tempmdl);
- KeUnstackDetachProcess(&apcstack);
- status = STATUS_SUCCESS;
- info = tempbuffer->size;
- pIrp->IoStatus.Status = STATUS_SUCCESS;
- IoCompleteRequest(pIrp, IO_NO_INCREMENT);
- break;
- }
- default:
- DbgPrint("error \n");
- break;
- }
下面是应用层的代码
- int _tmain(int argc, _TCHAR* argv[])
- {
- HANDLE hDevice =
- CreateFile(L"\\\\.\\MyReadTest",
- GENERIC_READ | GENERIC_WRITE,
- 0, //无共享模式
- NULL, //没有安全措施
- OPEN_EXISTING,
- FILE_ATTRIBUTE_NORMAL,
- NULL); //没有模板
- if (hDevice == INVALID_HANDLE_VALUE)
- {
- printf("无法获取设备:%s 的句柄,错误码:%d\n", "MyWDMDevice", GetLastError());
- getchar();
- return 1;
- }
- BYTE outbuffer[40];
- LONG pid = 0;
- LONG address = 0;
- LONG size = 0;
- ULONG dwout;
- BOOL bRet;
-
- //memset(&data, 0x00, sizeof(READANDWRITE));
- //memset(&outbuffer, 0x00, 40);
- printf("请输入进程PID \n");
- scanf("%d", &pid);
- printf("请输入要操作的地址 \n");
- scanf("%x", &address);
- printf("请输入要操作字节大小 \n");
- scanf("%d", &size);
- for (int i = 0; i < 4; i++)
- {
- data.pid = pid;
- data.targeaddr = address;
- data.size = size;
- bRet = DeviceIoControl(hDevice, READCODE, &data, sizeof(READANDWRITE), outbuffer, 40, &dwout, NULL);
- if (!bRet)
- {
- printf("读失败\n");
- }
- else
- {
- for (int b = 0; b < data.size; b++)
- {
- printf("--%x--", *(outbuffer+b));
- }
- }
- }
- CloseHandle(hDevice);
- scanf("%d", &a);
- return 0;
- }
驱动层把mappedaddr传到应用层 我应用层 读出来的 不是内存地址的数据是怎么个回事。。求大佬支招
PS:我驱动层 直接转BYTE类型 读出来 是可以读出来正确的内存地址数据 |
|
发表于 2020-2-20 00:49:48
发表于 2020-3-6 18:10:58