-
Notifications
You must be signed in to change notification settings - Fork 8
/
Copy pathKernelReadWriteMemory.c
71 lines (59 loc) · 2.23 KB
/
KernelReadWriteMemory.c
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
#include <ntdef.h>
#include <ntifs.h>
DRIVER_INITIALIZE DriverEntry;
#pragma alloc_text(INIT, DriverEntry)
// API function from ntoskrnl.exe which we use
// to copy memory to and from an user process.
NTSTATUS NTAPI MmCopyVirtualMemory
(
PEPROCESS SourceProcess,
PVOID SourceAddress,
PEPROCESS TargetProcess,
PVOID TargetAddress,
SIZE_T BufferSize,
KPROCESSOR_MODE PreviousMode,
PSIZE_T ReturnSize
);
NTKERNELAPI
NTSTATUS
PsLookupProcessByProcessId(
_In_ HANDLE ProcessId,
_Outptr_ PEPROCESS* Process
);
NTSTATUS KeReadProcessMemory(PEPROCESS Process, PVOID SourceAddress, PVOID TargetAddress, SIZE_T Size) {
// Since the process we are reading from is the input process, we set
// the source process variable for that.
PEPROCESS SourceProcess = Process;
// Since the "process" we read the output to is this driver
// we set the target process as the current module.
PEPROCESS TargetProcess = PsGetCurrentProcess();
SIZE_T Result;
if (NT_SUCCESS(MmCopyVirtualMemory(SourceProcess, SourceAddress, TargetProcess, TargetAddress, Size, KernelMode, &Result)))
return STATUS_SUCCESS; // operation was successful
else
return STATUS_ACCESS_DENIED;
}
NTSTATUS KeWriteProcessMemory(PEPROCESS Process, PVOID SourceAddress, PVOID TargetAddress, SIZE_T Size) {
// This write func is just like the read func, except vice versa.
// Since the process writing from is our module
// change the source process variable for that.
PEPROCESS SourceProcess = PsGetCurrentProcess();
// Since the process we write to is the input process
// we set the target process as the argument
PEPROCESS TargetProcess = Process;
SIZE_T Result;
if (NT_SUCCESS(MmCopyVirtualMemory(SourceProcess, SourceAddress, TargetProcess, TargetAddress, Size, KernelMode, &Result)))
return STATUS_SUCCESS; // operation was successful
else
return STATUS_ACCESS_DENIED;
}
NTSTATUS DriverEntry(_In_ struct _DRIVER_OBJECT* DriverObject, _In_ PUNICODE_STRING RegistryPath)
{
int Writeval = 666;
PEPROCESS Process; // our target process
// enter your process ID here.
PsLookupProcessByProcessId(4872, &Process); //lookup the process by it's id;
KeWriteProcessMemory(Process, &Writeval, 0x010F29B0, sizeof(__int32));
DbgPrint("Value of int i: %d", Writeval);
return STATUS_SUCCESS;
}