
/*
 * NOTE(review): this listing is an extraction-garbled copy of a Windows kernel
 * driver source (whitespace stripped, statements fused and truncated, "\h"
 * artifacts). The code below is kept byte-for-byte; only this commentary was
 * added. Treat the fragments as a reading aid, not as compilable source.
 *
 * What this span contains:
 *  - A prose overview (Chinese): GetPhysicalAddress is a hand-written helper
 *    keyed by PID; ZwMapViewOfSection maps a physical range into the current
 *    process, and ZwUnmapViewOfSection must be called once the view is no
 *    longer needed.
 *  - Prototypes: ReadPVirtualMemory(ProcessID, VBaseAddress, nSize, pBuf) and
 *    WritePVirtualMemory(ProcessID, VBaseAddress, nSize, ...) (cut off).
 *  - getg_maxPhysAddress(): on first use runs CPUID leaf 0x80000008 and takes
 *    EAX bits 0-7 as the physical-address width, then caches a mask in the
 *    global g_maxPhysAddress built as ~(mask << physicalbits) (the inline
 *    comment works the 36-bit example). The range checks below compare
 *    against this value.
 *  - ReadPhysicalMemory(physicalBase, bytestoread, output):
 *      1. rejects physicalBase above getg_maxPhysAddress() and also tests
 *         physicalBase + bytestoread (the right-hand side of that second
 *         comparison is lost in this copy);
 *      2. builds an MDL over `output`, MmProbeAndLockPages(KernelMode,
 *         IoWriteAccess), then MmMapLockedPagesSpecifyCache(MmCached) (parts
 *         of that path are commented out);
 *      3. opens "\\device\\physicalmemory" with SECTION_ALL_ACCESS using only
 *         OBJ_CASE_INSENSITIVE, and ZwMapViewOfSection()s a 0x2000-byte window
 *         (length = 0x2000) into NtCurrentProcess(); the viewBase initialiser
 *         is lost in this copy;
 *      4. computes offset = physicalBase - viewBase, clamps toread to the view
 *         length, logs "Too small" when offset + toread exceeds it (whether the
 *         copy is skipped on that path is not recoverable here),
 *         RtlCopyMemory()s into `output`, then ZwUnmapViewOfSection().
 *      Returns TRUE only when ntStatus == STATUS_SUCCESS.
 *
 * Security notes (grounded in the visible fragments; verify against the full
 * source):
 *  - `(UINT64)physicalBase + bytestoread` can wrap for a very large
 *    bytestoread, so the upper-bound test alone does not bound the read; an
 *    explicit `bytestoread <= length` check before the arithmetic would close it.
 *  - The section handle is opened without OBJ_KERNEL_HANDLE and the view is
 *    mapped into NtCurrentProcess(). When this runs in the IOCTL caller's
 *    context, that handle (SECTION_ALL_ACCESS to physical memory) lands in the
 *    user process's handle table and the window is mapped into user address
 *    space for the duration of the copy.
 *  - Every caller of this routine gets arbitrary physical-memory read. The IOCTL
 *    handler further down takes its arguments straight from the user buffer, so
 *    the device object's security descriptor (not shown) is the only access
 *    control. A signed build of a driver like this is a textbook BYOVD
 *    (bring-your-own-vulnerable-driver) primitive.
 *  - MmUnlockPages/IoFreeMdl for outputMDL and ZwClose for the section handle
 *    are not visible in this copy; confirm the full source releases them on
 *    every exit path, including the early `return FALSE` after
 *    MmProbeAndLockPages fails.
 */
32位/64位WINDOWS驱动之物理地址读写内存方法一、32位/64位WINDOWS驱动之\h物理地址读写内存方法GetPhysicalAddress;自写函数通过PIDZwMapViewOfSection;把物理地址映射到当前进程不使用时需要用ZwUnmapViewOfSectionBOOLEANReadPVirtualMemory(UINT64ProcessID,INPVOIDVBaseAddress,IN\hUINT32nSize,OUTPVOIDpBuf);//BOOLEANWritePVirtualMemory(UINT64ProcessID,INPVOIDVBaseAddress,INUINT32nSize,INPVOID#include//#include//#include ArrayindexBitrange//0x80000008 0- Physicaladdress//0x80000008 8- Virtualaddress//0x80000008 16- //0x800000081- 0- UINT64g_maxPhysAddress=//利用cpuid取出物理地址UINT64if(g_maxPhysAddress==intUINT32r[4//四个整数的数组,包含在EAX、EBX、ECX和EDX中返回的有关CPUcpuid(r0x80000008//只有r[0]的前8位和8至15们有用后边3个全保留//getmaxphysicalphysicalbits=r[0]&g_maxPhysAddress=g_maxPhysAddress=g_maxPhysAddress>>physicalbits;//ifphysicalbits==36theng_maxPhysAddress=~(g_maxPhysAddress<<physicalbits);//<<36=0xfffffff000000000.afterinverse: return30//对于分页内存来说,调用MmProbeAndLockPages以及MmGetSystemAddressForMdlSafe来锁定内存页,以防止被pageout//对于非分页内存而言,调用MmBuildMdlForNonPagedPool//noop(("yjx:Toosmall//physicalBaseBOOLEANReadPhysicalMemory(char*physicalBase,UINT_PTRbytestoread,void

UNICODE_STRINGphysmemString;OBJECT_ATTRIBUTESattributes; *physmemName=L"\\device\\physicalmemory"; vaddress用于映射后的虚地址供访问 ntStatus= outputMDL;//KdPrint(("yjx:ReadPhysicalMemory(%p,%d,%p)",physicalBase,bytestoread,if(((UINT64)physicalBase>getg_maxPhysAddress())||((UINT64)physicalBase+bytestoread>KdPrint(("yjx:SYSInvalidphysicaladdress\n"));returnntStatus==FALSE;outputMDL=IoAllocateMdl(output,(ULONG)bytestoread,FALSE,FALSE,MmProbeAndLockPages(outputMDL,KernelMode,IoWriteAccess);exceptreturnFALSE;//// pMapedAddr=MmMapLockedPagesSpecifyCache(outputMDL,KernelMode,MmCached,NULL,FALSE,//if// KdPrint(("yjx:SYS:ErrorMmMapLockedPagesSpecifyCachepMapedAdd== return////except//KdPrint(("yjx:SYS:ErrorMmMapLockedPagesSpecifyCachefail//returnRtlInitUnicodeString(&physmemString,InitializeObjectAttributes(&attributes,&physmemString,OBJ_CASE_INSENSITIVE,NULL,NULL);ntStatus=ZwOpenSection(&physmem,SECTION_ALL_ACCESS,&attributes);if(ntStatus==//heylook,itdidn'tkillSIZE_T UINT_PTRoffset;UINT_PTRviewBase.QuadPart=length=0x2000;//pinp->bytestoread;//incaseofaoverlappingtoread=bytestoread;vaddress=NULL;KdPrint(("yjx:ReadPhysicalMemory:viewBase.QuadPart=%x",//ntStatus=ZwMapViewOfSection(physmem,//sectionhandleNtCurrentProcess(),//processhandle(shouldbe-&vaddress,0L,length,//CommitSize&viewBase,//SectionOffset&length,//ViewSize

if((ntStatus==STATUS_SUCCESS)&&(vaddress!=if(toread>length)toread=ifoffset=(UINT_PTR)(physicalBase)-(UINT_PTR)viewBase.QuadPart;//0if(offset+toread>length)KdPrint(("yjx:Toosmallnoop(("yjx:ToosmallRtlCopyMemory(output,&vaddress[offset],ZwUnmapViewOfSection(NtCurrentProcess(),exceptKdPrint(("yjx:Failuremappingphysical

KdPrint(("yjx:ReadPhysicalMemoryerror:ntStatus=%x",exceptKdPrint(("yjx:ErrorwhilereadingphysicalreturnntStatus==STATUS_SUCCESS?TRUE:

/*
 * WritePhysicalMemory(physicalBase, nSizeWrite, InBuf) is the write-side
 * mirror of ReadPhysicalMemory: the same getg_maxPhysAddress() range test, an
 * MDL + MmProbeAndLockPages(KernelMode) over InBuf, "\\device\\physicalmemory"
 * opened with SECTION_ALL_ACCESS, a 0x2000-byte ZwMapViewOfSection window with
 * PAGE_READWRITE, then RtlCopyMemory(&vaddress[offset], InBuf, toWriteSize)
 * and ZwUnmapViewOfSection. Returns TRUE only for STATUS_SUCCESS.
 *  - The KdPrint strings inside it still say "ReadPhysicalMemory" (copy-paste
 *    residue); harmless at runtime but misleading in a debug log.
 *  - The "//VMProtectDecryptStringW" remark beside the device-name literal
 *    suggests the author intended to hide that string with VMProtect in a
 *    packed build; an analyst grepping a binary for the device name may miss
 *    it.
 *  - Same caveats as the read path: the `physicalBase + nSizeWrite` sum can
 *    wrap, the section handle is opened without OBJ_KERNEL_HANDLE, and the
 *    MDL/handle release is not visible in this copy.
 *
 * Next comes a fully commented-out alternative ReadPhysicalMemory(buffer,
 * address, len) using (HANDLE)-1 and memmove; it is dead code here.
 *
 * GetPhysicalAddress(ProcessID, vBaseAddress): PsLookupProcessByProcessId ->
 * KeStackAttachProcess -> MmGetPhysicalAddress(vBaseAddress), returning
 * physical.QuadPart cast to PVOID. physical.QuadPart starts at 0, so a 0
 * return means "not resolved", which is how the wrappers below treat it.
 *  - KeUnstackDetachProcess and ObDereferenceObject of the looked-up EPROCESS
 *    are not visible in this copy; confirm the full source has them, otherwise
 *    every call leaks a process reference and leaves the thread attached.
 *  - MmGetPhysicalAddress does not fault the page in; a non-resident user page
 *    is expected to yield 0 here (DDK contract — confirm for the target OS).
 */
//noop(("yjx:Toosmall//physicalBaseBOOLEANWritePhysicalMemory(char*physicalBase,INUINT_PTRnSizeWrite,INPVOID UNICODE_STRINGphysmemString;OBJECT_ATTRIBUTESattributes; physmemNameL"\\device\\physicalmemory";//VMProtectDecryptStringW vaddress=NULL;//用于映射后的虚地址供访问 ntStatus=STATUS_UNSUCCESSFUL; pInBufMDL=NULL;KdPrint(("yjx:SYS:WritePhysicalMemory(%p,%d,%p)",physicalBase,nSizeWrite,if(((UINT64)physicalBase>getg_maxPhysAddress())||((UINT64)physicalBase+nSizeWrite>KdPrint(("yjx:SYS:ErrorInvalidphysicaladdress\n"));returnntStatus==FALSE;pInBufMDL=IoAllocateMdl(InBuf,(ULONG)nSizeWrite,FALSE,FALSE,MmProbeAndLockPages(pInBufMDL,KernelMode,exceptKdPrint(("yjx:SYS:ErrorInBufMmProbeAndLockPagesfail returnFALSE; pMapedAddr=//这里没有切换需要这样映射么pMapedAddr=MmMapLockedPagesSpecifyCache(pInBufMDL,KernelMode,MmCached,NULL,FALSE,ifKdPrint(("yjx:SYS:pMapedAdd==return exceptKdPrint(("yjx:SYS:MmMapLockedPagesSpecifyCachepMapedAddr=%p\n"return RtlInitUnicodeString(&physmemString, InitializeObjectAttributes(&attributes,&physmemString,OBJ_CASE_INSENSITIVE,NULL, ntStatus=ZwOpenSection(&physmem,SECTION_ALL_ACCESS, if(ntStatus== //heylook,itdidn'tkill SIZE_T viewBase;// UINT_PTR UINT_PTR viewBase.QuadPart= length=0x2000;//pinp->nSizeWrite;//incaseofaoverlapping toWriteSize= vaddress= KdPrint(("yjx:SYS:ReadPhysicalMemory:地址=%x",//ntStatus=physmem,NtCurrentProcess(),//processhandle(shouldbe-&vaddress,0L,length,&viewBase,&length,PAGE_READWRITE//if((ntStatus==STATUS_SUCCESS)&&(vaddress!=if(toWriteSize>toWriteSize=if offset=(UINT_PTR)(physicalBase)- if(offset+toWriteSize> KdPrint(("yjx:SYS:Toosmall noop(("yjx:SYS:Toosmallmap")); KdPrint(("yjx:SYS RtlCopyMemory(&vaddress[offsetInBuftoWriteSize//

ZwUnmapViewOfSection(NtCurrentProcess(),exceptKdPrint(("yjx:SYS:FailuremappingphysicalKdPrint(("yjx:SYS:ReadPhysicalMemoryerror:ntStatus=%x",exceptKdPrint(("yjx:SYS:ErrorwhilereadingphysicalreturnntStatus==STATUS_SUCCESS?TRUE://BOOLReadPhysicalMemory(PVOIDbuffer,UINT32address,UINT32//UINT32 ////PVOID //NTSTATUS NTDLL//LARGE_INTEGER //vaddress=//outlen=//base.QuadPart=//////status= (HANDLE)- (PVOID //if(status<// return////////memmove(buffer,vaddress,//////status=ZwUnmapViewOfSection((HANDLE)-1,//return(status>=////case//vBaseAddress//返回为物理地址PVOIDGetPhysicalAddress(UINT64ProcessID,PVOID//struct//UINT64ProcessID;//UINT64BaseAddress;//要转换的虚拟地址//}//pinp=Irp-PEPROCESSselectedprocess;//存放指定ProcessID所在PHYSICAL_ADDRESSphysical;//返回物理地址physical.QuadPart0//PHYSICAL_ADDRESS实际上就是INT648 ntStatus=//KdPrint(("yjx:GETPHYSICALADDRESS.ProcessID(%p)=%xBaseAddress(%p)=%x\n",&pinp->ProcessID,pinp->ProcessID,&pinp->BaseAddress,pinp-//switchtotheselectedif(PsLookupProcessByProcessId((PVOID)(UINT_PTR)(ProcessID),&selectedprocess)==KAPC_STATERtlZeroMemory(&apc_state,KeStackAttachProcess((PVOID)selectedprocess&apc_state//关键地方附加到指定进程KeStackAttachProcessphysical=MmGetPhysicalAddress((PVOID)vBaseAddress);//pinp->BaseAddress);//exceptntStatus=if(ntStatus==//RtlCopyMemory(Irp->AssociatedIrp.SystemBuffer,&physical.QuadPart,return(PVOID)physical.QuadPart;//return402//BOOLEANKReadProcessMemory(INPEPROCESSProcess,INPVOIDAddress,INUINT32Length,OUTPVOID

/*
 * ReadPVirtualMemory / WritePVirtualMemory(ProcessID, VBaseAddress, nSize, buf):
 * translate VBaseAddress in the target process once with GetPhysicalAddress()
 * and, if the result is non-zero, forward to ReadPhysicalMemory /
 * WritePhysicalMemory with the same nSize; a zero translation returns FALSE.
 *
 * NOTE(review): the translation covers only the page that contains
 * VBaseAddress. Nothing here splits a request at a page boundary, so an nSize
 * that crosses into the next 4 KiB page continues into whatever physical page
 * happens to follow, which in general is not the target's next virtual page —
 * the caller silently gets (or overwrites) some other owner's memory. The only
 * cap on nSize is the 0x2000-byte view inside the physical routines. A correct
 * implementation loops per page, re-translating each one and bounding nSize
 * up front.
 */
BOOLEANReadPVirtualMemory(UINT64ProcessID,INPVOIDVBaseAddress,INUINT32nSize,OUTPVOIDPVOIDphyBase=GetPhysicalAddress(ProcessID,VBaseAddress);if(phyBase)returnReadPhysicalMemory(phyBase,nSize, returnreturn//BOOLEANKReadProcessMemory(INPEPROCESSProcess,INPVOIDAddress,INUINT32Length,OUTPVOIDBOOLEANWritePVirtualMemory(UINT64ProcessID,INPVOIDVBaseAddress,INUINT32nSize,INPVOIDPVOIDphyBase=GetPhysicalAddress(ProcessID,VBaseAddress);if(phyBase)returnWritePhysicalMemory(phyBase,nSize, return441

return

/*
 * IRP_ReadPVirtualMemory(pirp): IOCTL dispatch for the read wrapper.
 * Logs function name/line via DbgPrint, reads a #pragma pack(8) TINPUT_BUF
 * { UINT64 ProcessID; PVOID VBaseAddress; UINT64 nSize; UINT64 pBuf; } from
 * pirp->AssociatedIrp.SystemBuffer (use of SystemBuffer indicates
 * METHOD_BUFFERED), calls
 *   ReadPVirtualMemory(ProcessID, VBaseAddress, nSize, bufInput)
 * i.e. the bytes read are written back over the input structure in the same
 * system buffer, then sets IoStatus.Information (exact value cut off) and
 * returns ntStatus.
 *
 * Security notes, all from what is visible in this fragment:
 *  - nSize comes from user mode and is passed unchanged as the byte count to
 *    copy into SystemBuffer. No comparison against
 *    irpStack->Parameters.DeviceIoControl.OutputBufferLength (nor a check that
 *    InputBufferLength >= sizeof(TINPUT_BUF)) is shown, so a caller can request
 *    more bytes than the system buffer holds: a user-controlled kernel pool
 *    overflow. Add, before the call,
 *      `if (bufInput->nSize > OutputBufferLength) return STATUS_BUFFER_TOO_SMALL;`
 *    and reject InputBufferLength < sizeof(TINPUT_BUF).
 *  - ProcessID is likewise unchecked; any process that can open the device can
 *    read any other process's memory (and, via the write wrapper, write it).
 *    Only the device's security descriptor (not shown) gates this.
 *  - The pBuf field is never used; output goes into bufInput, not to pBuf.
 *  - As far as this copy shows, the BOOLEAN result of ReadPVirtualMemory is
 *    discarded and ntStatus stays STATUS_SUCCESS, so a failed read still
 *    completes successfully and the caller receives its own input bytes as
 *    "data".
 *  - The trailing `#define CTL_IO_` is cut off at the end of this copy.
 */
//BOOLEANReadPVirtualMemory(UINT64ProcessID,INPVOIDVBaseAddress,INUINT32nSize,OUTPVOIDNTSTATUSIRP_ReadPVirtualMemory(PIRP//UNREFERENCED_PARAMETER(device_Object);未使用的参数DbgPrint("yjx:sys64%s行号=%d%s"FUNCDNAMELINE);NTSTATUSntStatus=STATUS_SUCCESS; irpStack=irpStack=#pragmapack(push)#pragmapack(8)typedefstructUINT64ProcessID;//目标进程PIDPVOIDVBaseAddress//目标进程地址UINT64nSize;//要读取的长度UINT64pBuf;//要写入数据的地址//#pragma//PVOIDBaseAddressNULL//PEPROCESSselectedprocessNULL;//目标进程SIZE_TRegionSize=0;//分配大小TINPUT_BUF*bufInput(TINPUT_BUF*)(pirp->AssociatedIrp.SystemBuffer//输入输出缓冲区ReadPVirtualMemory(bufInput->ProcessID,bufInput->VBaseAddress,bufInput->nSize,bufInput);//bufInput-//pirp->IoStatus.Status=pirp->IoStatus.Information4;//返回给DeviceIoControl中的倒数第二个参数//IoCompleteRequest(pirp,IO_NO_INCREMENT);//调用方已完成所有I/O请求处理操作并且不增加优先级if(irpStack)if(ntStatus==//成功则返回缓冲区大小pirp->IoStatus.Information=irpStack-//pirp->IoStatus.Information=//IoCompleteRequest(pirp,pirp->IoStatus.Status=ntStatus;returnntStatus;//ProcessID目标进程的//VBaseAddress//nSize//pBufBOOLEANReadPVirtualMemory(UINT64ProcessID,INPVOIDVBaseAddress,INUINT32nSize,OUTPVOID//ProcessID目标进程的//VBaseAddress//nSize//pBufBOOLEANWritePVirtualMemory(UINT64ProcessID,INPVOIDVBaseAddress,INUINT32nSize,INPVOID#defineCTL_IO_
