本帖最后由 msgbox 于 2016-4-1 09:40 编辑
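/*
 * MyReadMemory - copy BufferSize bytes from BaseAddress in the address space
 * of the process identified by hProcess into Pbuff in the caller's context.
 *
 * The data is staged through a non-paged pool buffer: the routine attaches to
 * the target process, copies into the staging buffer, detaches, and only then
 * copies into Pbuff. Nothing is written to Pbuff unless the read succeeded.
 *
 * Parameters:
 *   hProcess    - handle to the target process.
 *   BaseAddress - source address, interpreted in the target process.
 *   Pbuff       - destination buffer, interpreted in the caller's process.
 *   BufferSize  - number of bytes to copy; must be non-zero.
 *
 * Returns STATUS_SUCCESS when both copies complete,
 * STATUS_INVALID_PARAMETER for a NULL address or zero length, the
 * ObReferenceObjectByHandle status if the handle cannot be referenced, and
 * STATUS_UNSUCCESSFUL for allocation, probe or copy failures.
 *
 * Both ProbeForRead and ProbeForWrite raise for addresses outside the
 * user-mode range, so kernel addresses are rejected for either buffer.
 */
NTSTATUS MyReadMemory(IN HANDLE hProcess, IN PVOID BaseAddress, OUT PVOID Pbuff, IN ULONG BufferSize)
{
    PEPROCESS EProcess = NULL;
    KAPC_STATE ApcState;
    PVOID readbuffer = NULL;
    NTSTATUS status;

    if (BaseAddress == NULL || Pbuff == NULL || BufferSize == 0)
    {
        return STATUS_INVALID_PARAMETER;
    }

    /*
     * Pass *PsProcessType so that a handle to any other object type is
     * rejected instead of being treated as an EPROCESS. Only read access is
     * requested because this routine never writes to the target.
     *
     * NOTE(review): with KernelMode the object manager does not enforce the
     * access mask on the handle. If hProcess originates from a user-mode
     * request, pass ExGetPreviousMode() here so the caller's rights on the
     * handle are actually checked - confirm against the caller.
     */
    status = ObReferenceObjectByHandle(
        hProcess,
        PROCESS_VM_READ,
        *PsProcessType,
        KernelMode,
        (PVOID *)&EProcess,
        NULL
        );
    if (!NT_SUCCESS(status))
    {
        /* No reference was taken, so there is nothing to dereference. */
        return status;
    }

    readbuffer = ExAllocatePoolWithTag(NonPagedPool, BufferSize, 'Sys');
    if (readbuffer == NULL)
    {
        /* Allocation failed: release the process reference only; there is no pool block to free. */
        ObDereferenceObject(EProcess);
        return STATUS_UNSUCCESSFUL;
    }

    /*
     * MyKeStackAttachProcess is defined elsewhere; it is assumed to have
     * KeStackAttachProcess semantics and is paired with
     * KeUnstackDetachProcess below - TODO confirm.
     */
    MyKeStackAttachProcess(EProcess, &ApcState);

    /*
     * MmIsAddressValid is only a point-in-time check of the page holding the
     * given address; the probe and the __try block are what actually guard
     * the copy.
     */
    if (MmIsAddressValid(BaseAddress))
    {
        __try
        {
            ProbeForRead((CONST PVOID)BaseAddress, BufferSize, sizeof(CHAR));
            RtlCopyMemory(readbuffer, BaseAddress, BufferSize);
        }
        __except (EXCEPTION_EXECUTE_HANDLER)
        {
            status = STATUS_UNSUCCESSFUL;
        }
    }
    else
    {
        status = STATUS_UNSUCCESSFUL;
    }

    /* Always detach, whether or not the read succeeded. */
    KeUnstackDetachProcess(&ApcState);

    if (NT_SUCCESS(status))
    {
        /* Back in the caller's address space: hand the staged bytes over. */
        if (MmIsAddressValid(Pbuff))
        {
            __try
            {
                ProbeForWrite(Pbuff, BufferSize, sizeof(CHAR));
                RtlCopyMemory(Pbuff, readbuffer, BufferSize);
            }
            __except (EXCEPTION_EXECUTE_HANDLER)
            {
                status = STATUS_UNSUCCESSFUL;
            }
        }
        else
        {
            status = STATUS_UNSUCCESSFUL;
        }
    }

    ObDereferenceObject(EProcess);
    ExFreePoolWithTag(readbuffer, 'Sys');
    return status;
}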
应该还需要恢复什么吗?