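/*
 * MyReadMemory - copy BufferSize bytes from BaseAddress inside the process
 * referenced by hProcess into Pbuff, a buffer belonging to the calling process.
 *
 * hProcess    : handle to the target process; must grant PROCESS_VM_READ.
 * BaseAddress : user-mode address in the target process to read from.
 * Pbuff       : user-mode buffer in the *calling* process that receives the data
 *               (it is validated with ProbeForWrite, so a kernel-mode pointer
 *               is rejected, exactly as in the original implementation).
 * BufferSize  : number of bytes to copy; must be non-zero.
 *
 * Returns STATUS_SUCCESS, or the NTSTATUS of the step that failed: the handle
 * lookup status, STATUS_INSUFFICIENT_RESOURCES for the pool allocation, or the
 * exception code raised while probing/copying either buffer. Callers that only
 * test NT_SUCCESS() are unaffected by the more specific codes.
 *
 * Must run at PASSIVE_LEVEL: ObReferenceObjectByHandle, the stack attach and
 * ProbeForRead/ProbeForWrite all require it.
 */
NTSTATUS MyReadMemory(IN HANDLE hProcess, IN PVOID BaseAddress, OUT PVOID Pbuff, IN ULONG BufferSize)
{
    PEPROCESS EProcess = NULL;
    KAPC_STATE ApcState;
    PVOID readbuffer = NULL;
    NTSTATUS status;

    /* Reject degenerate requests before touching any kernel object: a
     * zero-length copy is meaningless and a NULL destination can never pass
     * ProbeForWrite. The original also wrote a ULONG into the scratch buffer
     * unconditionally, which overflowed it for BufferSize < 4; that write is gone. */
    if (Pbuff == NULL || BufferSize == 0)
    {
        return STATUS_INVALID_PARAMETER;
    }

    /*
     * Resolve the handle to an EPROCESS.
     *  - Only PROCESS_VM_READ is requested: this routine never writes into the
     *    target, so PROCESS_VM_WRITE was an over-privileged request.
     *  - *PsProcessType pins the object type. With a NULL type, a handle to any
     *    object (event, file, ...) is accepted and its body is handed to the
     *    attach routine as if it were an EPROCESS (type confusion).
     *  - ExGetPreviousMode() instead of a hard-coded KernelMode: when hProcess
     *    arrives from a user-mode caller (e.g. through an IOCTL) this makes the
     *    object manager enforce the handle's granted access and reject forged
     *    kernel-handle values; a genuine kernel-mode caller still gets
     *    KernelMode semantics.
     *    NOTE(review): a kernel caller that created an OBJ_KERNEL_HANDLE while
     *    executing in the context of a user thread would now be refused; if
     *    that is a real use case, pass KernelMode explicitly for that path.
     */
    status = ObReferenceObjectByHandle(hProcess,
                                       PROCESS_VM_READ,
                                       *PsProcessType,
                                       ExGetPreviousMode(),
                                       (PVOID *)&EProcess,
                                       NULL);
    if (!NT_SUCCESS(status))
    {
        /* No reference is taken on failure, so there is nothing to release;
         * the original dereferenced an uninitialised pointer here. */
        return status;
    }

    /* Intermediate non-paged copy: the source lives in the target process and
     * the destination in the caller's, so the two copies must happen under
     * different address spaces (attached vs. detached). */
    readbuffer = ExAllocatePoolWithTag(NonPagedPool, BufferSize, 'Sys');
    if (readbuffer == NULL)
    {
        /* ExFreePool(NULL) bug-checks, unlike free(); do not free here. */
        ObDereferenceObject(EProcess);
        return STATUS_INSUFFICIENT_RESOURCES;
    }

    /* Switch to the target's address space. MyKeStackAttachProcess is a
     * project wrapper standing in for KeStackAttachProcess (the commented-out
     * call in the original); it is paired with KeUnstackDetachProcess below. */
    MyKeStackAttachProcess(EProcess, &ApcState);
    __try
    {
        /* ProbeForRead rejects kernel-space addresses and address+length
         * wrap-around; any fault during the copy is caught by the handler.
         * MmIsAddressValid is deliberately not used: it only reports whether
         * the page happens to be resident right now, so it both rejects valid
         * paged-out memory and can change between the check and the copy. */
        ProbeForRead(BaseAddress, BufferSize, sizeof(CHAR));
        RtlCopyMemory(readbuffer, BaseAddress, BufferSize);
        status = STATUS_SUCCESS;
    }
    __except (EXCEPTION_EXECUTE_HANDLER)
    {
        status = GetExceptionCode();
    }
    KeUnstackDetachProcess(&ApcState);

    if (NT_SUCCESS(status))
    {
        /* Back in the caller's context: hand the data to the caller's
         * user-mode buffer with the same probe-and-copy discipline. */
        __try
        {
            ProbeForWrite(Pbuff, BufferSize, sizeof(CHAR));
            RtlCopyMemory(Pbuff, readbuffer, BufferSize);
        }
        __except (EXCEPTION_EXECUTE_HANDLER)
        {
            status = GetExceptionCode();
        }
    }

    ExFreePool(readbuffer);
    ObDereferenceObject(EProcess);
    return status;
}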
应该还需要恢复什么吗?