1 stdafx.h 头文件代码
2
3 #ifndef _WIN32_WINNT
// Allow use of features specific to Windows XP or later.
4 #define _WIN32_WINNT 0x0501
// Change this to the appropriate value to target other versions of Windows.
5 #endif
6
7 #ifdef __cplusplus
8 extern "C"
9 {
10
11 #endif
12
13 #include <ntddk.h>
14 #include <ntddstor.h>
15 #include <mountdev.h>
16 #include <ntddvol.h>
17
18
19 #ifdef __cplusplus
20 }
21 #endif
1 驱动读写 C++
代码
2
3 #include <ntifs.h>
4 #include <ntddk.h>
5 #include
"stdafx.h"
6
7
8 extern "C" NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING RegistryPath);
9
10
11 #define arraysize(p) (sizeof(p)/sizeof((p)[0]))
12 NTSTATUS ControlCode(IN PDEVICE_OBJECT pDevObj, IN PIRP pIrp);
13 NTSTATUS CreateMyDevice(IN PDRIVER_OBJECT pDriverObject);
14 NTSTATUS NtCreateMessage(IN PDEVICE_OBJECT pDevObj, IN PIRP pIrp);
15 int ReadProcessMemory(PVOID Address, SIZE_T BYTE_size,
int PID);
16 int WriteProcessMemory(VOID* Address, SIZE_T BYTE_size, VOID *VirtualAddress,
int PID);
17 #define READPROCESSMEMORY CTL_CODE(FILE_DEVICE_UNKNOWN, 0x800, METHOD_BUFFERED, FILE_ANY_ACCESS)
18 #define WRITEPROCESSMEMORY CTL_CODE(FILE_DEVICE_UNKNOWN, 0x801, METHOD_BUFFERED, FILE_ANY_ACCESS)
19 #define WRITEPROCESSMEMORY_BYTE CTL_CODE(FILE_DEVICE_UNKNOWN, 0x802, METHOD_BUFFERED, FILE_ANY_ACCESS)
20
21 //卸载回调
22 void UnloadDriver(PDRIVER_OBJECT pDriverObject)
23 {
24 //用来取得要删除设备对象
25 PDEVICE_OBJECT pDev;
26 UNICODE_STRING symLinkName;
27 pDev = pDriverObject->
DeviceObject;
28 //删除设备
29 IoDeleteDevice(pDev);
30
31 //取符号链接名字
32 RtlInitUnicodeString(&symLinkName, L
"\\??\\My_DriverLinkName");
33 //删除符号链接
34 IoDeleteSymbolicLink(&
symLinkName);
35 KdPrint((
"驱动成功卸载\n"));
36 }
37
38 NTSTATUS DriverEntry(PDRIVER_OBJECT pDriverObject,PUNICODE_STRING RegistryPath)
39 {
40 //设置卸载函数
41 pDriverObject->DriverUnload =
UnloadDriver;
42 //处理R3的CreateFile操作不然会失败
43 pDriverObject->MajorFunction[IRP_MJ_CREATE] =
NtCreateMessage;
44 //处理R3的控制代码
45 pDriverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL] =
ControlCode;
46 //创建相应的设备
47 CreateMyDevice(pDriverObject);
48 KdPrint((
"驱动成功加载\n"));
49 return STATUS_SUCCESS;
50 }
51 //处理控制IO代码
52 NTSTATUS ControlCode(IN PDEVICE_OBJECT pDevObj, IN PIRP pIrp)
53 {
54 NTSTATUS status =
STATUS_SUCCESS;
55 KdPrint((
"Enter HelloDDKDeviceIOControl\n"));
56
57 //得到当前堆栈
58 PIO_STACK_LOCATION stack =
IoGetCurrentIrpStackLocation(pIrp);
59 //得到输入缓冲区大小
60 ULONG cbin = stack->
Parameters.DeviceIoControl.InputBufferLength;
61 //得到输出缓冲区大小
62 ULONG cbout = stack->
Parameters.DeviceIoControl.OutputBufferLength;
63 //得到IOCTL码
64 ULONG code = stack->
Parameters.DeviceIoControl.IoControlCode;
65
66 ULONG info =
0;
67
68 switch (code)
69 {
70 case READPROCESSMEMORY:
//读4字节整数型
71 {
72 //显示输入缓冲区数据
73 int PID =
0, Address =
0, BYTE_size=
0;
74 int *InputBuffer = (
int*)pIrp->
AssociatedIrp.SystemBuffer;
75 _asm
76 {
77 MOV EAX,InputBuffer
78 MOV EBX, DWORD PTR DS : [EAX]
79 MOV PID,EBX
80 MOV EBX, DWORD PTR DS : [EAX +
4]
81 MOV Address,EBX
82 MOV EBX,DWORD PTR DS:[EAX +
8]
83 MOV BYTE_size, EBX
84 }
85 //操作输出缓冲区
86 int *OutputBuffer = (
int*)pIrp->
AssociatedIrp.SystemBuffer;
87 *OutputBuffer = ReadProcessMemory((VOID*
)Address, BYTE_size, PID);
88 //设置实际操作输出缓冲区长度
89 info =
4;
90 break;
91 }
92 case WRITEPROCESSMEMORY:
//写4字节整数型
93 {
94 //显示输入缓冲区数据
95 int PID =
0, Address =
0,buff ,BYTE_size =
0;
96 int *InputBuffer = (
int*)pIrp->
AssociatedIrp.SystemBuffer;
97 _asm
98 {
99 MOV EAX, InputBuffer
100 MOV EBX, DWORD PTR DS : [EAX]
101 MOV PID, EBX
102 MOV EBX, DWORD PTR DS : [EAX +
4]
103 MOV Address, EBX
104 MOV EBX, DWORD PTR DS : [EAX +
8]
105 MOV buff, EBX
106 MOV EBX, DWORD PTR DS : [EAX +
0xC]
107 MOV BYTE_size, EBX
108 }
109 //操作输出缓冲区
110 int *OutputBuffer = (
int*)pIrp->
AssociatedIrp.SystemBuffer;
111 *OutputBuffer = WriteProcessMemory((VOID*)Address, BYTE_size, &
buff, PID);
112 //设置实际操作输出缓冲区长度
113 info =
4;
114 break;
115 }
116 case WRITEPROCESSMEMORY_BYTE:
//写字节集
117 {
118 //显示输入缓冲区数据
119 int PID =
0, Address =
0, buff, BYTE_size =
0;
120 int *InputBuffer = (
int*)pIrp->
AssociatedIrp.SystemBuffer;
121 _asm
122 {
123 MOV EAX, InputBuffer
124 MOV EBX, DWORD PTR DS : [EAX]
125 MOV PID, EBX
126 MOV EBX, DWORD PTR DS : [EAX +
4]
127 MOV Address, EBX
128 MOV EBX, DWORD PTR DS : [EAX +
8]
129 MOV buff, EBX
130 MOV EBX, DWORD PTR DS : [EAX +
0xC]
131 MOV BYTE_size, EBX
132 }
133 //操作输出缓冲区
134 int *OutputBuffer = (
int*)pIrp->
AssociatedIrp.SystemBuffer;
135 *OutputBuffer = WriteProcessMemory((VOID*)Address, BYTE_size, (VOID*
)buff, PID);
136 //设置实际操作输出缓冲区长度
137 info =
4;
138 break;
139 }
140 default:
141 status =
STATUS_INVALID_VARIANT;
142 }
143 // 完成IRP
144 pIrp->IoStatus.Status =
status;
145 pIrp->IoStatus.Information =
info;
146 IoCompleteRequest(pIrp, IO_NO_INCREMENT);
147 return status;
148 }
149
150 typedef
struct _DEVICE_EXTENSION {
151 PDEVICE_OBJECT pDevice;
152 UNICODE_STRING ustrDeviceName;
//设备名称
153 UNICODE_STRING ustrSymLinkName;
//符号链接名
154
155 PUCHAR buffer;
//缓冲区
156 ULONG file_length;
//模拟的文件长度,必须小于MAX_FILE_LENGTH
157 } DEVICE_EXTENSION, *
PDEVICE_EXTENSION;
158 #pragma INITCODE /*指的代码运行后 就从内存释放掉*/
159 //创建符号链接
160 NTSTATUS CreateMyDevice(IN PDRIVER_OBJECT pDriverObject)
161 {
162 NTSTATUS status;
163 PDEVICE_OBJECT pDevObj;
164 PDEVICE_EXTENSION pDevExt;
165
166 //创建设备名称
167 UNICODE_STRING devName;
168 RtlInitUnicodeString(&devName, L
"\\Device\\My_DriverLinkName");
169
170 //创建设备
171 status = IoCreateDevice(pDriverObject,
sizeof(DEVICE_EXTENSION),&devName,FILE_DEVICE_UNKNOWN,
0, FALSE,&
pDevObj);
172 if (!
NT_SUCCESS(status))
173 return status;
174
175 pDevObj->Flags |=
DO_DIRECT_IO;
176 pDevExt = (PDEVICE_EXTENSION)pDevObj->
DeviceExtension;
177 pDevExt->pDevice =
pDevObj;
178 pDevExt->ustrDeviceName =
devName;
179
180 //申请模拟文件的缓冲区
181 pDevExt->buffer = (PUCHAR)ExAllocatePool(PagedPool,
1024);
182 //设置模拟文件大小
183 pDevExt->file_length =
0;
184
185 //创建符号链接
186 UNICODE_STRING symLinkName;
187 RtlInitUnicodeString(&symLinkName, L
"\\??\\My_DriverLinkName");
188 pDevExt->ustrSymLinkName =
symLinkName;
189 status = IoCreateSymbolicLink(&symLinkName, &
devName);
190
191 if (!
NT_SUCCESS(status))
192 {
193 IoDeleteDevice(pDevObj);
194 return status;
195 }
196 return STATUS_SUCCESS;
197 }
198
199 //处理其他IO消息直接返回成功
200 #pragma PAGEDCODE
201 NTSTATUS NtCreateMessage(IN PDEVICE_OBJECT pDevObj, IN PIRP pIrp)
202 {
203
204 NTSTATUS status =
STATUS_SUCCESS;
205 // 完成IRP
206 pIrp->IoStatus.Status =
status;
207 pIrp->IoStatus.Information =
0;
// bytes xfered
208 IoCompleteRequest(pIrp, IO_NO_INCREMENT);
209 return status;
210 }
211
212 //读内存整数型
213 int ReadProcessMemory(VOID* Address, SIZE_T BYTE_size,
int PID)
214 {
215 PEPROCESS pEProcess;
216 PVOID buff1;
217 VOID *
buff2;
218 int MemoryNumerical =
0;
219 KAPC_STATE KAPC = {
0 };
220 __try
221 {
222 //得到进程EPROCESS
223 PsLookupProcessByProcessId((HANDLE)PID, &
pEProcess);
224 //分配内存
225 buff1 = ExAllocatePoolWithTag((POOL_TYPE)
0, BYTE_size,
1222);
226 buff2 =
buff1;
227 *(
int*)buff1 =
1;
228 //附加到要读写的进程
229 KeStackAttachProcess((PRKPROCESS)pEProcess, &
KAPC);
230 // 判断内存是否可读
231 ProbeForRead(Address, BYTE_size,
1);
232 //复制内存
233 memcpy(buff2, Address, BYTE_size);
234 // 剥离附加的进程
235 KeUnstackDetachProcess(&
KAPC);
236 //读内存
237 MemoryNumerical = *(
int*
)buff2;
238 // 释放申请的内存
239 ExFreePoolWithTag(buff2,
1222);
240 }
241 __except (EXCEPTION_EXECUTE_HANDLER)
242 {
243 KdPrint((
"错误\n"));
244 }
245 return MemoryNumerical;
246
247 }
248 //写内存整数型
249 int WriteProcessMemory(VOID* Address, SIZE_T BYTE_size, VOID *VirtualAddress,
int PID)
250 {
251 PEPROCESS pEProcess;
252 PVOID buff1;
253 VOID *
buff2;
254 int MemoryNumerical =
0;
255 KAPC_STATE KAPC = {
0 };
256 __try
257 {
258 //得到进程EPROCESS
259 PsLookupProcessByProcessId((HANDLE)PID, &
pEProcess);
260 //分配内存
261 buff1 = ExAllocatePoolWithTag((POOL_TYPE)
0, BYTE_size,
1111);
262 buff2 =
buff1;
263 *(
int*)buff1 =
1;
264 if (MmIsAddressValid((PVOID)VirtualAddress))
265 {
266 //复制内存
267 memcpy(buff2, VirtualAddress, BYTE_size);
268 }
269 else
270 {
271 return 0;
272 }
273 //附加到要读写的进程
274 KeStackAttachProcess((PRKPROCESS)pEProcess, &
KAPC);
275 if (MmIsAddressValid((PVOID)Address))
276 {
277 //判断地址是否可写
278 ProbeForWrite(Address, BYTE_size,
1);
279 //复制内存
280 memcpy(Address, buff2, BYTE_size);
281 }
282 else
283 {
284 return 0;
285 }
286 // 剥离附加的进程
287 KeUnstackDetachProcess(&
KAPC);
288 ExFreePoolWithTag(buff2,
1111);
289 }
290 __except (EXCEPTION_EXECUTE_HANDLER)
291 {
292 KdPrint((
"错误\n"));
293 }
294 return 1;
295 }
1 R3通信代码
2
3 #include <stdio.h>
4 #include <windows.h>
5 #include<winioctl.h>
6 #define READPROCESSMEMORY CTL_CODE(FILE_DEVICE_UNKNOWN, 0x800, METHOD_BUFFERED, FILE_ANY_ACCESS)
7 #define WRITEPROCESSMEMORY CTL_CODE(FILE_DEVICE_UNKNOWN, 0x801, METHOD_BUFFERED, FILE_ANY_ACCESS)
8 #define WRITEPROCESSMEMORY_BYTE CTL_CODE(FILE_DEVICE_UNKNOWN, 0x802, METHOD_BUFFERED, FILE_ANY_ACCESS)
9 int ReadMemory(HANDLE hDevice,
int PID,
int Address,
int size)
//读内存
10 {
11
12 int port[
3];
13 int bufret;
14 DWORD dwWrite;
15 port[
0]=
PID;
16 port[
1]=
Address;
17 port[
2]=
size;
18 DeviceIoControl(hDevice,READPROCESSMEMORY, &port,
12, &bufret,
4, &
dwWrite, NULL);
19 return bufret;
20
21 }
22
23 int WriteMemory_int(HANDLE hDevice,
int PID,
int Address,
int buff,
int size)
//写内存整数型
24 {
25
26 int port[
4];
27 int bufret;
28 DWORD dwWrite;
29 port[
0]=
PID;
30 port[
1]=
Address;
31 port[
2]=
buff;
32 port[
3]=
size;
33 DeviceIoControl(hDevice,WRITEPROCESSMEMORY, &port,
16, &bufret,
4, &
dwWrite, NULL);
34 return bufret;
35
36 }
37
38 int WriteMemory_byte(HANDLE hDevice,
int PID,
int Address,BYTE *buff,
int size)
//写内存字节集
39 {
40 int port[
4];
41 int bufret;
42 DWORD dwWrite;
43 port[
0]=
PID;
44 port[
1]=
Address;
45 port[
2]=(
int)buff;
46 port[
3]=
size;
47 DeviceIoControl(hDevice,WRITEPROCESSMEMORY_BYTE, &port,
16, &bufret,
4, &
dwWrite, NULL);
48 return bufret;
49
50 }
51 int main(
int argc,
char*
argv[])
52 {
53 HANDLE hDevice = CreateFileW(L
"\\\\.\\My_DriverLinkName", GENERIC_READ | GENERIC_WRITE,
0,NULL,OPEN_EXISTING,FILE_ATTRIBUTE_NORMAL,NULL );
54 if (hDevice ==
INVALID_HANDLE_VALUE)
55 {
56 printf(
"获取驱动失败: %s with Win32 error code: %d\n",
"MyDriver", GetLastError() );
57 getchar();
58 return -
1;
59 }
60 int PID=
0;
61 printf(
"输入进程ID!\n");
62 scanf(
"%d",&
PID);
63 BYTE a[]={
0x01,
0x02,
0x03,
0x04,
0x05};
64 int r=WriteMemory_byte(hDevice,PID,
9165792,a,
5);
//写内存字节集
65 printf(
"0x8BDBE0=%d\n",r);
66 getchar();
67 getchar();
68 return 0;
69 }
转载于:https://www.cnblogs.com/IMyLife/p/4826230.html
相关资源:利用原神驱动读写内存
