云鉴权>> Kernel-Memory-Reading-Writing>> 返回
项目作者: AYIDouble

项目描述 :
🔍 Code to read / write the Process Memory from the Kernel 🔧
高级语言: C
项目地址: git://github.com/AYIDouble/Kernel-Memory-Reading-Writing.git
创建时间: 2019-08-12T06:18:57Z
项目社区:https://github.com/AYIDouble/Kernel-Memory-Reading-Writing
开源协议:MIT License
下载


🔍 Kernel Memory Reading Writing 🔧

🔍 Template to read / write the Process Memory from the Kernel (kernelmode) 🔧

How does it Work?

A: It uses the undocumented NT API “MmCopyVirtualMemory” function in ntoskrnl.exe (Windows NT operating system kernel)

📝 KernelReadWriteMemory.c 📝

  1. #include <ntdef.h>
  2. #include <ntifs.h>
  4. DRIVER_INITIALIZE DriverEntry;
  5. #pragma alloc_text(INIT, DriverEntry)
  7. // API function from ntoskrnl.exe which we use
  8. // to copy memory to and from an user process.
  9. NTSTATUS NTAPI MmCopyVirtualMemory
  10. (
  11.     PEPROCESS SourceProcess,
  12.     PVOID SourceAddress,
  13.     PEPROCESS TargetProcess,
  14.     PVOID TargetAddress,
  15.     SIZE_T BufferSize,
  16.     KPROCESSOR_MODE PreviousMode,
  17.     PSIZE_T ReturnSize
  18. );
  20. NTKERNELAPI
  21. NTSTATUS
  22. PsLookupProcessByProcessId(
  23.     _In_ HANDLE ProcessId,
  24.     _Outptr_ PEPROCESS* Process
  25. );
  27. NTSTATUS KeReadProcessMemory(PEPROCESS Process, PVOID SourceAddress, PVOID TargetAddress, SIZE_T Size) {
  28.     // Since the process we are reading from is the input process, we set
  29.     // the source process variable for that.
  30.     PEPROCESS SourceProcess = Process;
  31.     // Since the "process" we read the output to is this driver
  32.     // we set the target process as the current module.
  33.     PEPROCESS TargetProcess = PsGetCurrentProcess();
  34.     SIZE_T Result;
  35.     if (NT_SUCCESS(MmCopyVirtualMemory(SourceProcess, SourceAddress, TargetProcess, TargetAddress, Size, KernelMode, &Result)))
  36.         return STATUS_SUCCESS; // operation was successful
  37.     else
  38.         return STATUS_ACCESS_DENIED;
  39. }
  41. NTSTATUS KeWriteProcessMemory(PEPROCESS Process, PVOID SourceAddress, PVOID TargetAddress, SIZE_T Size) {
  42.     // This write func is just like the read func, except vice versa.
  44.     // Since the process writing from is our module
  45.     // change the source process variable for that.
  46.     PEPROCESS SourceProcess = PsGetCurrentProcess();
  47.     // Since the process we write to is the input process
  48.     // we set the target process as the argument
  49.     PEPROCESS TargetProcess = Process;
  50.     SIZE_T Result;
  52.     if (NT_SUCCESS(MmCopyVirtualMemory(SourceProcess, SourceAddress, TargetProcess, TargetAddress, Size, KernelMode, &Result)))
  53.         return STATUS_SUCCESS; // operation was successful
  54.     else
  55.         return STATUS_ACCESS_DENIED;
  56. }
  58. NTSTATUS DriverEntry(_In_  struct _DRIVER_OBJECT* DriverObject, _In_  PUNICODE_STRING RegistryPath)
  59. {
  60.     int Writeval = 666;
  62.     PEPROCESS Process; // our target process
  63.     // enter your process ID here.
  64.     PsLookupProcessByProcessId(4872, &Process); //lookup the process by it's id;
  66.     KeWriteProcessMemory(Process, &Writeval, 0x010F29B0, sizeof(__int32));
  68.     DbgPrint("Value of int i: %d", Writeval);
  70.     return STATUS_SUCCESS;
  71. }

Binance Ready to give crypto a try ? buy bitcoin and other cryptocurrencies on binance