用cr3读写内存
// NOTE(review): 0x028 is the EPROCESS/KPROCESS field offset this page assumes for
// DirectoryTableBase. Nothing below verifies the layout at runtime: if the offset
// is wrong for the running build, Get64bitValue() returns some other QWORD of the
// EPROCESS and that value is then loaded into CR3 by KRead/KWriteProcessMemory.
#define DIRECTORY_TABLE_BASE 0x028 // DirectoryTableBase
// File-scope state. None of these is referenced by the functions in this
// excerpt; they are presumably filled in by code outside it.
UINT32 idTarget = 0;       // presumably a process id for the "target" process
PEPROCESS epTarget = NULL; // EPROCESS pointer for the "target" process
UINT32 idGame = 0;         // presumably a process id for the "game" process
PEPROCESS epGame = NULL;   // EPROCESS pointer for the "game" process
UINT32 rw_len = 0;         // requested read/write length (unused here)
UINT64 base_addr = 0;      // base address (unused here)
/*
 * Returns the 64-bit value stored at p, or 0 when MmIsAddressValid() rejects p.
 * The 0 return is indistinguishable from a genuine 0 in memory.
 * NOTE(review): only the address p is checked, not p+7, so an 8-byte read that
 * starts in the last 7 bytes of a page is not fully validated.
 */
ULONG64 Get64bitValue(PVOID p)
{
	PULONG64 qword = (PULONG64)p;
	return MmIsAddressValid(p) ? *qword : 0;
}
/*
 * Returns the 32-bit value stored at p, or 0 when MmIsAddressValid() rejects p.
 * The 0 return is indistinguishable from a genuine 0 in memory.
 * NOTE(review): only the address p is checked, not p+3, so a 4-byte read that
 * starts in the last 3 bytes of a page is not fully validated.
 */
ULONG32 Get32bitValue(PVOID p)
{
	PULONG32 dword = (PULONG32)p;
	return MmIsAddressValid(p) ? *dword : 0;
}
/*
 * Copies Length bytes from Address, interpreted in Process's address space, into
 * Buffer by temporarily loading Process's DirectoryTableBase into CR3.
 *
 * Process - EPROCESS whose DirectoryTableBase is read at offset DIRECTORY_TABLE_BASE.
 * Address - virtual address in Process's address space to read from.
 * Length  - number of bytes to copy; not validated against anything.
 * Buffer  - destination; must remain mapped after the CR3 switch (not checked).
 *
 * Returns nothing. An unreadable DirectoryTableBase is logged and the call is
 * abandoned; an invalid Address silently skips the copy, so the caller cannot
 * tell whether Buffer was written.
 *
 * NOTE(review): hazards visible in this function that it does not handle:
 *  - MmIsAddressValid(Address) checks only the page containing Address, not the
 *    whole [Address, Address+Length) range; a copy that runs into an unmapped
 *    page can still fault while the foreign CR3 is loaded.
 *  - Interrupts are re-enabled before the copy, so the thread can be preempted
 *    with the foreign CR3 live; presumably the scheduler restores this thread's
 *    own CR3 on resume, after which the copy reads the wrong address space —
 *    confirm.
 *  - The DbgPrint dereferences *(PDWORD)Buffer, i.e. reads 4 bytes regardless
 *    of Length (over-read when Length < 4), and "%ld" does not match a DWORD.
 *    "Date" in the message looks like a typo for "Data".
 *  - No IRQL check, and no check that Buffer is a kernel address.
 *  - vAddr is declared but never used.
 */
void KReadProcessMemory(IN PEPROCESS Process, IN PVOID Address, IN UINT32 Length, OUT PVOID Buffer)
{
	ULONG64 pDTB = 0, OldCr3 = 0, vAddr = 0;
	//Get DTB: raw read at a hard-coded EPROCESS offset, 0 if the page is invalid
	pDTB = Get64bitValue((UCHAR*)Process + DIRECTORY_TABLE_BASE);
	if (pDTB == 0)
	{
		DbgPrint("[x64Drv] Can not get PDT");
		return;
	}
	//Record old cr3 and set new cr3 (interrupts off only around the CR3 write)
	_disable();
	OldCr3 = __readcr3();
	__writecr3(pDTB);
	_enable();
	//Read process memory: only the page at Address is validated, not Address+Length
	if (MmIsAddressValid(Address))
	{
		RtlCopyMemory(Buffer, Address, Length);
		// Reads 4 bytes of Buffer even if Length < 4.
		DbgPrint("[x64Drv] Date read: %ld", *(PDWORD)Buffer);
	}
	//Restore old cr3
	_disable();
	__writecr3(OldCr3);
	_enable();
}
/*
 * Copies Length bytes from Buffer to Address, interpreted in Process's address
 * space, by temporarily loading Process's DirectoryTableBase into CR3.
 *
 * Process - EPROCESS whose DirectoryTableBase is read at offset DIRECTORY_TABLE_BASE.
 * Address - virtual address in Process's address space to write to.
 * Length  - number of bytes to copy; not validated against anything.
 * Buffer  - source; must remain mapped after the CR3 switch (not checked).
 *
 * Returns nothing. An unreadable DirectoryTableBase is logged and the call is
 * abandoned; an invalid Address silently skips the copy, so the caller cannot
 * tell whether anything was written.
 *
 * NOTE(review): same hazards as KReadProcessMemory, with the direction reversed:
 *  - MmIsAddressValid(Address) covers only the first page of the destination
 *    range, and it is not established here that it proves the page is writable
 *    — confirm; a read-only or partially unmapped target faults under the
 *    foreign CR3.
 *  - Interrupts are re-enabled before the copy, so preemption with the foreign
 *    CR3 live is possible; presumably the write then lands in the wrong address
 *    space on resume — confirm.
 *  - No IRQL check, no check that Buffer is a kernel address, vAddr unused,
 *    and "Date" in the message looks like a typo for "Data".
 */
void KWriteProcessMemory(IN PEPROCESS Process, IN PVOID Address, IN UINT32 Length, IN PVOID Buffer)
{
	ULONG64 pDTB = 0, OldCr3 = 0, vAddr = 0;
	//Get DTB: raw read at a hard-coded EPROCESS offset, 0 if the page is invalid
	pDTB = Get64bitValue((UCHAR*)Process + DIRECTORY_TABLE_BASE);
	if (pDTB == 0)
	{
		DbgPrint("[x64Drv] Can not get PDT");
		return;
	}
	//Record old cr3 and set new cr3 (interrupts off only around the CR3 write)
	_disable();
	OldCr3 = __readcr3();
	__writecr3(pDTB);
	_enable();
	//Write process memory: only the page at Address is validated, not Address+Length
	if (MmIsAddressValid(Address))
	{
		RtlCopyMemory(Address, Buffer, Length);
		DbgPrint("[x64Drv] Date wrote.");
	}
	//Restore old cr3
	_disable();
	__writecr3(OldCr3);
	_enable();
}