#include "memory.h"
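/*
    RwMemReadProcessMemory

    Copies ReadInfo->NumberOfBytesToRead bytes from ReadInfo->AddressToRead in
    the process identified by ReadInfo->ProcessId into ReadInfo->Buffer in the
    process that issued the IRP.

    Irp       - request being serviced; used to find the requesting process.
    ReadInfo  - request parameters. NumberOfBytesToRead is overwritten with the
                byte count reported by MmCopyVirtualMemory.

    Returns STATUS_INVALID_PARAMETER for a NULL argument, STATUS_ACCESS_DENIED
    when the requestor process cannot be resolved, the failing NTSTATUS from
    the lookup or the copy, or STATUS_SUCCESS.

    NOTE(review): every field of ReadInfo is caller-controlled and nothing here
    checks that the requestor is entitled to read the target process, nor
    bounds the address or length. Access to the device object and to this
    request should be restricted by the caller of this routine - confirm.
*/
NTSTATUS
RwMemReadProcessMemory(
    PIRP Irp,
    P_RWMEM_READ ReadInfo)
{
    NTSTATUS ntResult = STATUS_SUCCESS;
    PEPROCESS TargetProcess = NULL;
    PEPROCESS RequestingProcess = NULL;

    if (!ReadInfo || !Irp)
        return STATUS_INVALID_PARAMETER;

    /*
        Get requesting process EPROCESS
    */
    RequestingProcess = IoGetRequestorProcess(Irp);
    if (RequestingProcess == NULL)
    {
        DbgPrint("[-] Failed to find requestor process");
        return STATUS_ACCESS_DENIED;
    }

    /*
        Get target process EPROCESS. A successful lookup takes a reference
        that must be released on every path below.
    */
    ntResult = PsLookupProcessByProcessId((HANDLE)ReadInfo->ProcessId, &TargetProcess);
    if (!NT_SUCCESS(ntResult))
    {
        /* The value printed is the lookup status, not the PID. */
        DbgPrint("[-] Failed to find target process: 0x%08x", ntResult);
        return ntResult;
    }

    DbgPrint("[+] Process %zu requested to read %zu bytes from process %zu at address %p\n",
             (ULONG_PTR)PsGetProcessId(RequestingProcess),
             ReadInfo->NumberOfBytesToRead,
             (ULONG_PTR)PsGetProcessId(TargetProcess),
             ReadInfo->AddressToRead);

    /*
        Copy memory from target process address to requesting process buffer.

        NOTE(review): KernelMode is passed as the previous mode, so the
        caller-supplied source and destination addresses are not validated as
        user-mode addresses by the copy routine. For requests that originate
        in user mode, Irp->RequestorMode is the safer value - confirm against
        the intended callers before changing it.
    */
    ntResult = MmCopyVirtualMemory(
        TargetProcess,
        ReadInfo->AddressToRead,
        RequestingProcess,
        ReadInfo->Buffer,
        ReadInfo->NumberOfBytesToRead,
        KernelMode,
        &ReadInfo->NumberOfBytesToRead);

    /*
        Release the lookup reference before inspecting the status; the
        original code skipped this when the copy failed and leaked the
        EPROCESS reference.
    */
    ObDereferenceObject(TargetProcess);

    if (!NT_SUCCESS(ntResult))
    {
        DbgPrint("[-] Failed to copy process memory into user buffer: 0x%08x", ntResult);
        return ntResult;
    }

    return STATUS_SUCCESS;
}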
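/*
    RwMemWriteProcessMemory

    Copies WriteInfo->NumberOfBytesToWrite bytes from WriteInfo->Buffer in the
    process that issued the IRP to WriteInfo->AddressToWrite in the process
    identified by WriteInfo->ProcessId.

    Irp        - request being serviced; used to find the requesting process.
    WriteInfo  - request parameters. NumberOfBytesToWrite is overwritten with
                 the byte count reported by MmCopyVirtualMemory.

    Returns STATUS_INVALID_PARAMETER for a NULL argument, STATUS_ACCESS_DENIED
    when the requestor process cannot be resolved, the failing NTSTATUS from
    the lookup or the copy, or STATUS_SUCCESS.

    NOTE(review): every field of WriteInfo is caller-controlled and nothing
    here checks that the requestor is entitled to modify the target process,
    nor bounds the address or length. Access to the device object and to this
    request should be restricted by the caller of this routine - confirm.
*/
NTSTATUS
RwMemWriteProcessMemory(
    PIRP Irp,
    P_RWMEM_WRITE WriteInfo)
{
    NTSTATUS ntResult = STATUS_SUCCESS;
    PEPROCESS TargetProcess = NULL;
    PEPROCESS RequestingProcess = NULL;

    if (!WriteInfo || !Irp)
        return STATUS_INVALID_PARAMETER;

    /*
        Get requesting process EPROCESS
    */
    RequestingProcess = IoGetRequestorProcess(Irp);
    if (RequestingProcess == NULL)
    {
        DbgPrint("[-] Failed to find requestor process");
        return STATUS_ACCESS_DENIED;
    }

    /*
        Get target process EPROCESS. A successful lookup takes a reference
        that must be released on every path below.
    */
    ntResult = PsLookupProcessByProcessId((HANDLE)WriteInfo->ProcessId, &TargetProcess);
    if (!NT_SUCCESS(ntResult))
    {
        /* The value printed is the lookup status, not the PID. */
        DbgPrint("[-] Failed to find target process: 0x%08x", ntResult);
        return ntResult;
    }

    DbgPrint("[+] Process %zu requested to write %zu bytes to process %zu at address %p\n",
             (ULONG_PTR)PsGetProcessId(RequestingProcess),
             WriteInfo->NumberOfBytesToWrite,
             (ULONG_PTR)PsGetProcessId(TargetProcess),
             WriteInfo->AddressToWrite);

    /*
        Copy memory from requesting process buffer to target process address.

        NOTE(review): KernelMode is passed as the previous mode, so the
        caller-supplied source and destination addresses are not validated as
        user-mode addresses by the copy routine. For requests that originate
        in user mode, Irp->RequestorMode is the safer value - confirm against
        the intended callers before changing it.
    */
    ntResult = MmCopyVirtualMemory(
        RequestingProcess,
        WriteInfo->Buffer,
        TargetProcess,
        WriteInfo->AddressToWrite,
        WriteInfo->NumberOfBytesToWrite,
        KernelMode,
        &WriteInfo->NumberOfBytesToWrite);

    /*
        Release the lookup reference before inspecting the status; the
        original code skipped this when the copy failed and leaked the
        EPROCESS reference.
    */
    ObDereferenceObject(TargetProcess);

    if (!NT_SUCCESS(ntResult))
    {
        DbgPrint("[-] Failed to copy user buffer into process memory: 0x%08x", ntResult);
        return ntResult;
    }

    return STATUS_SUCCESS;
}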