1、 突破TP,NP保护跨进程读写内存22021在线班郁金香灬老师 QQ 150330575交流群:158280115学习目标: 突破TP,NP保护跨进程读写内存2League of Legends.exe0x400000 IoAllocateMdl IoFreeMdlMmBuildMdlForNonPagedPoolMmMapLockedPages MmUnmapLockedPagesKeStackAttachProcess KeUnstackDetachProcess#include /OK 测试通过 遇到2个坑 /第1个坑 sizeof(PKAPC_STATE)是指针 得改结构大小 size
2、of(KAPC_STATE)/第2个坑 KeStackAttachProcess后 进程空间变化了 得用内核内存 中转 BUF缓冲区/Address为目标进程的内存地址/Buffer /当前进程的地址BOOLEAN KReadProcessMemory2(IN PEPROCESS Process, IN PVOID Address, IN UINT32 Length, IN PVOID UserBuffer)KAPC_STATE apc_state;RtlZeroMemory(&apc_state, sizeof(KAPC_STATE); /1为UserBuffer 创建 MDL内存描述 /创
3、建MDL来读取内存 UserBuffer=0x200000PMDL g_pmdl = IoAllocateMdl(UserBuffer,Length, 0, 0, NULL); /8 可以修改成 要读取的内存大小if (!g_pmdl)return FALSE;/2标记为非分页内存MmBuildMdlForNonPagedPool(g_pmdl);/3锁定 映射用户内存 到 内核内存 0x100000unsigned char* Mapped = (unsigned char*)MmMapLockedPages(g_pmdl, KernelMode); /UserModeif (!Mapped
4、) /映射失败IoFreeMdl(g_pmdl);return FALSE;/成功 映射了 地址/切换到 目标进程KeStackAttachProcess(PVOID)Process, &apc_state);/判断目标地址是否可以访问 UserBuffer不可访问 Mapped可以访问BOOLEAN dwRet = MmIsAddressValid(Address);if (dwRet)KdPrint(yjxsys64 RtlCopyMemory(Address, Buffer, Length);rn, Address, UserBuffer, Length); /如果目标地址 可以访问 直
5、接复制目标地址内容 到映射的内核地址区域RtlCopyMemory(Mapped, Address, Length); /memcpy RtlCopyMemory(Address,Mapped, Length); /memcpy elseKdPrint(yjx:sys64:Error Line37);/分离目标进程空间 恢复环境KeUnstackDetachProcess(&apc_state);DbgPrint(yjx: sys分离目标进程); /MDL清理工作/释放MDL相关 资源MmUnmapLockedPages(PVOID)Mapped, g_pmdl);IoFreeMdl(g_pm
6、dl); return dwRet;/dwPid为目标进程id/lpBaseAddress 目标进程地址/lpBuffer 当前进程地址 1/内核内存地址 当前进程地址 2int ReadProcessMemoryForPid2(UINT32 dwPid, PVOID pBase, PVOID lpBuffer, UINT32 nSize)/根据pid获取PEPROCESSPEPROCESS Seleted_pEPROCESS = NULL;DbgPrint(yjx:sys64 ReadMemory pid=%d pBase=%p, dwPid, pBase);if (PsLookupProc
7、essByProcessId(PVOID)(UINT_PTR)(dwPid), &Seleted_pEPROCESS) = STATUS_SUCCESS)BOOLEAN br = KReadProcessMemory2(Seleted_pEPROCESS, (PVOID)pBase, nSize, lpBuffer);ObDereferenceObject(Seleted_pEPROCESS);if (br)return nSize;elseKdPrint(yjx sys64 PsLookupProcessByProcessId Fail.);return 0;/ STATUS_UNSUCCE
8、SSFUL;/int ReadProcessMemoryForPid2(UINT32 dwPid, PVOID pBase, PVOID lpBuffer, UINT32 nSize);NTSTATUS IRP_ReadProcessMemory2(PDEVICE_OBJECT device_Object, PIRP pirp)UNREFERENCED_PARAMETER(device_Object); /未使用的参数 禁止警告DbgPrint(yjx:sysNtAllocateVirtualMemory 进入 IRP_YJX_VirtualAllocEx n);NTSTATUS ntStat
9、us = STATUS_SUCCESS;PIO_STACK_LOCATION irpStack = NULL;irpStack = IoGetCurrentIrpStackLocation(pirp);#pragma pack(push)#pragma pack(1)typedef struct TINPUT_BUFDWORD32 dwPid;PVOID pBase; /目标进程地址DWORD32 nSize;/缓冲区大小TINPUT_BUF;#pragma pack(pop)/结构PVOID BaseAddress = NULL; /返回地址PEPROCESS selectedprocess
10、 = NULL;/目标进程SIZE_T RegionSize = 0;/分配大小TINPUT_BUF*bufInput = pirp-AssociatedIrp.SystemBuffer; /输入 输出 缓冲区 ReadProcessMemoryForPid2(bufInput-dwPid, bufInput-pBase, bufInput, bufInput-nSize);/ENDCODE:/pirp-IoStatus.Status = STATUS_SUCCESS;/pirp-IoStatus.Information = 4;/返回给DeviceIoControl中的 倒数第二个参数lpB
11、ytesReturned/IoCompleteRequest(pirp, IO_NO_INCREMENT);/调用方已完成所有I/O请求处理操作 并且不增加优先级 if (irpStack) /if (ntStatus = STATUS_SUCCESS) /成功则返回 缓冲区大小pirp-IoStatus.Information = irpStack-Parameters.DeviceIoControl.OutputBufferLength;/DeviceIoControlelse /失败则不返回pirp-IoStatus.Information = 0;/完成请求IoCompleteRequest(pirp, IO_NO_INCREMENT);pirp-IoStatus.Status = ntStatus;return ntStatus;