#include "ntddk.h"
#include "a_header.h"
NTKERNELAPI NTSTATUS PsLookupProcessByProcessId(HANDLE ProcessId, PEPROCESS *Process);
NTKERNELAPI VOID NTAPI KeStackAttachProcess(PEPROCESS Process, PKAPC_STATE ApcState);
NTKERNELAPI VOID NTAPI KeUnstackDetachProcess(PKAPC_STATE ApcState);
ULONG PID = 2340;
ULONG length = 6;
ULONGLONG address = 0x0725F102;
//插入APC温柔读内存
BOOLEAN APCReadProcessMemory()
{
PEPROCESS pepro;
LONG retdata = 0;
KAPC_STATE ExitApc = { 0 };
NTSTATUS st = PsLookupProcessByProcessId((HANDLE)PID, &pepro);
if (!NT_SUCCESS(st))
{
return FALSE;
}
ObDereferenceObject(pepro);
__try
{
KeStackAttachProcess(pepro, &ExitApc);
ProbeForRead((CONST PVOID)address, length, sizeof(CHAR));
RtlCopyMemory(&retdata, (PUCHAR)address, length);
KeUnstackDetachProcess(&ExitApc);
KdPrint(("读取的数据为:%x", retdata));
}
__except (EXCEPTION_EXECUTE_HANDLER)
{
KdPrint(("获取失败"));
KeUnstackDetachProcess(&ExitApc);
return FALSE;
}
return TRUE;
}
//插APC温柔写内存
BOOLEAN APCWriteProcessMemory()
{
PEPROCESS pepro;
KAPC_STATE kapc = { 0 };
NTSTATUS st = PsLookupProcessByProcessId((HANDLE)PID, &pepro);
if (!NT_SUCCESS(st))
{
return FALSE;
}
ObDereferenceObject(pepro);
ULONG64 Cr0;
__try
{
KeStackAttachProcess(pepro, &kapc);
ProbeForWrite((CONST PVOID)address, length, sizeof(CHAR));
_disable();
Cr0 = __readcr0();
Cr0 &= 0xfffffffffffeffff;
__writecr0(Cr0);
_enable();
memcpy((PCHAR)address, "ffffff", length);
_disable();
Cr0 |= 10000;
__writecr0(Cr0);
_enable();
KeUnstackDetachProcess(&kapc);
KdPrint(("获取成功"));
}
__except (EXCEPTION_EXECUTE_HANDLER)
{
_disable();
Cr0 |= 10000;
__writecr0(Cr0);
_enable();
KeUnstackDetachProcess(&kapc);
KdPrint(("获取失败"));
return FALSE;
}
return TRUE;
}
本文详细介绍了在Windows内核模式下使用APC(Asynchronous Procedure Call)进行跨进程内存读写的方法。通过具体代码示例,展示了如何利用PsLookupProcessByProcessId定位目标进程,以及如何使用KeStackAttachProcess和KeUnstackDetachProcess实现温柔的内存读取和写入操作。
扫一扫
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
