插入APC读写内存-CSDN博客

本文详细介绍了在Windows内核模式下使用APC（Asynchronous Procedure Call）进行跨进程内存读写的方法。通过具体代码示例，展示了如何利用PsLookupProcessByProcessId定位目标进程，以及如何使用KeStackAttachProcess和KeUnstackDetachProcess实现温柔的内存读取和写入操作。

摘要生成于 C知道，由 DeepSeek-R1 满血版支持，前往体验 >

#include "ntddk.h"
#include "a_header.h"


NTKERNELAPI NTSTATUS PsLookupProcessByProcessId(HANDLE ProcessId, PEPROCESS *Process);
NTKERNELAPI VOID NTAPI KeStackAttachProcess(PEPROCESS Process, PKAPC_STATE ApcState);
NTKERNELAPI VOID NTAPI KeUnstackDetachProcess(PKAPC_STATE ApcState);

ULONG PID = 2340;
ULONG length = 6;
ULONGLONG address = 0x0725F102;

//插入APC温柔读内存
BOOLEAN APCReadProcessMemory()
{
	PEPROCESS pepro;
	LONG retdata = 0;
	KAPC_STATE ExitApc = { 0 };

	NTSTATUS st = PsLookupProcessByProcessId((HANDLE)PID, &pepro);
	if (!NT_SUCCESS(st))
	{
		return FALSE;
	}

	ObDereferenceObject(pepro);
	__try
	{
		KeStackAttachProcess(pepro, &ExitApc);
		ProbeForRead((CONST PVOID)address, length, sizeof(CHAR));
		RtlCopyMemory(&retdata, (PUCHAR)address, length);
		KeUnstackDetachProcess(&ExitApc);
		KdPrint(("读取的数据为:%x", retdata));
	}
	__except (EXCEPTION_EXECUTE_HANDLER)
	{
		KdPrint(("获取失败"));
		KeUnstackDetachProcess(&ExitApc);
		return FALSE;
	}
	return TRUE;
}

//插APC温柔写内存
BOOLEAN APCWriteProcessMemory()
{
	PEPROCESS pepro;
	KAPC_STATE kapc = { 0 };
	NTSTATUS st = PsLookupProcessByProcessId((HANDLE)PID, &pepro);
	if (!NT_SUCCESS(st))
	{
		return FALSE;
	}

	ObDereferenceObject(pepro);
	ULONG64 Cr0;
	__try
	{
		KeStackAttachProcess(pepro, &kapc);
		ProbeForWrite((CONST PVOID)address, length, sizeof(CHAR));
		_disable();
		Cr0 = __readcr0();
		Cr0 &= 0xfffffffffffeffff;
		__writecr0(Cr0);
		_enable();
		memcpy((PCHAR)address, "ffffff", length);
		_disable();
		Cr0 |= 10000;
		__writecr0(Cr0);
		_enable();
		KeUnstackDetachProcess(&kapc);
		KdPrint(("获取成功"));
	}
	__except (EXCEPTION_EXECUTE_HANDLER)
	{
		_disable();
		Cr0 |= 10000;
		__writecr0(Cr0);
		_enable();
		KeUnstackDetachProcess(&kapc);

		KdPrint(("获取失败"));
		return FALSE;
	}
	return TRUE;
}