#include <ntddk.h>
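/*
 * Copy writeDataSize bytes from pWriteData to pBaseAddress through a
 * temporary kernel mapping built from an MDL.
 *
 * pBaseAddress   destination range; MmBuildMdlForNonPagedPool only fills in
 *                the page array and does not lock anything, so the range must
 *                already be resident (non-paged) for the mapping to be valid
 * pWriteData     source bytes
 * writeDataSize  number of bytes to copy
 *
 * Returns TRUE on success, FALSE if the MDL could not be created or mapped.
 * NOTE(review): MmCreateMdl and MmMapLockedPages are documented as obsolete
 * (IoAllocateMdl / MmMapLockedPagesSpecifyCache are the replacements); left
 * as-is to keep the caller's behaviour.
 */
BOOL MdlWriteMemory(PVOID pBaseAddress, PVOID pWriteData, SIZE_T writeDataSize)
{
    // Describe the destination range.
    PMDL pMdl = MmCreateMdl(NULL, pBaseAddress, writeDataSize);
    if (NULL == pMdl)
    {
        return FALSE;
    }

    // Populate the MDL's physical page list for a non-paged buffer.
    MmBuildMdlForNonPagedPool(pMdl);

    // Map the described pages at a fresh kernel virtual address.
    PVOID pNewAddress = MmMapLockedPages(pMdl, KernelMode);
    if (NULL == pNewAddress)
    {
        // The original fell through here: it freed the MDL and then copied to
        // NULL and unmapped with the freed MDL. Fail instead.
        IoFreeMdl(pMdl);
        return FALSE;
    }

    RtlCopyMemory(pNewAddress, pWriteData, writeDataSize);

    // Tear down the temporary mapping before releasing the MDL.
    MmUnmapLockedPages(pNewAddress, pMdl);
    IoFreeMdl(pMdl);
    return TRUE;
}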
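/*
 * Copy SizeOfCopy bytes from pSourceAddress to pDestination by locking the
 * destination pages with an MDL and writing through the system mapping
 * returned by MmGetSystemAddressForMdlSafe.
 *
 * pDestination    destination range (locked for the duration of the copy)
 * pSourceAddress  source bytes
 * SizeOfCopy      number of bytes to copy; must fit in a ULONG because
 *                 IoAllocateMdl takes a ULONG length
 *
 * Returns TRUE only when the copy completed; FALSE if either address is not
 * valid, the MDL could not be allocated or probed, the system mapping could
 * not be obtained, or the copy itself faulted.
 *
 * NOTE(review): MmIsAddressValid checks the page containing the given byte,
 * not the whole range, so the __try around the copy is the real guard.
 */
BOOL MdlWriteMemory2(PVOID pDestination, PVOID pSourceAddress, SIZE_T SizeOfCopy)
{
    PMDL pMdl = NULL;
    PVOID pSafeAddress = NULL;
    BOOL copied = FALSE;

    if (!MmIsAddressValid(pDestination) || !MmIsAddressValid(pSourceAddress))
    {
        return FALSE;
    }
    // The original cast silently truncated a 64-bit SIZE_T to ULONG.
    if (SizeOfCopy > MAXULONG)
    {
        return FALSE;
    }

    pMdl = IoAllocateMdl(pDestination, (ULONG)SizeOfCopy, FALSE, FALSE, NULL);
    if (!pMdl)
    {
        return FALSE;
    }

    // Probing can raise if the pages are not accessible; nothing is locked
    // when it raises, so only the MDL needs releasing here.
    __try
    {
        MmProbeAndLockPages(pMdl, KernelMode, IoReadAccess);
    }
    __except (EXCEPTION_EXECUTE_HANDLER)
    {
        IoFreeMdl(pMdl);
        return FALSE;
    }

    pSafeAddress = MmGetSystemAddressForMdlSafe(pMdl, NormalPagePriority);
    if (pSafeAddress != NULL)
    {
        __try
        {
            RtlMoveMemory(pSafeAddress, pSourceAddress, SizeOfCopy);
            copied = TRUE;
        }
        __except (EXCEPTION_EXECUTE_HANDLER)
        {
            // A faulting copy is a failure, not a success (the original
            // swallowed the exception and still returned TRUE).
            copied = FALSE;
        }
    }

    // Pages locked by MmProbeAndLockPages must be unlocked and the MDL freed
    // on every path; the original returned early on a NULL mapping and
    // leaked both.
    MmUnlockPages(pMdl);
    IoFreeMdl(pMdl);
    return copied;
}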
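/*
 * Exercise the pool allocator and the two MDL write helpers.
 *
 * The last two calls overwrite the first bytes of an exported kernel routine
 * (KeBugCheckEx) with a 12-byte machine-code stub. Modifying kernel code is
 * what kernel patch protection exists to detect, so on a protected system
 * this test is expected to bugcheck; it is only meaningful in a lab
 * environment where that protection is known to be absent.
 *
 * NOTE(review): ExAllocatePool is deprecated in favour of the tagged
 * variants; kept to preserve the original behaviour.
 */
void TestMdl(void)
{
    PVOID ptr1 = ExAllocatePool(PagedPool, 0x100);
    PVOID ptr2 = ExAllocatePool(NonPagedPool, 0x200);

    // Pool allocation can return NULL; the original filled and copied
    // through the pointers unconditionally.
    if (ptr1 != NULL && ptr2 != NULL)
    {
        RtlFillMemory(ptr2, 0x200, 0x90);
        RtlMoveMemory(ptr1, ptr2, 0x50);
    }
    // Unlike free(), ExFreePool(NULL) bugchecks, so free only what exists.
    if (ptr1 != NULL)
    {
        ExFreePool(ptr1);
    }
    if (ptr2 != NULL)
    {
        ExFreePool(ptr2);
    }

    // String literal carries a trailing NUL; only the 12 code bytes are written.
    UCHAR jmp_code[] = "\x48\xB8\xFF\xFF\xFF\xFF\xFF\xFF\xFF\x00\xFF\xE0";
    const SIZE_T patchLen = sizeof jmp_code - 1;

    if (!MdlWriteMemory(KeBugCheckEx, jmp_code, patchLen))
    {
        DbgPrint("TestMdl: MdlWriteMemory failed\n");
    }
    if (!MdlWriteMemory2((PVOID)((ULONG_PTR)KeBugCheckEx + patchLen), jmp_code, patchLen))
    {
        DbgPrint("TestMdl: MdlWriteMemory2 failed\n");
    }
}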