32位_64位WINDOWS驱动之物理地址读写内存方法4_物理内存读写VIP免费

1/2132位/64位WINDOWS驱动之物理地址读写内存方法4一、32位/64位WINDOWS驱动之物理地址读写内存方法4GetPhysicalAddress;自写函数通过PID切换到目标进程环境计算出物理地址ZwMapViewOfSection;把物理地址映射到当前进程不使用时需要用ZwUnmapViewOfSection取消映射BOOLEANReadPVirtualMemory(UINT64ProcessID,INPVOIDVBaseAddress,INUINT32nSize,OUTPVOIDpBuf);//转换成物理地址的方式读取进程虚拟地址BOOLEANWritePVirtualMemory(UINT64ProcessID,INPVOIDVBaseAddress,INUINT32nSize,INPVOIDpBuf);二、驱动层，过保护读写筛选器中添加通过物理地址读写目标进程内存.c代码如下：1#include"ntifs.h"2//#include"rwPhysicalMemory.h"3//#include"VMProtectDDK.h"45//InfoTypeArrayindexBitrangeInformation6//0x8000000800-7Physicaladdressbits7//0x8000000808-15Virtualaddressbits8//0x80000008016-31Reserved9//0x800000081-30-31Reserved1011UINT64g_maxPhysAddress=0;12//利用cpuid取出物理地址Bits13UINT64getg_maxPhysAddress(void)14{15if(g_maxPhysAddress==0)16{17intphysicalbits;18UINT32r[4];//四个整数的数组，包含在EAX、EBX、ECX和EDX中返回的有关CPU支持的功能的信息19cpuid(r,0x80000008);//只有r[0]的前8位和8至15们有用后边3个全保留2021//getmaxphysicaladdress22physicalbits=r[0]&0xff;2324g_maxPhysAddress=0xFFFFFFFFFFFFFFFFULL;25g_maxPhysAddress=g_maxPhysAddress>>physicalbits;//ifphysicalbits==36theng_maxPhysAddress=0x000000000fffffff26g_maxPhysAddress=~(g_maxPhysAddress<getg_maxPhysAddress())||((UINT64)physicalBase+bytestoread>getg_maxPhysAddress())){KdPrint(("yjx:SYSInvalidphysicaladdress\n"));returnntStatus==FALSE;}outputMDL=IoAllocateMdl(output,(ULONG)bytestoread,FALSE,FALSE,NULL);try{MmProbeAndLockPages(outputMDL,KernelMode,IoWriteAccess);//MmBuildMdlForNonPagedPool//MmBuildMdlForNonPagedPool(outputMDL);//MmGetSystemAddressForMdlSafe(outputMDL,)}except(1){IoFreeMdl(outputMDL);returnFALSE;//STATUS_UNSUCCESSFUL;}//try//{//PVOIDpMapedAddr=MmMapLockedPagesSpecifyCache(outputMDL,KernelMode,MmCached,NULL,FALSE,NormalPagePriority);//if(!pMapedAddr)//{//KdPrint(("yjx:SYS:ErrorMmMapLockedPagesSpecifyCachepMapedAdd==NULL\n"));//returnFALSE;//}//}//except(1)//{//KdPrint(("yjx:SYS:ErrorMmMapLockedPagesSpecifyCachefail\n"));//returnFALSE;//}try{RtlInitUnicodeString(&physmemString,physmemName);InitializeObjectAttributes(&attributes,&physmemString,OBJ_CASE_INSENSITIVE,NULL,NULL);ntStatus=ZwOpenSection(&physmem,SECTION_ALL_ACCESS,&attributes);if(ntStatus==STATUS_SUCCESS){/...