Views: 2735  Replies: 5
How to call NtReadVirtualMemory
Experts, please take a look. I want to read kernel address 0x80674008, but it always fails: the number of bytes returned is 0.
```c
// Globals used by callfun() and the naked stub below (the SSDT struct and the
// KeServiceDescriptorTable declaration are not shown in the post)
ULONG tempAddress;
ULONG myNtReadVirtualMemoryJmpAddress;

NTSTATUS callfun()
{
    tempAddress = (ULONG)KeServiceDescriptorTable->ServiceTableBase + 186 * 4; // 0x7A is
    myNtReadVirtualMemoryJmpAddress = *(ULONG*)tempAddress + 7;
    DbgPrint("myNtReadVirtualMemoryJmpAddress:0x%08X", myNtReadVirtualMemoryJmpAddress);
    return STATUS_SUCCESS;
}

__declspec(naked) NTSTATUS __stdcall myNtReadVirtualMemory(
    IN HANDLE ProcessHandle,
    IN PVOID BaseAddress,
    OUT PVOID Buffer,
    IN ULONG NumberOfBytesToRead,
    OUT PULONG NumberOfBytesRead OPTIONAL)
{
    __asm {
        push 1Ch
        push 0x804da4b8
        jmp [myNtReadVirtualMemoryJmpAddress]
    }
}
```

I first call callfun(), then call myNtReadVirtualMemory like this:

```c
case READmem:
    InputBuffer = OutputBuffer = pIrp->AssociatedIrp.SystemBuffer;
    idint = atoi((char*)InputBuffer);
    DbgPrint("传入的句柄: yuankey = %d\n", idint);
    passmem[0] = '\0';
    myNtReadVirtualMemory((HANDLE)idint, (PVOID)(0x80674008), passmem, 16, &memnum);
    DbgPrint("反回字符数: %d\n", memnum);
    DbgPrint("内存字符: %s\n", passmem);
    DbgPrint("Starting \"Hello World\"\n");
    break;
```

The variables are defined like this:

```c
PVOID InputBuffer, OutputBuffer;
ULONG memnum = 0;
int idint;
char passmem[16];
```

In ring 3 it is called like this:

```c
char InBuff[5];
int n;
DWORD RetBytes;
n = 2736; // the handle id I obtained in ring 3
sprintf(InBuff, "%d", n); // write the id into the buffer as text
InBuff[4] = '\0';
// send the I/O control code
if (!(DeviceIoControl(hDevice, READmem, &InBuff, sizeof(InBuff), NULL, 0, &RetBytes, NULL)))
```

Experts, please take a look. Thanks.
#1
Posted: 2007-06-01 11:04
Why not just read it directly?
RtlCopyMemory
#2
Posted: 2007-06-01 14:18
I tried RtlCopyMemory, but I don't get it: RtlCopyMemory takes no process ID, so whose memory is it reading? It does read, but the result is strange: what comes out is IRP_MJ_DEVICE_C. Frustrating.
#3
Posted: 2007-06-01 14:40
Kernel addresses are not per-process...
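Added here as an example; it is not code from this thread. It is a portable C model of the READmem handler from the first post, restructured the way this reply implies: the kernel address is read directly, with no process handle involved. The Windows pieces are stood in for so it builds anywhere: a constructed sample region and the 0x80000000 kernel/user boundary replace the real address space and MmIsAddressValid, memcpy replaces RtlCopyMemory, and a bounded parser plus hex output replace the atoi() on SystemBuffer and the "%s" DbgPrint of a 16-byte buffer that carries no terminator.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define KERNEL_BASE   0x80000000UL  /* 32-bit Windows, default 2 GB split */
#define READMEM_BYTES 16            /* the thread's handler reads 16 bytes */
#define MAX_INPUT     11            /* a 32-bit decimal number plus newline */

/* Constructed stand-in for one mapped kernel page; not real kernel contents. */
typedef struct { uintptr_t base; const unsigned char *bytes; size_t len; } kregion;
static const unsigned char sample_kmem[32] = "\0\0\0\0\0\0\0\0IRP_MJ_DEVICE_CONTROL";
const kregion sample_region = { 0x80674000UL, sample_kmem, sizeof sample_kmem };

/* Parse the decimal value user mode placed in SystemBuffer. Unlike atoi() on
   the raw buffer, the read is bounded by in_len, so an unterminated or
   over-long IOCTL input cannot run past the buffer. Returns 0 on success. */
int readmem_parse_input(const char *in, size_t in_len, uint32_t *value)
{
    char tmp[MAX_INPUT + 1], *end;
    unsigned long v;
    if (in == NULL || in_len == 0 || in_len > MAX_INPUT) return -1;
    memcpy(tmp, in, in_len);
    tmp[in_len] = '\0';
    errno = 0;
    v = strtoul(tmp, &end, 10);
    if (end == tmp || errno == ERANGE || v > UINT32_MAX) return -1;
    if (*end != '\0' && *end != '\n' && *end != '\r') return -1;
    *value = (uint32_t)v;
    return 0;
}

/* Read READMEM_BYTES at a kernel virtual address. Kernel space is shared by
   every process, so no process handle is needed: the range check stands in
   for MmIsAddressValid and memcpy for RtlCopyMemory. The bytes come back
   hex-encoded and NUL-terminated instead of being printed with "%s".
   Returns 0, -1 for a user-mode address, -2 if unmapped, -3 if hex is small. */
int readmem_dump(const kregion *r, uintptr_t va, char *hex, size_t hex_len)
{
    unsigned char raw[READMEM_BYTES]; size_t i;
    if (va < KERNEL_BASE) return -1;
    if (va < r->base || va - r->base + READMEM_BYTES > r->len) return -2;
    if (hex_len < 2 * READMEM_BYTES + 1) return -3;
    memcpy(raw, r->bytes + (va - r->base), READMEM_BYTES);
    for (i = 0; i < READMEM_BYTES; i++)
        snprintf(hex + 2 * i, 3, "%02X", raw[i]);
    return 0;
}
```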
#4
Posted: 2007-06-01 14:58
Right, but what I read out is always IRP_MJ_DEVICE_C. What is going on?
#5
Posted: 2007-06-01 15:42
That's really strange. I can read other addresses fine, but reading this address returns those characters.