【发布时间】:2016-06-10 18:00:37
【问题描述】:
我想要达到的是:
- UM-App 将 DeviceIoControl 发送给我的驱动程序,告诉 PID 和虚拟地址进行操作。
- KM-Driver 读取或写入指定进程的指定内存。
- KM-Driver 发回结果(如果有)。
- UM-App 读取结果。
似乎很简单,是的,但无论我尝试什么 - 都失败了(崩溃),这就是我在这里发帖的原因。
- 试图附加到进程并直接访问内存。
- 试图通过 MDL 附加到进程并访问内存。
这是我的例程的完整代码:
NTSTATUS DriverCallback_IoControl_Internal_VMOperation(IRP* _IRP, IO_STACK_LOCATION* _IRPStack, ULONG* _ResultLength)
{
NTSTATUS result = STATUS_SUCCESS;
KIRQL kirql = KeGetCurrentIrql();
switch (kirql)
{
case PASSIVE_LEVEL:
{
DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, "[%s] %s: IRQL = [%s]", "km_helper", "DriverCallback_IoControl_Internal_VMOperation", "PASSIVE_LEVEL");
break;
}
case APC_LEVEL:
{
DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, "[%s] %s: IRQL = [%s]", "km_helper", "DriverCallback_IoControl_Internal_VMOperation", "APC_LEVEL");
break;
}
case DISPATCH_LEVEL:
{
DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, "[%s] %s: IRQL = [%s]", "km_helper", "DriverCallback_IoControl_Internal_VMOperation", "DISPATCH_LEVEL");
break;
}
default:
{
DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, "[%s] %s: IRQL = [%d]", "km_helper", "DriverCallback_IoControl_Internal_VMOperation", kirql);
break;
}
}
if (kirql > DISPATCH_LEVEL) // some APIs we use can't run if IRQL is too high.
{
DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, "[%s] %s: BAD IRQL.", "km_helper", "DriverCallback_IoControl_Internal_VMOperation");
return STATUS_INVALID_LEVEL;
}
if (_IRP->AssociatedIrp.SystemBuffer)
{
if (_ResultLength)
{
*_ResultLength = 0;
if (_IRPStack->Parameters.DeviceIoControl.OutputBufferLength >= _IRPStack->Parameters.DeviceIoControl.InputBufferLength)
{
CMemoryPacket* mem = reinterpret_cast<CMemoryPacket*>(_IRP->AssociatedIrp.SystemBuffer);
DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, "[%s] %s: PID: [%08X] Virtual Address: [%08X] Length: [%08X] Type: [%d]", "km_helper", "DriverCallback_IoControl_Internal_VMOperation", mem->ProcessId, mem->Address, mem->Size, mem->Type);
PEPROCESS process = NULL;
result = PsLookupProcessByProcessId(reinterpret_cast<HANDLE>(mem->ProcessId), &process);
if (NT_SUCCESS(result))
{
PEPROCESS xd = PsGetCurrentProcess();
HANDLE id = PsGetCurrentProcessId();
DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, "[%s] %s: EProcess: [%08X] ID: [%08X] Target: [%08X].", "km_helper", "DriverCallback_IoControl_Internal_VMOperation", xd, id, process);
KAPC_STATE apcState;
KeStackAttachProcess(process, &apcState);
xd = PsGetCurrentProcess();
id = PsGetCurrentProcessId();
DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, "[%s] %s: EProcess: [%08X] ID: [%08X] Target: [%08X].", "km_helper", "DriverCallback_IoControl_Internal_VMOperation", xd, id, process);
void* Buffer_Source = NULL;
void* Buffer_Target = NULL;
MDL* Buffer_MDL = IoAllocateMdl(reinterpret_cast<void*>(mem->Address), mem->Size, FALSE, FALSE, NULL);
if (Buffer_MDL)
{
void* mdl_va = MmGetMdlVirtualAddress(Buffer_MDL);
DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, "[%s] %s: MDL: [%08X] VA: [%08X]", "km_helper", "DriverCallback_IoControl_Internal_VMOperation", Buffer_MDL, mdl_va);
switch (mem->Type)
{
case MEMORYOPERATION::MO_READ:
{
// calling RtlCopyMemory directly has no difference at all, crashes too.
__try
{
MmProbeAndLockPages(Buffer_MDL, MODE::UserMode, LOCK_OPERATION::IoReadAccess); // crashes here. tried both KernelMode and UserMode access.
}
__except (EXCEPTION_EXECUTE_HANDLER)
{
DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, "[%s] %s: %s", "km_helper", "DriverCallback_IoControl_Internal_VMOperation", "MmProbeAndLockPages exploded...");
IoFreeMdl(Buffer_MDL);
KeUnstackDetachProcess(&apcState);
ObDereferenceObject(process);
return STATUS_ACCESS_VIOLATION;
}
// execution flow doesn't even hit here.
__try
{
Buffer_Source = MmMapLockedPagesSpecifyCache(Buffer_MDL, MODE::UserMode, MEMORY_CACHING_TYPE::MmCached, NULL, FALSE, MM_PAGE_PRIORITY::NormalPagePriority);
}
__except (EXCEPTION_EXECUTE_HANDLER)
{
DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, "[%s] %s: %s", "km_helper", "DriverCallback_IoControl_Internal_VMOperation", "MmMapLockedPagesSpecifyCache exploded...");
MmUnlockPages(Buffer_MDL);
IoFreeMdl(Buffer_MDL);
KeUnstackDetachProcess(&apcState);
ObDereferenceObject(process);
return STATUS_ACCESS_VIOLATION;
}
if (Buffer_Source)
{
Buffer_Target = mem->Data;
__try
{
RtlCopyMemory(Buffer_Target, Buffer_Source, mem->Size);
}
__except (EXCEPTION_EXECUTE_HANDLER)
{
DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, "[%s] %s: %s", "km_helper", "DriverCallback_IoControl_Internal_VMOperation", "RtlCopyMemory exploded...");
MmUnmapLockedPages(Buffer_Source, Buffer_MDL);
MmUnlockPages(Buffer_MDL);
IoFreeMdl(Buffer_MDL);
KeUnstackDetachProcess(&apcState);
ObDereferenceObject(process);
return STATUS_ACCESS_VIOLATION;
}
mem->DataSize = mem->Size;
*_ResultLength = mem->DataSize;
MmUnmapLockedPages(Buffer_Source, Buffer_MDL);
}
else DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, "[%s] %s: ERROR %d (%08X).", "km_helper", "DriverCallback_IoControl_Internal_VMOperation", 3, STATUS_NO_MEMORY);
MmUnlockPages(Buffer_MDL);
break;
}
case MEMORYOPERATION::MO_WRITE:
{
// TODO.
break;
}
case MEMORYOPERATION::MO_QUERY:
{
// TODO.
break;
}
}
IoFreeMdl(Buffer_MDL);
}
else DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, "[%s] %s: ERROR %d (%08X).", "km_helper", "DriverCallback_IoControl_Internal_VMOperation", 2, STATUS_NO_MEMORY);
KeUnstackDetachProcess(&apcState);
ObDereferenceObject(process);
}
else DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, "[%s] %s: ERROR %d (%08X).", "km_helper", "DriverCallback_IoControl_Internal_VMOperation", 1, result);
}
else result = STATUS_BUFFER_OVERFLOW;
}
else result = STATUS_INVALID_PARAMETER;
}
else result = STATUS_INVALID_PARAMETER;
return result;
}
提供给驱动程序的缓冲区可以是所有内容(.text/.data 部分、堆等)。我知道还有一些其他方法可以访问非分页池(虽然没有测试它们),但我想让通用方式工作。
我也没有尝试通过内核 API (ZwRead/WriteVirtualMemory) 读取/写入,但这不是我想要使用的。
顺便说一下,我在VirtualBox VM(Win7 SP1 x86)中测试我的代码,会不会是崩溃的原因?遗憾的是我没有其他环境可以测试。
DbgView 的结果是: Results
【问题讨论】:
-
在不需要的情况下使用保留标识符,在这种情况下,像
_IRP这样的名称以下划线开头,后跟大写字母,只是自找麻烦。这是我要改变的第一个。 -
是的,刚刚也注意到了碰撞。但无论如何,vs13 似乎足够聪明来处理这个问题。
-
你是用 C++ 写的?我不知道这是可能的。