0x01 目的
测试函数 ZwOpenProcess 与 ZwAllocateVirtualMemory
0x02 驱动代码
#include <ntddk.h>
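/*
 * Forward declaration of ZwAllocateVirtualMemory.  The routine is exported by
 * the kernel but was presumably not prototyped by the ntddk.h this sample was
 * built against (it lives in ntifs.h in later WDKs), so it is declared here.
 *
 * NTSYSAPI / NTAPI give the declaration the import linkage and the __stdcall
 * calling convention the kernel uses.  Without NTAPI an x86 build would call
 * the export with the wrong convention and corrupt the stack.
 */
NTSYSAPI
NTSTATUS
NTAPI
ZwAllocateVirtualMemory(
    __in HANDLE ProcessHandle,
    __inout PVOID *BaseAddress,      /* NULL in: system chooses; out: chosen base */
    __in ULONG_PTR ZeroBits,
    __inout PSIZE_T RegionSize,      /* in: requested bytes; out: rounded to page size */
    __in ULONG AllocationType,
    __in ULONG Protect
    );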
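/* PID of the user-mode test process; taken from the sample, adjust per run. */
#define TEST_TARGET_PID   3848
/* Requested region size in bytes; the system rounds it up to a page. */
#define TEST_REGION_SIZE  0xff

/*
 * Open the process identified by TargetPid and commit one region of memory
 * in it, logging the chosen base address so the user-mode test dialog can
 * read and write it.
 *
 * Returns the NTSTATUS of the first failing call, or the status returned by
 * ZwAllocateVirtualMemory on success.
 */
static NTSTATUS AllocateInProcess(HANDLE TargetPid)
{
    NTSTATUS Status;
    HANDLE hProcess = NULL;
    CLIENT_ID ClientId;
    OBJECT_ATTRIBUTES ObjAttr;
    /* NULL lets the system pick the base address.  The original note says an
       uninitialized value failed with C000018 -- presumably 0xC0000018,
       STATUS_CONFLICTING_ADDRESSES, because the garbage was taken as a hint. */
    PVOID AllocateAddress = NULL;
    SIZE_T RegionSize = TEST_REGION_SIZE;

    ClientId.UniqueProcess = TargetPid;
    ClientId.UniqueThread = 0;

    /* OBJ_KERNEL_HANDLE places the handle in the kernel handle table so that
       user-mode code in the current process cannot use or close it. */
    InitializeObjectAttributes(&ObjAttr, NULL, OBJ_KERNEL_HANDLE, NULL, NULL);

    /* PROCESS_ALL_ACCESS is more than this test needs (PROCESS_VM_OPERATION
       covers the allocation); kept to match the original test. */
    Status = ZwOpenProcess(&hProcess, PROCESS_ALL_ACCESS, &ObjAttr, &ClientId);
    if (!NT_SUCCESS(Status))
    {
        /* No handle was returned on failure, so nothing to close here; the
           original closed an uninitialized handle on this path. */
        DbgPrint("ZwOpenProcess Error -- %#X", Status);
        return Status;
    }
    DbgPrint("ZwOpenProcess Success");

    /* PAGE_EXECUTE_READWRITE is what the sample requests.  The dialog only
       reads and writes the region, so PAGE_READWRITE would be the
       least-privilege choice if execution is not being tested. */
    Status = ZwAllocateVirtualMemory(hProcess, &AllocateAddress, 0, &RegionSize,
                                     MEM_COMMIT, PAGE_EXECUTE_READWRITE);
    if (!NT_SUCCESS(Status))
    {
        DbgPrint("ZwAllocateVirtualMemory Error -- %#X", Status);
    }
    else
    {
        /* %p prints the whole pointer on 32- and 64-bit builds; the original
           %x/%d pair truncated it on x64. */
        DbgPrint("address: %p -size:- %u", AllocateAddress, (ULONG)RegionSize);
    }

    ZwClose(hProcess);
    return Status;
}

/*
 * Test entry used by DriverEntry: runs the open + allocate sequence against
 * the hard-coded TEST_TARGET_PID.
 */
NTSTATUS ReadWriteProcess()
{
    return AllocateInProcess((HANDLE)TEST_TARGET_PID);
}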
/*
 * Driver unload callback.  DriverEntry registers nothing that needs tearing
 * down, so this only logs that the driver is going away.
 */
VOID MyUnload(PDRIVER_OBJECT pDriverObject)
{
    UNREFERENCED_PARAMETER(pDriverObject);

    DbgPrint("GoodBye World!");
}
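/*
 * Driver entry point: installs the unload routine and runs the
 * ZwOpenProcess / ZwAllocateVirtualMemory test once at load time.
 *
 * The test's status is logged but never fails the load, so the driver can
 * always be unloaded cleanly afterwards.  Always returns STATUS_SUCCESS.
 */
NTSTATUS DriverEntry(PDRIVER_OBJECT pDriverObject, PUNICODE_STRING pRegisterPath)
{
    NTSTATUS Status;

    UNREFERENCED_PARAMETER(pRegisterPath);

    pDriverObject->DriverUnload = MyUnload;
    DbgPrint("Hello World");

    /* The original discarded this status; logging it makes a failed test
       visible in the debugger output instead of silent. */
    Status = ReadWriteProcess();
    DbgPrint("ReadWriteProcess returned %#X", Status);

    return STATUS_SUCCESS;
}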
0x03 测试代码
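// "Write" button: copies a test string to the address typed into
// IDC_EDIT_ADDRESS (expected to be the region the driver allocated in this
// process and printed to the debugger).
void CTestProcessNewDemoDlg::OnBnClickedButtonWrite()
{
    // ULONG_PTR so the value is not truncated on a 64-bit build.  The edit
    // control is parsed as unsigned (bSigned = FALSE) because a valid address
    // may exceed INT_MAX; bTranslated rejects empty or non-numeric input.
    // Note GetDlgItemInt itself only yields a 32-bit value.
    BOOL bTranslated = FALSE;
    ULONG_PTR uBaseAddress = GetDlgItemInt(IDC_EDIT_ADDRESS, &bTranslated, FALSE);
    if (!bTranslated || uBaseAddress == 0)
    {
        AfxMessageBox(_T("Invalid address"));
        return;
    }

    WCHAR szBuffer[0xf0] = L"www.gyarmy.com";

    // The destination comes straight from the user; a wrong value faults.
    // SEH keeps the dialog alive instead of taking the whole process down.
    // (__try is legal here because no local in this function has a destructor.)
    // 0xf0 bytes, as in the original, stays inside the 0xff-byte region requested.
    __try
    {
        memcpy(reinterpret_cast<PVOID>(uBaseAddress), szBuffer, 0xf0);
    }
    __except (EXCEPTION_EXECUTE_HANDLER)
    {
        AfxMessageBox(_T("Write failed: address is not writable"));
    }
}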
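// "Read" button: shows the string found at the address typed into
// IDC_EDIT_ADDRESS in the IDC_EDIT_CONTENT control.
void CTestProcessNewDemoDlg::OnBnClickedButtonRead()
{
    // ULONG_PTR avoids pointer truncation on x64; unsigned parse plus the
    // translated flag rejects addresses above INT_MAX and non-numeric input.
    BOOL bTranslated = FALSE;
    ULONG_PTR uBaseAddress = GetDlgItemInt(IDC_EDIT_ADDRESS, &bTranslated, FALSE);
    if (!bTranslated || uBaseAddress == 0)
    {
        AfxMessageBox(_T("Invalid address"));
        return;
    }

    // Copy through a bounded local so a region without a terminator cannot be
    // scanned past its end; the original handed the raw pointer to
    // SetDlgItemText, which reads until the first NUL.
    // NOTE(review): the writer stores a WCHAR string and this reads it as
    // TCHAR, which only matches in a Unicode build -- confirm the project charset.
    TCHAR szContent[0x100] = { 0 };
    __try
    {
        _tcsncpy_s(szContent, reinterpret_cast<LPCTSTR>(uBaseAddress), _TRUNCATE);
    }
    __except (EXCEPTION_EXECUTE_HANDLER)
    {
        AfxMessageBox(_T("Read failed: address is not readable"));
        return;
    }

    SetDlgItemText(IDC_EDIT_CONTENT, szContent);
}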