访问内核模式驱动程序中的用户模式内存

时间:2016-02-27 12:54:25

标签: c++ windows kernel

我想达到的是:

  1. UM-App将DeviceIoControl发送给我的驱动程序,告诉PID和虚拟地址运行。
  2. KM-Driver读取或写入指定进程的指定内存。
  3. KM-Driver发回结果(如果有的话)。
  4. UM-App读取结果。
  5. 看起来很简单,是的,但无论我尝试过什么 - 失败(崩溃),这就是我在这里发帖的原因。

    1. 试图附加到进程并直接访问内存。
    2. 尝试附加到进程并通过MDL访问内存。
    3. 这是我日常工作的完整代码:

      NTSTATUS DriverCallback_IoControl_Internal_VMOperation(IRP* _IRP, IO_STACK_LOCATION* _IRPStack, ULONG* _ResultLength)
      {
          NTSTATUS result = STATUS_SUCCESS;
      
          KIRQL kirql = KeGetCurrentIrql();
      
          switch (kirql)
          {
              case PASSIVE_LEVEL:
              {
                  DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, "[%s] %s: IRQL = [%s]", "km_helper", "DriverCallback_IoControl_Internal_VMOperation", "PASSIVE_LEVEL");
      
                  break;
              }
      
              case APC_LEVEL:
              {
                  DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, "[%s] %s: IRQL = [%s]", "km_helper", "DriverCallback_IoControl_Internal_VMOperation", "APC_LEVEL");
      
                  break;
              }
      
              case DISPATCH_LEVEL:
              {
                  DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, "[%s] %s: IRQL = [%s]", "km_helper", "DriverCallback_IoControl_Internal_VMOperation", "DISPATCH_LEVEL");
      
                  break;
              }
      
              default:
              {
                  DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, "[%s] %s: IRQL = [%d]", "km_helper", "DriverCallback_IoControl_Internal_VMOperation", kirql);
      
                  break;
              }
          }
      
          if (kirql > DISPATCH_LEVEL) // some APIs we use can't run if IRQL is too high.
          {
              DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, "[%s] %s: BAD IRQL.", "km_helper", "DriverCallback_IoControl_Internal_VMOperation");
      
              return STATUS_INVALID_LEVEL;
          }
      
          if (_IRP->AssociatedIrp.SystemBuffer)
          {
              if (_ResultLength)
              {
                  *_ResultLength = 0;
      
                  if (_IRPStack->Parameters.DeviceIoControl.OutputBufferLength >= _IRPStack->Parameters.DeviceIoControl.InputBufferLength)
                  {
                      CMemoryPacket* mem = reinterpret_cast<CMemoryPacket*>(_IRP->AssociatedIrp.SystemBuffer);
      
                      DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, "[%s] %s: PID: [%08X] Virtual Address: [%08X] Length: [%08X] Type: [%d]", "km_helper", "DriverCallback_IoControl_Internal_VMOperation", mem->ProcessId, mem->Address, mem->Size, mem->Type);
      
                      PEPROCESS process = NULL;
                      result = PsLookupProcessByProcessId(reinterpret_cast<HANDLE>(mem->ProcessId), &process);
      
                      if (NT_SUCCESS(result))
                      {
                          PEPROCESS xd = PsGetCurrentProcess();
                          HANDLE id = PsGetCurrentProcessId();
      
                          DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, "[%s] %s: EProcess: [%08X] ID: [%08X] Target: [%08X].", "km_helper", "DriverCallback_IoControl_Internal_VMOperation", xd, id, process);
      
                          KAPC_STATE apcState;
                          KeStackAttachProcess(process, &apcState);
      
                          xd = PsGetCurrentProcess();
                          id = PsGetCurrentProcessId();
      
                          DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, "[%s] %s: EProcess: [%08X] ID: [%08X] Target: [%08X].", "km_helper", "DriverCallback_IoControl_Internal_VMOperation", xd, id, process);
      
                          void* Buffer_Source = NULL;
                          void* Buffer_Target = NULL;
                          MDL* Buffer_MDL = IoAllocateMdl(reinterpret_cast<void*>(mem->Address), mem->Size, FALSE, FALSE, NULL);
      
                          if (Buffer_MDL)
                          {
                              void* mdl_va = MmGetMdlVirtualAddress(Buffer_MDL);
      
                              DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, "[%s] %s: MDL: [%08X] VA: [%08X]", "km_helper", "DriverCallback_IoControl_Internal_VMOperation", Buffer_MDL, mdl_va);
      
                              switch (mem->Type)
                              {
                                  case MEMORYOPERATION::MO_READ:
                                  {
                                      // calling RtlCopyMemory directly has no difference at all, crashes too.
      
                                      __try
                                      {
                                          MmProbeAndLockPages(Buffer_MDL, MODE::UserMode, LOCK_OPERATION::IoReadAccess); // crashes here. tried both KernelMode and UserMode access.
                                      }
                                      __except (EXCEPTION_EXECUTE_HANDLER)
                                      {
                                          DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, "[%s] %s: %s", "km_helper", "DriverCallback_IoControl_Internal_VMOperation", "MmProbeAndLockPages exploded...");
      
                                          IoFreeMdl(Buffer_MDL);
      
                                          KeUnstackDetachProcess(&apcState);
                                          ObDereferenceObject(process);
      
                                          return STATUS_ACCESS_VIOLATION;
                                      }
      
                                      // execution flow doesn't even hit here.
      
                                      __try
                                      {
                                          Buffer_Source = MmMapLockedPagesSpecifyCache(Buffer_MDL, MODE::UserMode, MEMORY_CACHING_TYPE::MmCached, NULL, FALSE, MM_PAGE_PRIORITY::NormalPagePriority);
                                      }
                                      __except (EXCEPTION_EXECUTE_HANDLER)
                                      {
                                          DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, "[%s] %s: %s", "km_helper", "DriverCallback_IoControl_Internal_VMOperation", "MmMapLockedPagesSpecifyCache exploded...");
      
                                          MmUnlockPages(Buffer_MDL);
                                          IoFreeMdl(Buffer_MDL);
      
                                          KeUnstackDetachProcess(&apcState);
                                          ObDereferenceObject(process);
      
                                          return STATUS_ACCESS_VIOLATION;
                                      }
      
                                      if (Buffer_Source)
                                      {
                                          Buffer_Target = mem->Data;
      
                                          __try
                                          {
                                              RtlCopyMemory(Buffer_Target, Buffer_Source, mem->Size);
                                          }
                                          __except (EXCEPTION_EXECUTE_HANDLER)
                                          {
                                              DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, "[%s] %s: %s", "km_helper", "DriverCallback_IoControl_Internal_VMOperation", "RtlCopyMemory exploded...");
      
                                              MmUnmapLockedPages(Buffer_Source, Buffer_MDL);
                                              MmUnlockPages(Buffer_MDL);
                                              IoFreeMdl(Buffer_MDL);
      
                                              KeUnstackDetachProcess(&apcState);
                                              ObDereferenceObject(process);
      
                                              return STATUS_ACCESS_VIOLATION;
                                          }
      
                                          mem->DataSize = mem->Size;
                                          *_ResultLength = mem->DataSize;
      
                                          MmUnmapLockedPages(Buffer_Source, Buffer_MDL);
                                      }
                                      else DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, "[%s] %s: ERROR %d (%08X).", "km_helper", "DriverCallback_IoControl_Internal_VMOperation", 3, STATUS_NO_MEMORY);
      
                                      MmUnlockPages(Buffer_MDL);
      
                                      break;
                                  }
      
                                  case MEMORYOPERATION::MO_WRITE:
                                  {
                                      // TODO.
      
                                      break;
                                  }
      
                                  case MEMORYOPERATION::MO_QUERY:
                                  {
                                      // TODO.
      
                                      break;
                                  }
                              }
      
                              IoFreeMdl(Buffer_MDL);
                          }
                          else DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, "[%s] %s: ERROR %d (%08X).", "km_helper", "DriverCallback_IoControl_Internal_VMOperation", 2, STATUS_NO_MEMORY);
      
                          KeUnstackDetachProcess(&apcState);
                          ObDereferenceObject(process);
                      }
                      else DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, "[%s] %s: ERROR %d (%08X).", "km_helper", "DriverCallback_IoControl_Internal_VMOperation", 1, result);
                  }
                  else result = STATUS_BUFFER_OVERFLOW;
              }
              else result = STATUS_INVALID_PARAMETER;
          }
          else result = STATUS_INVALID_PARAMETER;
      
          return result;
      }
      

      提供给驱动程序的缓冲区可以是所有内容(.text / .data节,堆等)。我知道还有一些其他方法可以访问非页面缓冲池(虽然没有测试它们),但我想让通用方法有效。

      我还没有尝试的是通过内核API(ZwRead / WriteVirtualMemory)读取/写入,但这不是我想要使用的。

      顺便说一句,我在 VirtualBox VM (Win7 SP1 x86)中测试我的代码,这可能是崩溃的原因吗?可悲的是,我没有其他可以测试的环境。

      DbgView的结果是: Results

1 个答案:

答案 0 :(得分:2)

好的,所以这不是代码中的问题,而是环境问题。代码现在工作正常。

由于模块库随机化,我正在读取无效的内存地址。没仔细看它......在project-&gt;链接器设置中改变了这个参数。