我正在创建一个内核模式驱动程序来管理我自己的进程和其他进程中的某些内存。到目前为止,一切都很好,我将其手动映射到我处理过的进程,并使用导出的函数从用户模式执行函数。我导出一个单一的函数来管理读写内存,这会触发单独的未导出函数来为我完成工作。
我为此使用的函数是ntoskrnl.exe内部名为MmCopyVirtualMemory的未记录函数,每当我尝试使用它时,都会导致链接器错误。这导致我无法编译驱动程序。
我尝试使用来自https://github.com/Zer0Mem0ry KernelReadWriteMemory和KernelBhop项目的某些源,但是都没有解决我的问题。
我还试图关闭大多数(如果不是全部)与链接器有关的错误消息和运行时错误。两者都没有解决此问题。
/* The Linker Error: unresolved external symbol "long __cdecl MmCopyVirtualMemory(struct _KPROCESS *,void *,struct _KPROCESS *,void *,unsigned __int64,char,unsigned __int64 *)" (?MmCopyVirtualMemory@@YAJPEAU_KPROCESS@@PEAX01_KDPEA_K@Z) referenced in function "int __cdecl readmem(struct _KPROCESS *,void *,void *,unsigned __int64)" (?readmem@@YAHPEAU_KPROCESS@@PEAX1_K@Z) */
// Undocumented Definitions
NTSTATUS NTAPI MmCopyVirtualMemory
(
PEPROCESS SourceProcess,
PVOID SourceAddress,
PEPROCESS TargetProcess,
PVOID TargetAddress,
SIZE_T BufferSize,
KPROCESSOR_MODE PreviousMode,
PSIZE_T ReturnSize
);
NTKERNELAPI
NTSTATUS
PsLookupProcessByProcessId(
IN HANDLE ProcessId,
OUT PEPROCESS *Process
);
// Memory Functions
int readmem(PEPROCESS Process, PVOID SourceAddress, PVOID TargetAddress, SIZE_T Size)
{
PSIZE_T Bytes = 0;
if (Process != nullptr && NT_SUCCESS(MmCopyVirtualMemory(Process, SourceAddress, current_process, TargetAddress, Size, KernelMode, Bytes))) {
return 1; // memory successful
}
else {
return 0; // request failure
}
}
int writemem(PEPROCESS Process, PVOID SourceAddress, PVOID TargetAddress, SIZE_T Size)
{
PSIZE_T Bytes = 0;
if (Process != nullptr && NT_SUCCESS(MmCopyVirtualMemory(current_process, SourceAddress, Process, TargetAddress, Size, KernelMode, Bytes))) {
return 1; // memory successful
}
else {
return 0; // request failure
}
}
// Memory Export
extern "C" __declspec(dllexport) PMEMORY_REQUEST memory_handler(int code, PMEMORY_REQUEST request) {
int requestcode = -1;
PEPROCESS memory_process;
if (request->read != nullptr) {
requestcode = 1;
}
else if (request->write != nullptr) {
requestcode = 2;
}
if (requestcode != code) {
request->read = nullptr;
request->write = nullptr;
return request; // bad request
}
if (code == 1) { // read
PsLookupProcessByProcessId(reinterpret_cast<HANDLE>(request->read->ProcessId), &memory_process);
request->response = readmem(memory_process, reinterpret_cast<PVOID>(request->read->Address), &request->read->Response, request->read->Size);
DbgPrintEx(0, 0, "read value: %d", request->read->Response);
}
else if (code == 2) { // write
PsLookupProcessByProcessId(reinterpret_cast<HANDLE>(request->write->ProcessId), &memory_process);
request->response = writemem(memory_process, &request->write->Value, reinterpret_cast<PVOID>(request->write->Address), request->write->Size);
DbgPrintEx(0, 0, "write value: %d", request->write->Value);
}
return request;
}