Reputation:
Can Kernel mode driver do ReadProcessMemory on any process?
I am currently writing a kernel mode driver (software driver) with KMDF and since I am very new to this topic I want to ask you if my driver would be able to call OpenProcess and ReadProcessMemory on any running process or is there some way to prevent that my driver can call those functions on a process from kernel mode?
Upvotes: 2
Views: 8996
Answers (3)
Reputation: 640
You have NtReadVirtualMemory, but there is no Zw* version in kernel-mode, which means you're going to have to locate the address yourself (using the KeServiceDescriptorTable will work, but memory scanning is also an option).
Bear in mind, if you want to make use of any kernel-mode addresses, you'll need to set the PreviousMode of the current thread to 0 (KernelMode) if you happen to be executing under the context of a non-kernel thread (e.g. in a callback routine you might be put under the context of another process other than NTOSKRNL). This is what the Zw* routines will do for you automatically in kernel-mode, but obviously as I've already said, there isn't one for NtReadVirtualMemory in kernel-mode (Microsoft just don't want you to use it I guess).
A second approach would be to attach to the context of the process you'd like to read the memory of, and then rely on MmCopyMemory (documented at MSDN) to copy memory from an address valid in the process you've just attached to, to your own buffer. Then you can access the copied memory from your own buffer. Remember to detach.
Alternatively, you can take the path which @RbMm suggested. Personally, I'd take his suggestion because it is a documented approach, and you're likely to have more success with implementing it (not to mention you'll have less work to do).
Upvotes: 3
Reputation: 33734
you can get target process pointer by call PsLookupProcessByProcessId. than call KeStackAttachProcess and direct read process memory. because this is user mode memory - mandatory do it in __try/__except block. finally call KeUnstackDetachProcess and ObfDereferenceObject for target process
Upvotes: 7
Reputation: 36028
According to https://github.com/Zer0Mem0ry/KernelBhop/blob/master/Driver/Driver.c, you need to use an undocumented MmCopyVirtualMemory for both reading and writing any process.
NTSTATUS NTAPI MmCopyVirtualMemory
(
PEPROCESS SourceProcess,
PVOID SourceAddress,
PEPROCESS TargetProcess,
PVOID TargetAddress,
SIZE_T BufferSize,
KPROCESSOR_MODE PreviousMode,
PSIZE_T ReturnSize
);
Upvotes: 4
Related Questions
- Detect & Block Read/WriteProcessMemory calls from a Driver
- Can programs detect if I am using ReadProcessMemory on it?
- Faster alternatives too WINAPI ReadProcessMemory
- ReadProcessMemory Win32
- Possible to hook an event for ReadProcessMemory()?
- C++ WinAPI ReadProcessMemory
- Windows kernel ReadProcessMemory() / WriteProcessMemory()?
- Does ReadProcessMemory/WriteProcessMemory access program data or code?
- Two-way interaction between user-mode app and kernel-mode driver?
- Windows: accessing driver memory from userspace (read only) - possible?