Kernel driver to read memory

Question

1.00/5 (1 vote)

See more:

so i cant read an integer from my usermode idk why i will share the code cuz i found it and its public hope that someone could help me with this :D

in kernel space

C++

<pre>typedef struct {
	DWORD64 proccessId;
	DWORD64 address;
	DWORD64 Read;
} MEMDATA;


UINT64 ReadMem(MEMDATA *data) {
	NTSTATUS ntStatus;
	PEPROCESS targetProc;
	UINT64 readBuff;

	ntStatus = PsLookupProcessByProcessId((HANDLE)(*data).proccessId, &targetProc);
	if (ntStatus != STATUS_SUCCESS || !targetProc)
		return;

	__try {
		KeAttachProcess((PKPROCESS)targetProc);
		if (MmIsAddressValid((void*)(*data).address))
			RtlCopyMemory(&readBuff, (const void*)(*data).address, sizeof(readBuff));
		KeDetachProcess();
	}
	__except (GetExceptionCode()) {
		return;
	}

	return(readBuff);
}

C++

<pre>	case(READ): {
		MEMDATA *userCom = pBuf;
		DWORD64 retVal = ReadMem(userCom);
		RtlCopyMemory(pBuf, &retVal, sizeof(retVal));
		size = sizeof(retVal);
		break;
	}

also am using method buffered

C++

#define READ CTL_CODE(FILE_DEVICE_UNKNOWN, 0x0701 /* Our Custom Code */, METHOD_BUFFERED, FILE_SPECIAL_ACCESS)

and here is my template for reading an integer

C++

<pre>	int Readint(DWORD64 pid, DWORD64 addr, DWORD64 len) {
		MEMDATA toSend;
		DWORD64 dwBytesRead = 0;
		DWORD64  readBuffer;
		toSend.proccessId = pid;
		toSend.address = addr;
		toSend.Read = len;

		DeviceIoControl(hDriver, READ, &toSend, sizeof(MEMDATA), &readBuffer, len, 0, 0);
		CloseHandle(hDriver);

		return(readBuffer);
	}

but its not working am trying to read (

) but its reading it like this (

-1676839616

) i guess that driver is reading it but its a problem with the buffer idk .

What I have tried:

i have tried this to read

C++

<pre>	int PID;
	cout << "give PID" << endl;
	cin >> PID;

	int test;
	test = Driver.Readint(PID, 0xB33B92FD88,sizeof(test));
	if (test) {
		cout <<"working boi" << test <<endl;
	}
	else
	{
		cout << "nope not working" << endl;
	}

but its not working and also pls if you know the fix of this problem dont just tell me its that or that just pls give me or show me the code to fix it and also am new to kernel sorry if i look like a noob but we are learning every day !

Posted 22-Sep-18 12:46pm

Member 13980942

Updated 23-Sep-18 1:44am

v2

Add a Solution

1 solution

Add a Solution

Add your solution here

Treat my content as plain text, not as HTML

Preview 0

…

Existing Members

Sign in to your account

...or Join us

Download, Vote, Comment, Publish.

Your Email
Password
Forgot your password?

Your Email
This email is in use. Do you need your password?
Optional Password

I have read and agree to the Terms of Service and Privacy Policy
Please subscribe me to the CodeProject newsletters

When answering a question please:

Read the question carefully.
Understand that English isn't everyone's first language so be lenient of bad spelling and grammar.
If a question is poorly phrased then either ask for clarification, ignore it, or edit the question and fix the problem. Insults are not welcome.
Don't tell someone to read the manual. Chances are they have and don't get it. Provide an answer or move on to the next question.

Let's work to help developers, not make them feel stupid.

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

Richard MacCutchan · Accepted Answer · 2018-09-23T01:45:00

Solution 1

This line does not look correct:

C++

RtlCopyMemory(&readBuff, (const void*)(*data).address, sizeof(readBuff));

The variable data is defined as a pointer to a MEMDATA structure, so the dereference operator should not be necessary here. Try it as:

C++

RtlCopyMemory(&readBuff, (const void*)data.address, sizeof(readBuff));

Posted 23-Sep-18 1:45am

Richard MacCutchan

Comments

Member 13980942 23-Sep-18 9:23am

@Richard MacCutchan thanks man love ya !!!