How to read a string with kernel driver

Question

1.00/5 (1 vote)

See more:

so my driver can read integers, DWORD64 etc but now i want to read strings i tried a lot of things and am sure this one should work but for some reason it displays some random chars

this is how am reading from kernel

Objective-C

<pre>PCHAR ReadMem_String(MEMDATA *data) {
	NTSTATUS ntStatus;
	PEPROCESS targetProc;
	char string[12800] = "";

	ntStatus = PsLookupProcessByProcessId((HANDLE)(*data).proccessId, &targetProc);
	if (ntStatus != STATUS_SUCCESS || !targetProc)
		return;

	__try {
		KeAttachProcess((PKPROCESS)targetProc);
		if (MmIsAddressValid((void*)(*data).address))
			RtlCopyMemory(string, (const void*)data->address, data->Read);
		KeDetachProcess();
	}
	__except (GetExceptionCode()) {
		return;
	}

	return(string);
}

Objective-C

case(READ_chars): {
    MEMDATA *userCom = pBuf;
    PCHAR string = ReadMem_String(userCom);
    RtlCopyMemory(pBuf, string, strlen(string));
    size = strlen(string);
    break;
}

also am using method buffered

in my usermode program

C++

<pre>	char Readchar(UINT64 proccessId, uint64_t address) {
		MEMDATA dataToSend;
		uint64_t readBuffer;
		DWORD64 dwBytesToRead = 0;

		dataToSend.proccessId = proccessId;
		dataToSend.address = address;
		dataToSend.Read = 0;

		DeviceIoControl(hDriver, READ_INT, &dataToSend, sizeof(MEMDATA), &readBuffer, sizeof(readBuffer), 0, 0);
		CloseHandle(hDriver);

		return((char)readBuffer);
	}

and am converting chars to strings like this

<pre lang="c++"><pre>	char test = Driver.Readchar(PID, 0x40E066FDB0);
	const char* add = reinterpret_cast<const char*>(&test);
	std::string str = add;
	printf("String found: %s\n", str.c_str());

and my struct is

C++

typedef struct {
	DWORD64 proccessId;
	DWORD64 address;
	DWORD64 Read;
} MEMDATA;

hope someone could help me and thanks for @

Richard MacCutchan

for helping me with the old problem :D ~~also pls if you know the fix of this problem dont just tell me its that or that just pls give me or show me the code to fix it~~

What I have tried:

<pre lang="c++"><pre>char test = Driver.Readchar(PID, 0x40E066FDB0);
	const char* add = reinterpret_cast<const char*>(&test);
	std::string str = add;
	printf("String found: %s\n", str.c_str());

but it didn't work i want to read

DefaultString

and it reads it like this

@ΘùΦ

Posted 23-Sep-18 8:00am

Member 13980942

Updated 24-Sep-18 0:48am

Richard MacCutchan

v2

Add a Solution

2 solutions

Add a Solution

Add your solution here

Treat my content as plain text, not as HTML

Preview 0

…

Existing Members

Sign in to your account

...or Join us

Download, Vote, Comment, Publish.

Your Email
Password
Forgot your password?

Your Email
This email is in use. Do you need your password?
Optional Password

I have read and agree to the Terms of Service and Privacy Policy
Please subscribe me to the CodeProject newsletters

When answering a question please:

Read the question carefully.
Understand that English isn't everyone's first language so be lenient of bad spelling and grammar.
If a question is poorly phrased then either ask for clarification, ignore it, or edit the question and fix the problem. Insults are not welcome.
Don't tell someone to read the manual. Chances are they have and don't get it. Provide an answer or move on to the next question.

Let's work to help developers, not make them feel stupid.

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

Richard MacCutchan · Answer 1 · 2018-09-23T22:39:00

Solution 1

C++

if (MmIsAddressValid((void*)(*data).address))

Same problem as yesterday. Do not dereference the data variable in this way.

Posted 23-Sep-18 22:39pm

Richard MacCutchan

Comments

Member 13980942 24-Sep-18 8:11am

@Richard MacCutchan thanks i did that but still the same thing now it outputs only

String found : @ thats it ? and i have tried with wchar_t and std::wstring and the result was @ any ideas what is the problem here ?

Member 13980942 24-Sep-18 8:56am

i tired a lot of things but non of them worked could you tell me how could i do it i searched all over the internet but no one have done it before or i found some but it doesn't work

Richard MacCutchan 24-Sep-18 11:34am

First you need to know exactly what data is being extracted. Wherever this information is stored the kernel code has no way of telling what it is, how big it is etc. And looking at your question you are still dereferencing the data variable in a number of places, which means the pointer will be wrong, and so will the extracted data.

Member 13980942 24-Sep-18 12:22pm

@Richard MacCutchan so if i use it like the one you told me how to fix it like data->address should everything work ? and am using that function and using strlen to count the chars but still not working

Richard MacCutchan 24-Sep-18 13:35pm

I have no idea if it will work or not. However, I do not think you can use strlen in the kernel. Also in your user code you are setting the buffer size to sizeof(readBuffer), which is defined as a uint64_t so only enough space for 8 ASCII, or 4 Unicode characters.

Member 13980942 24-Sep-18 14:45pm

@Richard MacCutchan thanks didn't noticed that i will try something and see if it works and if it works i will post it here if not then idk i will post the code here and try to fix it

«_Superman_» · Answer 2 · 2018-09-23T22:43:00

Solution 2

Could be a string format issue between UNICODE and ANSI.
Try using wchar_t instead of char and std::wstring instead of std::string.

Posted 23-Sep-18 22:43pm

«_Superman_»

Comments

Member 13980942 24-Sep-18 8:11am

@«_Superman_» thanks i did that but still the same thing now it outputs only

String found : @ thats it ? and i have tried with wchar_t and std::wstring and the result was @ any ideas what is the problem here ?

Member 13980942 24-Sep-18 8:56am

i tired a lot of things but non of them worked could you tell me how could i do it i searched all over the internet but no one have done it before or i found some but it doesn't work