I have been attempting to write strings in Kernel Memory for some time now. I have been able to read strings, however I have no luck with writing them. I can write regular things such as a DWORD. I keep getting stuck on casting a string to a UINT_PTR. Any help is appreciated and here is my code for reading strings:

C++
std::string ReadString(UINT_PTR ProcessId, UINT_PTR ReadAddress, SIZE_T Size) {
    if (hDriver == INVALID_HANDLE_VALUE) {
        return {};
    }

    DWORD64 Bytes;
    KERNEL_READ_REQUEST ReadRequest{};

    std::vector<char> buffer(Size, char{ 0 });

    ReadRequest.ProcessId = ProcessId;
    ReadRequest.Address = ReadAddress;
    ReadRequest.Size = buffer.size();
    ReadRequest.Output = static_cast<void*>(&buffer[0]);

    // send code to our driver with the arguments
    if (DeviceIoControl(hDriver, IO_READ_REQUEST, &ReadRequest, sizeof(ReadRequest), &ReadRequest, sizeof(ReadRequest), 0, 0)) {
        return std::string(buffer.data());
    }
    else {
        return {};
    }
}


What I have tried:

C++
std::vector<char> buffer(Size, char{ 0 });

I have also tried:
C++
std::string WriteString(UINT_PTR ProcessId, UINT_PTR WriteAddress, UINT_PTR WriteValue, SIZE_T Size) {
    if (hDriver == INVALID_HANDLE_VALUE) {
        return {};
    }

    DWORD64 Bytes;
    KERNEL_WRITE_REQUEST WriteRequest{};

    std::vector<char> buffer(Size, char{ 0 });

    WriteRequest.ProcessId = ProcessId;
    WriteRequest.Address = WriteAddress;
    WriteRequest.Size = buffer.size();
    WriteRequest.Value = WriteValue;

    // send code to our driver with the arguments
    if (DeviceIoControl(hDriver, IO_WRITE_REQUEST, &WriteRequest, sizeof(WriteRequest), 0, 0, 0, 0)) {
        return {};
    }
    else {
        return {};
    }
}
Updated 5-Dec-18 11:14am
Comments
CPallini 5-Dec-18 17:17pm    
It looks similar to the code you may find here:
https://github.com/Zer0Mem0ry/KernelBhop/blob/master/KernelBhop/KeInterface.h
But it is different. For instance what is the type of KERNEL_WRITE_REQUEST.Value?

CAST a string? You can't. To be a valid pointer that would be one nasty looking string.

You have to PARSE the string into a value.

But then, one has to wonder why you're passing handle values around in/to/from the kernel as strings instead of the actual values.
 
 
You are misusing the API. Read the example code from Microsoft and the documentation.

I can't find details about your struct on the fly, so search and read it carefully. My best guess is that Address is the pointer to the data (your string) and Value is some type information and the Output is the amount of read data.

My real advice is: Read the documentation!!!
 
 

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)


