在内核模式驱动程序中访问用户模式内存
Accessing user-mode memory inside kernel-mode driver
我想达到的是:
- UM-App 将 DeviceIoControl 发送到我的驱动程序,告知 PID 和虚拟地址进行操作。
- KM-Driver 读取或写入指定进程的指定内存。
- KM-Driver 发回结果(如果有的话)。
- UM-App 读取结果。
看起来很简单,是的,但是无论我尝试什么 - 都失败了(崩溃),这就是我在这里发帖的原因。
- 尝试附加到进程并直接访问内存。
- 尝试附加到进程并通过 MDL 访问内存。
这是我例程的完整代码:
NTSTATUS DriverCallback_IoControl_Internal_VMOperation(IRP* _IRP, IO_STACK_LOCATION* _IRPStack, ULONG* _ResultLength)
{
NTSTATUS result = STATUS_SUCCESS;
KIRQL kirql = KeGetCurrentIrql();
switch (kirql)
{
case PASSIVE_LEVEL:
{
DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, "[%s] %s: IRQL = [%s]", "km_helper", "DriverCallback_IoControl_Internal_VMOperation", "PASSIVE_LEVEL");
break;
}
case APC_LEVEL:
{
DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, "[%s] %s: IRQL = [%s]", "km_helper", "DriverCallback_IoControl_Internal_VMOperation", "APC_LEVEL");
break;
}
case DISPATCH_LEVEL:
{
DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, "[%s] %s: IRQL = [%s]", "km_helper", "DriverCallback_IoControl_Internal_VMOperation", "DISPATCH_LEVEL");
break;
}
default:
{
DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, "[%s] %s: IRQL = [%d]", "km_helper", "DriverCallback_IoControl_Internal_VMOperation", kirql);
break;
}
}
if (kirql > DISPATCH_LEVEL) // some APIs we use can't run if IRQL is too high.
{
DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, "[%s] %s: BAD IRQL.", "km_helper", "DriverCallback_IoControl_Internal_VMOperation");
return STATUS_INVALID_LEVEL;
}
if (_IRP->AssociatedIrp.SystemBuffer)
{
if (_ResultLength)
{
*_ResultLength = 0;
if (_IRPStack->Parameters.DeviceIoControl.OutputBufferLength >= _IRPStack->Parameters.DeviceIoControl.InputBufferLength)
{
CMemoryPacket* mem = reinterpret_cast<CMemoryPacket*>(_IRP->AssociatedIrp.SystemBuffer);
DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, "[%s] %s: PID: [%08X] Virtual Address: [%08X] Length: [%08X] Type: [%d]", "km_helper", "DriverCallback_IoControl_Internal_VMOperation", mem->ProcessId, mem->Address, mem->Size, mem->Type);
PEPROCESS process = NULL;
result = PsLookupProcessByProcessId(reinterpret_cast<HANDLE>(mem->ProcessId), &process);
if (NT_SUCCESS(result))
{
PEPROCESS xd = PsGetCurrentProcess();
HANDLE id = PsGetCurrentProcessId();
DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, "[%s] %s: EProcess: [%08X] ID: [%08X] Target: [%08X].", "km_helper", "DriverCallback_IoControl_Internal_VMOperation", xd, id, process);
KAPC_STATE apcState;
KeStackAttachProcess(process, &apcState);
xd = PsGetCurrentProcess();
id = PsGetCurrentProcessId();
DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, "[%s] %s: EProcess: [%08X] ID: [%08X] Target: [%08X].", "km_helper", "DriverCallback_IoControl_Internal_VMOperation", xd, id, process);
void* Buffer_Source = NULL;
void* Buffer_Target = NULL;
MDL* Buffer_MDL = IoAllocateMdl(reinterpret_cast<void*>(mem->Address), mem->Size, FALSE, FALSE, NULL);
if (Buffer_MDL)
{
void* mdl_va = MmGetMdlVirtualAddress(Buffer_MDL);
DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, "[%s] %s: MDL: [%08X] VA: [%08X]", "km_helper", "DriverCallback_IoControl_Internal_VMOperation", Buffer_MDL, mdl_va);
switch (mem->Type)
{
case MEMORYOPERATION::MO_READ:
{
// calling RtlCopyMemory directly has no difference at all, crashes too.
__try
{
MmProbeAndLockPages(Buffer_MDL, MODE::UserMode, LOCK_OPERATION::IoReadAccess); // crashes here. tried both KernelMode and UserMode access.
}
__except (EXCEPTION_EXECUTE_HANDLER)
{
DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, "[%s] %s: %s", "km_helper", "DriverCallback_IoControl_Internal_VMOperation", "MmProbeAndLockPages exploded...");
IoFreeMdl(Buffer_MDL);
KeUnstackDetachProcess(&apcState);
ObDereferenceObject(process);
return STATUS_ACCESS_VIOLATION;
}
// execution flow doesn't even hit here.
__try
{
Buffer_Source = MmMapLockedPagesSpecifyCache(Buffer_MDL, MODE::UserMode, MEMORY_CACHING_TYPE::MmCached, NULL, FALSE, MM_PAGE_PRIORITY::NormalPagePriority);
}
__except (EXCEPTION_EXECUTE_HANDLER)
{
DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, "[%s] %s: %s", "km_helper", "DriverCallback_IoControl_Internal_VMOperation", "MmMapLockedPagesSpecifyCache exploded...");
MmUnlockPages(Buffer_MDL);
IoFreeMdl(Buffer_MDL);
KeUnstackDetachProcess(&apcState);
ObDereferenceObject(process);
return STATUS_ACCESS_VIOLATION;
}
if (Buffer_Source)
{
Buffer_Target = mem->Data;
__try
{
RtlCopyMemory(Buffer_Target, Buffer_Source, mem->Size);
}
__except (EXCEPTION_EXECUTE_HANDLER)
{
DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, "[%s] %s: %s", "km_helper", "DriverCallback_IoControl_Internal_VMOperation", "RtlCopyMemory exploded...");
MmUnmapLockedPages(Buffer_Source, Buffer_MDL);
MmUnlockPages(Buffer_MDL);
IoFreeMdl(Buffer_MDL);
KeUnstackDetachProcess(&apcState);
ObDereferenceObject(process);
return STATUS_ACCESS_VIOLATION;
}
mem->DataSize = mem->Size;
*_ResultLength = mem->DataSize;
MmUnmapLockedPages(Buffer_Source, Buffer_MDL);
}
else DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, "[%s] %s: ERROR %d (%08X).", "km_helper", "DriverCallback_IoControl_Internal_VMOperation", 3, STATUS_NO_MEMORY);
MmUnlockPages(Buffer_MDL);
break;
}
case MEMORYOPERATION::MO_WRITE:
{
// TODO.
break;
}
case MEMORYOPERATION::MO_QUERY:
{
// TODO.
break;
}
}
IoFreeMdl(Buffer_MDL);
}
else DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, "[%s] %s: ERROR %d (%08X).", "km_helper", "DriverCallback_IoControl_Internal_VMOperation", 2, STATUS_NO_MEMORY);
KeUnstackDetachProcess(&apcState);
ObDereferenceObject(process);
}
else DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, "[%s] %s: ERROR %d (%08X).", "km_helper", "DriverCallback_IoControl_Internal_VMOperation", 1, result);
}
else result = STATUS_BUFFER_OVERFLOW;
}
else result = STATUS_INVALID_PARAMETER;
}
else result = STATUS_INVALID_PARAMETER;
return result;
}
提供给驱动程序的缓冲区可以是任何东西(.text/.data 部分、堆等)。我知道还有一些其他方法可以访问非分页池(虽然没有测试它们),但我想让通用方式工作。
我也没有尝试的是reading/writing通过内核API(ZwRead/WriteVirtualMemory),但这不是我想用的
顺便说一下,我在VirtualBox VM (Win7 SP1 x86) 中测试我的代码,会不会是崩溃的原因?遗憾的是我没有其他环境可以测试。
DbgView 的结果是:
Results
好的,所以这不是代码中的问题,而是环境中的问题。代码现在可以正常工作了。
由于模块基础随机化,我正在读取无效的内存地址。没仔细看。。。在project->linker settings里面改了这个参数。
我想达到的是:
- UM-App 将 DeviceIoControl 发送到我的驱动程序,告知 PID 和虚拟地址进行操作。
- KM-Driver 读取或写入指定进程的指定内存。
- KM-Driver 发回结果(如果有的话)。
- UM-App 读取结果。
看起来很简单,是的,但是无论我尝试什么 - 都失败了(崩溃),这就是我在这里发帖的原因。
- 尝试附加到进程并直接访问内存。
- 尝试附加到进程并通过 MDL 访问内存。
这是我例程的完整代码:
NTSTATUS DriverCallback_IoControl_Internal_VMOperation(IRP* _IRP, IO_STACK_LOCATION* _IRPStack, ULONG* _ResultLength)
{
NTSTATUS result = STATUS_SUCCESS;
KIRQL kirql = KeGetCurrentIrql();
switch (kirql)
{
case PASSIVE_LEVEL:
{
DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, "[%s] %s: IRQL = [%s]", "km_helper", "DriverCallback_IoControl_Internal_VMOperation", "PASSIVE_LEVEL");
break;
}
case APC_LEVEL:
{
DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, "[%s] %s: IRQL = [%s]", "km_helper", "DriverCallback_IoControl_Internal_VMOperation", "APC_LEVEL");
break;
}
case DISPATCH_LEVEL:
{
DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, "[%s] %s: IRQL = [%s]", "km_helper", "DriverCallback_IoControl_Internal_VMOperation", "DISPATCH_LEVEL");
break;
}
default:
{
DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, "[%s] %s: IRQL = [%d]", "km_helper", "DriverCallback_IoControl_Internal_VMOperation", kirql);
break;
}
}
if (kirql > DISPATCH_LEVEL) // some APIs we use can't run if IRQL is too high.
{
DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, "[%s] %s: BAD IRQL.", "km_helper", "DriverCallback_IoControl_Internal_VMOperation");
return STATUS_INVALID_LEVEL;
}
if (_IRP->AssociatedIrp.SystemBuffer)
{
if (_ResultLength)
{
*_ResultLength = 0;
if (_IRPStack->Parameters.DeviceIoControl.OutputBufferLength >= _IRPStack->Parameters.DeviceIoControl.InputBufferLength)
{
CMemoryPacket* mem = reinterpret_cast<CMemoryPacket*>(_IRP->AssociatedIrp.SystemBuffer);
DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, "[%s] %s: PID: [%08X] Virtual Address: [%08X] Length: [%08X] Type: [%d]", "km_helper", "DriverCallback_IoControl_Internal_VMOperation", mem->ProcessId, mem->Address, mem->Size, mem->Type);
PEPROCESS process = NULL;
result = PsLookupProcessByProcessId(reinterpret_cast<HANDLE>(mem->ProcessId), &process);
if (NT_SUCCESS(result))
{
PEPROCESS xd = PsGetCurrentProcess();
HANDLE id = PsGetCurrentProcessId();
DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, "[%s] %s: EProcess: [%08X] ID: [%08X] Target: [%08X].", "km_helper", "DriverCallback_IoControl_Internal_VMOperation", xd, id, process);
KAPC_STATE apcState;
KeStackAttachProcess(process, &apcState);
xd = PsGetCurrentProcess();
id = PsGetCurrentProcessId();
DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, "[%s] %s: EProcess: [%08X] ID: [%08X] Target: [%08X].", "km_helper", "DriverCallback_IoControl_Internal_VMOperation", xd, id, process);
void* Buffer_Source = NULL;
void* Buffer_Target = NULL;
MDL* Buffer_MDL = IoAllocateMdl(reinterpret_cast<void*>(mem->Address), mem->Size, FALSE, FALSE, NULL);
if (Buffer_MDL)
{
void* mdl_va = MmGetMdlVirtualAddress(Buffer_MDL);
DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, "[%s] %s: MDL: [%08X] VA: [%08X]", "km_helper", "DriverCallback_IoControl_Internal_VMOperation", Buffer_MDL, mdl_va);
switch (mem->Type)
{
case MEMORYOPERATION::MO_READ:
{
// calling RtlCopyMemory directly has no difference at all, crashes too.
__try
{
MmProbeAndLockPages(Buffer_MDL, MODE::UserMode, LOCK_OPERATION::IoReadAccess); // crashes here. tried both KernelMode and UserMode access.
}
__except (EXCEPTION_EXECUTE_HANDLER)
{
DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, "[%s] %s: %s", "km_helper", "DriverCallback_IoControl_Internal_VMOperation", "MmProbeAndLockPages exploded...");
IoFreeMdl(Buffer_MDL);
KeUnstackDetachProcess(&apcState);
ObDereferenceObject(process);
return STATUS_ACCESS_VIOLATION;
}
// execution flow doesn't even hit here.
__try
{
Buffer_Source = MmMapLockedPagesSpecifyCache(Buffer_MDL, MODE::UserMode, MEMORY_CACHING_TYPE::MmCached, NULL, FALSE, MM_PAGE_PRIORITY::NormalPagePriority);
}
__except (EXCEPTION_EXECUTE_HANDLER)
{
DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, "[%s] %s: %s", "km_helper", "DriverCallback_IoControl_Internal_VMOperation", "MmMapLockedPagesSpecifyCache exploded...");
MmUnlockPages(Buffer_MDL);
IoFreeMdl(Buffer_MDL);
KeUnstackDetachProcess(&apcState);
ObDereferenceObject(process);
return STATUS_ACCESS_VIOLATION;
}
if (Buffer_Source)
{
Buffer_Target = mem->Data;
__try
{
RtlCopyMemory(Buffer_Target, Buffer_Source, mem->Size);
}
__except (EXCEPTION_EXECUTE_HANDLER)
{
DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, "[%s] %s: %s", "km_helper", "DriverCallback_IoControl_Internal_VMOperation", "RtlCopyMemory exploded...");
MmUnmapLockedPages(Buffer_Source, Buffer_MDL);
MmUnlockPages(Buffer_MDL);
IoFreeMdl(Buffer_MDL);
KeUnstackDetachProcess(&apcState);
ObDereferenceObject(process);
return STATUS_ACCESS_VIOLATION;
}
mem->DataSize = mem->Size;
*_ResultLength = mem->DataSize;
MmUnmapLockedPages(Buffer_Source, Buffer_MDL);
}
else DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, "[%s] %s: ERROR %d (%08X).", "km_helper", "DriverCallback_IoControl_Internal_VMOperation", 3, STATUS_NO_MEMORY);
MmUnlockPages(Buffer_MDL);
break;
}
case MEMORYOPERATION::MO_WRITE:
{
// TODO.
break;
}
case MEMORYOPERATION::MO_QUERY:
{
// TODO.
break;
}
}
IoFreeMdl(Buffer_MDL);
}
else DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, "[%s] %s: ERROR %d (%08X).", "km_helper", "DriverCallback_IoControl_Internal_VMOperation", 2, STATUS_NO_MEMORY);
KeUnstackDetachProcess(&apcState);
ObDereferenceObject(process);
}
else DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, "[%s] %s: ERROR %d (%08X).", "km_helper", "DriverCallback_IoControl_Internal_VMOperation", 1, result);
}
else result = STATUS_BUFFER_OVERFLOW;
}
else result = STATUS_INVALID_PARAMETER;
}
else result = STATUS_INVALID_PARAMETER;
return result;
}
提供给驱动程序的缓冲区可以是任何东西(.text/.data 部分、堆等)。我知道还有一些其他方法可以访问非分页池(虽然没有测试它们),但我想让通用方式工作。
我也没有尝试的是reading/writing通过内核API(ZwRead/WriteVirtualMemory),但这不是我想用的
顺便说一下,我在VirtualBox VM (Win7 SP1 x86) 中测试我的代码,会不会是崩溃的原因?遗憾的是我没有其他环境可以测试。
DbgView 的结果是: Results
好的,所以这不是代码中的问题,而是环境中的问题。代码现在可以正常工作了。
由于模块基础随机化,我正在读取无效的内存地址。没仔细看。。。在project->linker settings里面改了这个参数。