-
-
[分享]内核下对进程只读内存的安全写入方法SafeCopyMemory
-
发表于:
2017-6-10 00:09
7671
-
[分享]内核下对进程只读内存的安全写入方法SafeCopyMemory
测试过了,好用.
来看雪备份一下,顺便分享给大家.
原文出自,134K9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8X3u0D9L8$3N6Q4x3X3g2U0M7$3c8F1i4K6u0W2L8X3g2@1i4K6u0r3N6e0l9I4x3K6M7$3x3e0l9K6y4W2)9J5c8X3q4J5N6r3W2U0L8r3g2Q4x3V1k6V1k6i4c8S2K9h3I4K6i4K6u0r3y4U0l9K6y4e0V1@1x3o6t1`.
BOOLEAN SafeCopyMemory(PVOID pDestination, PVOID pSourceAddress, SIZE_T SizeOfCopy)
{
PMDL pMdl = NULL;
PVOID pSafeAddress = NULL;
if (!MmIsAddressValid(pDestination) || !MmIsAddressValid(pSourceAddress))
return FALSE;
pMdl = IoAllocateMdl(pDestination, (ULONG)SizeOfCopy, FALSE, FALSE, NULL);
if (!pMdl)
return FALSE;
__try
{
MmProbeAndLockPages(pMdl, KernelMode, IoReadAccess);
}
__except (EXCEPTION_EXECUTE_HANDLER)
{
IoFreeMdl(pMdl);
return FALSE;
}
pSafeAddress = MmGetSystemAddressForMdlSafe(pMdl, NormalPagePriority);
if (!pSafeAddress)
return FALSE;
__try
{
RtlMoveMemory(pSafeAddress, pSourceAddress, SizeOfCopy);
}
__except (EXCEPTION_EXECUTE_HANDLER)
{
;
}
MmUnlockPages(pMdl);
IoFreeMdl(pMdl);
return TRUE;
}
void Test() {
PVOID HookCode = ExAllocatePool(NonPagedPool, 0x200);
RtlFillMemory(HookCode, 0x200, 0x90);
RtlMoveMemory(HookCode, NtOpenProcess, 0x3);
SafeCopyMemory(NtOpenProcess, HookCode, 0x3);
[培训]科锐逆向工程师培训第53期2025年7月8日开班!
lononan
hzqst
