用驱动实现自己的 ZwOpenProcess ZwReadVirtualMemory ZwWriteVirtualMemory

懒得自己写了，就转一个帖子吧。

<textarea cols="87" rows="23" name="code" class="cpp">用驱动实现自己的 ZwOpenProcess ZwReadVirtualMemory ZwWriteVirtualMemory /* jhxxs.C Author: &lt;your name&gt; Last Updated: 2006-03-23 This framework is generated by EasySYS 0.3.0 This template file is copying from QuickSYS 0.3.0 written by Chunhua Liu */ #include "dbghelp.h" #include "jhxxs.h" #include &lt;stdio.h&gt; #include &lt;ntdef.h&gt; #include &lt;ntstatus.h&gt; #include &lt;ntddk.h&gt; // // A structure representing the instance information associated with // a particular device // typedef struct _DEVICE_EXTENSION { ULONG StateVariable; } DEVICE_EXTENSION, *PDEVICE_EXTENSION; typedef struct _KAPC_STATE{ LIST_ENTRY ApcListHead[2]; PEPROCESS Process; UCHAR KernelApcInProgress; UCHAR KernelApcPending; UCHAR UserApcPending; }KAPC_STATE,*PKAPC_STATE; NTKERNELAPI void KeStackAttachProcess(IN PEPROCESS Process, OUT PKAPC_STATE ApcState); NTKERNELAPI void KeUnstackDetachProcess(IN PKAPC_STATE ApcState); NTKERNELAPI NTSTATUS PsLookupProcessByProcessId(IN ULONG ulProcId,OUT PEPROCESS * pEProcess); NTKERNELAPI NTSTATUS ObOpenObjectByPointer( IN PVOID Object, IN ULONG HandleAttributes, IN PACCESS_STATE PassedAccessState OPTIONAL, IN ACCESS_MASK DesiredAccess OPTIONAL, IN POBJECT_TYPE ObjectType OPTIONAL, IN KPROCESSOR_MODE AccessMode, OUT PHANDLE Handle ); // // Device driver routine declarations. // NTSTATUS DriverEntry( IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING RegistryPath ); NTSTATUS JhxxsDispatchCreate( IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp ); NTSTATUS JhxxsDispatchClose( IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp ); NTSTATUS JhxxsDispatchDeviceControl( IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp ); VOID JhxxsUnload( IN PDRIVER_OBJECT DriverObject ); #ifdef ALLOC_PRAGMA #pragma alloc_text(INIT, DriverEntry) #pragma alloc_text(PAGE, JhxxsDispatchCreate) #pragma alloc_text(PAGE, JhxxsDispatchClose) #pragma alloc_text(PAGE, JhxxsDispatchDeviceControl) #pragma alloc_text(PAGE, JhxxsUnload) #endif // ALLOC_PRAGMA NTSTATUS MyWriteMemory(IN HANDLE hProcess,OUT PVOID BaseAddress,IN PVOID Pbuff,IN ULONG BufferSize) { PEPROCESS EProcess; KAPC_STATE ApcState; PVOID writebuffer=NULL; NTSTATUS status; status = ObReferenceObjectByHandle( hProcess, PROCESS_VM_WRITE|PROCESS_VM_READ, NULL, KernelMode, &amp;EProcess, NULL ); if(!NT_SUCCESS(status)) { ObDereferenceObject(EProcess); return STATUS_UNSUCCESSFUL; } writebuffer = ExAllocatePoolWithTag (NonPagedPool, BufferSize, 'Sys'); if(writebuffer==NULL) { ObDereferenceObject(EProcess); ExFreePool (writebuffer); return STATUS_UNSUCCESSFUL; } *(ULONG*)writebuffer=(ULONG)0x1; if (MmIsAddressValid(Pbuff)) { __try { ProbeForRead ((CONST PVOID)Pbuff, BufferSize, sizeof(CHAR)); RtlCopyMemory (writebuffer, Pbuff, BufferSize); } __except(EXCEPTION_EXECUTE_HANDLER) { status = STATUS_UNSUCCESSFUL; } } else { status = STATUS_UNSUCCESSFUL; } if (NT_SUCCESS(status)) { KeStackAttachProcess (EProcess, &amp;ApcState); if (MmIsAddressValid(BaseAddress)) { __try { ProbeForWrite ((CONST PVOID)BaseAddress, BufferSize, sizeof(CHAR)); RtlCopyMemory (BaseAddress,writebuffer, BufferSize); } __except(EXCEPTION_EXECUTE_HANDLER) { status = STATUS_UNSUCCESSFUL; } } else { status = STATUS_UNSUCCESSFUL; } KeUnstackDetachProcess (&amp;ApcState); } ObDereferenceObject(EProcess); ExFreePool (writebuffer); return status; } NTSTATUS MyReadMemory(IN HANDLE hProcess,IN PVOID BaseAddress,OUT PVOID Pbuff,IN ULONG BufferSize) { PEPROCESS EProcess; KAPC_STATE ApcState; PVOID readbuffer=NULL; NTSTATUS status; status = ObReferenceObjectByHandle( hProcess, PROCESS_VM_WRITE|PROCESS_VM_READ, NULL, KernelMode, &amp;EProcess, NULL ); if(!NT_SUCCESS(status)) { ObDereferenceObject(EProcess); return STATUS_UNSUCCESSFUL; } readbuffer = ExAllocatePoolWithTag (NonPagedPool, BufferSize, 'Sys'); if(readbuffer==NULL) { ObDereferenceObject(EProcess); ExFreePool (readbuffer); return STATUS_UNSUCCESSFUL; } *(ULONG*)readbuffer=(ULONG)0x1; KeStackAttachProcess (EProcess, &amp;ApcState); if (MmIsAddressValid(BaseAddress)) { __try { ProbeForRead ((CONST PVOID)BaseAddress, BufferSize, sizeof(CHAR)); RtlCopyMemory (readbuffer, BaseAddress, BufferSize); } __except(EXCEPTION_EXECUTE_HANDLER) { status = STATUS_UNSUCCESSFUL; } } else { status = STATUS_UNSUCCESSFUL; } KeUnstackDetachProcess (&amp;ApcState); if(NT_SUCCESS(status)) { if (MmIsAddressValid(Pbuff)) { __try { ProbeForWrite(Pbuff, BufferSize, sizeof(CHAR)); RtlCopyMemory (Pbuff, readbuffer, BufferSize); } __except(EXCEPTION_EXECUTE_HANDLER) { status = STATUS_UNSUCCESSFUL; } } else { status = STATUS_UNSUCCESSFUL; } } ObDereferenceObject(EProcess); ExFreePool (readbuffer); return status; } NTSTATUS MyOpenProcess(ULONG PID, PHANDLE pHandle) { NTSTATUS status; PEPROCESS EProcess = NULL; HANDLE handle = NULL; UNICODE_STRING y; PULONG PsProcessType; status = PsLookupProcessByProcessId(PID, &amp;EProcess); if (NT_SUCCESS(status)) { handle = 0; RtlInitUnicodeString(&amp;y, L"PsProcessType"); PsProcessType = MmGetSystemRoutineAddress(&amp;y); if (PsProcessType) { status = ObOpenObjectByPointer(EProcess, 0, 0, PROCESS_ALL_ACCESS, (PVOID)*PsProcessType, UserMode, &amp;handle); if (NT_SUCCESS(status)) { *pHandle = handle; } } ObfDereferenceObject(EProcess); } return status; } NTSTATUS DriverEntry( IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING RegistryPath ) { NTSTATUS status = STATUS_SUCCESS; UNICODE_STRING ntDeviceName; UNICODE_STRING dosDeviceName; PDEVICE_EXTENSION deviceExtension; PDEVICE_OBJECT deviceObject = NULL; BOOLEAN fSymbolicLink = FALSE; KdBreakPoint(); RtlInitUnicodeString(&amp;ntDeviceName, JHXXS_DEVICE_NAME_W); status = IoCreateDevice( DriverObject, sizeof(DEVICE_EXTENSION), &amp;ntDeviceName, FILE_DEVICE_JHXXS, 0, TRUE, &amp;deviceObject ); if (!NT_SUCCESS(status)) { goto __failed; } deviceExtension = (PDEVICE_EXTENSION)deviceObject-&gt;DeviceExtension; RtlInitUnicodeString(&amp;dosDeviceName, JHXXS_DOS_DEVICE_NAME_W); status = IoCreateSymbolicLink(&amp;dosDeviceName, &amp;ntDeviceName); if (!NT_SUCCESS(status)) { goto __failed; } fSymbolicLink = TRUE; DriverObject-&gt;MajorFunction[IRP_MJ_CREATE] = JhxxsDispatchCreate; DriverObject-&gt;MajorFunction[IRP_MJ_CLOSE] = JhxxsDispatchClose; DriverObject-&gt;MajorFunction[IRP_MJ_DEVICE_CONTROL] = JhxxsDispatchDeviceControl; DriverObject-&gt;DriverUnload = JhxxsUnload; if (NT_SUCCESS(status)) return status; __failed: if (fSymbolicLink) IoDeleteSymbolicLink(&amp;dosDeviceName); if (deviceObject) IoDeleteDevice(deviceObject); return status; } NTSTATUS JhxxsDispatchCreate( IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp ) { NTSTATUS status = STATUS_SUCCESS; Irp-&gt;IoStatus.Information = 0; Irp-&gt;IoStatus.Status = status; IoCompleteRequest(Irp, IO_NO_INCREMENT); return status; } NTSTATUS JhxxsDispatchClose( IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp ) { NTSTATUS status = STATUS_SUCCESS; Irp-&gt;IoStatus.Information = 0; Irp-&gt;IoStatus.Status = status; IoCompleteRequest(Irp, IO_NO_INCREMENT); return status; } NTSTATUS JhxxsDispatchDeviceControl( IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp ) { NTSTATUS status = STATUS_SUCCESS; PIO_STACK_LOCATION irpStack; PDEVICE_EXTENSION deviceExtension; PVOID ioBuf; ULONG inBufLength, outBufLength; ULONG ioControlCode; UCHAR *buff =0; ULONG OutByteCount =0; HANDLE Writehandel; PVOID WriteDstAddr; PVOID WriteSrcAddr; ULONG WriteSize; NTSTATUS WriteReturn; HANDLE Readhandel; PVOID ReadBaseAddr; PVOID ReadBuffer; ULONG ReadSize; NTSTATUS ReadReturn; ULONG OpenPid; PHANDLE PProcessHandle; NTSTATUS OpenReturn; irpStack = IoGetCurrentIrpStackLocation(Irp); deviceExtension = (PDEVICE_EXTENSION)DeviceObject-&gt;DeviceExtension; Irp-&gt;IoStatus.Information = 0; ioBuf = Irp-&gt;AssociatedIrp.SystemBuffer; inBufLength = irpStack-&gt;Parameters.DeviceIoControl.InputBufferLength; outBufLength = irpStack-&gt;Parameters.DeviceIoControl.OutputBufferLength; ioControlCode = irpStack-&gt;Parameters.DeviceIoControl.IoControlCode; switch (ioControlCode) { case 0X0022E004: { buff=(UCHAR *)Irp-&gt;AssociatedIrp.SystemBuffer ; memmove(&amp;Writehandel,&amp;buff[0],4); memmove(&amp;WriteDstAddr,&amp;buff[4],4); memmove(&amp;WriteSrcAddr,&amp;buff[8],4); memmove(&amp;WriteSize,&amp;buff[12],4); WriteReturn=MyWriteMemory(Writehandel,WriteDstAddr,WriteSrcAddr,WriteSize); memmove(Irp-&gt;AssociatedIrp.SystemBuffer,&amp;WriteReturn,4); OutByteCount=4; break; } case 0X0022E008: { buff=(UCHAR *)Irp-&gt;AssociatedIrp.SystemBuffer ; memmove(&amp;Readhandel,&amp;buff[0],4); memmove(&amp;ReadBaseAddr,&amp;buff[4],4); memmove(&amp;ReadBuffer,&amp;buff[8],4); memmove(&amp;ReadSize,&amp;buff[12],4); ReadReturn=MyReadMemory(Readhandel,ReadBaseAddr,ReadBuffer,ReadSize); memmove(&amp;buff[0],&amp;ReadReturn,4); OutByteCount=4; break; } case 0X0022E000: { OpenReturn = MyOpenProcess(*(PULONG)ioBuf,ioBuf); buff=(UCHAR *)Irp-&gt;AssociatedIrp.SystemBuffer ; memmove(&amp;buff[4],&amp;OpenReturn,4); OutByteCount=8; break; } case IOCTL_JHXXS_HELLO: { break; } default: status = STATUS_INVALID_PARAMETER; break; } Irp-&gt;IoStatus.Status = status; Irp-&gt;IoStatus.Information = OutByteCount; IoCompleteRequest(Irp, IO_NO_INCREMENT); return status; } VOID JhxxsUnload( IN PDRIVER_OBJECT DriverObject ) { UNICODE_STRING dosDeviceName; RtlInitUnicodeString(&amp;dosDeviceName, JHXXS_DOS_DEVICE_NAME_W); IoDeleteSymbolicLink(&amp;dosDeviceName); IoDeleteDevice(DriverObject-&gt;DeviceObject); } </textarea>