用来自另一个进程的数据填充分配的 memory
[英]Fill allocated memory with data from another process
问题描述
Okay, this question is not regular, and maybe stupid, cause im not familiar with pointers and links in c++:
好的,这个问题不正常,而且可能很愚蠢,因为我不熟悉 c++ 中的指针和链接:
So i have some data in memory of another process ( http://prntscr.com/zmfb4p ), it's about 1200-1600 bytes.所以我在另一个进程的 memory 中有一些数据( http://prntscr.com/zmfb4p ),大约是 1200-1600 字节。 I have a driver, which can do kernel read-write to needed process.我有一个驱动程序,它可以对所需进程进行 kernel 读写。 I have a user-mode application, which one communicate with driver like that:我有一个用户模式应用程序,它与驱动程序进行如下通信:
int reading_data = driver.readvirtualmemory<int>(<processId>, <adress to read>, <size to read>);
It works as intended with small data types, but i can't understand, how to get "large" amount of bytes and store it:它适用于小数据类型,但我不明白如何获取“大量”字节并存储它:
Allocating memory to store data:分配 memory 来存储数据:
char* test_buf = new char[size_matricies_buffer]; // allocating memory and creating a pointer to it ~1200-1600 depends on situation
*test_buf = driver.ReadVirtualMemory<char>(<process>, <address>, static_cast<uint32_t>(size_matricies_buffer)); // filling allocated memory with data?
It compiles, and works, but when im trying to get access to *test i get an error:它可以编译并且可以工作,但是当我尝试访问 *test 时出现错误:
cout << "buf: " << *test_buf << " | " << &test_buf << endl;
Unhandled exception at 0x00007FF6D1DD1671 in Mysoftware.exe: 0xC0000005: Access violation writing location 0x00000000C21C833C.
Any idea what im missing here?知道我在这里缺少什么吗?
1 个解决方案
解决方案1
0 已采纳 2021-02-16 11:56:33
So basic function readVirtualMemory doin this(i guess i presented too short explanation above, but nvm now):所以基本的 function readVirtualMemory 这样做(我想我上面的解释太短了,但现在是 nvm):
template <typename type>
type ReadVirtualMemory(ULONG64 ProcessId, ULONG64 ReadAddress, SIZE_T Size)
{
type Buffer;
KERNEL_READ_REQUEST ReadRequest;
ReadRequest.ProcessId = ProcessId;
ReadRequest.Address = ReadAddress;
ReadRequest.pBuff = &Buffer;
ReadRequest.Size = Size;
if (DeviceIoControl(hDriver, IO_READ_REQUEST, &ReadRequest, sizeof(ReadRequest), &ReadRequest, sizeof(ReadRequest), 0, 0))
{
return Buffer;
}
return Buffer;
}
And KERNEL_READ_REQUEST is: KERNEL_READ_REQUEST 是:
typedef struct _KERNEL_READ_REQUEST
{
ULONG64 ProcessId;
ULONG64 Address;
PVOID64 pBuff;
ULONG64 Size;
} KERNEL_READ_REQUEST, * PKERNEL_READ_REQUEST;
So the problem was with necessary type definition in original function and structure of function.所以问题在于原始 function 中的必要类型定义和 function 的结构。 Problem was solved with next solution: adding a new kernel_read function, without type declaration, with pointer to buffer which needs to be filled by read data.下一个解决方案解决了问题:添加一个新的 kernel_read function,没有类型声明,带有指向缓冲区的指针,需要由读取数据填充。 (thanks to @SamiKuhmonen for idea): (感谢@SamiKuhmonen 的想法):
bool ReadBuffer(ULONG64 ProcessId, void* buffer, ULONG64 ReadAddress, SIZE_T Size, bool secondary = false)
{
KERNEL_READ_REQUEST ReadRequest;
ReadRequest.ProcessId = ProcessId;
ReadRequest.Address = ReadAddress;
ReadRequest.pBuff = buffer;
ReadRequest.Size = Size;
if (DeviceIoControl(hDriver, IO_READ_REQUEST, &ReadRequest, sizeof(ReadRequest), &ReadRequest, sizeof(ReadRequest), 0, 0))
{
return true;
}
return false;
}
After that my buffer之后我的缓冲区
char* matricies_buf_buf = new char[size_matricies_buffer];
driver.ReadBuffer(pid, matricies_buf_buf, transform_data[0], size_matricies_buffer);
was filled with needed data.充满了所需的数据。
sry for some ppl, who was annoyed with that question, it's my first time when i trying to ask a question and stackoverflow.对不起一些对这个问题感到恼火的人,这是我第一次尝试提出问题和stackoverflow。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.