
Kernel driver read memory is not sending the whole string

I have this kernel driver code that reads a string from a process's memory:

KeAttachProcess(GlobalProcessPE);
/* pBuf is the METHOD_BUFFERED system buffer; on input it holds the address sent
 * from user mode. Reading it through a ULONG keeps only 32 bits, which truncates
 * the pointer on a 64-bit target. The cast is needed for this to compile as C++. */
char* source = (char*)*(ULONG*)pBuf;

RtlZeroMemory(pBuf, pIoStackLocation->Parameters.DeviceIoControl.OutputBufferLength);
/* Copies a fixed 256 bytes without checking that OutputBufferLength is at least 256
 * and without validating that `source` is readable. */
RtlCopyMemory(pBuf, source, 256);

KeDetachProcess();

And here is the communication process in C++:

DWORD ReadBuffer2[180] = { 0 };   /* 720-byte output buffer, zero-filled */
if (!DeviceIoControl(hDevice, IOCTL_READPROCMEM_S, &msg, sizeof(msg), ReadBuffer2, sizeof(ReadBuffer2), &dwBytesRead, NULL)) {
    printf("DeviceIoControl failed: %lu\n", GetLastError());
}
printf("Message: %s\n", (char*)ReadBuffer2);   /* %s expects a char pointer */
printf("Bytes read: %lu\n", dwBytesRead);       /* DWORD is unsigned long */

Upon running it and searching for the string, it captures only the first four letters of it and displays the following:

Message: ABCD
Bytes read: 4

I have checked the string using an alternative method, and it is supposed to display ABCDEFGHIJKL...

The question is: why is it only reading (or, probably, writing) the first four bytes?

I have managed to read the string by reading 4 characters at a time, advancing the address by 4 on each read.

Here's the communication code (I also added some __try {} __except () {} blocks in the driver so it doesn't BSOD):

std::string str = "";
bool scanning = true;
for (int i = 0; i < 35; i++) {
    if (!scanning) break;

    msg = 0x095A2A28 + i * 0x4;   // address of the next 4-byte chunk
    DWORD ReadBuffer2[50] = {0};
    if (!DeviceIoControl(hDevice, IOCTL_READPROCMEM_S, &msg, sizeof(msg), ReadBuffer2, sizeof(ReadBuffer2), &dwBytesRead, NULL)) {
        break;
    }
    // Only 4 bytes come back per call. Read them straight from the (zero-filled)
    // buffer; sprintf'ing "%s" into a char[4] would overflow it with the NUL.
    const char* chunk = reinterpret_cast<const char*>(ReadBuffer2);
    for (int l = 0; l < 4; l++) {
        if (chunk[l] == '\0') {   // end of string: stop without appending the NUL
            scanning = false;
            break;
        }
        str += chunk[l];
    }
}
std::cout << "~Message: " << str << std::endl;

Welcome to "kernel land". This answer may be a bit late, but better late than never, right?

What you are doing to send/read the data is unsafe and ugly.

To send the whole string to user mode, here is an example:

PCHAR data = "This String is from Device Driver !!!";
size_t datalen = strlen(data) + 1;   // length of data including the terminating NUL
ULONG outlen = irpStack->Parameters.DeviceIoControl.OutputBufferLength;
// Copy no more than the string itself and no more than the caller's buffer can hold,
// then report the copied count so the I/O manager returns exactly those bytes.
size_t copylen = (datalen < outlen) ? datalen : outlen;
RtlCopyBytes(Irp->AssociatedIrp.SystemBuffer, data, copylen);
Irp->IoStatus.Information = copylen;

This assumes that you are not using UNICODE, and note that although this example is working 100%, it's not complete and needs to be improved.

Enjoy.
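As an added example (not code from the question or the answer), here is a portable C model of the METHOD_BUFFERED contract that both posted snippets rely on: the driver decides how many bytes it copies into the system buffer and stores that count in Irp->IoStatus.Information, and on completion the I/O manager copies back exactly that many bytes to the user buffer and reports them in DeviceIoControl's lpBytesReturned. The function names, the 256-byte system buffer and the sample string are assumptions made for illustration. The block bounds the copy by both the string length and OutputBufferLength, which is the check the answer's RtlCopyBytes call needs, and it reproduces the question's "ABCD / Bytes read: 4" output by completing the request with Information set to 4, showing that a four-byte Information value alone is enough to explain seeing four characters no matter how much the driver copied into the system buffer.

```c
/* Added example: a user-mode model of the METHOD_BUFFERED IOCTL contract.
 * It is not WDK code; driver_read_string, io_manager_complete and the
 * sample string are assumptions for illustration. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Model of the driver's IOCTL handler. In a real driver, system_buffer is
 * Irp->AssociatedIrp.SystemBuffer, out_len is
 * Parameters.DeviceIoControl.OutputBufferLength, and the return value is
 * what the driver stores in Irp->IoStatus.Information. */
size_t driver_read_string(char *system_buffer, size_t out_len,
                          const char *source, size_t source_len)
{
    /* Never copy more than the caller's buffer holds and never read past the
     * end of the source string; the unbounded copies in both posted snippets
     * violate one or the other of these. */
    size_t n = source_len + 1;          /* include the terminating NUL */
    if (n > out_len) {
        n = out_len;
    }
    memset(system_buffer, 0, out_len);
    memcpy(system_buffer, source, n);
    if (n > 0) {
        system_buffer[n - 1] = '\0';    /* stay NUL-terminated even when truncated */
    }
    return n;                           /* -> Irp->IoStatus.Information */
}

/* Model of what the I/O manager does on completion for METHOD_BUFFERED:
 * only `information` bytes of the system buffer are copied back to the
 * user buffer, and that count is what DeviceIoControl reports through
 * lpBytesReturned. */
size_t io_manager_complete(char *user_buffer, size_t user_len,
                           const char *system_buffer, size_t information)
{
    size_t n = information < user_len ? information : user_len;
    memcpy(user_buffer, system_buffer, n);
    return n;                           /* -> *lpBytesReturned */
}

/* Full round trip with a correctly bounded driver: returns the byte count the
 * user-mode caller sees. */
size_t read_string_roundtrip(const char *source, size_t source_len,
                             char *user_buffer, size_t user_len)
{
    char system_buffer[256];            /* assumed system buffer size */
    size_t out_len = user_len < sizeof system_buffer ? user_len : sizeof system_buffer;
    size_t information = driver_read_string(system_buffer, out_len, source, source_len);
    return io_manager_complete(user_buffer, user_len, system_buffer, information);
}

/* Reproduces the symptom in the question: a handler that reports only 4 bytes
 * (sizeof(ULONG)) in Information delivers exactly four characters, whatever
 * it copied into the system buffer. */
size_t read_string_truncated_information(const char *source, size_t source_len,
                                         char *user_buffer, size_t user_len)
{
    char system_buffer[256];
    size_t out_len = user_len < sizeof system_buffer ? user_len : sizeof system_buffer;
    driver_read_string(system_buffer, out_len, source, source_len);
    return io_manager_complete(user_buffer, user_len, system_buffer, 4);
}

int main(void)
{
    /* Constructed sample input standing in for the target process's string. */
    static const char target[] = "ABCDEFGHIJKL";
    char user_buffer[64] = {0};
    size_t bytes;

    bytes = read_string_roundtrip(target, strlen(target), user_buffer, sizeof user_buffer);
    printf("Message: %s\nBytes read: %zu\n", user_buffer, bytes);   /* whole string, 13 */

    memset(user_buffer, 0, sizeof user_buffer);
    bytes = read_string_truncated_information(target, strlen(target), user_buffer, sizeof user_buffer);
    printf("Message: %s\nBytes read: %zu\n", user_buffer, bytes);   /* ABCD, 4 */

    char small[5] = {0};                /* caller's buffer smaller than the string */
    bytes = read_string_roundtrip(target, strlen(target), small, sizeof small);
    printf("Message: %s\nBytes read: %zu\n", small, bytes);         /* ABCD, 5: truncated but terminated */
    return 0;
}
```

The third case is the one a driver must get right: when the caller's buffer is smaller than the string, the copy is cut to OutputBufferLength, the last byte is forced to NUL so user mode never reads an unterminated string, and Information reports what was actually delivered.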
