Read Kernel Memory from user mode WITHOUT driver

Question

I'm writing an program which enumerates hooks created by SetWindowsHookEx() Here is the process:

1. Use GetProcAddress() to obtain gSharedInfo exported in User32.dll (works, verified)
2. Read User-Mode memory at gSharedInfo + 8 , the result should be a pointer of first handle entry. (works, verified)
3. Read User-Mode memory at [gSharedInfo] + 8 , the result should be count of handles to enumerate. (works, verified)
4. Read data from address obtained in step 2, repeat count times
5. Check if HANDLEENTRY.bType is 5(which means it's a HHOOK). If so, print informations.

The problem is, although step 1-3 only mess around with user mode memory, step 4 requires the program to read kernel memory. After some research I found that ZwSystemDebugControl can be used to access Kernel Memory from user mode. So I wrote the following function:

BOOL GetKernelMemory(PVOID pKernelAddr, PBYTE pBuffer, ULONG uLength)
{
    MEMORY_CHUNKS mc;
    ULONG uReaded = 0;
    mc.Address = (UINT)pKernelAddr;  //Kernel Memory Address - input
    mc.pData = (UINT)pBuffer;//User Mode Memory Address  - output
    mc.Length = (UINT)uLength;       //length  
    ULONG st = -1;
    ZWSYSTEMDEBUGCONTROL ZwSystemDebugControl = (ZWSYSTEMDEBUGCONTROL)GetProcAddress(
    GetModuleHandleA("ntdll.dll"), "NtSystemDebugControl");
    st = ZwSystemDebugControl(SysDbgCopyMemoryChunks_0, &mc, sizeof(MEMORY_CHUNKS), 0, 0, &uReaded);
    return st == 0;
}

But the function above didn't work. uReaded is always 0 and st is always 0xC0000002. How do I resolve this error?

my full program: http://pastebin.com/xzYfGdC5

Answer 1

在Windows XP之后，MSFT没有实现NtSystemDebugControl系统调用。

Answer 2

The Meltdown vulnerability makes it possible to read Kernel memory from User Mode on most Intel CPUs with a speed of approximately 500kB/s. This works on most unpatched OS'es.