Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/idouble/kernel-memory-reading-writing
🔍 Code to read / write the Process Memory from the Kernel 🔧
c easy-to-use kernel kernel-driver kernel-functions kernelmode memory process read simple template thread windows windows-kernel write
Last synced: 6 days ago
- Host: GitHub
- URL: https://github.com/idouble/kernel-memory-reading-writing
- Owner: IDouble
- License: mit
- Created: 2019-08-12T06:18:57.000Z (over 5 years ago)
- Default Branch: master
- Last Pushed: 2024-02-29T17:05:34.000Z (10 months ago)
- Last Synced: 2024-12-17T06:09:03.453Z (10 days ago)
- Topics: c, easy-to-use, kernel, kernel-driver, kernel-functions, kernelmode, memory, process, read, simple, template, thread, windows, windows-kernel, write
- Language: C
- Homepage:
- Size: 678 KB
- Stars: 54
- Watchers: 5
- Forks: 9
- Open Issues: 1
Metadata Files:
- Readme: README.md
- License: LICENSE
Awesome Lists containing this project
README
# 🔍 Kernel Memory Reading Writing 🔧
🔍 Template to read / write the Process Memory from the **Kernel** (kernelmode) 🔧

**How does it Work?**

**A: It uses the undocumented NT API "MmCopyVirtualMemory" function in ntoskrnl.exe (Windows NT operating system kernel)**

## 📝 KernelReadWriteMemory.c 📝
```
// Header names were lost in extraction; ntifs.h/ntddk.h (this order) is the
// usual pair for PEPROCESS, PsGetCurrentProcess and PsLookupProcessByProcessId.
#include <ntifs.h>
#include <ntddk.h>

DRIVER_INITIALIZE DriverEntry;
#pragma alloc_text(INIT, DriverEntry)

// API function from ntoskrnl.exe which we use
// to copy memory to and from an user process.
// It is undocumented: the prototype below is declared by hand
// and resolved by the loader against the kernel export.
NTSTATUS NTAPI MmCopyVirtualMemory
(
    PEPROCESS SourceProcess,
    PVOID SourceAddress,
    PEPROCESS TargetProcess,
    PVOID TargetAddress,
    SIZE_T BufferSize,
    KPROCESSOR_MODE PreviousMode,
    PSIZE_T ReturnSize
);

NTKERNELAPI
NTSTATUS
PsLookupProcessByProcessId(
    _In_ HANDLE ProcessId,
    _Outptr_ PEPROCESS* Process
);

NTSTATUS KeReadProcessMemory(PEPROCESS Process, PVOID SourceAddress, PVOID TargetAddress, SIZE_T Size)
{
    // Since the process we are reading from is the input process, we set
    // the source process variable for that.
    PEPROCESS SourceProcess = Process;
    // Since the "process" we read the output to is this driver,
    // we set the target process as the current process (System).
    PEPROCESS TargetProcess = PsGetCurrentProcess();
    SIZE_T Result;
    if (NT_SUCCESS(MmCopyVirtualMemory(SourceProcess, SourceAddress, TargetProcess, TargetAddress, Size, KernelMode, &Result)))
        return STATUS_SUCCESS; // operation was successful
    else
        return STATUS_ACCESS_DENIED;
}

NTSTATUS KeWriteProcessMemory(PEPROCESS Process, PVOID SourceAddress, PVOID TargetAddress, SIZE_T Size)
{
    // This write func is just like the read func, except vice versa.
    // Since the process we write from is our module (System),
    // we set the source process variable for that.
    PEPROCESS SourceProcess = PsGetCurrentProcess();
    // Since the process we write to is the input process,
    // we set the target process as the argument.
    PEPROCESS TargetProcess = Process;
    SIZE_T Result;
    if (NT_SUCCESS(MmCopyVirtualMemory(SourceProcess, SourceAddress, TargetProcess, TargetAddress, Size, KernelMode, &Result)))
        return STATUS_SUCCESS; // operation was successful
    else
        return STATUS_ACCESS_DENIED;
}

NTSTATUS DriverEntry(_In_ struct _DRIVER_OBJECT* DriverObject, _In_ PUNICODE_STRING RegistryPath)
{
    UNREFERENCED_PARAMETER(DriverObject);
    UNREFERENCED_PARAMETER(RegistryPath);

    int Writeval = 666;
    PEPROCESS Process; // our target process

    // enter your process ID here. The PID is passed as a HANDLE, so cast it
    // through ULONG_PTR to avoid a pointer-size warning on x64.
    NTSTATUS Status = PsLookupProcessByProcessId((HANDLE)(ULONG_PTR)4872, &Process); // lookup the process by its id
    if (!NT_SUCCESS(Status))
        return Status; // no process with that id: Process was not set, do not use it

    // enter the target virtual address here (the value below is the template's placeholder).
    Status = KeWriteProcessMemory(Process, &Writeval, (PVOID)(ULONG_PTR)0x010F29B0, sizeof(__int32));
    DbgPrint("Value of int i: %d (write status 0x%08X)", Writeval, Status);

    // PsLookupProcessByProcessId returns a referenced EPROCESS; release the reference.
    ObDereferenceObject(Process);
    return STATUS_SUCCESS;
}
```