Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/idouble/kernel-memory-reading-writing

🔍 Code to read / write the Process Memory from the Kernel 🔧
https://github.com/idouble/kernel-memory-reading-writing

c easy-to-use kernel kernel-driver kernel-functions kernelmode memory process read simple template thread windows windows-kernel write

Last synced: 6 days ago
JSON representation

🔍 Code to read / write the Process Memory from the Kernel 🔧

Awesome Lists containing this project

README

        

# 🔍 Kernel Memory Reading Writing 🔧
🔍 Template to read / write the Process Memory from the **Kernel** (kernelmode) 🔧

**How does it Work?**
**A: It uses the undocumented NT API "MmCopyVirtualMemory" function in ntoskrnl.exe (Windows NT operating system kernel)**

## 📝 KernelReadWriteMemory.c 📝

```
#include
#include

DRIVER_INITIALIZE DriverEntry;
#pragma alloc_text(INIT, DriverEntry)

// API function from ntoskrnl.exe which we use
// to copy memory to and from an user process.
NTSTATUS NTAPI MmCopyVirtualMemory
(
PEPROCESS SourceProcess,
PVOID SourceAddress,
PEPROCESS TargetProcess,
PVOID TargetAddress,
SIZE_T BufferSize,
KPROCESSOR_MODE PreviousMode,
PSIZE_T ReturnSize
);

NTKERNELAPI
NTSTATUS
PsLookupProcessByProcessId(
_In_ HANDLE ProcessId,
_Outptr_ PEPROCESS* Process
);

NTSTATUS KeReadProcessMemory(PEPROCESS Process, PVOID SourceAddress, PVOID TargetAddress, SIZE_T Size) {
// Since the process we are reading from is the input process, we set
// the source process variable for that.
PEPROCESS SourceProcess = Process;
// Since the "process" we read the output to is this driver
// we set the target process as the current module.
PEPROCESS TargetProcess = PsGetCurrentProcess();
SIZE_T Result;
if (NT_SUCCESS(MmCopyVirtualMemory(SourceProcess, SourceAddress, TargetProcess, TargetAddress, Size, KernelMode, &Result)))
return STATUS_SUCCESS; // operation was successful
else
return STATUS_ACCESS_DENIED;
}

NTSTATUS KeWriteProcessMemory(PEPROCESS Process, PVOID SourceAddress, PVOID TargetAddress, SIZE_T Size) {
// This write func is just like the read func, except vice versa.

// Since the process writing from is our module
// change the source process variable for that.
PEPROCESS SourceProcess = PsGetCurrentProcess();
// Since the process we write to is the input process
// we set the target process as the argument
PEPROCESS TargetProcess = Process;
SIZE_T Result;

if (NT_SUCCESS(MmCopyVirtualMemory(SourceProcess, SourceAddress, TargetProcess, TargetAddress, Size, KernelMode, &Result)))
return STATUS_SUCCESS; // operation was successful
else
return STATUS_ACCESS_DENIED;
}

NTSTATUS DriverEntry(_In_ struct _DRIVER_OBJECT* DriverObject, _In_ PUNICODE_STRING RegistryPath)
{
int Writeval = 666;

PEPROCESS Process; // our target process
// enter your process ID here.
PsLookupProcessByProcessId(4872, &Process); //lookup the process by it's id;

KeWriteProcessMemory(Process, &Writeval, 0x010F29B0, sizeof(__int32));

DbgPrint("Value of int i: %d", Writeval);

return STATUS_SUCCESS;
}
```

![Binance Ready to give crypto a try ? buy bitcoin and other cryptocurrencies on binance](Images/binance.jpg)