Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/idouble/kernel-memory-reading-writing

🔍 Code to read / write the Process Memory from the Kernel 🔧
https://github.com/idouble/kernel-memory-reading-writing

c easy-to-use kernel kernel-driver kernel-functions kernelmode memory process read simple template thread windows windows-kernel write

Last synced: 16 days ago
JSON representation

🔍 Code to read / write the Process Memory from the Kernel 🔧

Host: GitHub
URL: https://github.com/idouble/kernel-memory-reading-writing
Owner: IDouble
License: mit
Created: 2019-08-12T06:18:57.000Z (about 5 years ago)
Default Branch: master
Last Pushed: 2024-02-29T17:05:34.000Z (8 months ago)
Last Synced: 2024-10-03T12:23:51.506Z (about 1 month ago)
Topics: c, easy-to-use, kernel, kernel-driver, kernel-functions, kernelmode, memory, process, read, simple, template, thread, windows, windows-kernel, write
Language: C
Homepage:
Size: 678 KB
Stars: 50
Watchers: 5
Forks: 8
Open Issues: 1
Metadata Files:
- Readme: README.md
- License: LICENSE

Awesome Lists containing this project

README

        # 🔍 Kernel Memory Reading Writing 🔧

🔍 Template to read / write the Process Memory from the **Kernel** (kernelmode) 🔧

**How does it Work?**

**A: It uses the undocumented NT API "MmCopyVirtualMemory" function in ntoskrnl.exe (Windows NT operating system kernel)**

## 📝 KernelReadWriteMemory.c 📝

```

#include 

#include 

DRIVER_INITIALIZE DriverEntry;

#pragma alloc_text(INIT, DriverEntry)

// API function from ntoskrnl.exe which we use

// to copy memory to and from an user process.

NTSTATUS NTAPI MmCopyVirtualMemory

(

	PEPROCESS SourceProcess,

	PVOID SourceAddress,

	PEPROCESS TargetProcess,

	PVOID TargetAddress,

	SIZE_T BufferSize,

	KPROCESSOR_MODE PreviousMode,

	PSIZE_T ReturnSize

);

NTKERNELAPI

NTSTATUS

PsLookupProcessByProcessId(

	_In_ HANDLE ProcessId,

	_Outptr_ PEPROCESS* Process

);

NTSTATUS KeReadProcessMemory(PEPROCESS Process, PVOID SourceAddress, PVOID TargetAddress, SIZE_T Size) {

	// Since the process we are reading from is the input process, we set

	// the source process variable for that.

	PEPROCESS SourceProcess = Process;

	// Since the "process" we read the output to is this driver

	// we set the target process as the current module.

	PEPROCESS TargetProcess = PsGetCurrentProcess();

	SIZE_T Result;

	if (NT_SUCCESS(MmCopyVirtualMemory(SourceProcess, SourceAddress, TargetProcess, TargetAddress, Size, KernelMode, &Result)))

		return STATUS_SUCCESS; // operation was successful

	else

		return STATUS_ACCESS_DENIED;

}

NTSTATUS KeWriteProcessMemory(PEPROCESS Process, PVOID SourceAddress, PVOID TargetAddress, SIZE_T Size) {

	// This write func is just like the read func, except vice versa.

	// Since the process writing from is our module

	// change the source process variable for that.

	PEPROCESS SourceProcess = PsGetCurrentProcess();

	// Since the process we write to is the input process

	// we set the target process as the argument

	PEPROCESS TargetProcess = Process;

	SIZE_T Result;

	if (NT_SUCCESS(MmCopyVirtualMemory(SourceProcess, SourceAddress, TargetProcess, TargetAddress, Size, KernelMode, &Result)))

		return STATUS_SUCCESS; // operation was successful

	else

		return STATUS_ACCESS_DENIED;

}

NTSTATUS DriverEntry(_In_  struct _DRIVER_OBJECT* DriverObject, _In_  PUNICODE_STRING RegistryPath)

{

	int Writeval = 666;

	PEPROCESS Process; // our target process

	// enter your process ID here.

	PsLookupProcessByProcessId(4872, &Process); //lookup the process by it's id;

	KeWriteProcessMemory(Process, &Writeval, 0x010F29B0, sizeof(__int32));

	DbgPrint("Value of int i: %d", Writeval);

	return STATUS_SUCCESS;

}

```

![Binance Ready to give crypto a try ? buy bitcoin and other cryptocurrencies on binance](Images/binance.jpg)