Can Kernel mode driver do ReadProcessMemory on any process?

I am currently writing a kernel mode driver (software driver) with KMDF, and since I am very new to this topic I want to ask whether my driver would be able to call OpenProcess and ReadProcessMemory on any running process, or whether there is some way to prevent my driver from calling those functions on a process from kernel mode?


2 Answers

You can get the target process pointer by calling PsLookupProcessByProcessId, then call KeStackAttachProcess and read the process memory directly. Because this is user mode memory, you must do it inside a __try/__except block. Finally, call KeUnstackDetachProcess and ObfDereferenceObject for the target process.

RbMm answered Jun 30 '26 23:06



According to https://github.com/Zer0Mem0ry/KernelBhop/blob/master/Driver/Driver.c, you need to use the undocumented MmCopyVirtualMemory for both reading and writing any process.

NTSTATUS NTAPI MmCopyVirtualMemory
(
    PEPROCESS SourceProcess,
    PVOID SourceAddress,
    PEPROCESS TargetProcess,
    PVOID TargetAddress,
    SIZE_T BufferSize,
    KPROCESSOR_MODE PreviousMode,
    PSIZE_T ReturnSize
);
ivan_pozdeev answered Jun 30 '26 22:06
