結(jié)構(gòu)體：

typedef struct? L_Process

{

? ? ULONG pid; //進(jìn)程ID

? ? ULONG64 Address; //內(nèi)存地址

? ? ULONG64 buf; //緩沖區(qū)指針

? ? ULONG Size; //內(nèi)存大小

}L_Process, * PL_Process;

讀：

L_ProcesspInputData = (L_Process)InputData;//拿到輸入的數(shù)據(jù)

Status = PsLookupProcessByProcessId((HANDLE)pInputData->pid, &process);通過(guò)進(jìn)程id獲得epprocess進(jìn)程結(jié)構(gòu)

if (NT_SUCCESS(Status) && MmIsAddressValid((PVOID)pInputData->buf) && process != NULL)

{

PMDL mdl = IoAllocateMdl((PVOID)pInputData->buf, pInputData->Size, 0, 0, NULL);//創(chuàng)建MDL，首地址為buf，長(zhǎng)度為size

if (!mdl) break;

MmBuildMdlForNonPagedPool(mdl);//創(chuàng)建非分頁(yè)

unsigned char* Map = (unsigned char*)MmMapLockedPages(mdl, KernelMode);//鎖定此頁(yè)

if (!Map)

{

IoFreeMdl(mdl);//釋放mdl

break;

}

TargetAddress = (PVOID)pInputData->Address;//目標(biāo)地址

TargetSize = pInputData->Size;//長(zhǎng)度

if (PsGetCurrentProcess() != process)

{

KeStackAttachProcess(process, &apc);//附加進(jìn)程成功

attach = TRUE;

}

__try {

if (MmIsAddressValid(TargetAddress))//判斷目標(biāo)地址是否有效

{

RtlCopyMemory(Map, TargetAddress, TargetSize);//目標(biāo)地址復(fù)制到map

KeLowerIrql(KeRaiseIrqlToDpcLevel());

}

}

__except (1) {

DbgPrint("無(wú)法訪問(wèn)地址.\n");

}

if (attach) KeUnstackDetachProcess(&apc);

MmUnmapLockedPages((PVOID)Map, mdl);

IoFreeMdl(mdl);

}

break;