
windows 内核模式读写内存

2023-09-14 08:58:44 时间

sysmain.c

#pragma warning(disable: 4100 4047 4024)
#pragma once 
#include <ntifs.h>
#include <ntddk.h>

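/*
 * MmCopyVirtualMemory is exported by the kernel but not declared in the
 * public WDK headers, which is why this file carries its own prototype
 * (NTKERNELAPI marks it as imported from ntoskrnl).
 *
 * Copies DataSize bytes from srcAddr in srcProcess to dstAddr in dstProcess.
 * PreviousMode is the processor mode used for access checking (presumably
 * UserMode makes the routine validate the addresses as user-mode pointers,
 * KernelMode does not -- confirm against the kernel). ReturnSize receives
 * the number of bytes actually copied. Status values and partial-copy
 * behaviour are those of the kernel routine and are not restated here.
 */
NTKERNELAPI
NTSTATUS
MmCopyVirtualMemory(
  // where to copy from
  _In_ PEPROCESS srcProcess,
  _In_ PVOID srcAddr,

  // where to copy to
  _In_ PEPROCESS dstProcess,
  _In_ PVOID dstAddr,

  // size of the data to copy, in bytes
  _In_ SIZE_T DataSize,

  // KernelMode or UserMode (see above)
  _In_ KPROCESSOR_MODE PreviousMode,
  // out: number of bytes actually copied (was misspelled "RetureSize")
  _Out_ PSIZE_T ReturnSize
);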

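/*
 * kReadProcessMemory - copy nSize bytes from lpBaseAddress inside Process
 * into lpBuffer, which must be addressable from the current process
 * context (in this file it is a local on the caller's kernel stack).
 *
 * Process       : EPROCESS of the process to read from (caller holds the
 *                 reference).
 * lpBaseAddress : address inside Process to read from.
 * lpBuffer      : destination buffer in the current context.
 * nSize         : number of bytes to copy.
 * Returns the NTSTATUS of MmCopyVirtualMemory. The number of bytes actually
 * copied is not returned to the caller; a short copy is only visible through
 * the status value.
 *
 * PreviousMode is passed as KernelMode, so the routine is not expected to
 * probe either address as a user-mode pointer: callers must pass only
 * addresses they have already validated.
 *
 * Fix: the original declared `PSIZE_T rSize;` and passed `&rSize` (a
 * SIZE_T **) where the callee expects a SIZE_T *. It "worked" only because
 * both are pointer-sized on x64; the mismatch was hidden by the file-level
 * `#pragma warning(disable: 4047 4024)`. The out-parameter is now a real
 * SIZE_T.
 */
NTSTATUS kReadProcessMemory(PEPROCESS Process, PVOID lpBaseAddress, PVOID lpBuffer, size_t nSize)
{
  SIZE_T bytesCopied = 0;

  return MmCopyVirtualMemory(Process, lpBaseAddress,
                             PsGetCurrentProcess(), lpBuffer,
                             nSize, KernelMode, &bytesCopied);
}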


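/*
 * kWriteProcessMemory - copy nSize bytes from lpBuffer (current context)
 * to lpBaseAddress inside Process.
 *
 * Process       : EPROCESS of the process to write into (caller holds the
 *                 reference).
 * lpBaseAddress : address inside Process to write to.
 * lpBuffer      : source buffer in the current context.
 * nSize         : number of bytes to copy.
 * Returns the NTSTATUS of MmCopyVirtualMemory; the byte count written by
 * the callee is discarded, so a short copy is visible only via the status.
 *
 * As in kReadProcessMemory, PreviousMode is KernelMode, so no user-mode
 * probing of lpBaseAddress is expected; the caller is responsible for
 * passing a validated address.
 *
 * Fix: `PSIZE_T rSize;` / `&rSize` passed a SIZE_T ** for a SIZE_T *
 * parameter (masked by the file-level `#pragma warning(disable: 4047 4024)`);
 * the out-parameter is now a SIZE_T.
 */
NTSTATUS kWriteProcessMemory(PEPROCESS Process, PVOID lpBaseAddress, PVOID lpBuffer, size_t nSize)
{
  SIZE_T bytesCopied = 0;

  return MmCopyVirtualMemory(PsGetCurrentProcess(), lpBuffer,
                             Process, lpBaseAddress,
                             nSize, KernelMode, &bytesCopied);
}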

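/*
 * DriverUnload - unload callback installed by DriverEntry. It only logs.
 *
 * pDriverObject : the driver object being unloaded (unused).
 *
 * Fix: PDRIVER_UNLOAD is a pointer to a function returning VOID. The
 * original returned NTSTATUS, and the type mismatch at the assignment in
 * DriverEntry was masked by the file-level
 * `#pragma warning(disable: 4047 4024)`.
 */
VOID DriverUnload(PDRIVER_OBJECT pDriverObject)
{
  UNREFERENCED_PARAMETER(pDriverObject);

  /* ComponentId 0 / Level 0 kept from the original. */
  DbgPrintEx(0, 0, "stop hsys.\n");
}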

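/*
 * DriverEntry - driver entry point. Installs the unload routine and then,
 * as a demonstration, writes an int into a hard-coded address of a
 * hard-coded process, reads it back and prints the result.
 *
 * pDriverObject : driver object supplied by the I/O manager.
 * pRegister     : registry path of the driver's service key (unused).
 * Returns STATUS_SUCCESS after the demo has run, or the failure status of
 * PsLookupProcessByProcessId when the target process cannot be found.
 *
 * Fixes relative to the original:
 *  - the status of PsLookupProcessByProcessId is checked; before, on
 *    failure, an uninitialized Process pointer was passed on to the
 *    read/write helpers.
 *  - the EPROCESS reference taken by PsLookupProcessByProcessId is released
 *    with ObDereferenceObject; it was leaked.
 *  - the integer literal used as a pointer gets an explicit conversion
 *    (warning C4047 is disabled at the top of the file, which hid this).
 *  - the statuses of the write and the read are logged instead of ignored.
 * The PID and the address are the demo values from the page; they are only
 * meaningful for one particular process instance and are not validated.
 */
NTSTATUS DriverEntry(PDRIVER_OBJECT pDriverObject, PUNICODE_STRING pRegister)
{
  UNREFERENCED_PARAMETER(pRegister);

  pDriverObject->DriverUnload = DriverUnload;

  /* Demo target: fixed process id and fixed virtual address inside it. */
  const HANDLE targetPid = (HANDLE)(ULONG_PTR)2572;
  PVOID addr = (PVOID)(ULONG_PTR)0x00007FF72BB8C178;

  PEPROCESS Process = NULL;
  NTSTATUS status = PsLookupProcessByProcessId(targetPid, &Process);
  if (!NT_SUCCESS(status)) {
    DbgPrintEx(0, 0, "PsLookupProcessByProcessId failed: 0x%08lX\n", (ULONG)status);
    return status;
  }

  int newValue = 100;
  status = kWriteProcessMemory(Process, addr, &newValue, sizeof(int));
  if (!NT_SUCCESS(status)) {
    DbgPrintEx(0, 0, "kWriteProcessMemory failed: 0x%08lX\n", (ULONG)status);
  }

  int readValue = 0;
  status = kReadProcessMemory(Process, addr, &readValue, sizeof(int));
  if (!NT_SUCCESS(status)) {
    DbgPrintEx(0, 0, "kReadProcessMemory failed: 0x%08lX\n", (ULONG)status);
  }

  DbgPrintEx(0, 0, "change value: %d\n", readValue);

  /* PsLookupProcessByProcessId handed back a referenced object; drop it. */
  ObDereferenceObject(Process);

  return STATUS_SUCCESS;
}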