| View previous topic :: View next topic |
| Author |
Message |
hevnfkxu
How do I cheat?
![]() Reputation: 0
Joined: 08 Aug 2007
Posts: 4
|
 Posted: Wed Aug 08, 2007 2:04 am Post subject: Read Usermode Process Memory From Kernel |
 |
|
How do I read usermode process memory in kernel driver?
Is there a Kernel API which supports such operation?
I tried to do it through virtual to physical memory translation.,, but because of my bad programming skills.. I couldn't figure out the bitwise operation stuff...
Can I get an example? thanks...
|
|
| Back to top |
|
 |
Noz3001
I'm a spammer
 Reputation: 26
Joined: 29 May 2006
Posts: 6220
Location: /dev/null
|
| Posted: Wed Aug 08, 2007 4:25 am Post subject: |
|
|
| ZwReadVirtualMemory?
|
|
| Back to top |
|
|
Dark Byte
Site Admin
 Reputation: 471
Joined: 09 May 2003
Posts: 25820
Location: The netherlands
|
| Posted: Wed Aug 08, 2007 11:04 am Post subject: |
|
|
and if that is blocked you can use keattachprocess and attach to the process and read the memory like it's the current process. (It actually is)
_________________
Do not ask me about online cheats. I don't know any and wont help finding them.
Like my help? Join me on Patreon so i can keep helping |
|
| Back to top |
|
|
hevnfkxu
How do I cheat?
![]() Reputation: 0
Joined: 08 Aug 2007
Posts: 4
|
| Posted: Wed Aug 08, 2007 7:52 pm Post subject: Thanks:) |
|
|
I will try KeAttachProcess!
One more thing though...
When I tried to use ZwReadVirtualMemory From kernel, I always get NtStatus C0000005(Access violation)
here's the code
ZwReadVirtualMemory((HANDLE)0xFFFFFFFF,(LPVOID)0x400000,&Buffer,4,NULL);
Is there anything wrong with the code?
|
|
| Back to top |
|
|
Noz3001
I'm a spammer
Reputation: 26
Joined: 29 May 2006
Posts: 6220
Location: /dev/null
|
| Posted: Thu Aug 09, 2007 5:08 am Post subject: |
|
|
Read this:
| Code: | | The NtXxxx version of the native system service is the name of the function itself. Thus, when a Kernel Mode component calls the NtXxxx version of the system service, whatever is presently set into previous mode is unchanged. Thus, it is quite possible that the Kernel component could be running on an arbitrary User stack, with the requestor mode set to User. The system service will not know any better, attempt to validate the request parameters, possibly using the credentials of the arbitrary User Mode thread, and thus possibly fail the request. Another problem here is that one step in the validation process for a User Mode request is that all passed in buffers have either ProbeForRead or ProbeForWrite executed on them, depending on the buffer’s usage. These routines raise exceptions if executed on Kernel Mode addresses. Therefore, if you pass in Kernel Mode buffers with your request mode set to User, your calls into the native API return STATUS_ACCESS_VIOLATION. |
|
|
| Back to top |
|
|
|
FAQ
Search
Memberlist
Usergroups
Register
Profile
Log in to check your private messages
Log in
