Kernel driver read memory is not sending the whole string

Question

I have this kernel driver used to read a string from the process memory:

KeAttachProcess(GlobalProcessPE);
char* source = *(ULONG*)pBuf;

RtlZeroMemory(pBuf, pIoStackLocation->Parameters.DeviceIoControl.OutputBufferLength);
RtlCopyMemory(pBuf, source, 256);

KeDetachProcess();

And here is the communication process in C++:

DWORD ReadBuffer2[180] = { 0 };
DeviceIoControl(hDevice, IOCTL_READPROCMEM_S, &msg, sizeof(msg), ReadBuffer2, sizeof(ReadBuffer2), &dwBytesRead, NULL);
printf("Message: %s\n", ReadBuffer2);
printf("Bytes read: %d\n", dwBytesRead);

Upon running and searching for the string, it actually captures the first four letters from it, as well as displaying the following:

Message: ABCD
Bytes read: 4

I have checked the string using an alternative method, and it is supposed to display ABCDEFGHIJKL...

The question lies here, why is it only reading (or probably writing) the first four bytes alone?

pBuf is the Irp->AssociatedIrp.SystemBuffer, which is supposed to be the address of the memory I am reading. — Johnaudi, Feb 11 '16 at 18:37
Please state your point as I do not understand whether it is wrong to obtain the char pointer from an unsigned long...? — Johnaudi, Feb 11 '16 at 18:45
This assumes that a `ULONG` is equivalent to a pointer, and not a safe bet. `SystemBuffer` is already a pointer, so there is no need to do this. — user4581301, Feb 11 '16 at 18:46
You are assigning an integer to a pointer. Good luck running that on Win64. — too honest for this site, Feb 11 '16 at 18:47
Are you assuming that there will be an address stored at `SystemBuffer` that you are trying to recover? — user4581301, Feb 11 '16 at 18:50
Thank you Hans, I will fix those shortly and get back to you. — Johnaudi, Feb 11 '16 at 18:51
The reason it is 254 is because I am expecting a certain string for the moment (for testing purposes) - nevertheless, it still hasn't affected the code. Using ULONG_PTR instead of ULONG will cause an illegal indirection, thus forcing me to use * (ULONG *) knowing that pBuf is PVOID. - The method provided above is similar to the method Cheat Engine uses, if not, the same. — Johnaudi, Feb 11 '16 at 18:57
I did change the InputBufferLength with the OutputBufferLength yet it hasn't affected the code in any way. Also, I do not see a point in providing a negative vote to the question...? — Johnaudi, Feb 11 '16 at 18:58
@HansPassant: On what basis do you think that "`sizeof(ReadBuffer2)` is 4 times too small"? `DeviceIoControl` size arguments are measured in bytes, same as `sizeof`. — Ben Voigt, Feb 11 '16 at 19:13
@user3528438 changing *(ULONG *) with *(char **) caused a BSOD. — Johnaudi, Feb 11 '16 at 19:49
if that's the case, then your code has more things wrong than you think — user3528438, Feb 11 '16 at 21:32
The code is based off Cheat Engine's driver, it's the best way to read the memory according to some. — Johnaudi, Feb 11 '16 at 21:49
its suppose to be `*(char *)` not `*(char **)` that will stop the BSOD. — SSpoke, Apr 02 '20 at 06:53

score 1 · Accepted Answer · answered Feb 11 '16 at 21:20

I have managed to read the string by reading each 4 characters at every address + 4.

Here's the communication code: (I also added some a __try {} _except () {} in the Driver so it doesn't BSOD)

std::string str = "";
bool scanning = true;
for (int i = 0; i < 35; i++) {
    if (!scanning) break;

    msg = 0x095A2A28 + i * 0x4;
    DWORD ReadBuffer2[50] = {0};
    DeviceIoControl(hDevice, IOCTL_READPROCMEM_S, &msg, sizeof(msg), ReadBuffer2, sizeof(ReadBuffer2), &dwBytesRead, NULL);
    char dtostr[4];
    sprintf(dtostr, "%s", ReadBuffer2);
    for (int l = 0; l < 4; l++) {
        str += dtostr[l];
        if (dtostr[l] == '\0') {
            scanning = false;
            break;
        }
    }
}
std::cout << "~Message: " << str << std::endl;

score 0 · Answer 2 · answered Mar 22 '18 at 15:28

Welcome to "kernel land". This answer may be a bit late, but better than never right ?

What you are doing to send/read the data is not safe and ugly.

To send the whole string to user mode, here is an example:

PCHAR data = "This String is from Device Driver !!!";
size_t datalen = strlen(data) + 1;//Length of data including null

RtlCopyBytes(Irp->AssociatedIrp.SystemBuffer, data, irpStack->Parameters.DeviceIoControl.OutputBufferLength);

This assumes that you are not using UNICODE, and note that although this example is working 100%, it's not complete and needs to be improved.

Enjoy.

Kernel driver read memory is not sending the whole string

2 Answers2