I am currently writing a kernel-mode driver (software driver) with KMDF, and since I am very new to this topic I want to ask whether my driver would be able to call OpenProcess and ReadProcessMemory on any running process, or whether there is some way to prevent my driver from calling those functions on a process from kernel mode.
-
This is an [XY Problem](http://xyproblem.info). What problem are you really trying to solve? – IInspectable Jun 02 '18 at 12:39
-
This is odd. You ask if this can be done, then ask if it can be prevented. Which is it? – David Heffernan Jun 02 '18 at 15:18
-
I want to create a kind of antivirus application which should have access to all processes' memory, and I want to prevent other processes (I know that some malware and games do this) from forbidding my driver to scan their memory for signatures. – Jun 02 '18 at 17:22
-
I hope you like the colour blue :) – Paul Sanders Jun 03 '18 at 21:08
3 Answers
You can get the target process pointer by calling PsLookupProcessByProcessId, then call KeStackAttachProcess and read the process memory directly. Because this is user-mode memory, you must do it in a __try/__except block. Finally, call KeUnstackDetachProcess and ObfDereferenceObject for the target process.

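The five steps in the answer above as one routine, added here as an example; it is not code from the answer or from any project. Defining KM_BUILD in a driver project compiles it against ntddk.h with the real kernel routines. Without KM_BUILD, a small host-side shim (a fake process table with constructed sample memory, a setjmp-based stand-in for __try/__except, and no-op-style attach/detach bookkeeping) takes the place of the kernel so the control flow and reference counting can be exercised with an ordinary C compiler. The shim, the KM_BUILD macro, the function name ReadTargetProcessMemory, the Demo* helpers and the pid 1234 are all assumptions of the example.

```c
/* Added example: the five steps above as one routine. Define KM_BUILD to compile
 * against <ntddk.h> in a driver project. Without it, the host-side shim below
 * (fake process table, setjmp stand-in for SEH) is demo scaffolding, not kernel
 * code; it only lets the control flow and reference counting be exercised. */
#ifdef KM_BUILD
#include <ntddk.h>
#else /* ----- host-side shim, demo only (assumption, not kernel code) ----- */
#include <setjmp.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
typedef int NTSTATUS;
typedef void *PVOID, *HANDLE;
typedef size_t SIZE_T;
#define NT_SUCCESS(s)             ((NTSTATUS)(s) >= 0)
#define STATUS_SUCCESS            ((NTSTATUS)0x00000000)
#define STATUS_INVALID_CID        ((NTSTATUS)0xC000000B)
#define STATUS_ACCESS_VIOLATION   ((NTSTATUS)0xC0000005)
#define EXCEPTION_EXECUTE_HANDLER 1
#define RtlCopyMemory(d, s, n)    memcpy((d), (s), (n))
typedef struct _EPROCESS { HANDLE Pid; char *Base; SIZE_T Size; long RefCount; int Attached; } EPROCESS, *PEPROCESS;
typedef struct _KAPC_STATE { PEPROCESS Process; } KAPC_STATE;
static char g_target_mem[] = "constructed sample: target process memory";   /* constructed */
static EPROCESS g_procs[1] = { { (HANDLE)1234, g_target_mem, sizeof g_target_mem, 0, 0 } };
static PEPROCESS g_attached;   /* whose address space the "current thread" sees */
static jmp_buf g_seh; static NTSTATUS g_seh_code;
#define __try              if (setjmp(g_seh) == 0)
#define __except(filter)   else
#define GetExceptionCode() (g_seh_code)
static NTSTATUS PsLookupProcessByProcessId(HANDLE Pid, PEPROCESS *Out) {
    for (size_t i = 0; i < sizeof g_procs / sizeof g_procs[0]; i++)
        if (g_procs[i].Pid == Pid) { g_procs[i].RefCount++; *Out = &g_procs[i]; return STATUS_SUCCESS; }
    return STATUS_INVALID_CID;
}
static void KeStackAttachProcess(PEPROCESS P, KAPC_STATE *A) { A->Process = P; P->Attached++; g_attached = P; }
static void KeUnstackDetachProcess(KAPC_STATE *A) { A->Process->Attached--; g_attached = NULL; }
static void ObDereferenceObject(PVOID Obj) { ((PEPROCESS)Obj)->RefCount--; }
/* Stand-in for a page fault: any byte outside the attached process's mapping "raises". */
static void ProbeForRead(const void *Addr, SIZE_T Len, unsigned long Align) {
    uintptr_t a = (uintptr_t)Addr, lo = (uintptr_t)(g_attached ? g_attached->Base : 0); (void)Align;
    if (!g_attached || a < lo || a + Len > lo + g_attached->Size) { g_seh_code = STATUS_ACCESS_VIOLATION; longjmp(g_seh, 1); }
}
#endif /* KM_BUILD */

/* Copy Size bytes at user address Base in process Pid into Dest. Dest must be a
 * kernel buffer (e.g. from ExAllocatePoolWithTag): after the attach the caller's
 * own user addresses are gone. Call at PASSIVE_LEVEL; reading user memory can fault. */
NTSTATUS ReadTargetProcessMemory(HANDLE Pid, PVOID Base, PVOID Dest, SIZE_T Size)
{
    PEPROCESS  Process;
    KAPC_STATE ApcState;
    NTSTATUS   Status;

    /* 1. Referenced EPROCESS pointer; STATUS_INVALID_CID for an unknown pid. */
    Status = PsLookupProcessByProcessId(Pid, &Process);
    if (!NT_SUCCESS(Status))
        return Status;

    /* 2. Switch this thread into the target's address space. */
    KeStackAttachProcess(Process, &ApcState);

    /* 3. User memory may be unmapped or a bogus pointer: probe and copy under SEH.
     *    An unhandled fault here is a bugcheck, not an error return. */
    __try {
        ProbeForRead(Base, Size, 1);          /* rejects kernel-range addresses */
        RtlCopyMemory(Dest, Base, Size);
        Status = STATUS_SUCCESS;
    } __except (EXCEPTION_EXECUTE_HANDLER) {
        Status = GetExceptionCode();          /* e.g. STATUS_ACCESS_VIOLATION */
    }

    /* 4./5. Always detach and drop the reference, on every path. */
    KeUnstackDetachProcess(&ApcState);
    ObDereferenceObject(Process);             /* expands to ObfDereferenceObject */
    return Status;
}

#ifndef KM_BUILD
/* Host-only drivers for the demo: three cases plus a leak check. */
static char g_out[64];
NTSTATUS DemoReadValid(void)      { memset(g_out, 0, sizeof g_out); return ReadTargetProcessMemory((HANDLE)1234, g_target_mem, g_out, sizeof g_target_mem); }
const char *DemoLastRead(void)    { return g_out; }
NTSTATUS DemoReadBadAddress(void) { return ReadTargetProcessMemory((HANDLE)1234, g_target_mem + sizeof g_target_mem, g_out, 8); }
NTSTATUS DemoReadBadPid(void)     { return ReadTargetProcessMemory((HANDLE)4321, g_target_mem, g_out, 8); }
int DemoNoLeaks(void)             { return g_procs[0].RefCount == 0 && g_procs[0].Attached == 0 && g_attached == NULL; }

int main(void) {
    printf("valid read:  0x%08x -> \"%s\"\n", (unsigned)DemoReadValid(), DemoLastRead());
    printf("bad address: 0x%08x\n", (unsigned)DemoReadBadAddress());
    printf("bad pid:     0x%08x\n", (unsigned)DemoReadBadPid());
    printf("leaks: %s\n", DemoNoLeaks() ? "none" : "yes");
    return 0;
}
#endif
```

The point the shim makes visible is the one that bites in real drivers: the detach and the dereference sit after the __try/__except, so they run whether the copy succeeded or faulted, and the process reference and attach count return to zero in every case. In a real driver the same routine must also be handed a kernel-mode destination buffer, since the caller's user-mode addresses are not mapped once the thread is attached to the target.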
According to https://github.com/Zer0Mem0ry/KernelBhop/blob/master/Driver/Driver.c, you need to use the undocumented MmCopyVirtualMemory for both reading and writing any process:

    NTSTATUS NTAPI MmCopyVirtualMemory
    (
        PEPROCESS SourceProcess,
        PVOID SourceAddress,
        PEPROCESS TargetProcess,
        PVOID TargetAddress,
        SIZE_T BufferSize,
        KPROCESSOR_MODE PreviousMode,
        PSIZE_T ReturnSize
    );

You have NtReadVirtualMemory, but there is no Zw* version in kernel-mode, which means you're going to have to locate the address yourself (using the KeServiceDescriptorTable will work, but memory scanning is also an option).
Bear in mind, if you want to make use of any kernel-mode addresses, you'll need to set the PreviousMode of the current thread to 0 (KernelMode) if you happen to be executing under the context of a non-kernel thread (e.g. in a callback routine you might be put under the context of another process other than NTOSKRNL). This is what the Zw* routines will do for you automatically in kernel-mode, but obviously as I've already said, there isn't one for NtReadVirtualMemory in kernel-mode (Microsoft just don't want you to use it I guess).
A second approach would be to attach to the context of the process you'd like to read the memory of, and then rely on MmCopyMemory (documented at MSDN) to copy memory from an address valid in the process you've just attached to, to your own buffer. Then you can access the copied memory from your own buffer. Remember to detach.
Alternatively, you can take the path which @RbMm suggested. Personally, I'd take his suggestion because it is a documented approach, and you're likely to have more success with implementing it (not to mention you'll have less work to do).
