Strange error when using KMDF MmCopyVirtualMemory() with PsGetProcessId()

Question

This code here is meant to be able to read kernel memory and theoretically should work.

bool read_kernel_memory(HANDLE pid, PVOID address, PVOID buffer, SIZE_T size) {
    if (!address || !buffer || !size)
        return false;

    SIZE_T bytes = 0;
    PEPROCESS process;
    if (!NT_SUCCESS(PsLookupProcessByProcessId(pid, &process))) {
        DbgPrintEx(0, 0, "proc lookup failed (rmode)");
        return false;
    }
    return MmCopyVirtualMemory(process, address, PsGetCurrentProcess(), buffer, size, KernelMode, &bytes) == STATUS_SUCCESS;
}

While I am writing, IntelliSense says that on the line that starts 'return MmCopyVirtualMemory(...'

argument of type PEPROCESS is incompatible with parameter of type PEPROCESS

(Thrown by the PsGetCurrenProcess() parameter)

Does anyone know how to fix this?

I expected the code to copy the provide buffer in the pid and address provided and return STATUS_SUCCESS

I have tried initialising a PEPROCESS as a variable the line before and using that as the parameter instead.

score 0 · Answer 1 · answered Dec 12 '22 at 04:13

0

I found the answer

I did in an included header #include ntifs.h

and in the main file #include ntddk.h

This causes redefinition errors and this error

answered Dec 12 '22 at 04:13

Sergei Kiselev

42
6

Strange error when using KMDF MmCopyVirtualMemory() with PsGetProcessId()

1 Answers1