关于MmMapIoSpace函数(高手们进来帮帮忙,在线等)
[code]
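ULONG SIZE = 16;
//ULONG ADDRESS = 0x00000413;
/*
 * PHYSICAL_ADDRESS is a LARGE_INTEGER: a brace initializer fills LowPart
 * first and HighPart second, so {0x0000050F, 0x00000500} named physical
 * address 0x5000000050F rather than the 0x500..0x50F range this code
 * wants. Set the 64-bit value through QuadPart so the intent is explicit:
 * map SIZE bytes starting at physical 0x00000500.
 */
PHYSICAL_ADDRESS ioPhysicalBase;
ioPhysicalBase.QuadPart = 0x0000000000000500;
/* FALSE was being passed where a MEMORY_CACHING_TYPE is expected; name it. */
SECTOR_KEY = (PUCHAR)MmMapIoSpace(ioPhysicalBase, SIZE, MmNonCached);
DbgPrint("SECORT_KEY_007:\n");
if (SECTOR_KEY == NULL)
{
    DbgPrint("This is NULL!\n");
}
else
{
    ULONG i;
    /* %x truncates a pointer on 64-bit builds; %p is the pointer conversion. */
    DbgPrint("%p\n", SECTOR_KEY);
    /*
     * The mapping is SIZE raw bytes, not a NUL-terminated string, and the old
     * "%X" of *SECTOR_KEY showed only the first byte. Dump every byte in hex
     * so the whole range is visible without reading past it.
     */
    for (i = 0; i < SIZE; i++)
    {
        DbgPrint("%02X ", SECTOR_KEY[i]);
    }
    DbgPrint("\n");
    DbgPrint("not null end\n");
    /* The caller still owns the mapping: release it with MmUnmapIoSpace(SECTOR_KEY, SIZE) when done. */
}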
我在0x00000500这个位置写了三个字符"aut",但是用DbgPrint打印出来的消息并不是"aut",而是"FF"。不知道是不是我这个函数用错了,还望懂这个东西的高手们帮下忙。
小弟在这先谢过了
小弟就是想在驱动程序中以字符串指针的方式读内存物理地址为0x00000500下的16个字符,或者有其它的方法。希望知道的高手们不吝赐教,最好能详细解释下或给段代码给我。
再谢过啦!!!
MmMapIoSpace
The MmMapIoSpace routine maps the given physical address range to nonpaged system space.
PVOID
MmMapIoSpace(
IN PHYSICAL_ADDRESS PhysicalAddress,
IN ULONG NumberOfBytes,
IN MEMORY_CACHING_TYPE CacheType
);
Parameters
PhysicalAddress
Specifies the starting physical address of the I/O range to be mapped.
NumberOfBytes
Specifies a value greater than zero, indicating the number of bytes to be mapped.
CacheType
Specifies a MEMORY_CACHING_TYPE value, which indicates the permitted caching behavior when mapping the physical address range.
Return Value
MmMapIoSpace returns the base virtual address that maps the base physical address for the range. If space for mapping the range is insufficient, it returns NULL.
已经弄出来了!发个大家共享下!
- #include
- #include
- //#include
- #include
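#define BYTESPERLINE 16
#define LINESPERSCREEN 25
#define OBJ_CASE_INSENSITIVE 0x00000040L
/* NT_SUCCESS: true for any non-negative NTSTATUS (success and informational codes). */
#define NT_SUCCESS(Status) ((NTSTATUS)(Status) >= 0)
/*
 * InitializeObjectAttributes: fill an OBJECT_ATTRIBUTES for NtOpenSection.
 * Wrapped in do { } while (0) so the expansion is a single statement and
 * survives `if (...) InitializeObjectAttributes(...); else ...`, which a
 * bare brace block would not; every argument is parenthesized once.
 */
#define InitializeObjectAttributes( p, n, a, r, s ) do { \
    (p)->Length = sizeof( OBJECT_ATTRIBUTES ); \
    (p)->RootDirectory = (r); \
    (p)->Attributes = (a); \
    (p)->ObjectName = (n); \
    (p)->SecurityDescriptor = (s); \
    (p)->SecurityQualityOfService = NULL; \
} while (0)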
/*
 * Native-API types recreated here because this is a Win32 user-mode build
 * (it uses GetProcAddress/CloseHandle) and the DDK headers are not pulled
 * in. Field order and sizes must match what ntdll.dll expects — do not
 * reorder or add fields.
 */

/* Counted UTF-16 string as used by the native API. Length and
 * MaximumLength are byte counts, not character counts (note the "/ 2"
 * in the MIDL annotation below). */
typedef struct _UNICODE_STRING
{
USHORT Length;
USHORT MaximumLength;
#ifdef MIDL_PASS
[size_is(MaximumLength / 2), length_is((Length) / 2) ] USHORT * Buffer;
#else // MIDL_PASS
PWSTR Buffer;
#endif // MIDL_PASS
} UNICODE_STRING;
/* 64-bit physical address; MapPhysicalMemory writes QuadPart and reads back LowPart. */
typedef LARGE_INTEGER PHYSICAL_ADDRESS, *PPHYSICAL_ADDRESS; // windbgkd
/* Native status code; negative values are failures (see NT_SUCCESS). */
typedef LONG NTSTATUS;
typedef UNICODE_STRING *PUNICODE_STRING;
/* Inheritance disposition for NtMapViewOfSection; this program passes ViewShare. */
typedef enum _SECTION_INHERIT{ ViewShare = 1 , ViewUnmap = 2 } SECTION_INHERIT;
//*************************************************************************************************
/* Object-name block for NtOpenSection; filled by InitializeObjectAttributes. */
typedef struct _OBJECT_ATTRIBUTES
{
ULONG Length;   /* sizeof(OBJECT_ATTRIBUTES) */
HANDLE RootDirectory;
PUNICODE_STRING ObjectName;
ULONG Attributes;   /* e.g. OBJ_CASE_INSENSITIVE */
PVOID SecurityDescriptor; // Points to type SECURITY_DESCRIPTOR
PVOID SecurityQualityOfService; // Points to type SECURITY_QUALITY_OF_SERVICE
} OBJECT_ATTRIBUTES;
typedef OBJECT_ATTRIBUTES *POBJECT_ATTRIBUTES;
- //************************************************************************
/*
 * ntdll.dll entry points, resolved at run time by LocateNtdllEntryPoints()
 * through GetProcAddress. As file-scope pointers they are NULL until that
 * succeeds, so callers must check its return value before using any of them.
 */

/* Releases a view mapped into ProcessHandle; used by UnmapPhysicalMemory. */
NTSTATUS (__stdcall *NtUnmapViewOfSection)
(
IN HANDLE ProcessHandle,
IN PVOID BaseAddress
);
/* Opens a named section object; used by OpenPhysicalMemory. */
NTSTATUS (__stdcall *NtOpenSection)
(
OUT PHANDLE SectionHandle,
IN ACCESS_MASK DesiredAccess,
IN POBJECT_ATTRIBUTES ObjectAttributes
);
/* Maps a view of a section; SectionOffset and ViewSize are IN OUT and may
 * come back adjusted, which MapPhysicalMemory relies on. */
NTSTATUS (__stdcall *NtMapViewOfSection)
(
IN HANDLE SectionHandle,
IN HANDLE ProcessHandle,
IN OUT PVOID *BaseAddress,
IN ULONG ZeroBits,
IN ULONG CommitSize,
IN OUT PLARGE_INTEGER SectionOffset, /* optional */
IN OUT PULONG ViewSize,
IN SECTION_INHERIT InheritDisposition,
IN ULONG AllocationType,
IN ULONG Protect
);
/* Fills a UNICODE_STRING from a NUL-terminated wide string (no copy). */
VOID (__stdcall *RtlInitUnicodeString)
(
IN OUT PUNICODE_STRING DestinationString,
IN PCWSTR SourceString
);
/* Resolved but not called anywhere in this listing. */
ULONG (__stdcall *RtlNtStatusToDosError)
(
IN NTSTATUS Status
);
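/*
 * UnmapPhysicalMemory: release a view returned by MapPhysicalMemory.
 * Address is the view's base virtual address. (HANDLE) -1 is the
 * pseudo-handle for the current process. The status is discarded on
 * purpose — the interface is void — instead of being stored in an
 * unused local as before.
 */
VOID UnmapPhysicalMemory( DWORD Address )
{
    (void) NtUnmapViewOfSection( (HANDLE) -1, (PVOID) Address );
}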
- //************************************************************************
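//--------------------------------------------------------
//
// MapPhysicalMemory
//
// Maps *Length bytes of the PhysicalMemory section, starting at
// physical offset *Address, into this process as a read-only view.
//
// PhysicalMemory - section handle from OpenPhysicalMemory()
// Address        - in: requested physical offset; out: the offset the
//                  kernel actually mapped (SectionOffset is IN OUT and
//                  may come back adjusted)
// Length         - in: requested size; out: size actually mapped
//                  (ViewSize is IN OUT)
// VirtualAddress - out: base of the view, 0 on failure
//
// Returns TRUE on success, FALSE if NtMapViewOfSection failed. The
// original returned TRUE unconditionally, so a caller then read from
// a zero VirtualAddress. Callers must not retry blindly on FALSE.
//
//--------------------------------------------------------
BOOLEAN MapPhysicalMemory( HANDLE PhysicalMemory,
                           PDWORD Address,
                           PDWORD Length,
                           PDWORD VirtualAddress )
{
    NTSTATUS ntStatus;
    PHYSICAL_ADDRESS viewBase;

    *VirtualAddress = 0;
    viewBase.QuadPart = (ULONGLONG) (*Address);
    /* NOTE(review): PDWORD -> PVOID* assumes a 32-bit build, as the original did. */
    ntStatus = NtMapViewOfSection( PhysicalMemory,
                                   (HANDLE) -1,      /* current process */
                                   (PVOID *) VirtualAddress,
                                   0L,
                                   *Length,
                                   &viewBase,
                                   Length,
                                   ViewShare,
                                   0,
                                   PAGE_READONLY );
    if( !NT_SUCCESS( ntStatus ) )
    {
        *VirtualAddress = 0;
        return FALSE;
    }
    /* Report back where the view really starts. */
    *Address = viewBase.LowPart;
    return TRUE;
}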
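//--------------------------------------------------------
//
// OpenPhysicalMemory
//
// Opens the \device\physicalmemory section for SECTION_MAP_READ
// through the native API (NtOpenSection).
//
// Returns the section handle, or NULL if NtOpenSection failed. The
// original ignored the status and returned an uninitialized local.
//
//--------------------------------------------------------
HANDLE OpenPhysicalMemory(void)
{
    NTSTATUS status;
    HANDLE physmem = NULL;
    UNICODE_STRING physmemString;
    OBJECT_ATTRIBUTES attributes;
    WCHAR physmemName[] = L"\\device\\physicalmemory";

    RtlInitUnicodeString( &physmemString, physmemName );
    InitializeObjectAttributes( &attributes, &physmemString,
                                OBJ_CASE_INSENSITIVE, NULL, NULL );
    status = NtOpenSection( &physmem, SECTION_MAP_READ, &attributes );
    if( !NT_SUCCESS( status ) )
    {
        return NULL;
    }
    return physmem;
}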
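//--------------------------------------------------------
//
// LocateNtdllEntryPoints
//
// Resolves the ntdll.dll entry points declared above through
// GetProcAddress. The module handle is looked up once and checked;
// the original called GetModuleHandle five times and never tested it
// for NULL before handing it to GetProcAddress.
//
// Returns TRUE when every pointer was resolved, FALSE on the first
// failure (pointers resolved earlier stay set, later ones stay NULL).
//
//--------------------------------------------------------
BOOLEAN LocateNtdllEntryPoints(void)
{
    HMODULE ntdll = GetModuleHandle("ntdll.dll");
    if( ntdll == NULL )
    {
        return FALSE;
    }
    RtlInitUnicodeString = (void (__stdcall *)(PUNICODE_STRING,PCWSTR))
        GetProcAddress( ntdll, "RtlInitUnicodeString" );
    if( RtlInitUnicodeString == NULL )
    {
        return FALSE;
    }
    NtUnmapViewOfSection = (NTSTATUS (__stdcall *)(HANDLE,PVOID))
        GetProcAddress( ntdll, "NtUnmapViewOfSection" );
    if( NtUnmapViewOfSection == NULL )
    {
        return FALSE;
    }
    NtOpenSection = (NTSTATUS (__stdcall *)(PHANDLE,ACCESS_MASK,POBJECT_ATTRIBUTES))
        GetProcAddress( ntdll, "NtOpenSection" );
    if( NtOpenSection == NULL )
    {
        return FALSE;
    }
    NtMapViewOfSection = (NTSTATUS (__stdcall *)(IN HANDLE,
                                                 IN HANDLE,
                                                 IN OUT PVOID *,
                                                 IN ULONG,
                                                 IN ULONG,
                                                 IN OUT PLARGE_INTEGER,
                                                 IN OUT PULONG,
                                                 IN SECTION_INHERIT,
                                                 IN ULONG,
                                                 IN ULONG))
        GetProcAddress( ntdll, "NtMapViewOfSection" );
    if( NtMapViewOfSection == NULL )
    {
        return FALSE;
    }
    RtlNtStatusToDosError = (ULONG (__stdcall *)(NTSTATUS))
        GetProcAddress( ntdll, "RtlNtStatusToDosError" );
    if( RtlNtStatusToDosError == NULL )
    {
        return FALSE;
    }
    return TRUE;
}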
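//--------------------------------------------------------
//
// Memory_Call
//
// One read of KEY_LEN bytes at offset KEY_OFFSET within a read-only
// view of \device\physicalmemory, printed as text.
//
// Fixes relative to the original: the entry-point and section-open
// results are checked; the copied bytes are NUL-terminated and printed
// with "%s" (printf(key) used bytes this program does not control as
// the format string, and key had no terminator); the read is bounded
// by the size the kernel reports back in `length`; the view is
// unmapped on the way out (the old UnmapPhysicalMemory call sat after
// `break` and never ran); a map failure returns instead of spinning in
// while(1).
//
//--------------------------------------------------------
void Memory_Call(void)
{
    /* 1280 == 0x500, the physical offset this listing reads; 16 bytes as before. */
    enum { KEY_OFFSET = 1280, KEY_LEN = 16 };
    HANDLE physmem;
    DWORD vaddress = 0, paddress = 0, length = 0;
    char key[KEY_LEN + 1];      /* +1: terminator that memcpy does not add */
    char mk[] = "12";           /* requested physical offset, hex text */
    char jk[] = "12";           /* requested view length, hex text */

    if( !LocateNtdllEntryPoints() )
    {
        printf("could not resolve ntdll entry points\n");
        return;
    }
    physmem = OpenPhysicalMemory();
    if( physmem == NULL )
    {
        printf("could not open \\device\\physicalmemory\n");
        return;
    }

    /* DWORD is unsigned long in the Win32 SDK; %lx is the matching conversion. */
    sscanf( mk, "%lx", &paddress );
    sscanf( jk, "%lx", &length );

    if( MapPhysicalMemory( physmem, &paddress, &length, &vaddress ) && vaddress != 0 )
    {
        /* `length` now holds the size actually mapped; never read past it. */
        if( length >= KEY_OFFSET + KEY_LEN )
        {
            /* NOTE(review): DWORD -> pointer cast assumes a 32-bit build, as the original did. */
            memcpy( key, (char *)vaddress + KEY_OFFSET, KEY_LEN );
            key[KEY_LEN] = '\0';
            printf( "%s\n", key );
        }
        UnmapPhysicalMemory( vaddress );
    }

    CloseHandle( physmem );
}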
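//--------------------------------------------------------
//
// Main
//
// Runs the single physical-memory read and waits for a key press so
// the console window stays open. argc/argv are unused; the casts keep
// -Wunused-parameter quiet without changing the signature.
//
//--------------------------------------------------------
int main( int argc, char *argv[] )
{
    (void) argc;
    (void) argv;
    Memory_Call();
    _getch();
    return 0;
}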
贴出来的代码没有注释,不好理解,感觉和读取0x00000500下的16个字符无关。
MmMapIoSpace函数调用错在这里:
PHYSICAL_ADDRESS ioPhysicalBase = {0x0000050F,0x00000500};
物理地址是64位的地址(PHYSICAL_ADDRESS 就是 LARGE_INTEGER),初始化列表的第一个值是 LowPart、第二个值是 HighPart,这样写的意思是访问0x5000000050F,而不是从0x00000500到0x0000050F。
修改如下:
PHYSICAL_ADDRESS ioPhysicalBase = {0x0000050F,0};
(说明:第一个值 LowPart 就是映射的起始物理地址,HighPart 为 0;如果要像楼主说的那样从 0x00000500 开始读 16 个字节,LowPart 应填 0x00000500,并以 NumberOfBytes=16 调用 MmMapIoSpace。)