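├── Images └── binance.jpg ├── KernelReadWriteMemory.c ├── LICENSE └── README.md
/Images/binance.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/IDouble/Kernel-Memory-Reading-Writing/75167731e9b5df5b2e8b00c17c237a24539f5d2d/Images/binance.jpg
--------------------------------------------------------------------------------
/KernelReadWriteMemory.c:
--------------------------------------------------------------------------------
// NOTE(review): the header names after both #include directives were lost when
// this page was extracted. <ntdef.h> and <ntifs.h> are the usual pair for this
// code and are restored on that assumption -- confirm against the repository.
#include <ntdef.h>
#include <ntifs.h>

DRIVER_INITIALIZE DriverEntry;
#pragma alloc_text(INIT, DriverEntry)

// Demo inputs used by DriverEntry. Both are machine-specific sample values
// taken from the original listing; the casts give them the pointer-sized
// types the callee prototypes require (HANDLE / PVOID).
#define DEMO_TARGET_PID     ((HANDLE)(ULONG_PTR)4872)
#define DEMO_TARGET_ADDRESS ((PVOID)(ULONG_PTR)0x010F29B0)

// API function from ntoskrnl.exe which we use
// to copy memory to and from a user process.
// NOTE(review): this routine is undocumented, so the prototype below is a
// hand-written declaration and its contract is not guaranteed across Windows
// builds.
NTSTATUS NTAPI MmCopyVirtualMemory
(
    PEPROCESS SourceProcess,
    PVOID SourceAddress,
    PEPROCESS TargetProcess,
    PVOID TargetAddress,
    SIZE_T BufferSize,
    KPROCESSOR_MODE PreviousMode,
    PSIZE_T ReturnSize
);

NTKERNELAPI
NTSTATUS
PsLookupProcessByProcessId(
    _In_ HANDLE ProcessId,
    _Outptr_ PEPROCESS* Process
);

// Returns TRUE when [Address, Address + Size) lies entirely at or below
// MM_HIGHEST_USER_ADDRESS, without letting Address + Size wrap around.
static BOOLEAN IsUserModeRange(PVOID Address, SIZE_T Size)
{
    ULONG_PTR Start = (ULONG_PTR)Address;
    ULONG_PTR Limit = (ULONG_PTR)MM_HIGHEST_USER_ADDRESS;

    if (Start > Limit) {
        return FALSE;
    }
    if (Size == 0) {
        return TRUE;
    }
    return (Size - 1) <= (Limit - Start);
}

// Copies Size bytes from SourceAddress in Process to TargetAddress in the
// current process context.
//
// Returns STATUS_SUCCESS when MmCopyVirtualMemory reports success,
// STATUS_INVALID_PARAMETER when Process is NULL, and STATUS_ACCESS_DENIED
// when the remote range is not a user-mode range or the copy fails.
//
// NOTE(review): the call passes KernelMode as PreviousMode, which is generally
// understood to skip the address probing a UserMode caller would get (confirm
// for the target build). The remote range is therefore validated here, so the
// helper cannot be pointed at kernel addresses. Nothing in this file takes its
// arguments from user mode; if that ever changes (for example an IOCTL
// handler), caller-supplied process, address and size would form an arbitrary
// read primitive and need access checks at that boundary.
// NOTE(review): the real failure status is still collapsed to
// STATUS_ACCESS_DENIED to keep the original return contract.
NTSTATUS KeReadProcessMemory(PEPROCESS Process, PVOID SourceAddress, PVOID TargetAddress, SIZE_T Size) {
    SIZE_T Copied = 0;
    NTSTATUS Status;

    if (Process == NULL) {
        return STATUS_INVALID_PARAMETER;
    }
    // SourceAddress is the address inside the remote process.
    if (!IsUserModeRange(SourceAddress, Size)) {
        return STATUS_ACCESS_DENIED;
    }

    // Source is the process passed in; target is whatever process context
    // this code is currently running in.
    Status = MmCopyVirtualMemory(Process, SourceAddress, PsGetCurrentProcess(), TargetAddress, Size, KernelMode, &Copied);
    return NT_SUCCESS(Status) ? STATUS_SUCCESS : STATUS_ACCESS_DENIED;
}

// Copies Size bytes from SourceAddress in the current process context to
// TargetAddress in Process. Mirror image of KeReadProcessMemory.
//
// Returns STATUS_SUCCESS when MmCopyVirtualMemory reports success,
// STATUS_INVALID_PARAMETER when Process is NULL, and STATUS_ACCESS_DENIED
// when the remote range is not a user-mode range or the copy fails.
//
// NOTE(review): same KernelMode caveat as the read helper. With caller-
// controlled arguments this would be an arbitrary write primitive, so the
// remote (target) range is confined to user-mode addresses before the call.
NTSTATUS KeWriteProcessMemory(PEPROCESS Process, PVOID SourceAddress, PVOID TargetAddress, SIZE_T Size) {
    SIZE_T Copied = 0;
    NTSTATUS Status;

    if (Process == NULL) {
        return STATUS_INVALID_PARAMETER;
    }
    // TargetAddress is the address inside the remote process.
    if (!IsUserModeRange(TargetAddress, Size)) {
        return STATUS_ACCESS_DENIED;
    }

    // Source is the current process context; target is the process passed in.
    Status = MmCopyVirtualMemory(PsGetCurrentProcess(), SourceAddress, Process, TargetAddress, Size, KernelMode, &Copied);
    return NT_SUCCESS(Status) ? STATUS_SUCCESS : STATUS_ACCESS_DENIED;
}

// Driver entry point: looks up the demo process by id, writes one int into it
// and reports the outcome through DbgPrint.
//
// Returns the status of the first step that failed, otherwise STATUS_SUCCESS.
// NOTE(review): no DriverUnload routine is registered, so after a successful
// load the driver cannot be unloaded.
NTSTATUS DriverEntry(_In_ struct _DRIVER_OBJECT* DriverObject, _In_ PUNICODE_STRING RegistryPath)
{
    int Writeval = 666;
    PEPROCESS Process = NULL; // our target process
    NTSTATUS Status;

    UNREFERENCED_PARAMETER(DriverObject);
    UNREFERENCED_PARAMETER(RegistryPath);

    // The lookup can fail (no such process id). Process is only valid, and
    // only referenced, when the call succeeds.
    Status = PsLookupProcessByProcessId(DEMO_TARGET_PID, &Process);
    if (!NT_SUCCESS(Status)) {
        DbgPrint("PsLookupProcessByProcessId failed: 0x%08X\n", Status);
        return Status;
    }

    Status = KeWriteProcessMemory(Process, &Writeval, DEMO_TARGET_ADDRESS, sizeof(Writeval));

    // PsLookupProcessByProcessId took a reference on the process object;
    // release it on every path once the copy is done.
    ObDereferenceObject(Process);

    if (!NT_SUCCESS(Status)) {
        DbgPrint("KeWriteProcessMemory failed: 0x%08X\n", Status);
        return Status;
    }

    DbgPrint("Value of int i: %d", Writeval);

    return STATUS_SUCCESS;
}
--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
1 | MIT License
2 |
3 | Copyright (c) 2019 Alpay Yildirim
4 |
5 | Permission is hereby granted, free of charge, to any person obtaining a copy
6 | of this software and associated documentation files (the "Software"), to deal
7 | in the Software without restriction, including without limitation the rights
8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
9 | copies of the Software, and to permit persons to whom the Software is
10 | furnished to do so, subject to the following conditions:
11 |
12 | The above copyright notice and this permission notice shall be included in all
13 | copies or substantial portions of the Software.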
14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 22 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # 🔍 Kernel Memory Reading Writing 🔧 2 | 🔍 Template to read / write the Process Memory from the **Kernel** (kernelmode) 🔧 3 | 4 | **How does it Work?**
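**A: It uses the undocumented NT API "MmCopyVirtualMemory" function in ntoskrnl.exe (Windows NT operating system kernel)**

## 📝 KernelReadWriteMemory.c 📝

```
// NOTE(review): the header names after both #include directives were lost when
// this page was extracted. <ntdef.h> and <ntifs.h> are the usual pair for this
// code and are restored on that assumption -- confirm against the repository.
#include <ntdef.h>
#include <ntifs.h>

DRIVER_INITIALIZE DriverEntry;
#pragma alloc_text(INIT, DriverEntry)

// Demo inputs used by DriverEntry. Both are machine-specific sample values
// taken from the original listing; the casts give them the pointer-sized
// types the callee prototypes require (HANDLE / PVOID).
#define DEMO_TARGET_PID     ((HANDLE)(ULONG_PTR)4872)
#define DEMO_TARGET_ADDRESS ((PVOID)(ULONG_PTR)0x010F29B0)

// API function from ntoskrnl.exe which we use
// to copy memory to and from a user process.
// NOTE(review): this routine is undocumented, so the prototype below is a
// hand-written declaration and its contract is not guaranteed across Windows
// builds.
NTSTATUS NTAPI MmCopyVirtualMemory
(
    PEPROCESS SourceProcess,
    PVOID SourceAddress,
    PEPROCESS TargetProcess,
    PVOID TargetAddress,
    SIZE_T BufferSize,
    KPROCESSOR_MODE PreviousMode,
    PSIZE_T ReturnSize
);

NTKERNELAPI
NTSTATUS
PsLookupProcessByProcessId(
    _In_ HANDLE ProcessId,
    _Outptr_ PEPROCESS* Process
);

// Returns TRUE when [Address, Address + Size) lies entirely at or below
// MM_HIGHEST_USER_ADDRESS, without letting Address + Size wrap around.
static BOOLEAN IsUserModeRange(PVOID Address, SIZE_T Size)
{
    ULONG_PTR Start = (ULONG_PTR)Address;
    ULONG_PTR Limit = (ULONG_PTR)MM_HIGHEST_USER_ADDRESS;

    if (Start > Limit) {
        return FALSE;
    }
    if (Size == 0) {
        return TRUE;
    }
    return (Size - 1) <= (Limit - Start);
}

// Copies Size bytes from SourceAddress in Process to TargetAddress in the
// current process context.
//
// Returns STATUS_SUCCESS when MmCopyVirtualMemory reports success,
// STATUS_INVALID_PARAMETER when Process is NULL, and STATUS_ACCESS_DENIED
// when the remote range is not a user-mode range or the copy fails.
//
// NOTE(review): the call passes KernelMode as PreviousMode, which is generally
// understood to skip the address probing a UserMode caller would get (confirm
// for the target build). The remote range is therefore validated here, so the
// helper cannot be pointed at kernel addresses. Nothing in this listing takes
// its arguments from user mode; if that ever changes (for example an IOCTL
// handler), caller-supplied process, address and size would form an arbitrary
// read primitive and need access checks at that boundary.
// NOTE(review): the real failure status is still collapsed to
// STATUS_ACCESS_DENIED to keep the original return contract.
NTSTATUS KeReadProcessMemory(PEPROCESS Process, PVOID SourceAddress, PVOID TargetAddress, SIZE_T Size) {
    SIZE_T Copied = 0;
    NTSTATUS Status;

    if (Process == NULL) {
        return STATUS_INVALID_PARAMETER;
    }
    // SourceAddress is the address inside the remote process.
    if (!IsUserModeRange(SourceAddress, Size)) {
        return STATUS_ACCESS_DENIED;
    }

    // Source is the process passed in; target is whatever process context
    // this code is currently running in.
    Status = MmCopyVirtualMemory(Process, SourceAddress, PsGetCurrentProcess(), TargetAddress, Size, KernelMode, &Copied);
    return NT_SUCCESS(Status) ? STATUS_SUCCESS : STATUS_ACCESS_DENIED;
}

// Copies Size bytes from SourceAddress in the current process context to
// TargetAddress in Process. Mirror image of KeReadProcessMemory.
//
// Returns STATUS_SUCCESS when MmCopyVirtualMemory reports success,
// STATUS_INVALID_PARAMETER when Process is NULL, and STATUS_ACCESS_DENIED
// when the remote range is not a user-mode range or the copy fails.
//
// NOTE(review): same KernelMode caveat as the read helper. With caller-
// controlled arguments this would be an arbitrary write primitive, so the
// remote (target) range is confined to user-mode addresses before the call.
NTSTATUS KeWriteProcessMemory(PEPROCESS Process, PVOID SourceAddress, PVOID TargetAddress, SIZE_T Size) {
    SIZE_T Copied = 0;
    NTSTATUS Status;

    if (Process == NULL) {
        return STATUS_INVALID_PARAMETER;
    }
    // TargetAddress is the address inside the remote process.
    if (!IsUserModeRange(TargetAddress, Size)) {
        return STATUS_ACCESS_DENIED;
    }

    // Source is the current process context; target is the process passed in.
    Status = MmCopyVirtualMemory(PsGetCurrentProcess(), SourceAddress, Process, TargetAddress, Size, KernelMode, &Copied);
    return NT_SUCCESS(Status) ? STATUS_SUCCESS : STATUS_ACCESS_DENIED;
}

// Driver entry point: looks up the demo process by id, writes one int into it
// and reports the outcome through DbgPrint.
//
// Returns the status of the first step that failed, otherwise STATUS_SUCCESS.
// NOTE(review): no DriverUnload routine is registered, so after a successful
// load the driver cannot be unloaded.
NTSTATUS DriverEntry(_In_ struct _DRIVER_OBJECT* DriverObject, _In_ PUNICODE_STRING RegistryPath)
{
    int Writeval = 666;
    PEPROCESS Process = NULL; // our target process
    NTSTATUS Status;

    UNREFERENCED_PARAMETER(DriverObject);
    UNREFERENCED_PARAMETER(RegistryPath);

    // The lookup can fail (no such process id). Process is only valid, and
    // only referenced, when the call succeeds.
    Status = PsLookupProcessByProcessId(DEMO_TARGET_PID, &Process);
    if (!NT_SUCCESS(Status)) {
        DbgPrint("PsLookupProcessByProcessId failed: 0x%08X\n", Status);
        return Status;
    }

    Status = KeWriteProcessMemory(Process, &Writeval, DEMO_TARGET_ADDRESS, sizeof(Writeval));

    // PsLookupProcessByProcessId took a reference on the process object;
    // release it on every path once the copy is done.
    ObDereferenceObject(Process);

    if (!NT_SUCCESS(Status)) {
        DbgPrint("KeWriteProcessMemory failed: 0x%08X\n", Status);
        return Status;
    }

    DbgPrint("Value of int i: %d", Writeval);

    return STATUS_SUCCESS;
}
```

![Binance Ready to give crypto a try ? buy bitcoin and other cryptocurrencies on binance](Images/binance.jpg)

--------------------------------------------------------------------------------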