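/*
 * Repository layout:
 *   ├── .gitattributes
 *   ├── README.md
 *   └── ReadWrite.c
 *
 * /.gitattributes:
 *   # Auto detect text files and perform LF normalization
 *   * text=auto
 *
 * /README.md:
 *   # Kernal-Memory-ReadWrite
 *   Simple code to manipulate the memory of a usermode process from kernelmode.
 *
 *   This works for both x64 & x86 processes.
 *
 * /ReadWrite.c:
 */

/*
 * NOTE(review): the two header names were lost from the listing (only the
 * bare "#include" survived). <ntifs.h> and <ntddk.h> are the WDK headers that
 * declare the types and routines used below; confirm against the original
 * repository.
 */
#include <ntifs.h>
#include <ntddk.h>

DRIVER_INITIALIZE DriverEntry;
#pragma alloc_text(INIT, DriverEntry)

/*
 * Demo parameters, hard-coded by the original author.
 * Enter your process ID here. The address is only meaningful inside the one
 * process instance it was taken from.
 */
#define DEMO_TARGET_PID      4872
#define DEMO_TARGET_ADDRESS  0x010F29B0

/*
 * API function from ntoskrnl.exe which we use to copy memory to and from a
 * user process. It is not declared in the WDK headers, so it is prototyped
 * by hand here; the signature is therefore not checked by the compiler
 * against the kernel's real definition.
 */
NTSTATUS NTAPI MmCopyVirtualMemory
(
    PEPROCESS SourceProcess,
    PVOID SourceAddress,
    PEPROCESS TargetProcess,
    PVOID TargetAddress,
    SIZE_T BufferSize,
    KPROCESSOR_MODE PreviousMode,
    PSIZE_T ReturnSize
);

/* Kept as in the original listing; <ntifs.h> is expected to declare it too. */
NTKERNELAPI
NTSTATUS
PsLookupProcessByProcessId(
    _In_ HANDLE ProcessId,
    _Outptr_ PEPROCESS *Process
);

/*
 * Returns TRUE when [Address, Address + Size) is non-empty and lies entirely
 * at or below MM_HIGHEST_USER_ADDRESS, without overflowing.
 *
 * Both copy routines pass KernelMode as the previous mode, so the remote
 * address is bounded here rather than relying on the copy routine to reject
 * kernel-space ranges.
 * NOTE(review): whether MmCopyVirtualMemory probes addresses when called with
 * KernelMode is not visible in this file -- confirm before relaxing this check.
 */
static BOOLEAN KepIsUserRange(PVOID Address, SIZE_T Size)
{
    ULONG_PTR Start = (ULONG_PTR)Address;
    ULONG_PTR Limit = (ULONG_PTR)MM_HIGHEST_USER_ADDRESS;

    if (Address == NULL || Size == 0 || Start > Limit)
        return FALSE;

    /* Size - 1 cannot underflow (Size != 0); Limit - Start cannot either. */
    return (BOOLEAN)(Size - 1 <= Limit - Start);
}

/*
 * Copies Size bytes from SourceAddress in Process into TargetAddress in the
 * current process context.
 *
 * Process        referenced process object to read from
 * SourceAddress  user-space address inside Process
 * TargetAddress  destination buffer valid in the current process context
 * Size           number of bytes to copy
 *
 * Returns STATUS_SUCCESS when the copy succeeds, STATUS_INVALID_PARAMETER for
 * a NULL argument, a zero size or a source range outside user space, and
 * STATUS_ACCESS_DENIED for any failure reported by MmCopyVirtualMemory (the
 * underlying status is not passed on, as in the original).
 */
NTSTATUS KeReadProcessMemory(PEPROCESS Process, PVOID SourceAddress, PVOID TargetAddress, SIZE_T Size)
{
    SIZE_T Result = 0;
    NTSTATUS Status;

    if (Process == NULL || TargetAddress == NULL || !KepIsUserRange(SourceAddress, Size))
        return STATUS_INVALID_PARAMETER;

    /* Source is the input process; the target "process" is whatever context
     * this driver code is currently running in. */
    Status = MmCopyVirtualMemory(Process, SourceAddress,
                                 PsGetCurrentProcess(), TargetAddress,
                                 Size, KernelMode, &Result);

    return NT_SUCCESS(Status) ? STATUS_SUCCESS : STATUS_ACCESS_DENIED;
}

/*
 * Copies Size bytes from SourceAddress in the current process context into
 * TargetAddress in Process. Mirror image of KeReadProcessMemory.
 *
 * Process        referenced process object to write to
 * SourceAddress  source buffer valid in the current process context
 * TargetAddress  user-space address inside Process
 * Size           number of bytes to copy
 *
 * Returns STATUS_SUCCESS when the copy succeeds, STATUS_INVALID_PARAMETER for
 * a NULL argument, a zero size or a target range outside user space, and
 * STATUS_ACCESS_DENIED for any failure reported by MmCopyVirtualMemory.
 *
 * No handle to the target is opened on this path, so handle-based access
 * checks do not apply to it; the effective controls are driver-load policy
 * and driver-load telemetry.
 */
NTSTATUS KeWriteProcessMemory(PEPROCESS Process, PVOID SourceAddress, PVOID TargetAddress, SIZE_T Size)
{
    SIZE_T Result = 0;
    NTSTATUS Status;

    if (Process == NULL || SourceAddress == NULL || !KepIsUserRange(TargetAddress, Size))
        return STATUS_INVALID_PARAMETER;

    /* Source is this driver's current context; the target is the input process. */
    Status = MmCopyVirtualMemory(PsGetCurrentProcess(), SourceAddress,
                                 Process, TargetAddress,
                                 Size, KernelMode, &Result);

    return NT_SUCCESS(Status) ? STATUS_SUCCESS : STATUS_ACCESS_DENIED;
}

/*
 * Driver entry point: looks up the demo process by ID, writes one int into it
 * at the demo address, prints the written value and returns.
 *
 * Returns the lookup status if the process cannot be found, otherwise the
 * status of the write. The original returned STATUS_SUCCESS unconditionally
 * and used the process pointer even when the lookup had failed.
 *
 * No DriverUnload routine is registered, so a successfully loaded image stays
 * resident.
 */
NTSTATUS DriverEntry(
    _In_ struct _DRIVER_OBJECT *DriverObject,
    _In_ PUNICODE_STRING RegistryPath
)
{
    int Writeval = 666;
    PEPROCESS Process = NULL; /* our target process */
    NTSTATUS Status;

    UNREFERENCED_PARAMETER(DriverObject);
    UNREFERENCED_PARAMETER(RegistryPath);

    /* Look up the process by its ID; on failure Process is not valid and
     * must not be dereferenced. */
    Status = PsLookupProcessByProcessId((HANDLE)(ULONG_PTR)DEMO_TARGET_PID, &Process);
    if (!NT_SUCCESS(Status))
        return Status;

    Status = KeWriteProcessMemory(Process, &Writeval,
                                  (PVOID)(ULONG_PTR)DEMO_TARGET_ADDRESS,
                                  sizeof(Writeval));

    /* PsLookupProcessByProcessId took a reference on the process object;
     * release it so the object is not leaked. */
    ObDereferenceObject(Process);

    DbgPrint("Value of int i: %d", Writeval);

    return Status;
}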