I'm writing a kernel driver, which should read (and in some cases, also write) some memory addresses in kernel session space (win32k.sys). I've read in another topic that, for example, in WinDbg I should change the context to a random user process to read the memory of kernel session space (with .process /p). How can I do that in a kernel driver? Should I create a user process which communicates with the driver (that's my idea now, but I hope that there is a better solution), or is there a simpler solution for this?
3 solutions
#1
2
Session space is not mapped in the system address space (which drivers share if not attached to any process). That's why you get a BSOD while accessing win32k.
You need to be attached to an EPROCESS via KeStackAttachProcess to perform this operation. You can get the session id with the ZwQueryInformationProcess(ProcessSessionInformation) function.
#2
1
Kernel memory space is shared among all of the kernel objects (just like real/unprotected mode in DOS and early Windows versions). A kernel driver can access any address within the kernel space, whether it belongs to it or not.
#3
0
You must find and attach to the csrss process! win32k.sys is not loaded in the system address space of all processes, only for csrss.
You should do a stack attach to the csrss process.