HyperDbg Debugger
Loading...
Searching...
No Matches
Functions
MemoryManager.c File Reference

Reading/Writing memory and all memory affairs. More...

#include "pch.h"

Functions

BOOLEAN MemoryManagerReadProcessMemoryNormal (HANDLE PID, PVOID Address, DEBUGGER_READ_MEMORY_TYPE MemType, PVOID UserBuffer, SIZE_T Size, PSIZE_T ReturnSize)
 Read process memory.
 

Detailed Description

Reading/Writing memory and all memory affairs.

Author
Sina Karvandi (sina@.nosp@m.hype.nosp@m.rdbg..nosp@m.org)
Version
0.1
Date
2020-04-24
Copyright
This project is released under the GNU Public License v3.

Function Documentation

◆ MemoryManagerReadProcessMemoryNormal()

BOOLEAN MemoryManagerReadProcessMemoryNormal ( HANDLE PID,
PVOID Address,
DEBUGGER_READ_MEMORY_TYPE MemType,
PVOID UserBuffer,
SIZE_T Size,
PSIZE_T ReturnSize )

Read process memory.

This function should not be called from vmx-root mode

Parameters
PIDTarget Process Id
AddressTarget Address
MemTypeType of memory
UserBufferBuffer to save to the user. This buffer must be in nonpageable memory.
SizeSize of read
ReturnSizeReturn Size
Returns
BOOLEAN
35{
36 PEPROCESS SourceProcess;
37 MM_COPY_ADDRESS CopyAddress = {0};
38 KAPC_STATE State = {0};
39 PHYSICAL_ADDRESS TempPhysicalAddress = {0};
40
41 //
42 // Check if we want another process memory, this way we attach to that process
43 // the find the physical address of the memory and read it from here using physical
44 // address
45
46 //
47 // The second thing that we consider here is reading a physical address doesn't
48 // need to attach to another process
49 //
50 if (PsGetCurrentProcessId() != PID && MemType == DEBUGGER_READ_VIRTUAL_ADDRESS)
51 {
52 //
53 // User needs another process memory
54 //
55
56 if (PsLookupProcessByProcessId(PID, &SourceProcess) != STATUS_SUCCESS)
57 {
58 //
59 // if the process not found
60 //
61 return FALSE;
62 }
63 __try
64 {
65 KeStackAttachProcess(SourceProcess, &State);
66
67 //
68 // We're in context of another process let's read the memory
69 //
70 TempPhysicalAddress = MmGetPhysicalAddress(Address);
71
72 KeUnstackDetachProcess(&State);
73
74 //
75 // Now we have to read the physical address
76 //
77 CopyAddress.PhysicalAddress.QuadPart = TempPhysicalAddress.QuadPart;
78 MmCopyMemory(UserBuffer, CopyAddress, Size, MM_COPY_MEMORY_PHYSICAL, ReturnSize);
79
80 ObDereferenceObject(SourceProcess);
81
82 return TRUE;
83 }
84 __except (EXCEPTION_EXECUTE_HANDLER)
85 {
86 KeUnstackDetachProcess(&State);
87
88 ObDereferenceObject(SourceProcess);
89
90 return FALSE;
91 }
92 }
93 else
94 {
95 //
96 // Process needs itself memory
97 //
98 __try
99 {
100 if (MemType == DEBUGGER_READ_VIRTUAL_ADDRESS)
101 {
102 CopyAddress.VirtualAddress = Address;
103 MmCopyMemory(UserBuffer, CopyAddress, Size, MM_COPY_MEMORY_VIRTUAL, ReturnSize);
104 }
105 else if (MemType == DEBUGGER_READ_PHYSICAL_ADDRESS)
106 {
107 //
108 // Check whether the physical memory is valid or not
109 //
110 if (!CheckAddressPhysical((UINT64)Address))
111 {
112 return FALSE;
113 }
114
115 CopyAddress.PhysicalAddress.QuadPart = (LONGLONG)Address;
116 MmCopyMemory(UserBuffer, CopyAddress, Size, MM_COPY_MEMORY_PHYSICAL, ReturnSize);
117 }
118 else
119 {
120 //
121 // Type is not recognized
122 //
123 return FALSE;
124 }
125
126 //
127 // MmCopyVirtualMemory(SourceProcess, Address, TargetProcess, UserBuffer, Size, KernelMode, ReturnSize);
128 // memcpy(UserBuffer, Address, Size);
129 //
130
131 return TRUE;
132 }
133 __except (EXCEPTION_EXECUTE_HANDLER)
134 {
135 return FALSE;
136 }
137 }
138}
CheckAddressPhysical
BOOLEAN CheckAddressPhysical(UINT64 PAddr)
Checks if the physical address is correct or not based on physical address width.
Definition AddressCheck.c:120
TRUE
#define TRUE
Definition BasicTypes.h:55
FALSE
#define FALSE
Definition BasicTypes.h:54
UINT64
unsigned __int64 UINT64
Definition BasicTypes.h:21
Address
UINT64 Address
Definition HyperDbgScriptImports.h:67
DEBUGGER_READ_PHYSICAL_ADDRESS
@ DEBUGGER_READ_PHYSICAL_ADDRESS
Definition RequestStructures.h:229
DEBUGGER_READ_VIRTUAL_ADDRESS
@ DEBUGGER_READ_VIRTUAL_ADDRESS
Definition RequestStructures.h:230