How do I read and write another process's kernel-mode memory? For example, the DWORD at linear address E0000000H.

How do I read and write another process's kernel-mode memory? For example, the DWORD at linear address E0000000H. Source code plus a driver would be best!

It seems the contents of a hard address can't be read directly... not sure whether it can be done through the DDK... MK.

The DDK can do it.
No driver needed either; it can all be done. But this is commercial code, there is nothing free, and it won't be handed over even for points. I can only offer the approach:
Method 1) Set up a call gate and far-call into Ring 0; then you can access the linear address directly.
Method 2) Alternatively, translate the linear address to a physical address and read the physical address; the effect is the same.
// Declarations assumed for the fragment below; the post did not include them:
// MemoryAddress holds the VA to translate and receives the PA, NTOSBaseAddr is the
// kernel base of ntoskrnl.exe, and ExecRing0Proc is the poster's call-gate helper
// that runs a routine in Ring 0 (not shown in the thread).
var
  MemoryAddress: record
    VirtualAddress: Pointer;
    PhysicalAddress: LARGE_INTEGER;
  end;
  _MmGetPhysicalAddress: Cardinal;  // kernel-mode address of MmGetPhysicalAddress
  NTOSBaseAddr: Cardinal;           // kernel base address of ntoskrnl.exe

// Runs in Ring 0 after the far call through the call gate, hence the far return.
procedure Ring0Func; stdcall;
begin
  asm
    pushad
    pushf
    cli
    mov esi, MemoryAddress.VirtualAddress
    push esi
    call _MmGetPhysicalAddress       // indirect call through the variable
    mov MemoryAddress.PhysicalAddress.LowPart, eax   // save low part of LARGE_INTEGER
    mov MemoryAddress.PhysicalAddress.HighPart, edx  // save high part of LARGE_INTEGER
    popf
    popad
    retf
  end;
end;

// The export's RVA, taken from a user-mode mapping of ntoskrnl.exe, is added to the
// real kernel base to get the kernel-mode address of MmGetPhysicalAddress.
procedure MmGetPhysicalAddress;
var
  hNTDll: THandle;
begin
  _MmGetPhysicalAddress := 0;
  hNTDll := LoadLibrary('ntoskrnl.exe');
  if hNTDll <> 0 then
  begin
    _MmGetPhysicalAddress := NTOSBaseAddr +
      Cardinal(GetProcAddress(hNTDll, 'MmGetPhysicalAddress')) - hNTDll;
    FreeLibrary(hNTDll);
    // ShowMessage(Format('Virtual address of MmGetPhysicalAddress in Kernel Mode : %s',
    //   [IntToHex(_MmGetPhysicalAddress, 8)]));
  end;
  if _MmGetPhysicalAddress > 0 then
    ExecRing0Proc(@Ring0Func, 32);
end;

VA to PA can also be obtained through kernel objects using ZwQuerySystemInformation, and that needs no Ring 0 privilege and no driver.
For example:
<<< Linear Address to Physical Address Translation >>>
Total System Handle = 8849
Current Process ID = $00000EBC
Open Current PID Handle = $000000AC
Object EProcess virtual address = $81D88AA0
> PDE/PDBR/CR3 virtual address = EProcess + $18
PDE/PDBR/CR3 virtual address = $81D88AB8
PDE/PDBR/CR3 = $075D7000
> PTE entry in PDE = PDE + (VirtualAddress shr 22) * 4
PTE entry in PDE = $075D7F70
PTE base address = $02A6F000
> PTE = PTE + ((VirtualAddress shr 12) and $3FF) * 4
PTE = $02BF1000
> PhysicalAddress = PTE + VirtualAddress and $FFF
Virtual address = $F73F9000 Physical address = $02BF1000

For the underlying principle, see the relevant sections of the Intel x86 CPU developer's manual :) You can close the thread; I doubt anyone would be able to answer further questions.
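The two-level walk that the trace above performs, as an added example in C that is not code from this thread: it builds a constructed page directory and page table holding exactly the trace's mapping ($075D7000 -> $02A6F000 -> $02BF1000) in a small simulated physical memory and walks them with the same formulas, also covering the not-present and 4 MiB (PSE) cases the trace does not show. The names translate, setup_tables, phys_read32 and frames are my own.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>
#define PAGE 4096u
/* constructed page directory / page table contents reproducing the trace above */
#define CR3_PA   0x075D7000u
#define PT_PA    0x02A6F000u
#define FRAME_PA 0x02BF1000u
#define VA_TRACE 0xF73F9000u
enum { BIT_P = 1u << 0, BIT_RW = 1u << 1, BIT_PS = 1u << 7 };
/* two 4 KiB frames of simulated "physical memory": the directory and the page table */
static struct { uint32_t pa; uint8_t data[PAGE]; } frames[2];
static int phys_read32(uint32_t pa, uint32_t *out) {
    for (int i = 0; i < 2; i++)
        if ((pa & ~(PAGE - 1)) == frames[i].pa) {
            memcpy(out, &frames[i].data[pa & (PAGE - 1)], 4);
            return 1;
        }
    return 0;                      /* frame not present in the simulation */
}
void setup_tables(void) {
    memset(frames, 0, sizeof frames);
    frames[0].pa = CR3_PA;  frames[1].pa = PT_PA;
    uint32_t pde = PT_PA | BIT_P | BIT_RW, pte = FRAME_PA | BIT_P | BIT_RW;
    memcpy(&frames[0].data[(VA_TRACE >> 22) * 4], &pde, 4);           /* the only PDE */
    memcpy(&frames[1].data[((VA_TRACE >> 12) & 0x3FFu) * 4], &pte, 4); /* the only PTE */
}
/* 32-bit non-PAE walk; returns the physical address, or -1 if any level is not present */
int64_t translate(uint32_t cr3, uint32_t va) {
    uint32_t pde, pte;
    /* PDE address = CR3 + (VA shr 22) * 4, as in the trace */
    if (!phys_read32((cr3 & 0xFFFFF000u) + (va >> 22) * 4, &pde) || !(pde & BIT_P))
        return -1;
    if (pde & BIT_PS)              /* 4 MiB page (PSE): no second level */
        return (int64_t)((pde & 0xFFC00000u) | (va & 0x003FFFFFu));
    /* PTE address = page-table base + ((VA shr 12) and $3FF) * 4 */
    if (!phys_read32((pde & 0xFFFFF000u) + ((va >> 12) & 0x3FFu) * 4, &pte) || !(pte & BIT_P))
        return -1;
    /* PA = frame + (VA and $FFF) */
    return (int64_t)((pte & 0xFFFFF000u) | (va & 0xFFFu));
}
int main(void) {
    setup_tables();
    int64_t pa = translate(CR3_PA, VA_TRACE);
    printf("VA %08X -> PA %08llX\n", VA_TRACE, (unsigned long long)pa);
    return 0;
}
```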
There is another route as well: use a third-party SYS driver that is already written and write the calling code; that works too.

Searched on Google: 'ntoskrnl.exe' is the NT kernel.
It contains many functions that can only be used from Ring 0. MmGetPhysicalAddress can do VA to PA, but it needs Ring 0 privilege. Why VA to PA? Because then you can access physical memory freely.
Of course this takes some technique; there are plenty of answers online for "how to access physical memory" :)