通过进程附加方式读写进程内存
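/*
 * Reading process memory by attaching to the target process.
 *
 * By calling KeStackAttachProcess we attach the current thread to the target
 * process, which lets kernel code access the target's user-mode memory
 * directly.
 */
#include <ntifs.h>
#include <windef.h>

// Pool tags for the two allocations in this file. ExFreePool2 must be given
// the same tag the buffer was allocated with, so keep them in named constants
// instead of repeating the literals.
#define READ_SCRATCH_TAG 'MyDr'
#define READ_RESULT_TAG  'DrMy'

struct ReadMemoryStruct {
    DWORD  pid;      // target process id
    UINT64 address;  // user-mode virtual address in the target to read from
    DWORD  size;     // number of bytes to read
    BYTE  *data;     // caller-owned buffer of at least `size` bytes
};

/**
 * Copy `data->size` bytes from `data->address` in process `data->pid` into
 * `data->data`.
 *
 * @return TRUE only when the whole range was copied. FALSE when `data` is
 *         incomplete, the process cannot be looked up, the scratch buffer
 *         cannot be allocated, or the target range is not readable user
 *         memory (ProbeForRead / RtlCopyMemory raised). `data->data` is left
 *         untouched on failure, so callers must not print it without
 *         checking the return value.
 *
 * Must run at PASSIVE_LEVEL (KeStackAttachProcess, paged pool).
 * NOTE(review): `data` is trusted here because DriverEntry fills it in. If
 * this routine is ever reachable from a user-mode IOCTL, the request buffer
 * and `data->data` need their own probing/validation and the caller needs an
 * access check before arbitrary process memory is handed back.
 */
BOOL MDLReadMemory(ReadMemoryStruct *data)
{
    if (data == nullptr || data->data == nullptr || data->size == 0) {
        return FALSE;
    }

    PEPROCESS pEp = nullptr;
    // ULONG_PTR cast first so the 32-bit pid is widened before becoming a HANDLE.
    NTSTATUS status = PsLookupProcessByProcessId((HANDLE)(ULONG_PTR)data->pid, &pEp);
    if (!NT_SUCCESS(status) || pEp == nullptr) {
        return FALSE;
    }

    // Stage the bytes in a kernel scratch buffer while attached and copy them
    // to the caller's buffer only after detaching. A pool buffer is reachable
    // from any process context, but a caller-supplied user-mode buffer would
    // not be while attached to the target, so the staging keeps the routine
    // correct for either kind of destination.
    BYTE *scratch = (PBYTE)ExAllocatePool2(POOL_FLAG_PAGED, data->size, READ_SCRATCH_TAG);
    if (scratch == nullptr) {
        ObDereferenceObject(pEp);
        return FALSE;
    }

    BOOL copied = FALSE;
    KAPC_STATE apcState = {0};
    KeStackAttachProcess(pEp, &apcState);
    __try {
        // ProbeForRead raises if the range is not entirely within user
        // address space; the copy itself can still fault on an unmapped
        // page, and SEH turns either into a clean failure instead of a bugcheck.
        ProbeForRead((PVOID)data->address, data->size, 1);
        RtlCopyMemory(scratch, (PVOID)data->address, data->size);
        copied = TRUE;
    } __except (EXCEPTION_EXECUTE_HANDLER) {
        copied = FALSE;
    }
    KeUnstackDetachProcess(&apcState);

    if (copied) {
        RtlCopyMemory(data->data, scratch, data->size);
    }

    ExFreePool2(scratch, READ_SCRATCH_TAG, nullptr, 0);
    ObDereferenceObject(pEp);
    // Previously this returned TRUE unconditionally, so a failed read looked
    // like a success and the caller printed whatever was in its buffer.
    return copied;
}

/** Unload callback: nothing was registered beyond the unload routine itself. */
VOID DriverUnload(PDRIVER_OBJECT pDriverObj)
{
    UNREFERENCED_PARAMETER(pDriverObj);
    DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_INFO_LEVEL, "Uninstall Driver Successfully!\n");
}

/**
 * Driver entry point. Registers the unload routine, performs one demo read
 * with hard-coded parameters and dumps the result as DWORDs.
 *
 * @return STATUS_UNSUCCESSFUL if the result buffer cannot be allocated,
 *         otherwise STATUS_SUCCESS (a failed demo read is only logged).
 */
EXTERN_C NTSTATUS DriverEntry(PDRIVER_OBJECT pDriverObj, PUNICODE_STRING pRegPath)
{
    UNREFERENCED_PARAMETER(pRegPath);
    DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_INFO_LEVEL, "Installing Driver...\n");
    pDriverObj->DriverUnload = DriverUnload;

    // Demo parameters from the author's test run; the pid and address will
    // not be valid on another machine, which is exactly the case the
    // return-value check below handles.
    ReadMemoryStruct data;
    data.pid = 7840;
    data.address = 0x402c00;
    data.size = 20;
    data.data = (PBYTE)ExAllocatePool2(POOL_FLAG_PAGED, data.size, READ_RESULT_TAG);
    if (data.data == nullptr) {
        return STATUS_UNSUCCESSFUL;
    }

    if (MDLReadMemory(&data)) {
        // Integer division: any trailing bytes that do not fill a DWORD are not printed.
        for (size_t i = 0; i < data.size / sizeof(DWORD); i++) {
            DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_INFO_LEVEL, "%x\n",
                       (unsigned)((PDWORD)data.data)[i]);
        }
    } else {
        DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_INFO_LEVEL, "MDLReadMemory failed\n");
    }

    ExFreePool2((PVOID)data.data, READ_RESULT_TAG, nullptr, 0);
    return STATUS_SUCCESS;
}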