#pragma once
#include "stdafx.h"
// IOCTL codes for the dbutil driver's dispatch methods.
// Each code selects one of the four memory-access primitives declared on
// class Memory below. From a defensive standpoint, a user-mode
// DeviceIoControl request carrying one of these codes against the dbutil
// device is the host-side event that identifies this primitive in use.
#define IOCTL_VIRTUAL_READ 0x9B0C1EC4
#define IOCTL_VIRTUAL_WRITE 0x9B0C1EC8
#define IOCTL_PHYSICAL_READ 0x9B0C1F40
#define IOCTL_PHYSICAL_WRITE 0x9B0C1F44
// Size in bytes of the parameter header at the front of each IOCTL request
// buffer. Presumably the data payload follows the header — confirm against
// the request layout in the .cpp, which is not visible here.
#define VIRTUAL_PACKET_HEADER_SIZE 0x18
#define PHYSICAL_PACKET_HEADER_SIZE 0x10
// Width of one header parameter field; 8 bytes matches the DWORD64 address
// parameters taken by the primitives below — confirm in the .cpp.
#define PARAMETER_SIZE 0x8
// Filler value; where it is written is not visible in this header.
#define GARBAGE_VALUE 0xDEADBEEF
// User-mode wrapper around the dbutil driver's IOCTLs: kernel virtual and
// physical memory read/write, plus two lookups built on them. Nothing here
// runs in the kernel itself; the access comes entirely from the driver
// honouring these requests, so blocking the driver from loading removes the
// primitive. Method bodies live in the .cpp and are not visible here.
// NOTE(review): DriverHandle is a raw, publicly writable owning HANDLE and the
// class declares no destructor, copy/move control, or in-class initializer.
// A Memory going out of scope therefore leaks the handle, and a copied Memory
// shares it (double-close risk if either copy closes it). An RAII holder
// (std::unique_ptr with a CloseHandle deleter, or a destructor plus deleted
// copy operations) would fix both; the .cpp definitions must change with it.
class Memory {
public:
// Handle to the opened dbutil device; presumably opened by Memory() — confirm
// in the constructor definition.
HANDLE DriverHandle;
// Constructor; body not visible in this header.
Memory();
// Virtual Kernel Memory Read Primitive: copies bytesToRead bytes of kernel
// virtual memory starting at address into buffer.
// @param address      kernel virtual address to read from
// @param buffer       caller-owned destination of at least bytesToRead bytes
// @param bytesToRead  number of bytes to copy
// @return BOOL; presumably nonzero on success (Win32 convention) — confirm
BOOL VirtualRead(_In_ DWORD64 address, _Out_ void* buffer, _In_ size_t bytesToRead);
// Virtual Kernel Memory Write Primitive: copies bytesToWrite bytes from buffer
// to kernel virtual memory starting at address.
// @param address       kernel virtual address to write to
// @param buffer        source bytes; only read, so `const void*` would document
//                      that — declaration and definition must change together
// @param bytesToWrite  number of bytes to copy
// @return BOOL; presumably nonzero on success — confirm
BOOL VirtualWrite(_In_ DWORD64 address, _In_ void* buffer, _In_ size_t bytesToWrite);
// Physical Memory Read Primitive: same contract as VirtualRead, but address
// is a physical address.
BOOL PhysicalRead(_In_ DWORD64 address, _Out_ void* buffer, _In_ size_t bytesToRead);
// Physical Memory Write Primitive: same contract as VirtualWrite, but address
// is a physical address.
BOOL PhysicalWrite(_In_ DWORD64 address, _In_ void* buffer, _In_ size_t bytesToWrite);
// Gets kernel base address for modules.
// @param name  module name to look up; passed by value, so each call copies
//              the string — `const std::string&` is the conventional form
//              (definition must match)
// @return base address of the named module; the failure value is not visible
//         here — confirm before comparing against 0
DWORD64 GetKernelBase(_In_ std::string name);
// Gets pointer to a process's EPROCESS struct.
// @param ntoskrnlBase  base address of ntoskrnl, presumably obtained from
//                      GetKernelBase — confirm
// @param processName   name of the process to locate (by value; see above)
// @return address of the matching EPROCESS; failure value not visible here
DWORD64 GetEPROCESSPointer(_In_ DWORD64 ntoskrnlBase, _In_ std::string processName);
};