mdl 读写

结构体：

typedef struct  L_Process

{

    ULONG pid; //进程ID

    ULONG64 Address; //内存地址

    ULONG64 buf; //缓冲区指针

    ULONG Size; //内存大小

}L_Process, * PL_Process;

读：

L_ProcesspInputData = (L_Process)InputData;//拿到输入的数据

Status = PsLookupProcessByProcessId((HANDLE)pInputData->pid, &process);通过进程id获得epprocess进程结构

if (NT_SUCCESS(Status) && MmIsAddressValid((PVOID)pInputData->buf) && process != NULL)

{

PMDL mdl = IoAllocateMdl((PVOID)pInputData->buf, pInputData->Size, 0, 0, NULL);//创建MDL，首地址为buf，长度为size

if (!mdl) break;

MmBuildMdlForNonPagedPool(mdl);//创建非分页

unsigned char* Map = (unsigned char*)MmMapLockedPages(mdl, KernelMode);//锁定此页

if (!Map)

{

IoFreeMdl(mdl);//释放mdl

break;

}

TargetAddress = (PVOID)pInputData->Address;//目标地址

TargetSize = pInputData->Size;//长度

if (PsGetCurrentProcess() != process)

{

KeStackAttachProcess(process, &apc);//附加进程成功

attach = TRUE;

}

__try {

if (MmIsAddressValid(TargetAddress))//判断目标地址是否有效

{

RtlCopyMemory(Map, TargetAddress, TargetSize);//目标地址复制到map

KeLowerIrql(KeRaiseIrqlToDpcLevel());

}

}

__except (1) {

DbgPrint("无法访问地址.\n");

}

if (attach) KeUnstackDetachProcess(&apc);

MmUnmapLockedPages((PVOID)Map, mdl);

IoFreeMdl(mdl);

}

break;