win64 Windows 8 1 基于 x64 的系统的更新 KB2919355 from

方案3（R0）

在驱动里，直接附加到宿主进程内存，然后进行内存修改，强杀进程的时候也经常用这个姿势

进去，然后进程虚拟地址空间擦除直接干进程。

(,,,){=()ExAllocatePool(NonPagedPool,sizeof(PKAPC_STATE));KeStackAttachProcess(Process,pKs);//Attach进程虚拟空间if(MmIsAddressValid(Address)){RtlCopyMemory(Address,Buffer,Length);DbgPrint("[x64Drv]Datewrote.");}KeUnstackDetachProcess(pKs);}

方案4（R0）：加强版方案3（也叫CR3大法，因为是操作了CR3）

可以理解成是反汇编了方案3的代码后，直接自己实现了方案3。不过这个设计到不同系统的结构不同问题，用的时候注意确定每个系统的相关数据结构偏移：

以下代码是Win764

#defineDIRECTORY_TABLE_BASE0x028UINT32idTarget=0;PEPROCESSepTarget=NULL;UINT32idGame=0;PEPROCESSepGame=NULL;UINT32rw_len=0;UINT64base_addr=0;ULONG64Get64bitValue(PVOIDp){if(MmIsAddressValid(p)==FALSE)return0;return*(PULONG64)p;}ULONG32Get32bitValue(PVOIDp){if(MmIsAddressValid(p)==FALSE)return0;return*(PULONG32)p;}voidKReadProcessMemory(INPEPROCESSProcess,INPVOIDAddress,INUINT32Length,OUTPVOIDBuffer){ULONG64pDTB=0,OldCr3=0,vAddr=0;//GetDTBpDTB=Get64bitValue((UCHAR*)Process+DIRECTORY_TABLE_BASE);if(pDTB==0){DbgPrint("[x64Drv]CannotgetPDT");return;}//Recordoldcr3andsetnewcr3_disable();OldCr3=__readcr3();__writecr3(pDTB);_enable();//Readprocessmemoryif(MmIsAddressValid(Address)){RtlCopyMemory(Buffer,Address,Length);DbgPrint("[x64Drv]Dateread:%ld",*(PDWORD)Buffer);}//Restoreoldcr3_disable();__writecr3(OldCr3);_enable();}voidKWriteProcessMemory(INPEPROCESSProcess,INPVOIDAddress,INUINT32Length,INPVOIDBuffer){ULONG64pDTB=0,OldCr3=0,vAddr=0;//GetDTBpDTB=Get64bitValue((UCHAR*)Process+DIRECTORY_TABLE_BASE);if(pDTB==0){DbgPrint("[x64Drv]CannotgetPDT");return;}//Recordoldcr3andsetnewcr3_disable();OldCr3=__readcr3();__writecr3(pDTB);_enable();//Readprocessmemoryif(MmIsAddressValid(Address)){RtlCopyMemory(Address,Buffer,Length);DbgPrint("[x64Drv]Datewrote.");}//Restoreoldcr3_disable();__writecr3(OldCr3);_enable();}下面是方案4的执行结果。