I have this kernel driver used to read a string from process memory:

```c
// Attach to the target process so its user-mode addresses are valid here
KeAttachProcess(GlobalProcessPE);
// The input buffer holds the 32-bit address to read; pBuf serves as both
// input and output buffer, so the address must be read before it is zeroed
char* source = *(ULONG*)pBuf;
RtlZeroMemory(pBuf, pIoStackLocation->Parameters.DeviceIoControl.OutputBufferLength);
// Copy 256 bytes from the target address into the output buffer
RtlCopyMemory(pBuf, source, 256);
KeDetachProcess();
```
And here is the communication process in C++:

```cpp
DWORD ReadBuffer2[180] = { 0 };
// msg holds the address to read; ReadBuffer2 receives the copied bytes
DeviceIoControl(hDevice, IOCTL_READPROCMEM_S, &msg, sizeof(msg), ReadBuffer2, sizeof(ReadBuffer2), &dwBytesRead, NULL);
printf("Message: %s\n", (char*)ReadBuffer2);
printf("Bytes read: %lu\n", dwBytesRead);
```
Upon running it and searching for the string, it actually captures the first four letters of it, and displays the following:

```
Message: ABCD
Bytes read: 4
```
I have checked the string using an alternative method, and it is supposed to display ABCDEFGHIJKL...
The question is: why is it only reading (or probably writing) the first four bytes?
I have managed to read the string by reading 4 characters at a time, at each address + 4.
Here's the communication code (I also added a `__try {} __except () {}` in the driver so it doesn't BSOD):
```cpp
std::string str = "";
bool scanning = true;
for (int i = 0; i < 35; i++) {
    if (!scanning) break;
    // Each call returns 4 bytes, so step the address by 4 every iteration
    msg = 0x095A2A28 + i * 0x4;
    DWORD ReadBuffer2[50] = {0};
    DeviceIoControl(hDevice, IOCTL_READPROCMEM_S, &msg, sizeof(msg), ReadBuffer2, sizeof(ReadBuffer2), &dwBytesRead, NULL);
    // Take exactly the 4 returned bytes; sprintf("%s") into a 4-byte array
    // would overflow it when all 4 bytes are non-NUL
    char dtostr[4];
    memcpy(dtostr, ReadBuffer2, sizeof(dtostr));
    for (int l = 0; l < 4; l++) {
        if (dtostr[l] == '\0') {
            // End of the string reached
            scanning = false;
            break;
        }
        str += dtostr[l];
    }
}
std::cout << "~Message: " << str << std::endl;
```
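The chunked-read workaround above reassembles the string 4 bytes per IOCTL call and stops at the first NUL. The following is an added, portable C example (not code from the question or the driver) that shows that reassembly done with explicit bounds so the destination can never overflow, and that handles a NUL falling in the middle of a chunk and a read that returns fewer bytes than requested. The target memory and the `ioctl_read4` function are constructed stand-ins for the real process and the `DeviceIoControl` round trip; the base address 0x095A2A28 is the one used in the question.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the target process's memory, placed at the
   address the question reads from. Not real process memory. */
#define FAKE_BASE 0x095A2A28u
static const char fake_target_mem[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZ";

/* Hypothetical stand-in for the IOCTL round trip: delivers at most 4 bytes
   from addr, mirroring the 4-bytes-per-call behaviour seen in the question.
   Returns the number of bytes delivered (0 when addr is outside the region). */
static size_t ioctl_read4(uint32_t addr, char *out, size_t out_len) {
    if (addr < FAKE_BASE || addr >= FAKE_BASE + sizeof fake_target_mem)
        return 0;
    size_t avail = FAKE_BASE + sizeof fake_target_mem - addr;
    size_t n = avail < 4 ? avail : 4;
    if (n > out_len)
        n = out_len;
    memcpy(out, fake_target_mem + (addr - FAKE_BASE), n);
    return n;
}

/* Reassemble a NUL-terminated string from fixed-size chunks read at
   addr, addr+4, addr+8, ... Stops at the first NUL, at max_chunks, when a
   read returns nothing, or when dst is full. dst is always NUL-terminated.
   Returns the number of characters stored (excluding the terminator). */
size_t read_string_chunked(uint32_t addr, char *dst, size_t dst_len,
                           size_t max_chunks) {
    size_t total = 0;
    if (dst_len == 0)
        return 0;
    for (size_t i = 0; i < max_chunks && total + 1 < dst_len; i++) {
        char chunk[4];
        size_t got = ioctl_read4(addr + (uint32_t)(i * sizeof chunk),
                                 chunk, sizeof chunk);
        if (got == 0)
            break;  /* address no longer readable: stop rather than loop */
        for (size_t k = 0; k < got; k++) {
            if (chunk[k] == '\0') {
                dst[total] = '\0';
                return total;  /* terminator found mid-chunk */
            }
            if (total + 1 >= dst_len)
                break;  /* keep one byte for the terminator */
            dst[total++] = chunk[k];
        }
    }
    dst[total] = '\0';
    return total;
}

/* Small driver so the functions above can be checked by name. */
static char demo_buf[64];

size_t demo_full_read(void) {
    return read_string_chunked(FAKE_BASE, demo_buf, sizeof demo_buf, 35);
}

size_t demo_tail_read(void) {
    /* Starts 24 bytes in: the last chunk holds "YZ\0", only 3 bytes */
    return read_string_chunked(FAKE_BASE + 24, demo_buf, sizeof demo_buf, 35);
}

size_t demo_small_dst(void) {
    /* Destination of 5 bytes: stops after 4 characters, still terminated */
    return read_string_chunked(FAKE_BASE, demo_buf, 5, 35);
}

int main(void) {
    size_t n = demo_full_read();
    printf("~Message: %s (%zu chars)\n", demo_buf, n);
    return 0;
}
```

Replacing `ioctl_read4` with a wrapper around `DeviceIoControl` that copies the first 4 bytes of the returned buffer gives the same loop against the real driver; the bounds checks stay in place regardless of how many bytes a call actually delivers.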