What is special about SEC_IMAGE in CreateFileMapping

Aditya_Shrivastava Member Posts: 647
I noticed that when I map a PE file by specifying SEC_IMAGE in CFM, the data mapped is different from the mapping done without the SEC_IMAGE flag. Any specific reasons why?

details:
===============
I wrote some code to parse on-disk PE files. I noticed a difference when I map the file specifying SEC_IMAGE in CFM and without SEC_IMAGE in CFM. The difference was in the data which is mapped. The following code works fine when SEC_IMAGE is specified and raises an exception when it is not. I checked the exception and found that the members of the descriptor pointer are all junk, and hence accessing them results in an exception.

PIMAGE_DOS_HEADER dosHeader = (PIMAGE_DOS_HEADER)mappedFileAddress; /* base address returned by MapViewOfFile */

PIMAGE_NT_HEADERS ntHeader = (PIMAGE_NT_HEADERS)((BYTE*)dosHeader + dosHeader->e_lfanew);

/* the import directory RVA is used directly as an offset from the view base */
IMAGE_IMPORT_DESCRIPTOR *descriptor = (IMAGE_IMPORT_DESCRIPTOR*)((BYTE*)dosHeader + ntHeader->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress);
======================

In fact, if I try reading the data through ReadFile, the data returned is identical to the data returned when SEC_IMAGE is not specified in the mapping. What is so special in SEC_COMMIT?

Thanks
Aditya

Comments

  • NTDEV-26 Member Posts: 316
    IIRC SEC_IMAGE is for mapping it as an executable image, just in the way it
    would be mapped by the loader itself for execution.

    That means each section of the PE image occupies an integral number of
    pages, and no two sections of the PE image share a common page.

    SEC_COMMIT -- as MSDN says, commits (and does not reserve) from memory or
    the pagefile.

    Regards
    Deepak

    On Thu, May 14, 2009 at 2:01 PM, wrote:

    > I noticed that when I map a PE file by specifying SEC_IMAGE in CFM the data
    > mapped is different with the mapping done without sec_image flag. Any
    > specific reasons, why?
  • Aditya_Shrivastava Member Posts: 647
    Thanks Deepak,

    >> IIRC SEC_IMAGE is for mapping it as an executable image just in a way it would be mapped by loader itself for execution.

    I was also thinking in this direction. Is there some alternative to achieve the same effect, I mean retrieving the data as the loader loads it, without using CFM? I am looking for an alternative because of some specific malware.

    SEC_COMMIT - Please ignore this, I never meant to write SEC_COMMIT; I was just re-writing the question on SEC_IMAGE. This probably happens as nowadays my mind is floating in too many directions at the same time, :-(

    Aditya
  • NTDEV-26 Member Posts: 316
    > I was also thinking in this direction, is there some alternative to achieve
    > same effect, i mean retrieving data as loader loads without using CFM. I am
    > looking for an alternative because of some specific malwares.
    >
    Yes, there is an alternative.
    Read the whole file using ReadFile.
    Now write a PE parser.
    You will have to write code which reads the section headers, which
    follow just after the OPTIONAL_HEADER (if I am correct).
    Using the information from the section headers, the local system page size, the Section
    Alignment (from OPTIONAL_HEADER) and the File Alignment (from OPTIONAL_HEADER)
    you can determine how many pages each section is going to occupy.
    You can also determine each section's RVA (relative virtual address) with
    the help of these values.

    Well, I assume you already had a look at an age-old article (but still an
    informative one) from Matt Pietrek:
    http://msdn.microsoft.com/en-us/magazine/ms809762.aspx

    Regards
    Deepak
  • Maxim_S._Shatskih Member Posts: 10,396
    >I noticed that when I map a PE file by specifying SEC_IMAGE in CFM the data mapped is different

    SEC_IMAGE:

    - reads the PE header and validates it; it will fail if the PE header is not valid
    - extracts the section table from the PE header
    - maps the binary according to the section table.

    --
    Maxim S. Shatskih
    Windows DDK MVP
    [email protected]
    http://www.storagecraft.com
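A worked example of the parser Deepak describes above and of the section-table mapping in Maxim's list, added here and not code from the thread: a resolver that turns an RVA into a file offset for a raw (ReadFile / non-SEC_IMAGE) copy of a PE file, plus the import-directory lookup the original question attempted. It reads the headers by raw byte offset instead of using windows.h so it builds on any platform; `build_sample_pe` constructs a fake minimal PE32 (an assumption, not a real binary) whose import table is at RVA 0x1010 but file offset 0x210.

```c
#include <stdint.h>
#include <string.h>

static uint32_t rd32(const uint8_t *p) { uint32_t v; memcpy(&v, p, 4); return v; }
static uint16_t rd16(const uint8_t *p) { uint16_t v; memcpy(&v, p, 2); return v; }
static void wr32(uint8_t *p, uint32_t v) { memcpy(p, &v, 4); }

/* File offset holding `rva` in a raw (ReadFile / non-SEC_IMAGE) PE image, or -1 if the headers are
 * malformed or the RVA has no bytes on disk. Headers map 1:1; the rest goes via the section table. */
long rva_to_file_offset(const uint8_t *f, size_t len, uint32_t rva) {
    if (len < 0x40 || rd16(f) != 0x5A4D) return -1;                     /* "MZ" */
    uint32_t pe = rd32(f + 0x3C);
    if ((size_t)pe + 24 > len || rd32(f + pe) != 0x00004550) return -1; /* "PE\0\0" */
    uint16_t nsec = rd16(f + pe + 6), optsz = rd16(f + pe + 20);
    uint32_t opt = pe + 24, sec = opt + optsz;
    if (optsz < 64 || (size_t)sec + (size_t)nsec * 40 > len) return -1;
    if (rva < rd32(f + opt + 60)) return (long)rva;                      /* SizeOfHeaders */
    for (uint16_t i = 0; i < nsec; i++) {
        const uint8_t *s = f + sec + i * 40;  /* each IMAGE_SECTION_HEADER is 40 bytes */
        uint32_t vsz = rd32(s + 8), va = rd32(s + 12), rawsz = rd32(s + 16), raw = rd32(s + 20);
        if (rva >= va && rva - va < (vsz > rawsz ? vsz : rawsz))
            /* past SizeOfRawData the loader zero-fills: nothing on disk to point at */
            return rva - va < rawsz ? (long)(raw + (rva - va)) : -1;
    }
    return -1;
}

/* First IMAGE_IMPORT_DESCRIPTOR's file offset: the thread's `descriptor`, done right for a non-SEC_IMAGE view. */
long import_directory_file_offset(const uint8_t *f, size_t len) {
    if (len < 0x40) return -1;
    uint32_t opt = rd32(f + 0x3C) + 24;
    if ((size_t)opt + 2 > len) return -1;
    uint32_t dd = opt + (rd16(f + opt) == 0x20B ? 112 : 96) + 8;  /* DataDirectory[1] = imports */
    uint32_t rva = (size_t)dd + 4 <= len ? rd32(f + dd) : 0;
    return rva ? rva_to_file_offset(f, len, rva) : -1;
}

/* Constructed sample, not a real binary: PE32, one section at VA 0x1000 / raw 0x200, imports at RVA 0x1010. */
#define SAMPLE_LEN 0x400
static uint8_t sample[SAMPLE_LEN];
const uint8_t *build_sample_pe(void) {
    uint8_t *f = sample, *pe = f + 0x80, *opt = pe + 24, *s = opt + 0xE0;
    memset(f, 0, SAMPLE_LEN); memcpy(f, "MZ", 2); wr32(f + 0x3C, 0x80);  /* e_lfanew = 0x80 */
    memcpy(pe, "PE\0\0", 4); pe[6] = 1; pe[20] = 0xE0;        /* NumberOfSections, SizeOfOptionalHeader */
    opt[0] = 0x0B; opt[1] = 0x01;                              /* Magic = 0x10B (PE32) */
    wr32(opt + 60, 0x200); wr32(opt + 96 + 8, 0x1010);         /* SizeOfHeaders, import directory RVA */
    wr32(s + 8, 0x300); wr32(s + 12, 0x1000); wr32(s + 16, 0x200); wr32(s + 20, 0x200);
    return f;
}
```

The zero-filled tail case (VirtualSize larger than SizeOfRawData) is the one place where a SEC_IMAGE view has bytes that a raw view cannot supply, which is why the resolver reports it as unmapped rather than returning a file offset.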