Hello everybody.
I’m actually trying to set up a mapped section from kernel mode that any app can use. (I know it’s not really secure and all, but I’m doing it to test the limits of Windows Internals.)
So I ran into a problem. My section is created correctly and I’m setting a value to the view of this section successfully. But when I try to map a view of this section in usermode, it will recover some garbage value, as if it was dereferencing a pointer.
Here are some snippets:
Kernel mode →
```cpp
namespace shared
{
    class KeSharedManager
    {
    private:
        HANDLE handle_ke_shared_section_;
        SECURITY_DESCRIPTOR sec_desc_ke_shared_section_;
        UNICODE_STRING ustring_section_name_;
        LARGE_INTEGER large_int_section_view_size_;
        void* p_section_view_;

        void SetupSecurityDescriptor();
        void SetupKernelSharedSection();
        void RefreshSectionView();

    public:
        KeSharedManager(const wchar_t* section_name)
        {
            /* Create a security descriptor that allows us to access the section from usermode */
            SetupSecurityDescriptor();

            /* Initialize the attributes that are going to be useful in SetupKernelSharedSection() */
            RtlInitUnicodeString(&this->ustring_section_name_, section_name);
            this->large_int_section_view_size_.HighPart = 0;
            this->large_int_section_view_size_.LowPart = 1024 * 10;

            /* Create the kernel shared section with the rights to access it from usermode */
            /* By rights I mean that we attach a security descriptor to the shared section */
            SetupKernelSharedSection();

            /* If a section is already mapped, unmap it. Then use ZwMapViewOfSection */
            RefreshSectionView();

            /* Write a debug value to the view of the mapped section */
            this->p_section_view_ = (void*)7777;
            DbgPrintEx(0, 0, "Section view value -> %d\n", (int)this->p_section_view_);
        }
    };
}
```
So this will successfully print that the section has been created and that the value is successfully assigned. I have to mention that I don’t have any destructor in this class.
The call:
```cpp
NTSTATUS DriverEntry(PDRIVER_OBJECT p_driver_object,
                     PUNICODE_STRING p_registry_path)
{
    UNREFERENCED_PARAMETER(p_registry_path);
    p_driver_object->DriverUnload = DriverUnload;
    shared::KeSharedManager ke_shared_manager = shared::KeSharedManager(L"\\BaseNamedObjects\\Cerberus");
    return STATUS_SUCCESS;
}
```
How I recover and print my value from usermode:
```cpp
#include <windows.h>
#include <iostream>

int main()
{
    HANDLE handle_ke_section_read_ = OpenFileMappingA(FILE_MAP_READ,
                                                      false,
                                                      "Global\\Cerberus");
    HANDLE handle_ke_section_write_ = OpenFileMappingA(FILE_MAP_WRITE,
                                                       false,
                                                       "Global\\Cerberus");
    void* test = MapViewOfFile(handle_ke_section_read_, SECTION_MAP_READ, 0, 0, sizeof(int));
    std::cout << "buffer -> " << (int)test << std::endl;
    std::cin.get();
}
```
One of my guesses is that the problem comes from the fact that I print a mapped view in my usermode that may not be valid or may have expired.
I’m really lost here.
Thanks in advance for any help.
Ayuro.
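
Added example, not part of the original post and not the poster's code: it contrasts assigning a value to the view pointer (the pattern in the snippets above) with storing the value through the view. POSIX `mmap()` on a temporary file stands in for the Windows section object, and `map_view` and `demo` are hypothetical names.

```c
#define _POSIX_C_SOURCE 200809L   /* for fileno() and ftruncate() */
#include <stdio.h>
#include <sys/mman.h>
#include <unistd.h>
#define SECTION_SIZE (1024 * 10)  /* same view size as in the post */

/* Map one more view of the backing object; returns NULL on failure. */
static void *map_view(int fd, int prot)
{
    void *view = mmap(NULL, SECTION_SIZE, prot, MAP_SHARED, fd, 0);
    return view == MAP_FAILED ? NULL : view;
}

/* Returns 0 on success. *after_ptr_overwrite is what the reader sees when the
   writer only overwrites its own pointer variable (as in the post);
   *through_view is what it sees after the writer stores through its view. */
int demo(int *through_view, int *after_ptr_overwrite, int *views_differ)
{
    FILE *backing = tmpfile();    /* assumption: stand-in for the section */
    if (!backing || ftruncate(fileno(backing), SECTION_SIZE) != 0)
        return -1;
    void *writer = map_view(fileno(backing), PROT_READ | PROT_WRITE);
    void *reader = map_view(fileno(backing), PROT_READ);
    if (!writer || !reader)
        return -1;
    *views_differ = (writer != reader);  /* a view address is per mapping */

    /* Pattern from the post: only the local pointer changes; the shared
       pages are never written, so the reader still sees zero-filled memory. */
    void *p_section_view = writer;
    p_section_view = (void *)(size_t)7777;
    (void)p_section_view;
    *after_ptr_overwrite = *(volatile int *)reader;

    /* Store through the view: the value lands in the shared pages. */
    *(volatile int *)writer = 7777;
    *through_view = *(volatile int *)reader;

    munmap(writer, SECTION_SIZE);
    munmap(reader, SECTION_SIZE);
    fclose(backing);
    return 0;
}

int main(void)
{
    int a, b, d;
    if (demo(&a, &b, &d) != 0) return 1;
    printf("through view: %d, after pointer overwrite: %d\n", a, b);
    return 0;
}
```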