Checking kernel memory !

Hello Everyone,

I'm checking kernel memory using the following:

#define KRNL_MEM_START 0x80000000

if ( ptrtoAFunction >= (casted to right ptr type) KRNL_MEM_START ) {
    // it is in the kernel mem space
} else {
    // whatever
}

What I get is:

f6e14d00 53 push ebx
f6e14d01 55 push ebp
f6e14d02 56 push esi
f6e14d03 57 push edi
f6e14d04 8b7c2414 mov edi,[esp+0x14]
f6e14d08 33f6 xor esi,esi
f6e14d0a 8b4708 mov eax,[edi+0x8]
f6e14d0d 85c0 test eax,eax <— This is a test for non zero

>>>>>

I was expecting cmp 0x80000000

Any help !!!

prokash

Your C compiler is doing a signed compare. You can cast your function to an
unsigned or just check the upper bit with a logical AND.

i.e.:

if ( (unsigned)ptrtoAFunction & KRNL_MEM_START ) {
    // it is in the kernel mem space
}

OR:

if ( (unsigned)ptrtoAFunction >= KRNL_MEM_START ) {
    // it is in the kernel mem space
}

-----Original Message-----
From: Prokash Sinha [mailto:xxxxx@zonelabs.com]
Sent: Monday, July 08, 2002 12:20 PM
To: File Systems Developers
Subject: [ntfsd] Checking kernel memory !
Importance: High

You are currently subscribed to ntfsd as: xxxxx@1vision.com
To unsubscribe send a blank email to %%email.unsub%%
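Added example, not code from anyone in this thread: it models the three comparisons the reply above contrasts. A uint32_t stands in for the 32-bit x86 pointer value so the result is the same on a 64-bit host, and the sample addresses are constructed (the last one is the driver address from the listing). The signed variant shows the failure mode: once both operands are signed, 0x80000000 is INT32_MIN and every address passes the test.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Kernel-space start for 32-bit x86 NT with the default 2GB/2GB split, as in
   the thread. The 'u' suffix makes it an unsigned constant. */
#define KRNL_MEM_START 0x80000000u

/* Failing variant: both operands are signed, so the constant becomes
   INT32_MIN and every 32-bit value satisfies ">=". */
bool in_kernel_signed(uint32_t addr)
{
    return (int32_t)addr >= (int32_t)KRNL_MEM_START;
}

/* Unsigned compare: the reply's second suggestion. */
bool in_kernel_unsigned(uint32_t addr)
{
    return addr >= KRNL_MEM_START;
}

/* Top-bit test: the reply's first suggestion. Equivalent to the unsigned
   compare only because KRNL_MEM_START is a single bit (the top one); a
   boundary such as 0xC0000000 cannot be tested this way. */
bool in_kernel_topbit(uint32_t addr)
{
    return (addr & KRNL_MEM_START) != 0;
}

int main(void)
{
    /* Constructed samples: a typical user-mode code address, the top of
       user space, the kernel boundary, and the address from the listing. */
    const uint32_t samples[] = { 0x00401000u, 0x7FFEFFFFu, 0x80000000u, 0xF6E14D00u };

    printf("%-10s %-7s %-9s %-7s\n", "address", "signed", "unsigned", "topbit");
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        uint32_t a = samples[i];
        printf("0x%08x %-7d %-9d %-7d\n", a,
               in_kernel_signed(a), in_kernel_unsigned(a), in_kernel_topbit(a));
    }
    return 0;
}
```

The table makes the bug visible at a glance: the signed column is 1 for every row, including 0x00401000, while the unsigned and top-bit columns agree and only flag the two addresses at or above 0x80000000.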

Do not know what the problem is, maybe more code and disassembly would help.
However, I would like to mention that kernel memory does not necessarily
start at 0x80000000. It may also start at 0xC0000000 if NT is started with
3GB application support.

You can detect which start address is used by calling PsGetCurrentProcess()
in your DriverEntry routine and doing a bitwise-and on the return pointer
with 0xC0000000. Calling PsGetCurrentProcess in your DriverEntry routine
returns the KPEB of the system process and this assumes it is loaded lower
than 0xC0000000 when kernel mem starts at 0x80000000 (I've always seen it
loaded very close to 0x80000000).

void* g_krnl_mem_start;

NTSTATUS NTAPI DriverEntry(…

/* cast the pointer to an integer type before masking it */
g_krnl_mem_start = (void*)((ULONG_PTR)PsGetCurrentProcess() & 0xC0000000);


Very risky, very dangerous. Better to just use the OS-defined mechanisms
for checking this. MM_HIGHEST_USER_ADDRESS to check user addresses. This
does the right thing on 4GT systems, IA64 systems, AMD64 systems AND normal
vanilla x86.

Regards,

Tony

Tony Mason
Consulting Partner
OSR Open Systems Resources, Inc.
http://www.osr.com

Hope to see you at the next OSR file systems class in San Jose, CA September
16, 2002!

-----Original Message-----
From: Jerry Willett [mailto:xxxxx@datum.com]
Sent: Monday, July 08, 2002 4:22 PM
To: File Systems Developers
Subject: [ntfsd] RE: Checking kernel memory !


> I'm checking a kernel memory using the following -
>
> #define KRNL_MEM_START 0X80000000

IIRC there was a more correct MmHighestUserAddress variable.
Anyway ProbeForxxx will do this for you - if you want to probe the
user memory.

Max
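Added example, not code from Tony, Max or anyone else in the thread: it shows why a hard-coded 0x80000000 breaks under 4GT and why a boundary supplied by the OS (MM_HIGHEST_USER_ADDRESS / MmHighestUserAddress, as the two replies above recommend) does not. The real boundary lives in the kernel, so the example models it as a hypothetical `va_layout_t` field; the two layouts and the probe address are constructed sample values for 32-bit x86, and the block runs in user mode on any host.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical model of a 32-bit x86 NT address-space layout. In a driver
   the kernel supplies the boundary at run time (MmHighestUserAddress, read
   through MM_HIGHEST_USER_ADDRESS); here it is a plain field. */
typedef struct {
    const char *name;
    uint32_t highest_user_address; /* last byte of user-mode address space */
} va_layout_t;

/* Constructed sample layouts: the default 2GB split and the 4GT (/3GB)
   split. Illustrative values, not read from a live system. */
static const va_layout_t LAYOUTS[] = {
    { "default 2GB user / 2GB kernel", 0x7FFEFFFFu },
    { "4GT 3GB user / 1GB kernel",     0xBFFEFFFFu },
};

/* The thread's hard-coded test, as an unsigned compare. */
bool is_kernel_hardcoded(uint32_t addr)
{
    return addr >= 0x80000000u;
}

/* Boundary-driven test, shaped like a comparison against
   MM_HIGHEST_USER_ADDRESS: at or below the boundary is user space. */
bool is_user_address(const va_layout_t *layout, uint32_t addr)
{
    return addr <= layout->highest_user_address;
}

/* Bytes the hard-coded test calls "kernel" that the layout says are user
   space: the range [0x80000000, highest_user_address] when the user
   boundary sits above 2GB, otherwise nothing. */
uint64_t misclassified_bytes(const va_layout_t *layout)
{
    if (layout->highest_user_address < 0x80000000u)
        return 0;
    return (uint64_t)layout->highest_user_address - 0x80000000u + 1;
}

int main(void)
{
    const uint32_t probe = 0x90000000u; /* constructed: user memory under 4GT */

    for (size_t i = 0; i < sizeof LAYOUTS / sizeof LAYOUTS[0]; i++) {
        const va_layout_t *l = &LAYOUTS[i];
        printf("%s\n", l->name);
        printf("  0x%08x: hard-coded says kernel=%d, boundary says user=%d\n",
               probe, is_kernel_hardcoded(probe), is_user_address(l, probe));
        printf("  user bytes the hard-coded test misclassifies: 0x%llx\n",
               (unsigned long long)misclassified_bytes(l));
    }
    return 0;
}
```

Under the 4GT layout the hard-coded test treats a quarter of the user address space as kernel memory, so a driver that relies on it to decide whether a caller-supplied pointer is trusted gets the answer wrong for every user buffer above 2GB. Comparing against the boundary the kernel exports avoids that, and for pointers that arrive from user mode the ProbeForRead/ProbeForWrite routines Max mentions perform the range check (and the alignment check) in one call.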