Equivalent of ProbeForRead for Kernelmode memory

Does anyone know if there is an equivalent for ProbeForRead for kernel mode buffers?

In my Create, I am trying to open a process as it's loading with ZwOpenProcess(). I then grab the ProcessBasicInformation block and check to see if the memory is accessible yet. (As it initially loads it is not, and I cannot use Ps* callbacks in this situation). What I tried to do was create a try/except block to check the memory, and if it's not available to fail out cleanly… i.e.:

__try
{
    if( pbi.PebBaseAddress != NULL && pbi.PebBaseAddress->ProcessParameters != NULL )
    {
        // DO NOTHING. We are just forcing a probe on memory
    }
}
__except( EXCEPTION_EXECUTE_HANDLER )
{
    // Just close the token and return… memory not yet available
    ZwClose( hProcess );
    return STATUS_SUCCESS;
}

The next line of code is another check, exactly as it was in the try/except:

if( pbi.PebBaseAddress != NULL && pbi.PebBaseAddress->ProcessParameters != NULL )

Anyways, on W2K touching “ProcessParameters” causes a “Memory access error”. What can I do to check to see if the memory can be read yet without accessing it? How can I probe to see if I am able to read that memory?


Regards,
Dana Epp
[Blog: http://silverstr.ufies.org/blog/]

No, since there is no need to validate the kmode pointers, they are
trusted.

Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com


Hey Maxim,

Thanks for the info. Although the memory may be trusted, my issue is that as a process is loading up, I am not yet able to read the ProcessParameters of the struct. (Memory Access Error). How can I probe it without triggering an access violation?


Regards,
Dana Epp
[Blog: http://silverstr.ufies.org/blog/]
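
A user-space model of the range and alignment check that ProbeForRead performs, added here as an example; it is not code from this thread or from the WDK. The 32-bit probe limit 0x7FFF0000, the `model_` names and the sample addresses are assumptions. It shows that the probe accepts any aligned address below the user/kernel boundary without touching it, so a passing probe says nothing about whether the page is mapped yet, and the actual read still needs exception handling.

```c
#include <stdint.h>
#include <stdio.h>

/* Model only: values mirror the NTSTATUS codes, names are hypothetical. */
#define MODEL_USER_PROBE_ADDRESS           0x7FFF0000u /* assumed x86 default */
#define MODEL_STATUS_SUCCESS               0x00000000u
#define MODEL_STATUS_DATATYPE_MISALIGNMENT 0x80000002u
#define MODEL_STATUS_ACCESS_VIOLATION      0xC0000005u

/* Constructed sample addresses for a 32-bit system. */
#define SAMPLE_PEB_ADDRESS    0x7FFDF000u /* user-range, PEB-like */
#define SAMPLE_KERNEL_ADDRESS 0x80001000u /* above the probe limit */

/*
 * Returns the status the real routine would raise as an exception.
 * Note what is absent: no memory is dereferenced, so an unmapped
 * user-range page passes exactly like a mapped one.
 */
uint32_t model_probe_for_read(uint32_t address, uint32_t length,
                              uint32_t alignment)
{
    uint32_t end;

    if (length == 0)                      /* zero-length buffers are not checked */
        return MODEL_STATUS_SUCCESS;
    if ((address & (alignment - 1)) != 0) /* alignment must be a power of two */
        return MODEL_STATUS_DATATYPE_MISALIGNMENT;

    end = address + length;               /* unsigned wraparound is well defined */
    if (end < address || end > MODEL_USER_PROBE_ADDRESS)
        return MODEL_STATUS_ACCESS_VIOLATION;

    return MODEL_STATUS_SUCCESS;
}

int main(void)
{
    printf("PEB-like address:   0x%08X\n",
           (unsigned)model_probe_for_read(SAMPLE_PEB_ADDRESS, 0x200, 4));
    printf("kernel address:     0x%08X\n",
           (unsigned)model_probe_for_read(SAMPLE_KERNEL_ADDRESS, 16, 4));
    printf("misaligned address: 0x%08X\n",
           (unsigned)model_probe_for_read(SAMPLE_PEB_ADDRESS + 1, 4, 4));
    printf("wrapping range:     0x%08X\n",
           (unsigned)model_probe_for_read(0xFFFFFFF0u, 0x20, 4));
    return 0;
}
```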