We plan to create a driver that has safe virtual address access functionality.
The virtual address could be any virtual address in kernel mode.
Our steps are as below:
We need to check whether the virtual address is in paged pool or non-paged pool first. But from the WDK, it seems no MmXXX routine provides such detection? Or do we have to develop it by ourselves?
If the address is in paged pool, we just skip the access to avoid a BSOD.
If the address is in non-paged pool, we try to create an MDL and lock the pages as below.
But we always get 0xC0000005 (invalid access) when we call MmProbeAndLockPages().
Can anybody give some comments?
What in the world do you want this driver for? It sounds like this is trying to access any address requested, which is a poor design if only in the kernel, or a security nightmare if you are providing user access. So what problem are you thinking you are solving by doing something like this?
-----Original Message-----
From: xxxxx@msa.hinet.net [mailto:xxxxx@msa.hinet.net]
Posted At: Monday, June 07, 2010 4:49 AM
Posted To: ntdev
Conversation: How to lock memory?
Subject: How to lock memory?
The only comment I can give here is “Where is Chris? I haven’t seen such an incredible piece of nonsense for quite a while”…
Indeed, although I must admit I was a little disappointed – after all, I was hoping to see a call to KeLowerIrql() down to passive, and then some truly disturbing hack to import and call IsBadReadPtr()…
We have another application to control this driver.
And we hope to dump as much kernel virtual address content to the application as possible.
This application is expected to be a proprietary security debugging tool for when WinDbg is unavailable.
For non-paged pool, if we don’t lock these pages, how do we guarantee they always exist?
Because they could be freed by other threads or processes.
And we use an IOCTL requested from the application to access the virtual address, so it will always run at PASSIVE_LEVEL.
Of course, we know users must not access unknown kernel virtual addresses.
But users will try to read/write kernel virtual addresses by typing them, so to avoid a BSOD caused by a typo, we need to implement such a function.
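The request described above (a user-mode application sends an IOCTL naming any kernel virtual address, and the driver reads or writes it) is exactly what the “security nightmare” reply is about. As an added illustration, not code from the poster’s driver or from anyone in this thread, here is a portable C model of the minimum gate such an IOCTL handler would need before it touches kernel memory: an explicit allow-list of regions the driver has chosen to expose, a per-request length cap, an overflow-safe end-of-range computation, and default deny. The request layout, the KMEM_* names, the 4096-byte cap and the sample range are assumptions made for this example; no Windows kernel API is called, so it compiles and runs on any host.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical IOCTL input buffer (assumed layout): the caller names a
 * virtual address and a byte count it wants copied back to user mode. */
typedef struct {
    uint64_t Address;
    uint32_t Length;
} KMEM_READ_REQUEST;

/* One region the driver has explicitly decided it is willing to expose. */
typedef struct {
    uint64_t Base;
    uint64_t Size;
} KMEM_RANGE;

/* Assumed per-request cap; a real driver would size this to its buffer. */
#define KMEM_MAX_READ 4096u

typedef enum {
    KMEM_OK = 0,
    KMEM_ZERO_LENGTH,
    KMEM_TOO_LONG,
    KMEM_OVERFLOW,
    KMEM_NOT_ALLOWED
} KMEM_VERDICT;

/* Accepts the request only if [Address, Address + Length) lies entirely
 * inside one allow-listed range. Everything else is refused before any
 * kernel memory is touched, so a mistyped address never reaches a read. */
KMEM_VERDICT ValidateReadRequest(const KMEM_READ_REQUEST *req,
                                 const KMEM_RANGE *allowed, size_t count)
{
    if (req->Length == 0)
        return KMEM_ZERO_LENGTH;
    if (req->Length > KMEM_MAX_READ)
        return KMEM_TOO_LONG;

    /* Exclusive end of the request, computed without wrapping past UINT64_MAX:
     * a wrapped end would otherwise compare as "inside" a range that sits near
     * the top of the address space. */
    if (req->Address > UINT64_MAX - req->Length)
        return KMEM_OVERFLOW;
    uint64_t end = req->Address + req->Length;

    for (size_t i = 0; i < count; i++) {
        uint64_t rbase = allowed[i].Base;
        uint64_t rsize = allowed[i].Size;
        /* A malformed table entry (empty or wrapping) never matches. */
        if (rsize == 0 || rbase > UINT64_MAX - rsize)
            continue;
        if (req->Address >= rbase && end <= rbase + rsize)
            return KMEM_OK;
    }
    return KMEM_NOT_ALLOWED;   /* default deny */
}

/* Constructed sample allow-list: a single 64 KiB region at a made-up
 * kernel-space address. */
static const KMEM_RANGE SampleRanges[] = {
    { 0xFFFFF80012340000ull, 0x10000ull },
};
static const size_t SampleRangeCount = sizeof(SampleRanges) / sizeof(SampleRanges[0]);

/* Checks one (address, length) pair against the sample allow-list. */
KMEM_VERDICT CheckSample(uint64_t address, uint32_t length)
{
    KMEM_READ_REQUEST req;
    req.Address = address;
    req.Length = length;
    return ValidateReadRequest(&req, SampleRanges, SampleRangeCount);
}

static const char *VerdictName(KMEM_VERDICT v)
{
    switch (v) {
    case KMEM_OK:          return "OK";
    case KMEM_ZERO_LENGTH: return "ZERO_LENGTH";
    case KMEM_TOO_LONG:    return "TOO_LONG";
    case KMEM_OVERFLOW:    return "OVERFLOW";
    default:               return "NOT_ALLOWED";
    }
}

int main(void)
{
    /* Constructed requests: a valid read, a read ending exactly at the range
     * limit, the same read shifted one byte past it, a one-nibble typo, and an
     * address/length pair that wraps around the top of the address space. */
    struct { uint64_t addr; uint32_t len; } samples[] = {
        { 0xFFFFF80012340000ull, 16 },
        { 0xFFFFF8001234FFF0ull, 16 },
        { 0xFFFFF8001234FFF1ull, 16 },
        { 0xFFFFF80012330000ull, 16 },
        { UINT64_MAX - 3, 8 },
    };
    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
        printf("0x%016llx +%u -> %s\n",
               (unsigned long long)samples[i].addr, samples[i].len,
               VerdictName(CheckSample(samples[i].addr, samples[i].len)));
    return 0;
}
```

Even with this gate in place the driver remains a kernel-memory disclosure primitive for any user who can open its device, which is the objection the replies raise; the check bounds the damage from a typo, it does not make “read whatever address the user types” a safe design.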
From: xxxxx@msa.hinet.net
To: “Windows System Software Devs Interest List”
Subject: RE:[ntdev] How to lock memory?
Date: Mon, 7 Jun 2010 10:45:00 -0400 (EDT)
See Poe’s law: “Without a winking smiley or other blatant display of humor, it is impossible to create a parody of Fundamentalism that SOMEONE won’t mistake for the real thing.”
Which has evolved to include: “or, more generally, any crackpot theory”.
Mark Roddy
On Mon, Jun 7, 2010 at 11:17 AM, Gregory G Dyess wrote:
> Unless I am completely asleep, did he just state that he must “LOCK” NON-paged pool pages so they will always exist?
>
> Uh, NON-Paged pool pages are ALWAYS locked into physical memory, hence the name NON-Paged Pool…
On Mon, Jun 7, 2010 at 11:40 AM, Mark Roddy wrote:
> See Poe’s law: Without a winking smiley or other blatant display of humor, it is impossible to create a parody of Fundamentalism that SOMEONE won’t mistake for the real thing.
>
> Which has evolved to include: “or, more generally, any crackpot theory”.
Ahhhh… NO. Sorry, but you’re on the wrong track here Mr. Chang.
Non-paged pool blocks always DO exist and they ALWAYS ARE non-paged. Locking them doesn’t do ANYTHING to prevent them from being allocated to another use, “plain and simple.” Locking them just gratuitously increments the reference count in the PFN.
I think you should read the replies again. And learn some more about Windows OS architecture. Seriously.
…unless the Driver Verifier has Special Pool enabled… Actually, I was hit by the special pool just yesterday; it turned out to be some of my code accessing some memory just after it was freed.
Your statement has nothing to do with the previous one. “NP pool blocks always DO exist” == there is always a physical backing for allocated memory (unlike paged pool). Once you free memory, there is no such guarantee (results are undefined). Your bug has nothing to do with paged or NP pool; it has to do with the undefined behavior of using freed memory.
wrote in message news:xxxxx@ntdev…
>> Non-paged pool blocks always DO exist
>
> …unless the Driver Verifier has Special Pool enabled… Actually, been hit by the special pool just yesterday; turned out to be some of my code accessing some memory just after it was freed.
Driver verifier is our friend (so it was a friendly hit) –pa