How to validate a pointer to buffer in the kernel?

Hi

I can NULL check every allocation that I do myself and see if it's
valid. But is there a way I can validate pointers that I get from some
kernel functions or from hooking, that point to places in the kernel?

For example, if you hook ZwCreateFile() you get a pointer to an
OBJECT_ATTRIBUTES structure, which is one of ZwCreateFile()'s parameters.
Is there any way to check if that pointer is valid?
Any way to make sure accessing this pointer won't cause a PAGE_FAULT?
Is using MmIsAddressValid() the right way to do it?

Thanks

I don't think MmIsAddressValid would work, because the function just checks
whether the page is paged in.

Please refer to the following code.
ntoskrnl!MmIsAddressValid
0008:804E5BE1 8BFF         MOV EDI,EDI
0008:804E5BE3 55           PUSH EBP
0008:804E5BE4 8BEC         MOV EBP,ESP
0008:804E5BE6 8B4D08       MOV ECX,[EBP+08]
0008:804E5BE9 8BC1         MOV EAX,ECX
0008:804E5BEB C1E814       SHR EAX,14
0008:804E5BEE BAFC0F0000   MOV EDX,00000FFC
0008:804E5BF3 23C2         AND EAX,EDX
0008:804E5BF5 2D0000D03F   SUB EAX,3FD00000
0008:804E5BFA 8B00         MOV EAX,[EAX]       // get PageDirectory entry
0008:804E5BFC A801         TEST AL,01          // check page directory's Present bit
0008:804E5BFE 0F84E9FB0000 JZ 804F57ED         // if Present bit == NULL, return FALSE
0008:804E5C04 84C0         TEST AL,AL          // check page size of PageDirectory entry
0008:804E5C06 7824         JS 804E5C2C         // if PageSize == 4MB, return TRUE (because it's kernel mem)
0008:804E5C08 C1E90A       SHR ECX,0A
0008:804E5C0B 81E1FCFF3F00 AND ECX,003FFFFC
0008:804E5C11 81E900000040 SUB ECX,40000000
0008:804E5C17 8BC1         MOV EAX,ECX
0008:804E5C19 8B08         MOV ECX,[EAX]       // get page table entry
0008:804E5C1B F6C101       TEST CL,01          // check page table's Present bit
0008:804E5C1E 0F84C9FB0000 JZ 804F57ED         // if Present == NULL, return FALSE
0008:804E5C24 84C9         TEST CL,CL
0008:804E5C26 0F88B2DE0300 JS 80523ADE
0008:804E5C2C B001         MOV AL,01           // if Present == TRUE, return TRUE
0008:804E5C2E 5D           POP EBP
0008:804E5C2F C20400       RET 0004

"Omer B" wrote in message news:xxxxx@ntdev…
> Hi
>
> I can NULL check every allocation that I do myself and see if it's
> valid. But is there a way I can validate pointers that I get from some
> kernel functions or from hooking, that point to places in the kernel?
>
> For example, if you hook ZwCreateFile() you get a pointer to an
> OBJECT_ATTRIBUTES structure, which is one of ZwCreateFile()'s parameters.
> Is there any way to check if that pointer is valid?
> Any way to make sure accessing this pointer won't cause a PAGE_FAULT?
> Is using MmIsAddressValid() the right way to do it?
>
> Thanks
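As an added illustration (not code from this thread, nor Microsoft's), the user-mode C model below re-implements the decision logic decoded in the listing above against constructed page tables, so you can see that only the Present bits and the 4 MB page-size bit are ever consulted. The self-map constants 0xC0300000 and 0xC0000000 follow from the SUB immediates in the listing; the model tables, the map helpers and the treatment of PTE bit 7 are assumptions.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Bits the listing tests in a PDE/PTE (x86, non-PAE). */
#define P_PRESENT   0x01u   /* bit 0: TEST AL,01 / TEST CL,01 */
#define P_LARGEPAGE 0x80u   /* bit 7: TEST AL,AL ; JS  (4 MB page) */

/* Constructed stand-in for the self-mapped page directory and page tables
 * (an assumption for this model; not the real self-map). */
static struct {
    uint32_t pd[1024];        /* one PDE per 4 MB of virtual space */
    uint32_t pt[1024][1024];  /* one PTE per 4 KB page under each PDE */
} mmu;

/* Address arithmetic exactly as the listing computes it: modulo 2^32,
 * SUB EAX,3FD00000 is ADD 0xC0300000 (self-mapped page directory) and
 * SUB ECX,40000000 is ADD 0xC0000000 (self-mapped page tables). */
uint32_t pde_self_map_address(uint32_t va) { return ((va >> 20) & 0xFFCu) - 0x3FD00000u; }
uint32_t pte_self_map_address(uint32_t va) { return ((va >> 10) & 0x3FFFFCu) - 0x40000000u; }

/* The listing's decision logic, run against the model tables.  The JS to
 * 80523ADE on bit 7 of the PTE is not modelled; a present PTE is simply
 * reported as valid here (assumption). */
bool mm_is_address_valid_sim(uint32_t va)
{
    uint32_t pde = mmu.pd[va >> 22];                       /* MOV EAX,[EAX]: PDE */
    if (!(pde & P_PRESENT)) return false;                  /* JZ: PDE not present */
    if (pde & P_LARGEPAGE)  return true;                   /* JS: 4 MB page, no PT */
    uint32_t pte = mmu.pt[va >> 22][(va >> 12) & 0x3FFu];  /* MOV ECX,[EAX]: PTE */
    return (pte & P_PRESENT) != 0;                         /* JZ: PTE not present */
}

/* Model helpers: map a 4 KB page, map a 4 MB page, or page a 4 KB page out. */
void map_4k(uint32_t va)
{
    mmu.pd[va >> 22] |= P_PRESENT;
    mmu.pt[va >> 22][(va >> 12) & 0x3FFu] = (va & 0xFFFFF000u) | P_PRESENT;
}
void map_4m(uint32_t va)   { mmu.pd[va >> 22] = (va & 0xFFC00000u) | P_PRESENT | P_LARGEPAGE; }
void unmap_4k(uint32_t va) { mmu.pt[va >> 22][(va >> 12) & 0x3FFu] &= ~P_PRESENT; }

/* Why "paged in" is not "valid": a freed allocation's page stays present as
 * long as anything else lives on it, so the dangling pointer still passes. */
bool stale_pointer_still_passes(void)
{
    memset(&mmu, 0, sizeof mmu);
    map_4k(0x81234000u);            /* pool page shared by two allocations */
    uint32_t freed = 0x81234100u;   /* first allocation, freed by its owner; page not unmapped */
    return mm_is_address_valid_sim(freed);   /* true, although the pointer is dangling */
}
```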

Uh, please do not do that. That is copyrighted code and membership in this
forum does not give you the privilege to post someone else’s, Microsoft’s in
this case, code to this list. In fact I think OSR specifically asks you NOT
to post copyrighted code.


The personal opinion of
Gary G. Little

"Andy Jung" wrote in message news:xxxxx@ntdev…
> I don't think MmIsAddressValid would work, because the function just checks
> whether the page is paged in.
>
> Please refer to the following code.
> ntoskrnl!MmIsAddressValid
-------- CENSORED----------
> "Omer B" wrote in message news:xxxxx@ntdev…
> Hi
>
> I can NULL check every allocation that I do myself and see if it's
> valid. But is there a way I can validate pointers that I get from some
> kernel functions or from hooking, that point to places in the kernel?
>
> For example, if you hook ZwCreateFile() you get a pointer to an
> OBJECT_ATTRIBUTES structure, which is one of ZwCreateFile()'s parameters.
> Is there any way to check if that pointer is valid?
> Any way to make sure accessing this pointer won't cause a PAGE_FAULT?
> Is using MmIsAddressValid() the right way to do it?
>
> Thanks
>

Gary G. Little wrote:

Uh, please do not do that. That is copyrighted code and membership in this
forum does not give you the privilege to post someone else’s, Microsoft’s in
this case, code to this list. In fact I think OSR specifically asks you NOT
to post copyrighted code.

Well, that's true. We certainly don't advocate anything that's
against the law, either.

On the other hand, we do and have always considered short sequences of
code or the UNassembly of code to be protected as “fair use” – Either
as education, comment, scholarship or research – on this forum. So,
short code segments from a much larger work do not concern us on this
forum… There’s no need to be paranoid.

More to the point, I think, is the specific license prohibition in
Windows that does not allow disassembly of the code. Of course, if this
listing was produced with WinDbg, it would be an "UNassembly" :-)

For the purposes of NTDEV and NTFSD, the rule is: Please keep posted
code segments that don’t belong to you as short as possible consistent
with allowing you to demonstrate the point you want to make.

Thanks very much to Mr. Little for helping to remind folks about this
policy.

Peter
OSR

NOTE: I am not interested in a further discussion or debate, or in
hearing other people’s views on: copyright law, license law, the DMCA,
US versus non-US laws, the usefulness of listservers, or whether WinDbg
does UNassembly or DISassembly. The only opinion on this matter that
I’m interested in hearing is from OSR’s Intellectual Property lawyers,
and they are not members of this forum. Let’s not let this thread
degenerate into another lively yet content-free debate.