Hey, there’s a (poorly written) driver that exposes a memory copy IOCTL to usermode.
Sending a request with an input buffer pointing at a kernel address, and an output buffer pointing at a UM address, works: the driver reads kernel memory to UM (poorly written, as said).
However, when passing a usermode address as the input buffer and a kernel mode address as the output buffer (trying to write usermode memory to kernel), the said IOCTL handler is not even invoked. So surely the I/O manager detects something is bad here and drops the IRP? Anyone familiar with such a check? The IOCTL is METHOD_BUFFERED, if it’s worth mentioning.
You would have to provide more details. You can't literally pass a kernel address as a parameter to DeviceIoControl. Those addresses are validated. Now, if you are passing the address of a pointer (indirect), then they can't be validated at the I/O level.
I passed a kernel address (the address of a global variable in a driver), worked when passed as input buffer to DeviceIoControl (memory pointed by this global was copied). Didn’t work when passed as the output buffer (the data it points to wasn’t overwritten and as mentioned, the IOCTL handler wasn’t even hit. It failed at the I/O level).
What other details would be helpful here?
IOCTL is METHOD_BUFFERED, FILE_ANY_ACCESS