Hi,
I have a pointer of type PVOID from user space. Does anyone know how I can get
the size of the memory allocated for the variable (typically a buffer)
pointed to by the pointer, in kernel mode?
Thanks in advance, Aurox.
You cannot, pass the size as one more IOCTL parameter.
Max
----- Original Message -----
From: “aurox”
To: “NT Developers Interest List”
Sent: Thursday, July 11, 2002 2:25 PM
Subject: [ntdev] Memory allocated.
> Hi,
> I have a pointer of type PVOID from user space. Does anyone know how I can get
> the size of the memory allocated for the variable (typically a buffer)
> pointed to by the pointer, in kernel mode?
>
> Thanks in advance, Aurox.
You have whoever sent you this pointer also send you the size of the
buffer. You could call KeDetermineRandomPointersBufferSizeByMagic, but
alas it is not documented.
Create a struct with a size member, and an LPVOID member.
Pass that through instead.
Rob Linegar
Software Engineer
Data Encryption Systems Limited
-----Original Message-----
From: Maxim S. Shatskih [mailto:xxxxx@storagecraft.com]
Sent: 11 July 2002 11:37
To: NT Developers Interest List
Subject: [ntdev] Re: Memory allocated.
You cannot, pass the size as one more IOCTL parameter.
Max
I searched for KeDetermineRandomPointersBufferSizeByMagic in hal.dll,
kernel32.dll and ntoskrnl.exe. Where might this be present?
Regards,
Satish K.S
----- Original Message -----
From: “Mark Roddy”
To: “NT Developers Interest List”
Sent: Thursday, July 11, 2002 4:13 PM
Subject: [ntdev] RE: Memory allocated.
> You have whoever sent you this pointer also send you the size of the
> buffer. You could call KeDetermineRandomPointersBufferSizeByMagic, but
> alas it is not documented.
Thanks all,
Unfortunately it’s not my application that passes the PVOID pointer to my
driver, so I can’t make any structure.
For Mark Roddy: how can I use the function that you suggest?
Aurox.
If memory is allocated from heap you can use HeapSize() in user mode. In
kernel mode try RtlSizeHeap() from ntdll.
vlad-ntdev
It’s not exported; it’s returned into an array of function pointers as a
result of a call to HalPrivateMagicTableDispatch. I hope you’ll find this
one.
----- Original Message -----
From: “int3”
To: “NT Developers Interest List”
Sent: Thursday, July 11, 2002 2:07 PM
Subject: [ntdev] RE: Memory allocated.
> I searched for KeDetermineRandomPointersBufferSizeByMagic in hal.dll,
> kernel32.dll and ntoskrnl.exe. Where might this be present?
>
> Regards,
> Satish K.S
Perhaps if you explained what it is you are really trying to do then we could help. Random
applications are not in the habit of lobbing unsized pvoid pointers into the kernel.
Otherwise I will continue to exhibit anti-social behavior to the amusement of Mr. Nishimoto
and others.
-----Original Message-----
From: “aurox”
To: “NT Developers Interest List”
Date: Thu, 11 Jul 2002 07:12:24 -0400
Subject: [ntdev] Re: Memory allocated.
> Thanks all,
>
> Unfortunately it’s not my application that passes the PVOID pointer to my
> driver, so I can’t make any structure.
>
> For Mark Roddy: how can I use the function that you suggest?
>
> Aurox.
>> In kernel mode try RtlSizeHeap() from ntdll.
I’m not sure this heap management API even exists. And one after another,
calling user mode APIs is generally a very bad idea.
Dan
----- Original Message -----
From: “vlad-ntdev”
To: “NT Developers Interest List”
Sent: Thursday, July 11, 2002 3:06 PM
Subject: [ntdev] Re: Memory allocated.
> If memory is allocated from heap you can use HeapSize() in user mode. In
> kernel mode try RtlSizeHeap() from ntdll.
>
> vlad-ntdev
HeapSize exists in win32 user space but:
* you need the heap handle - where do you get that from?
* why would one conclude that the PVOID points to a heap allocated buffer?
* it’s not documented as a kernel API
* this whole thread is wrong from the get-go
calling user mode APIs is generally a very bad idea
calling user mode APIs is generally a very bad idea
calling user mode APIs is generally a very bad idea
-----Original Message-----
From: Dan Partelly [mailto:xxxxx@rdsor.ro]
Sent: Thursday, July 11, 2002 8:17 AM
To: NT Developers Interest List
Subject: [ntdev] Re: Memory allocated.
>> In kernel mode try RtlSizeHeap() from ntdll.
I’m not sure this heap management API even exists. And one
after another, calling user mode APIs is generally a very bad idea.
Dan
> >> In kernel mode try RtlSizeHeap() from ntdll.
> I’m not sure this heap management API even exists. And one after another,
> calling user mode APIs is generally a very bad idea.
Yes, I was wrong. You must know the heap handle when calling RtlSizeHeap, but you
don’t. And yes, calling an undocumented API is a very bad idea.
vlad-ntdev
Yes, you’re right.
I put a hook on the NtReadFile function; I must check that the memory size
allocated for Buffer is >= the Length to read from the file, to trap
buffer overflows.
Thanks, Aurox.
Huh?
----- Original Message -----
From: “aurox”
To: “NT Developers Interest List”
Sent: Thursday, July 11, 2002 3:57 PM
Subject: [ntdev] Re: Memory allocated.
> Yes, you’re right.
>
> I put a hook on the NtReadFile function; I must check that the memory size
> allocated for Buffer is >= the Length to read from the file, to trap
> buffer overflows.
>
> Thanks, Aurox.
If you want to probe that memory for validity, just use the LENGTH
parameter passed to your hook and the Buffer,
passing them to ProbeForRead() or ProbeForWrite(). Just don’t forget about
SEH.
Hooking system calls is a bad idea. You want to intercept IO, write a
filter driver.
Ciao
Yes, you’re right.
I put a hook on the NtReadFile function; I must check that the memory size
allocated for Buffer is >= the Length to read from the file, to trap
buffer overflows.
typedef NTSTATUS (*NTREADFILE)(
    IN HANDLE FileHandle,
    IN HANDLE Event OPTIONAL,
    IN PIO_APC_ROUTINE ApcRoutine OPTIONAL,
    IN PVOID ApcContext OPTIONAL,
    OUT PIO_STATUS_BLOCK IoStatusBlock,
    OUT PVOID Buffer,                      /* caller-supplied destination buffer */
    IN ULONG Length,                       /* number of bytes the caller asks to read */
    IN PLARGE_INTEGER ByteOffset OPTIONAL,
    IN PULONG Key OPTIONAL
    );
Thanks, Aurox.
> Yes, you’re right.
> I put a hook on the NtReadFile function; I must check that the memory size
> allocated for Buffer is >= the Length to read from the file, to trap
> buffer overflows.
I think there’s no universal solution for it. The buffer can be on the stack or
inside a heap block (not at the beginning of it). You can try to solve this
problem in particular cases, but the solution will not be much better than using
undocumented user mode functions in kernel mode.
By the way, what is the reason not to trust the Length parameter?
vlad-ntdev
>> By the way, what is the reason not to trust the Length parameter?
Because indeed it can be wrong, and can lead to exceptions. It must be probed,
and I told him how.
Dan
See the DDK documentation for:
VOID
ProbeForWrite(
    IN CONST VOID *Address,
    IN SIZE_T Length,
    IN ULONG Alignment
    );
But this does not entirely solve your problem. ‘Hooking’ is the wrong way to
go. Write a filter driver and let the IoManager figure out the buffer
validity for you.
-----Original Message-----
From: aurox [mailto:xxxxx@inwind.it]
Sent: Thursday, July 11, 2002 9:12 AM
To: NT Developers Interest List
Subject: [ntdev] Re: Memory allocated.
Yes, you’re right.
I put a hook on the NtReadFile function; I must check that the
memory size allocated for Buffer is >= the Length to read
from the file, to trap buffer overflows.
typedef NTSTATUS (*NTREADFILE)(
    IN HANDLE FileHandle,
    IN HANDLE Event OPTIONAL,
    IN PIO_APC_ROUTINE ApcRoutine OPTIONAL,
    IN PVOID ApcContext OPTIONAL,
    OUT PIO_STATUS_BLOCK IoStatusBlock,
    OUT PVOID Buffer,
    IN ULONG Length,
    IN PLARGE_INTEGER ByteOffset OPTIONAL,
    IN PULONG Key OPTIONAL
    );
Thanks, Aurox.
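Added example, not part of the thread and not code from any poster: a portable user-mode model of the range checks that the ProbeForRead()/ProbeForWrite() advice above relies on, applied to a (Buffer, Length) pair such as the one NtReadFile receives. The names model_probe and hook_may_forward, the returned codes, the boundary constant and the sample addresses are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumption for this model: the 32-bit x86 user/kernel boundary. */
#define MODEL_USER_PROBE_ADDRESS 0x7FFF0000u

enum probe_result { PROBE_OK, PROBE_MISALIGNED, PROBE_ACCESS_VIOLATION };

/*
 * model_probe (hypothetical name) reproduces only the address arithmetic a
 * probe applies to a caller-supplied (Buffer, Length) pair. The kernel
 * routine raises an exception instead of returning a code, which is why the
 * call has to sit inside SEH; ProbeForWrite also touches each page for
 * write access, which a user-mode model cannot do.
 */
enum probe_result model_probe(uint32_t address, uint32_t length,
                              uint32_t alignment)
{
    uint32_t end;

    if (length == 0)
        return PROBE_OK;                 /* zero length: nothing is checked */
    if (alignment > 1 && (address & (alignment - 1)) != 0)
        return PROBE_MISALIGNED;         /* alignment is a power of two */
    end = address + length;              /* unsigned, so it may wrap */
    if (end < address)
        return PROBE_ACCESS_VIOLATION;   /* Buffer + Length wrapped around */
    if (end > MODEL_USER_PROBE_ADDRESS)
        return PROBE_ACCESS_VIOLATION;   /* range reaches kernel addresses */
    return PROBE_OK;
}

/* What a hook would decide for one call: forward only if the probe passes. */
int hook_may_forward(uint32_t buffer, uint32_t length)
{
    return model_probe(buffer, length, 1) == PROBE_OK;
}

int main(void)
{
    /* Constructed (Buffer, Length) pairs, not taken from the thread. */
    printf("stack address, Length 4096: %d\n",
           hook_may_forward(0x0012FF00u, 4096u));
    printf("range wraps past 4 GB:      %d\n",
           hook_may_forward(0xFFFFF000u, 0x2000u));
    printf("kernel address:             %d\n",
           hook_may_forward(0x80001000u, 16u));
    return 0;
}
```

The first constructed call passes no matter how small the caller's real buffer at that address is: a probe validates the address range, not the allocation, which is the limit vlad-ntdev points out.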
I got 2, HalDispatchTable and HalPrivateDispatchTable, in ntoskrnl.exe, but again I
didn’t get any KeDetermineRandomPointersBufferSizeByMagic… Is the name
changed?
Regards,
Satish K.S
----- Original Message -----
From: “Dan Partelly”
To: “NT Developers Interest List”
Sent: Thursday, July 11, 2002 5:41 PM
Subject: [ntdev] RE: Memory allocated.
> It’s not exported; it’s returned into an array of function pointers as a
> result of a call to HalPrivateMagicTableDispatch. I hope you’ll find this
> one.