MmMapLockedPagesSpecifyCache

If I use MmMapLockedPagesSpecifyCache() to map a buffer to a user process, what happens when the process terminates unexpectedly? Will I be able to unmap the buffer in this case? How can I clean up if this happens?

Thanks,
Rob

Yes you can unmap the buffer after the process fails.

Don Burn (MVP, Windows DKD)
Windows Filesystem and Driver Consulting
Website: http://www.windrvr.com
Blog: http://msmvps.com/blogs/WinDrvr

-----Original Message-----
From: xxxxx@ocarinanetworks.com
[mailto:xxxxx@ocarinanetworks.com]
Posted At: Friday, May 28, 2010 7:42 PM
Posted To: ntfsd
Conversation: MmMapLockedPagesSpecifyCache
Subject: MmMapLockedPagesSpecifyCache

Do I still need to KeStackAttachProcess(), giving it the PKPROCESS of the defunct process, prior to this call? Won't that fail?

Yes, the process is not completely defunct till everything is cleaned
up, so you still have a PKPROCESS around.

Don Burn (MVP, Windows DKD)
Windows Filesystem and Driver Consulting
Website: http://www.windrvr.com
Blog: http://msmvps.com/blogs/WinDrvr

-----Original Message-----
From: xxxxx@ocarinanetworks.com
[mailto:xxxxx@ocarinanetworks.com]
Posted At: Friday, May 28, 2010 7:55 PM
Posted To: ntfsd
Conversation: MmMapLockedPagesSpecifyCache
Subject: RE: MmMapLockedPagesSpecifyCache

Ensure that the process (the one into which you map the region) keeps a handle open to your driver. Then on IRP_MJ_CLEANUP (which is called in the context of the process) perform the unmap operation (reversing what you did with MmMapLockedPages).

Peter
OSR

> If I use MmMapLockedPagesSpecifyCache() to map a buffer to a user process,
> what happens when the process terminates unexpectedly? Will I be able to
> unmap the buffer in this case? How can I cleanup if this happens?

The memory manager will automatically unmap the buffer when the process
terminates, so technically you don’t have to do anything.

However, if at some point you want to free the physical pages then
things become more interesting. You can’t free the pages while they
are still mapped, so you could do what Peter suggested and manually
unmap the MDL when you receive IRP_MJ_CLEANUP. But then you’ll need
to decide what to do if the handle is duplicated into another
process (in which case you can get IRP_MJ_CLEANUP in the context of
that other process, depending on which copy of the handle is closed
first). This might seem far-fetched but there are a few cases where
it could happen. For example, debuggers and other similar tools may
duplicate remote handles into their own process, or a malicious app
might duplicate its handle into another process and close the
original in an attempt to gain unauthorized access to kernel memory,
and so on.

I think you can handle these cases by checking PsGetCurrentProcess()
when you receive IRP_MJ_CLEANUP and if it doesn’t match what you
expect, using KeStackAttachProcess to attach to the right process
before unmapping the pages.


Pavel Lebedinsky/Windows Fundamentals Test
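A cleanup path along the lines Peter and Pavel describe, written as an added WDK C example (not code from any of the posters). The MAP_CONTEXT layout, the function names and the assumption that the pages came from MmAllocatePagesForMdlEx are mine; the kernel routines are the documented WDK ones.

```c
#include <ntddk.h>

/* Per-handle state kept in FileObject->FsContext from map time until cleanup
 * (hypothetical layout for this example). */
typedef struct _MAP_CONTEXT {
    PMDL      Mdl;     /* pages allocated with MmAllocatePagesForMdlEx (assumed) */
    PVOID     UserVa;  /* user VA returned by MmMapLockedPagesSpecifyCache */
    PEPROCESS Owner;   /* process the buffer was mapped into; referenced */
} MAP_CONTEXT, *PMAP_CONTEXT;

/* Runs in the context of the requesting process (e.g. an IOCTL handler). */
NTSTATUS MapCtxMapIntoCaller(PMAP_CONTEXT Ctx)
{
    __try {
        Ctx->UserVa = MmMapLockedPagesSpecifyCache(Ctx->Mdl, UserMode, MmCached,
                                                   NULL, FALSE, NormalPagePriority);
    } __except (EXCEPTION_EXECUTE_HANDLER) {
        return GetExceptionCode();   /* user-mode mapping failures are raised */
    }
    if (Ctx->UserVa == NULL) {
        return STATUS_INSUFFICIENT_RESOURCES;
    }
    /* Record the owner; the reference keeps the EPROCESS valid until cleanup. */
    Ctx->Owner = PsGetCurrentProcess();
    ObReferenceObject(Ctx->Owner);
    return STATUS_SUCCESS;
}

/* IRP_MJ_CLEANUP path: unmap in the owning process, then release the pages. */
VOID MapCtxCleanup(PMAP_CONTEXT Ctx)
{
    KAPC_STATE apc;
    BOOLEAN attached = FALSE;

    if (Ctx->UserVa != NULL) {
        /* A duplicated handle can deliver cleanup in some other process;
         * the user VA only makes sense inside the owner's address space. */
        if (Ctx->Owner != PsGetCurrentProcess()) {
            KeStackAttachProcess((PRKPROCESS)Ctx->Owner, &apc);
            attached = TRUE;
        }
        MmUnmapLockedPages(Ctx->UserVa, Ctx->Mdl);
        Ctx->UserVa = NULL;
        if (attached) {
            KeUnstackDetachProcess(&apc);
        }
    }
    if (Ctx->Owner != NULL) {
        ObDereferenceObject(Ctx->Owner);
        Ctx->Owner = NULL;
    }
    /* Only now, with no mapping left, is it safe to free the physical pages. */
    MmFreePagesFromMdl(Ctx->Mdl);
    ExFreePool(Ctx->Mdl);
    Ctx->Mdl = NULL;
}
```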