non-paged pool - kernel to userland

Is it safe to pass a non-paged pool buffer from kernel land to user land?

- Drew

In general non-paged memory is only accessible while executing in kernel
mode (driver).

User mode memory can be mapped to kernel using MmGetSystemAddressForMdlSafe,
etc.

Kernel can allocate memory to be shared with user space using “sections”.
Search Google for ZwCreateSection to get in the right ballpark for functions
for sharing in the direction you are inquiring about.

Good luck,

Thomas F. Divine

PCAUSA - Tools & Resources For Network Software Developers
NDIS Protocol/Intermediate/Hooking - TDI Client/Filter


Of course, search the ntdev archives also!

Thos


it would be kind of pointless - user-mode code can’t access kernel-mode
addresses which a non-paged pool buffer would, inevitably, be.

if you need to get data into user-mode you should have the app allocate
a buffer, send a request (IOCTL or read) to the driver and then have the
driver copy the data into the user-mode buffer (after appropriately
mapping it)

-p

-----Original Message-----
From: Drew Berkemeyer [mailto:xxxxx@berkemeyer.com]
Sent: Wednesday, August 28, 2002 9:22 PM
To: NT Developers Interest List
Subject: [ntdev] non-paged pool - kernel to userland

Is it safe to pass a non-paged pool buffer from kernel land to user
land?

- Drew


As was posted in another thread:

http://www.osr.com/ntinsider/2000/sharing_memory.htm


Bill McKenzie
Windows DDK MVP
OSR - Windows System Software Development, Training, and Consulting


Hi Thomas and Dan,

But what about the case when I send the starting address of a memory-mapped
file to the driver using an IOCTL and call MmGetSystemAddressForMdlSafe on
this?
Will it give me the simple linear address to be used in the kernel mode
driver (as it is usually used in the user mode applications…)…

– Subodh

----- Original Message -----
From: “Bill McKenzie”
Newsgroups: ntdev
To: “NT Developers Interest List”
Sent: Thursday, August 29, 2002 8:57 PM
Subject: [ntdev] Re: non-paged pool - kernel to userland

> As was posted in another thread:
>
> http://www.osr.com/ntinsider/2000/sharing_memory.htm

Yes, what you write in user mode can be read in kernel mode and
vice versa. Normally you need to synchronize access to this area using
events.

Heldai

----- Original Message -----
From: “Subodh Gupta”
To: “NT Developers Interest List”
Sent: Thursday, August 29, 2002 2:45 PM
Subject: [ntdev] Re: non-paged pool - kernel to userland


You are on the right track.

Be sure to read the DDK Help Topic “Defining I/O Control Codes”.

Look for DDK samples that illustrate using this function. For example, the
Windows XP DDK NDISUIO sample is one that uses it.

Reading books about DDK programming will also help a lot.

Good luck,

Thomas F. Divine

PCAUSA - Tools & Resources For Network Software Developers
NDIS Protocol/Intermediate/Hooking - TDI Client/Filter

Sorry… I was asleep all last week and didn’t get a chance to comment on
this.

There are some interesting security issues involved in mapping non-paged
pool back to user-mode. Knowing that now, and having time to consider the
issue fully, I sort of really wish I hadn’t written the article to
demonstrate that technique.

A much better idea is to create a section, map a view of that section in
kernel mode, and then share that mapping back to user mode.

Peter
OSR


Hi Peter,

Could you please elaborate on the security issues
involved when using this method?

Thanks!
Mike

— Peter Viscarola wrote:
> Sorry… I was asleep all last week and didn’t get a
> chance to comment on
> this.
>
> There are some interesting security issues involved
> in mapping non-paged
> pool back to user-mode. Knowing that now, and
> having time to consider the
> issue fully, I sort of really wish I hadn’t written
> the article to
> demonstrate that technique.
>
> A much better idea is to create a section, map a
> view of that section in
> kernel mode, and then share that mapping back to
> user mode.
>
> Peter
> OSR

“Mike Malgin” wrote in message news:xxxxx@ntdev…
>
> Hi Peter,
>
> Could you please elaborate on the security issues
> involved when using this method?
>

It’s subtle, but definitely there. I didn’t see it myself until the Memory
Manager pointed it out to me.

You allocate a block of non-paged and map it into a user-app’s address
space. Let’s say you’re appropriately careful and keep an open handle to
the driver that did the mapping, and do an un-map operation when the handle
is closed.

Now let’s say a malicious app duplicates the address space of the app into
which you mapped the non-paged pool block. Now, the malicious app has a
mapping into non-paged pool, and no handle to account for that mapping.

The original app exits or closes his handle. As a result, you unmap the
original app (which does not affect the malicious process), and return the
allocated non-paged pool block.

Now the malicious app has a view into a random hunk of non-paged pool. What
this will contain over time is anybody’s guess.

Peter
OSR
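As an added illustration (not code from the thread, from OSR or from any driver), here is a portable C model of the two lifetime rules Peter contrasts: a pool mapping whose lifetime is tied only to the app's handle, and a section-like object that stays alive while any view references it. The types and functions are hypothetical stand-ins, not Windows kernel APIs.

```c
#include <stdbool.h>
#include <stdlib.h>

/* Hypothetical model (not Windows kernel code) of the two lifetime rules
 * contrasted in the thread. A block_t stands in for a non-paged pool
 * allocation or a section object; a view_t for a user-mode mapping of it. */
typedef struct {
    int  refs;   /* outstanding views; only the section model maintains it */
    bool freed;  /* memory has been returned to the pool */
} block_t;

typedef struct {
    block_t *target;
} view_t;

/* Model 1: pool block mapped into the app, the mapping tracked only through
 * the app's handle to the driver. Returns true if a dangling view survives. */
bool handle_model_leaves_dangling_view(void)
{
    block_t *pool = calloc(1, sizeof *pool);  /* stand-in for a pool allocation */
    view_t app   = { pool };                  /* driver maps the block into the app */
    view_t clone = app;                       /* another process duplicates the
                                                 address space: same view, but
                                                 no handle accounts for it */

    /* The original app closes its handle: the driver unmaps that app's view
     * and frees the block, knowing nothing about the clone. */
    app.target = NULL;
    pool->freed = true;

    bool dangling = clone.target != NULL && clone.target->freed;
    free(pool);
    return dangling;
}

/* Model 2: section-like object; each view holds a reference and the memory
 * is released only when the last view goes away. */
static void view_map(view_t *v, block_t *s) { v->target = s; s->refs++; }
static void view_unmap(view_t *v)
{
    block_t *s = v->target;
    v->target = NULL;
    if (--s->refs == 0)
        s->freed = true;                      /* last reference: release */
}

bool section_model_leaves_dangling_view(void)
{
    block_t *section = calloc(1, sizeof *section); /* stand-in for a section object */
    view_t app = { 0 }, clone = { 0 };
    view_map(&app, section);                  /* view mapped into the app */
    view_map(&clone, section);                /* duplicated address space: the
                                                 copy is a view too, so it
                                                 takes its own reference */

    view_unmap(&app);                         /* app exits: its view goes, the
                                                 section stays alive (refs 1) */
    bool dangling = clone.target->freed;      /* still backed: false */
    view_unmap(&clone);                       /* last view: now released */
    free(section);
    return dangling;
}
```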