Re: ZwWriteVirtualMemory() missing in Win2K (IV)

On Friday, February 02, 2001 1:38 AM Maxim S. Shatskih wrote:

> Do not do this [use ZwWriteVirtualMemory()]. Use the user buffer pointer
> and write to it directly by RtlCopyMemory, but from under the
> __try/__except block. The exception will mean - the user buffer pointer
> is bad.
>
> Max

Thank you for the advice, Max. But after this mail you’ve read, I’ve exchanged
a few mails and ideas on the subject with Mr. Don Burn, who kindly got me
into the real problem. You see, the point is I’m getting hold of a PID which is
not the one of the app calling the driver (that was in fact my first approach,
and it was simple enough to pass data in the Irp->AssociatedIrp.SystemBuffer).

The PID I’m receiving may be an arbitrary one (e.g. from a DLL or from
another app), and this driver I’m developing is for “testing purposes” (I’ll
be studying interrupts and DPC routines in the near future); I also spoke here with
some guys who corrected me and gave me a lot of help, so now I think I’m in
the right way to solve my problem.

Thank you also for the __try/__except tip :) (I’m aware of it).

If Mr. Don Burn / Mr. Norbert Kawulski are reading this, I also want to thank
them for their kindness. You’ll be smiling to know that some of the “problems”
I was having using ZwXxxx (and other) functions were due to the fact I didn’t
know how to force BUILD to refer to them (as they’re not exported by
ntoskrnl): it was a matter of explicitly adding a

TARGETLIBS=$(CRT_LIB_PATH)\ntdll.lib :)))

line into the ‘sources’ file and learning some skills (like using dumpbin /exports,
how to use some of the DDK tools…) I’m still learning the basic stuff, you
know… ;)

Thank you all (you are the gurus!).

Miguel Monteiro
xxxxx@criticalsoftware.com
www.criticalsoftware.com

«Humour and love are God’s answers
to Human weaknesses»


You are currently subscribed to ntdev as: $subst(‘Recip.EmailAddr’)
To unsubscribe send a blank email to leave-ntdev-$subst(‘Recip.MemberIDChar’)@lists.osr.com

> The PID I’m receiving may be an arbitrary one (e.g. from a DLL or from

Don Burn was right.

Surely, you can access the user mode directly only while being in the
process context which owns this user mode memory.

If you want to access it from any process - then
IoAllocateMdl/MmProbeAndLockPages/MmGetSystemAddressForMdl is the only
solution.
If you use DO_DIRECT_IO (or METHOD_xxx_DIRECT IOCTLs) - then the IO manager
will do the first 2 things for you - you will need only to call
MmGetSystemAddressForMdl. In this case, the MDL will be valid till the IRP
will be completed.

The reverse problem - how to make some driver-allocated memory accessible
for the app - is more complex.
The usual way of calling MmMapLockedPages(…UserMode…) is dangerous
because the driver will have to unmap it before the process will be
terminated, otherwise a BSOD occurs.
The good way is to have the “map the driver memory” IOCTL IRP and a cancel
routine for it. The driver’s cancel routine will be called on the process
termination, and the “map the driver memory” IRP completion routine will
need to unmap the mapping.
Using \Device\PhysicalMemory is another way - but reported to be much
slower.

Max

