Safely reading virtual memory from kernel mode

I noticed that WinDbg can read arbitrary kernel memory with local kernel debugging.

How can I get my kernel driver to do that? I looked at MmProbeAndLockPages but it doesn’t work for validating a potentially invalid pointer into kernel memory. Is there another function I can use?

Why? Is it memory you have allocated within your driver, or another driver's memory you want to hijack? If the former, lock it down and use the addresses contained in the MDL. If the latter, why do you think you need to do that? How do you intend to synchronize access to that memory with the owner of that memory so you can avoid a system crash, because that most likely is going to be the end result.

Gary G. Little

----- Original Message -----
From: xxxxx@yahoo.com
To: “Windows System Software Devs Interest List”
Sent: Tuesday, December 14, 2010 1:18:37 PM
Subject: [ntdev] Safely reading virtual memory from kernel mode

I noticed that WinDbg can read arbitrary kernel memory with local kernel debugging.

How can I get my kernel driver to do that? I looked at MmProbeAndLockPages but it doesn’t work for validating a potentially invalid pointer into kernel memory. Is there another function I can use?


NTDEV is sponsored by OSR

For our schedule of WDF, WDM, debugging and other seminars visit:
http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at http://www.osronline.com/page.cfm?name=ListServer

xxxxx@yahoo.com wrote:

I noticed that WinDbg can read arbitrary kernel memory with local kernel debugging.

How can I get my kernel driver to do that? I looked at MmProbeAndLockPages but it doesn’t work for validating a potentially invalid pointer into kernel memory. Is there another function I can use?

There is no way to validate a pointer. You need to wrap the call in a
try/except block to handle any exceptions that occur.

However, Gary’s comment is right on. There are virtually no legitimate
scenarios that require what you’re asking.


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

> There is no way to validate a pointer. You need to wrap the call in a
> try/except block to handle any exceptions that occur.

That only works on user mode pointers. The memory manager does not raise
structured exceptions on invalid kernel memory accesses, it just crashes
(hence the need for ProbeForRead/ProbeForWrite before accessing a user
supplied buffer).

-scott


Scott Noone
Consulting Associate
OSR Open Systems Resources, Inc.
http://www.osronline.com

“Tim Roberts” wrote in message news:xxxxx@ntdev…

xxxxx@yahoo.com wrote:

I noticed that WinDbg can read arbitrary kernel memory with local kernel
debugging.

How can I get my kernel driver to do that? I looked at
MmProbeAndLockPages but it doesn’t work for validating a potentially
invalid pointer into kernel memory. Is there another function I can use?

There is no way to validate a pointer. You need to wrap the call in a
try/except block to handle any exceptions that occur.

However, Gary’s comment is right on. There are virtually no legitimate
scenarios that require what you’re asking.


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.
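Scott's distinction above is the one to internalize: ProbeForRead/ProbeForWrite only ever vouch for a range that lies entirely in user address space, and a kernel pointer simply fails the probe rather than being "validated". The following is an added illustration, not code from the thread or from Windows: a user-mode model of the range and alignment checks the probe performs, written so it compiles and runs anywhere. The MODEL_* names are assumptions, and MODEL_USER_PROBE_ADDRESS stands in for the kernel's MmUserProbeAddress with a value chosen to resemble an x64 layout. In a real driver the call sits inside __try/__except and the probe raises the status as an exception; the model returns it instead.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed model of the checks ProbeForRead/ProbeForWrite perform before a
 * driver touches a caller-supplied buffer. The real routines (ntddk.h) raise an
 * exception that the driver catches with __try/__except; this model returns the
 * status so it can run in user mode. The MODEL_* names are assumptions, and
 * MODEL_USER_PROBE_ADDRESS stands in for the kernel's MmUserProbeAddress. */
#define MODEL_USER_PROBE_ADDRESS 0x00007FFFFFFF0000ULL

#define MODEL_STATUS_SUCCESS               0x00000000u
#define MODEL_STATUS_DATATYPE_MISALIGNMENT 0x80000002u
#define MODEL_STATUS_ACCESS_VIOLATION      0xC0000005u

typedef uint32_t model_status;

/* Decide whether [address, address + length) is an acceptable user-mode range.
 * Only user addresses pass: a kernel-space start, an end that wraps around
 * zero, or an end that reaches into kernel space is rejected. A kernel pointer
 * is therefore never "validated" by this check; the probe protects against bad
 * user pointers and nothing else, which is the point made in the thread. */
model_status model_probe(uint64_t address, uint64_t length, uint64_t alignment)
{
    if (length == 0)
        return MODEL_STATUS_SUCCESS;          /* zero-length probes always pass */

    /* alignment must be a power of two and the start must honour it */
    if (alignment == 0 || (alignment & (alignment - 1)) != 0 ||
        (address & (alignment - 1)) != 0)
        return MODEL_STATUS_DATATYPE_MISALIGNMENT;

    uint64_t end = address + length;
    if (end < address || end > MODEL_USER_PROBE_ADDRESS)
        return MODEL_STATUS_ACCESS_VIOLATION;  /* wrapped, or not user space */

    return MODEL_STATUS_SUCCESS;
}

/* Stand-alone demonstration over constructed addresses (not real pointers). */
int main(void)
{
    struct { const char *what; uint64_t addr, len, align; } cases[] = {
        { "typical user buffer",        0x0000000000401000ULL, 16,   4 },
        { "misaligned user buffer",     0x0000000000401001ULL, 16,   4 },
        { "range crossing into kernel", 0x00007FFFFFFEFFF0ULL, 0x20, 1 },
        { "kernel pointer",             0xFFFFF80000001000ULL, 16,   4 },
        { "range that wraps past zero", 0xFFFFFFFFFFFFFFF0ULL, 0x20, 1 },
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("%-28s -> 0x%08X\n", cases[i].what,
               model_probe(cases[i].addr, cases[i].len, cases[i].align));
    return 0;
}
```

The failure cases are the ones worth studying: the kernel pointer and the wrapped range both come back as an access violation, exactly what the real probe raises, so a driver that "probes" a kernel address inside __try/__except gets an exception it must fail the request on, never a green light to dereference it.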

Actually, I goofed, but am still curious. The bug that originally led me to this question was a bug in a coworker’s code that caused a BSOD on MmProbeAndLockPages passing in KernelMode. I’m familiar with how MmProbeAndLockPages is meant to be used for validation of pointers from user mode, but it just got me thinking about how WinDbg CAN handle this case.

Closer examination of his code revealed that it was a block he allocated. Still tracking the bug, but it seems the entire ProbeAndLock is unnecessary (perhaps an attempt to hide some other bug).

This still leaves me curious though. WinDbg can obviously do it. It is also obviously feasible for ntos to implement this functionality. I’m just curious if it is implemented in some exported way.

Note that what may be ‘reliable enough’ for the debugger is not necessarily reliable enough for running a production system on. There are various pieces of kd support logic that, while they try, are not (or cannot be) 100% bulletproof because the debugger may interrupt the system at nearly any point in time.

- S

-----Original Message-----
From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of xxxxx@yahoo.com
Sent: Tuesday, December 14, 2010 12:35 PM
To: Windows System Software Devs Interest List
Subject: RE:[ntdev] Safely reading virtual memory from kernel mode

Actually, I goofed, but am still curious. The bug that originally led me to this question was a bug in a coworker’s code that caused a BSOD on MmProbeAndLockPages passing in KernelMode. I’m familiar with how MmProbeAndLockPages is meant to be used for validation of pointers from user mode, but it just got me thinking about how WinDbg CAN handle this case.

Closer examination of his code revealed that it was a block he allocated. Still tracking the bug, but it seems the entire ProbeAndLock is unnecessary (perhaps an attempt to hide some other bug).

This still leaves me curious though. WinDbg can obviously do it. It is also obviously feasible for ntos to implement this functionality. I’m just curious if it is implemented in some exported way.
