Hi
I’m new to filter drivers and I want to hook some calls
like ZwCreateFile for the file system and ZwCreateKey for
the registry and change the ObjectName of the ObjectAttributes
parameter.
Correct me if I’m wrong, but I need to create a new memory
buffer for the ObjectName in the process context… for this,
I use CreateAndMapMemory() from
http://www.osr.com/ntinsider/2000/sharing_memory.htm.
Then, I need to unmap this memory with MmUnmapLockedPages.
For now, I keep one pointer per process and unmap it before
each map (in CreateAndMapMemory()). I have only one mapped
memory per process at the same time. Everything works fine
for the file system, but when I hook ZwCreateKey and I do
“F5” (refresh) in regedit, it crashes the system. On the other
hand, if I “forget” to unmap the memory (removing the
MmUnmapLockedPages line) everything works fine too.
So, can you tell me where I’m supposed to unmap this memory
and, do I really need to unmap it? (When will it be automatically
flushed? Never?)
Thanks
Nicolas
Is it your wish when you hook the call to replace the ObjectName before
you pass to the real provider (file system, registry), and when the real
provider returns to you, then replace the original name back? If so, I
can’t see why you can’t just allocate some pool using
ExAllocatePoolWithTag(…) for your modified name as you process the call,
and free the pool using ExFreePool(), as you process the return. This sure
seems a lot easier!
Hello
I have something like this:

    NTSTATUS Hook_ZwCreateFile(param…, POBJECT_ATTRIBUTES ObjectAttributes, …)
    {
        OBJECT_ATTRIBUTES NewObj;                    /* copy carrying the rewritten ObjectName */
        ChangeObjectName(ObjectAttributes, &NewObj); /* builds the substitute name */
        /* Forward to the saved original with the substituted attributes. */
        return RealZwCreateFile(param…, &NewObj, …);
    }

So, every call to ZwCreateFile is redirected to Hook_ZwCreateFile, then
I change the ObjectName and pass everything to the real provider. The real
provider never returns to me, but returns to the user. If I do what you said
and test it with a little C++ (user mode) program that only opens a file, I
get an error like “Cannot access memory”.
Thanks
Nicolas
-----Original Message-----
From: Lyndon J. Clarke [mailto:xxxxx@neverfailgroup.com]
Sent: October 3, 2003 5:37 AM
To: Windows File Systems Devs Interest List
Subject: [ntfsd] Re: Sharing Memory Between Drivers and Applications
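The allocate-substitute-call-free pattern Lyndon describes, as an added user-mode C mock that is not code from this thread or from any driver: the kernel structures (MOCK_UNICODE_STRING, MOCK_OBJECT_ATTRIBUTES), the pool functions and the "real" provider are constructed stand-ins so the block runs offline, and the prefix rewrite from `\??\C:\` to `\??\D:\sandbox\` is a made-up example. What it shows is the lifetime discipline at the centre of the thread: the hook owns the substitute buffer, the original provider does return into the hook frame (the hook's own `return` statement is the proof), and the buffer is freed there, so the outstanding-allocation counter reads zero after every call and there is nothing left to unmap later.

```c
#include <stdlib.h>
#include <string.h>
#include <wchar.h>

/* Constructed stand-ins for the kernel structures; they mirror
 * UNICODE_STRING / OBJECT_ATTRIBUTES only as far as this example needs. */
typedef struct {
    unsigned short Length;        /* bytes, not counting the terminator */
    unsigned short MaximumLength; /* bytes available in Buffer */
    wchar_t *Buffer;
} MOCK_UNICODE_STRING;

typedef struct {
    MOCK_UNICODE_STRING *ObjectName;
} MOCK_OBJECT_ATTRIBUTES;

/* Counter standing in for pool accounting: it must read 0 after every hooked call. */
static int g_outstanding = 0;
static void *mock_pool_alloc(size_t n) { g_outstanding++; return malloc(n); }
static void  mock_pool_free(void *p)   { g_outstanding--; free(p); }

/* Stand-in for the saved original provider; it only records the name it was given. */
static wchar_t g_name_seen_by_provider[260];
static long mock_real_create(MOCK_OBJECT_ATTRIBUTES *oa)
{
    wcsncpy(g_name_seen_by_provider, oa->ObjectName->Buffer, 259);
    g_name_seen_by_provider[259] = L'\0';
    return 0; /* STATUS_SUCCESS */
}

/* If src starts with `from`, fill `out` with a fresh buffer holding `to` + remainder.
 * Returns 1 when a buffer was allocated (the caller owns it), 0 when no rewrite applies. */
static int rewrite_object_name(const MOCK_UNICODE_STRING *src, const wchar_t *from,
                               const wchar_t *to, MOCK_UNICODE_STRING *out)
{
    size_t src_chars  = src->Length / sizeof(wchar_t);
    size_t from_chars = wcslen(from), to_chars = wcslen(to);
    if (src_chars < from_chars || wcsncmp(src->Buffer, from, from_chars) != 0)
        return 0;
    size_t new_chars = to_chars + (src_chars - from_chars);
    wchar_t *buf = mock_pool_alloc((new_chars + 1) * sizeof(wchar_t));
    if (!buf)
        return 0;
    wmemcpy(buf, to, to_chars);
    wmemcpy(buf + to_chars, src->Buffer + from_chars, src_chars - from_chars);
    buf[new_chars] = L'\0';
    out->Buffer = buf;
    out->Length = (unsigned short)(new_chars * sizeof(wchar_t));
    out->MaximumLength = (unsigned short)((new_chars + 1) * sizeof(wchar_t));
    return 1;
}

/* The hook: substitute the name, call the real provider, free the substitute
 * once the provider has returned, then hand the provider's status back. */
static long hook_create(MOCK_OBJECT_ATTRIBUTES *oa, const wchar_t *from, const wchar_t *to)
{
    MOCK_OBJECT_ATTRIBUTES new_oa = *oa;      /* shallow copy keeps every other field */
    MOCK_UNICODE_STRING new_name;
    int rewritten = rewrite_object_name(oa->ObjectName, from, to, &new_name);
    if (rewritten)
        new_oa.ObjectName = &new_name;
    long status = mock_real_create(&new_oa);  /* control comes back here, not to the user */
    if (rewritten)
        mock_pool_free(new_name.Buffer);      /* the provider is done with the name */
    return status;
}

/* Entry point for the checks: runs one hooked call on a constructed path and
 * returns the name the provider actually saw. */
const wchar_t *hooked_open(const wchar_t *path, const wchar_t *from, const wchar_t *to)
{
    MOCK_UNICODE_STRING name = { (unsigned short)(wcslen(path) * sizeof(wchar_t)),
                                 (unsigned short)((wcslen(path) + 1) * sizeof(wchar_t)),
                                 (wchar_t *)path };
    MOCK_OBJECT_ATTRIBUTES oa = { &name };
    hook_create(&oa, from, to);
    return g_name_seen_by_provider;
}

int outstanding_allocations(void) { return g_outstanding; }
```

A path that does not match the prefix is passed through untouched with no allocation at all, so the same zero-outstanding check holds on that branch too; in a real driver the counter's role is played by pool tagging and Driver Verifier, which flag exactly the leak that "forgetting" the unmap produces.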