Some questions

Good day to all driver gurus ;-)))

I have some questions on different aspects of driver programming.

  1. Will the information (especially ImageBase and ImageSize) passed into
    NotifyRoutine() (set by PsSetLoadImageNotifyRoutine()) function be valid
    later? If not how can I obtain ImageBase and ImageSize of a particular
    driver module using its name? I saw discussion about using KPEB technique
    but this is kinda unsafe. Does ImageSize parameter represent a continuous
    memory block into which some module loaded or not? I already tried to access
    memory at ImageBase for a specified driver from Dispatch routine of my
    driver (ImageBase and ImageSize for some other driver were previously saved
    during my driver loading at system startup) but I got BSOD with an error
    PAGED_FAULT_IN_NONPAGED_AREA. But I successfully accessed a memory block at
    ImageBase in the very NotifyRoutine() (I saved a memory block at ImageBase
    and of ImageSize using ZwWriteFile()). Can I assume that NotifyRoutine() is
    called at PASSIVE_LEVEL or I?m wrong? It?s a pity but Microsoft docs say
    nothing about this?

  2. When I call dispatch routine in my driver (IRP_MJ_DEVICE_CONTROL) with
    METHOD_BUFFERED I have two pointers to my buffer: user mode buffer pointer
    and kernel mode buffer (which is a copy of my user mode buffer) pointer. Can
    I use these pointers without any additional translation from my driver
    dispatch routine? Is memory block pointed by user mode pointer accessible
    for direct read/write operation from dispatch routine?

  3. Can I use ZwXXXFile() functions from my dispatch routine
    (IRP_MJ_DEVICE_CONTROL)?

  4. In general can I access some kernel mode addresses from my dispatch
    routine (IRP_MJ_DEVICE_CONTROL) and do I need to translate or map these
    addresses into my thread context?

Excuse me for my probably dumb questions but I rarely write drivers for my
own purposes and constantly forget many details.
Many thanks beforehand. Your replies will be much appreciated.

Konstantin Manurin
Programmer
Nival Interactive
mailto:xxxxx@nival.com

10a bld. 5, 1st Volokolamsky proezd
Moscow 123060 Russia
Tel: +7 (095) 363-9630
Fax: +7 (095) 363-9631
http://www.nival.com
http://www.etherlords.com
http://www.evil-islands.com

>> “Konstantin Manurin” wrote in message
>> news:xxxxx@ntdev…
>> Good day to all driver gurus ;-)))
>>
>> I have some questions on different aspects of driver programming.
>>
>> 1. Will the information (especially ImageBase and ImageSize) passed into
>> NotifyRoutine() (set by PsSetLoadImageNotifyRoutine())
>> function be valid later? If not how can I obtain ImageBase and ImageSize
>> of a particular driver module using its name? I saw discussion
>> about using KPEB technique but this is kinda unsafe. Does ImageSize
>> parameter represent a continuous memory block into which some
>> module loaded or not? I already tried to access memory at ImageBase for
>> a specified driver from Dispatch routine of my driver
>> (ImageBase and ImageSize for some other driver were previously saved
>> during my driver loading at system startup) but I got BSOD with
>> an error PAGE_FAULT_IN_NONPAGED_AREA. But I successfully accessed a
>> memory block at ImageBase in the very
>> NotifyRoutine() (I saved a memory block at ImageBase and of ImageSize
>> using ZwWriteFile()). Can I assume that NotifyRoutine() is
>> called at PASSIVE_LEVEL or I’m wrong? It’s a pity but Microsoft docs say
>> nothing about this…

The notify callbacks are at PASSIVE_LEVEL. More information would be needed
to debug your BSOD.

>> 2. When I call dispatch routine in my driver (IRP_MJ_DEVICE_CONTROL) with
>> METHOD_BUFFERED I have two pointers to my
>> buffer: user mode buffer pointer and kernel mode buffer (which is a copy
>> of my user mode buffer) pointer. Can I use these pointers
>> without any additional translation from my driver dispatch routine? Is
>> memory block pointed by user mode pointer accessible for direct
>> read/write operation from dispatch routine?

You can use Irp->AssociatedIrp.SystemBuffer safely in your driver at anytime
for a method buffered request, as long as the request is active.

>> 3. Can I use ZwXXXFile() functions from my dispatch routine
>> (IRP_MJ_DEVICE_CONTROL)?

Yes.

>> 4. In general can I access some kernel mode addresses from my dispatch
>> routine (IRP_MJ_DEVICE_CONTROL) and do I need to
>> translate or map these addresses into my thread context?

No, there is only one kernel address space.


Don Burn (MVP, Windows DDK)
Windows 2k/XP/2k3 Filesystem and Driver Consulting
Remove StopSpam from the email to reply

Many thanks for your quick reply.

But what about Irp->UserBuffer? Can I directly read/write using this user
mode pointer from my dispatch routine during IRP_MJ_DEVICE_CONTROL? I know
that IoCompleteRequest() copies Irp->AssociatedIrp.SystemBuffer to the
Irp->UserBuffer after IRP is completed. I understand that my question is
silly but can I perform such operation by myself?

As concerns BSOD with PAGE_FAULT_IN_NONPAGED_AREA error during accessing
memory block at ImageBase from my IRP_MJ_DEVICE_CONTROL handler I examined
crash dump file and found out that memory at that address could not be read.
Strange but I supposed that ImageBase and ImageSize values passed into
LoadImageNotifyRoutine() will be valid till this module is unloaded. But if
a particular driver module is unloaded and loaded again, my
LoadImageNotifyRoutine() would update ImageBase and ImageSize values for
this particular driver. I may suppose that kernel loader can discard some
module sections (for example INIT, .reloc, .rsrc) but ImageBase points to
the EXE-header. And in this case will ImageSize describe a continuous memory
block with loaded driver module?

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Don Burn
Sent: Wednesday, January 19, 2005 4:19 PM
To: Windows System Software Devs Interest List
Subject: Re:[ntdev] Some questions

Questions? First check the Kernel Driver FAQ at
http://www.osronline.com/article.cfm?id=256

You are currently subscribed to ntdev as: xxxxx@nival.com
To unsubscribe send a blank email to xxxxx@lists.osr.com

“Konstantin Manurin” wrote in message
news:xxxxx@ntdev…
> Many thanks for your quick reply.
>
>
> But what about Irp->UserBuffer? Can I directly read/write using this user
> mode pointer from my dispatch routine during IRP_MJ_DEVICE_CONTROL? I know
> that IoCompleteRequest() copies Irp->AssociatedIrp.SystemBuffer to the
> Irp->UserBuffer after IRP is completed. I understand that my question is
> silly but can I perform such operation by myself?

If you want to write to user space directly use something other than
METHOD_BUFFERED.

> As concerns BSOD with PAGE_FAULT_IN_NONPAGED_AREA error during accessing
> memory block at ImageBase from my IRP_MJ_DEVICE_CONTROL handler I examined
> crash dump file and found out that memory at that address could not be read.
> Strange but I supposed that ImageBase and ImageSize values passed into
> LoadImageNotifyRoutine() will be valid till this module is unloaded. But if
> a particular driver module is unloaded and loaded again, my
> LoadImageNotifyRoutine() would update ImageBase and ImageSize values for
> this particular driver. I may suppose that kernel loader can discard some
> module sections (for example INIT, .reloc, .rsrc) but ImageBase points to
> the EXE-header. And in this case will ImageSize describe a continuous memory
> block with loaded driver module?
>
As I say more data is needed.


Don Burn (MVP, Windows DDK)
Windows 2k/XP/2k3 Filesystem and Driver Consulting
Remove StopSpam from the email to reply

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of
Konstantin Manurin
Sent: Wednesday, January 19, 2005 6:29 AM
To: Windows System Software Devs Interest List
Subject: RE: [ntdev] Some questions

> Many thanks for your quick reply.
>
> But what about Irp->UserBuffer? Can I directly read/write
> using this user mode pointer from my dispatch routine during
> IRP_MJ_DEVICE_CONTROL? I know that IoCompleteRequest() copies
> Irp->AssociatedIrp.SystemBuffer to the Irp->UserBuffer after
> IRP is completed. I understand that my question is silly but
> can I perform such operation by myself?

You can but why bother. You have to assume the user-mode application
will unmap these addresses at any time, so you have to probe them
yourself then wrap any access in a __try/__except block and convert any
exceptions into errors. And since the application can modify the buffer
contents, you have to copy out any data you’re going to read into kernel
memory so you can validate it.

Much easier to just let the kernel copy everything at once.

-p

I can’t say how to solve the problem; however I might be able to help with figuring out why you have it. But first a disclaimer, I’ve never actually used PsSetLoadImageNotifyRoutine so this all has to be taken with a grain of salt.

That said I can think of a couple of circumstances where the address in ImageBase might be invalid.

The first case I am thinking of occurs when a driver with an INIT section is loaded. As I understand it the INIT section is unmapped from memory after the DriverEntry routine returns. Therefore if the ImageBase address refers to this section then it’s not going to be valid for long.

Secondly, and sorry if this is too simplistic, what if the image was unloaded? Finally, I don’t know if the address that it gives you is in the system space. If it isn’t, are you taking care of the process context before touching the address?

I hope that is of some help.

Richard McNally

-----Original Message-----
From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of Don Burn
Sent: Thursday, 20 January 2005 1:10 AM
To: Windows System Software Devs Interest List
Subject: Re:[ntdev] Some questions


Thank you guys for your detailed replies.

I tried another method to query ImageBase and ImageSize of some particular
driver module. I used ZwQuerySystemInformation() call with
SystemModuleInformation class in my dispatch routine (this function and its
classes were described in “Windows 2000 Native API” book). I run my driver
on Windows XP SP1. But I received the same ImageBase and ImageSize as I do
in the LoadImageNotifyRoutine() earlier at system startup. By the way this
call returns information for kernel modules only (drivers and kernel DLLs +
NTDLL.DLL).

While in the LoadImageNotifyRoutine() I successfully saved a memory block
with ImageBase and ImageSize parameters using ZwWriteFile() and saw that
this block begins with EXE-header (as I expected and I understand that a
driver module is simply loaded into memory and not initialized yet, so all
allocated memory pages for this driver are still accessible for read at
least), but if I do it later when OS is up and running the system crashes
with PAGE_FAULT_IN_NONPAGED_AREA. I understood that
PAGE_FAULT_IN_NONPAGED_AREA was caused by accessing a freed memory page. So
how can I find out that some memory page in non-paged pool is not accessible
(I read that __try…__except() method cannot be applied to non-paged
memory)? It’s strange for me that OS also most likely frees a memory page
with a driver EXE-header, but sometimes I successfully saved a memory page
with EXE-header for a particular driver. Then I don’t understand what
ImageBase and ImageSize values really describe.

And for my curiosity: what is the purpose of MmBuildMdlForNonPagedPool()
function, is IoAllocateMdl() not enough? What’s the difference in operations
(lock, read/write access) with paged and non-paged memory in system context
(I don’t mean accessibility at IRQL >= DISPATCH_LEVEL)?

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of McNally, Richard
Sent: Thursday, January 20, 2005 2:36 AM
To: Windows System Software Devs Interest List
Subject: RE: [ntdev] Some questions

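As an added example (not code from this thread), a bounds-checked reader for the headers of an image copied from ImageBase, covering both Richard McNally's point about the INIT section and the question above about discarded sections and whether ImageSize describes one continuous block: it walks the section table and reports which parts of the [ImageBase, ImageBase + SizeOfImage) range are flagged IMAGE_SCN_MEM_DISCARDABLE, so a tool that captured the image at load time (as the ZwWriteFile dump above did) can tell which pages it should not expect to find mapped later. The PE32 header bytes are constructed inline to model a small driver with a resident .text and discardable INIT and .reloc sections; every function and type name here is the example's own.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define IMAGE_SCN_MEM_DISCARDABLE 0x02000000u
#define MAX_SECTIONS 16

typedef struct { char name[9]; uint32_t rva, vsize, chars; } section_t;
typedef struct { uint32_t section_alignment, size_of_image; uint16_t num_sections; section_t sec[MAX_SECTIONS]; } image_info_t;

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | ((uint32_t)rd16(p + 2) << 16); }
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *p, uint32_t v) { wr16(p, (uint16_t)v); wr16(p + 2, (uint16_t)(v >> 16)); }

/* Parse PE headers as they sit in memory (what a copy taken from ImageBase starts with).
 * Every read is bounds-checked against len, so a truncated or damaged header returns -1. */
int parse_image(const uint8_t *img, size_t len, image_info_t *info)
{
    memset(info, 0, sizeof *info);
    if (len < 0x40 || img[0] != 'M' || img[1] != 'Z') return -1;
    uint32_t pe = rd32(img + 0x3C);                               /* e_lfanew */
    if (pe > len || len - pe < 24 || memcmp(img + pe, "PE\0\0", 4) != 0) return -1;
    uint16_t nsec = rd16(img + pe + 6), opt_size = rd16(img + pe + 20);
    size_t opt = pe + 24;                                         /* optional header */
    if (nsec > MAX_SECTIONS || opt_size < 64 || len - opt < opt_size) return -1;
    if (rd16(img + opt) != 0x10b && rd16(img + opt) != 0x20b) return -1;  /* PE32 / PE32+ */
    info->section_alignment = rd32(img + opt + 32);
    info->size_of_image     = rd32(img + opt + 56);
    size_t sec = opt + opt_size;                                  /* section table, 40 bytes each */
    if (len - sec < (size_t)nsec * 40) return -1;
    info->num_sections = nsec;
    for (uint16_t i = 0; i < nsec; i++) {
        const uint8_t *s = img + sec + (size_t)i * 40;
        memcpy(info->sec[i].name, s, 8);                          /* name[8] stays NUL from memset */
        info->sec[i].vsize = rd32(s + 8);
        info->sec[i].rva   = rd32(s + 12);
        info->sec[i].chars = rd32(s + 36);
    }
    return 0;
}

/* Sections the loader may release once the driver has initialised. */
int count_discardable(const image_info_t *info)
{
    int n = 0;
    for (uint16_t i = 0; i < info->num_sections; i++) n += (info->sec[i].chars & IMAGE_SCN_MEM_DISCARDABLE) != 0;
    return n;
}

/* End RVA (rounded up to SectionAlignment) of the last non-discardable section: the part
 * of [ImageBase, ImageBase + SizeOfImage) a later reader can still reasonably expect mapped. */
uint32_t resident_end(const image_info_t *info)
{
    uint32_t end = 0, a = info->section_alignment ? info->section_alignment : 1;
    for (uint16_t i = 0; i < info->num_sections; i++) {
        const section_t *s = &info->sec[i];
        if (s->chars & IMAGE_SCN_MEM_DISCARDABLE) continue;
        uint32_t e = (s->rva + s->vsize + a - 1) / a * a;
        if (e > end) end = e;
    }
    return end;
}

static void put_section(uint8_t *s, const char *name, uint32_t rva, uint32_t vsize, uint32_t chars)
{
    memcpy(s, name, strlen(name) < 8 ? strlen(name) : 8);        /* caller zeroed the buffer */
    wr32(s + 8, vsize); wr32(s + 12, rva); wr32(s + 36, chars);
}

/* Constructed PE32 header (not a real driver): resident .text, INIT and .reloc discardable. */
size_t build_sample_image(uint8_t *buf, size_t cap)
{
    const size_t pe = 0x40, opt = pe + 24, opt_size = 224, sec = opt + opt_size, total = sec + 3 * 40;
    if (cap < total) return 0;
    memset(buf, 0, total);
    buf[0] = 'M'; buf[1] = 'Z';
    wr32(buf + 0x3C, (uint32_t)pe);
    memcpy(buf + pe, "PE\0\0", 4);
    wr16(buf + pe + 4, 0x014c); wr16(buf + pe + 6, 3); wr16(buf + pe + 20, (uint16_t)opt_size); /* Machine, NumberOfSections, SizeOfOptionalHeader */
    wr16(buf + opt, 0x10b);                                       /* PE32 magic */
    wr32(buf + opt + 32, 0x1000);                                 /* SectionAlignment */
    wr32(buf + opt + 56, 0x4000);                                 /* SizeOfImage */
    put_section(buf + sec,      ".text",  0x1000, 0x800, 0x60000020);  /* code|exec|read */
    put_section(buf + sec + 40, "INIT",   0x2000, 0x300, 0x62000020);  /* code|exec|read|discardable */
    put_section(buf + sec + 80, ".reloc", 0x3000, 0x100, 0x42000040);  /* data|read|discardable */
    return total;
}

/* Entry points over the constructed sample; a non-zero limit truncates the input. */
static int load_sample(image_info_t *info, size_t limit)
{
    uint8_t buf[512]; size_t n = build_sample_image(buf, sizeof buf);
    return parse_image(buf, (limit && limit < n) ? limit : n, info);
}
int      sample_parse_status(void)      { image_info_t i; return load_sample(&i, 0); }
int      truncated_parse_status(void)   { image_info_t i; return load_sample(&i, 0x60); }
uint32_t sample_size_of_image(void)     { image_info_t i; load_sample(&i, 0); return i.size_of_image; }
int      sample_discardable_count(void) { image_info_t i; load_sample(&i, 0); return count_discardable(&i); }
uint32_t sample_resident_end(void)      { image_info_t i; load_sample(&i, 0); return resident_end(&i); }

int main(void) { printf("SizeOfImage=0x%x, resident through RVA 0x%x, %d discardable section(s)\n", (unsigned)sample_size_of_image(), (unsigned)sample_resident_end(), sample_discardable_count()); return 0; }
```

On the constructed sample the headers claim a 0x4000-byte image, but only the first 0x2000 bytes are backed by a section that is not marked discardable; the `truncated_parse_status` path shows the reader refusing a header cut off before the section table rather than reading past the end of what was captured.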

IIRC ImageBase is a field in the DRIVER_OBJECT structure.

Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com

----- Original Message -----
From: “Konstantin Manurin”
To: “Windows System Software Devs Interest List”
Sent: Friday, January 21, 2005 2:09 PM
Subject: RE: [ntdev] Some questions
