Thank you guys for your detailed replies.
I tried another method to query the ImageBase and ImageSize of a particular
driver module. I used the ZwQuerySystemInformation() call with the
SystemModuleInformation class in my dispatch routine (this function and its
classes were described in the “Windows 2000 Native API” book). I ran my driver
on Windows XP SP1, but I received the same ImageBase and ImageSize as I did
in the LoadImageNotifyRoutine() earlier at system startup. By the way, this
call returns information for kernel modules only (drivers and kernel DLLs +
NTDLL.DLL).
While in the LoadImageNotifyRoutine() I successfully saved a memory block
with the ImageBase and ImageSize parameters using ZwWriteFile() and saw that
this block begins with an EXE header (as I expected; I understand that the
driver module is simply loaded into memory and not initialized yet, so all
memory pages allocated for this driver are still accessible, at least for
reading), but if I do it later when the OS is up and running, the system
crashes with PAGE_FAULT_IN_NONPAGED_AREA. I understood that
PAGE_FAULT_IN_NONPAGED_AREA was caused by accessing a freed memory page. So
how can I find out that some memory page in non-paged pool is not accessible
(I read that the __try…__except() method cannot be applied to non-paged
memory)? It is strange to me that the OS most likely also frees the memory
page with the driver’s EXE header, yet sometimes I successfully saved the
memory page with the EXE header for a particular driver. Then I don’t
understand what the ImageBase and ImageSize values really describe.
And out of curiosity: what is the purpose of the MmBuildMdlForNonPagedPool()
function; is IoAllocateMdl() not enough? What’s the difference in operations
(lock, read/write access) with paged and non-paged memory in system context
(I don’t mean accessibility at IRQL >= DISPATCH_LEVEL)?
-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of McNally, Richard
Sent: Thursday, January 20, 2005 2:36 AM
To: Windows System Software Devs Interest List
Subject: RE: [ntdev] Some questions
I can’t say how to solve the problem; however, I might be able to help with
figuring out why you have it. But first a disclaimer: I’ve never actually
used PsSetLoadImageNotifyRoutine, so this all has to be taken with a grain of
salt.
That said, I can think of a couple of circumstances where the address in
ImageBase might be invalid.
The first case I am thinking of occurs when a driver with an INIT section is
loaded. As I understand it, the INIT section is unmapped from memory after
the DriverEntry routine returns. Therefore, if the ImageBase address refers
to this section then it’s not going to be valid for long.
Secondly, and sorry if this is too simplistic, what if the image unloaded?
Finally, I don’t know if the address that it gives you is in system
space. If it isn’t, are you taking care of the process context before
touching the address?
I hope that is of some help.
Richard McNally
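As an added illustration of the INIT-section point above (and of the earlier question about which pages inside the ImageBase/ImageSize range can still be read after startup), here is example code that is not from the thread or from any of the posters. It walks the PE section table of an in-memory driver image, classifies every page as headers, resident section, discardable section (IMAGE_SCN_MEM_DISCARDABLE, the flag INIT carries) or outside the image, and copies only the pages that stay mapped after DriverEntry returns. The header structs mirror the winnt.h layout so it builds without the WDK; the 4 KB page size, the little-endian host, and the three-page sample image in sample_image() (with a .text and an INIT section) are constructed assumptions, not a real driver.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* PE constants and header fields this example needs, laid out as in winnt.h so
 * it builds outside the WDK. Assumptions: little-endian host, 4 KB pages (x86). */
#define IMAGE_DOS_SIGNATURE        0x5A4D
#define IMAGE_NT_SIGNATURE         0x00004550
#define IMAGE_SCN_CNT_CODE         0x00000020
#define IMAGE_SCN_MEM_DISCARDABLE  0x02000000   /* how INIT is flagged */
#define IMAGE_SCN_MEM_EXECUTE      0x20000000
#define IMAGE_SCN_MEM_READ         0x40000000
#define PAGE                       0x1000
#define SAMPLE_IMAGE_SIZE          (3 * PAGE)
#pragma pack(push, 1)
typedef struct { uint16_t e_magic; uint8_t reserved[58]; int32_t e_lfanew; } dos_hdr_t;
typedef struct {                    /* PE signature + IMAGE_FILE_HEADER */
    uint32_t Signature; uint16_t Machine, NumberOfSections; uint32_t TimeDateStamp,
    PointerToSymbolTable, NumberOfSymbols; uint16_t SizeOfOptionalHeader, Characteristics;
} nt_hdr_t;
typedef struct {                    /* IMAGE_SECTION_HEADER, 40 bytes */
    uint8_t Name[8]; uint32_t VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData,
    PointerToRelocations, PointerToLinenumbers; uint16_t NumberOfRelocations,
    NumberOfLinenumbers; uint32_t Characteristics;
} sec_hdr_t;
#pragma pack(pop)

typedef enum { RANGE_HEADERS, RANGE_RESIDENT, RANGE_DISCARDABLE, RANGE_OUTSIDE } range_kind_t;

/* Section table of a loaded image, bounds-checked against ImageSize; NULL if
 * the bytes at 'base' are not a well-formed PE header. */
static const sec_hdr_t *section_table(const uint8_t *base, size_t image_size, uint16_t *count)
{
    const dos_hdr_t *dos = (const dos_hdr_t *)base;
    if (image_size < sizeof *dos || dos->e_magic != IMAGE_DOS_SIGNATURE) return NULL;
    if (dos->e_lfanew < 0 || (size_t)dos->e_lfanew + sizeof(nt_hdr_t) > image_size) return NULL;
    const nt_hdr_t *nt = (const nt_hdr_t *)(base + dos->e_lfanew);
    if (nt->Signature != IMAGE_NT_SIGNATURE) return NULL;
    size_t off = (size_t)dos->e_lfanew + sizeof *nt + nt->SizeOfOptionalHeader;
    if (off + (size_t)nt->NumberOfSections * sizeof(sec_hdr_t) > image_size) return NULL;
    *count = nt->NumberOfSections;
    return (const sec_hdr_t *)(base + off);
}

/* Classify one RVA within [ImageBase, ImageBase + ImageSize). Section sizes are
 * rounded up to whole pages: the loader maps, and later discards, whole pages. */
range_kind_t classify_rva(const uint8_t *base, size_t image_size, uint32_t rva)
{
    uint16_t n;
    const sec_hdr_t *sec = section_table(base, image_size, &n);
    if (!sec || rva >= image_size) return RANGE_OUTSIDE;
    for (uint16_t i = 0; i < n; i++) {
        size_t size = ((size_t)sec[i].VirtualSize + PAGE - 1) & ~(size_t)(PAGE - 1);
        if (rva >= sec[i].VirtualAddress && rva - sec[i].VirtualAddress < size)
            return (sec[i].Characteristics & IMAGE_SCN_MEM_DISCARDABLE)
                   ? RANGE_DISCARDABLE : RANGE_RESIDENT;
    }
    return (n == 0 || rva < sec[0].VirtualAddress) ? RANGE_HEADERS : RANGE_OUTSIDE;
}

/* Save only what is still mapped after DriverEntry: headers plus every
 * non-discardable section. Pages of discardable sections (INIT) are never read
 * and stay zero in 'dst'. dst == NULL only measures. Returns bytes copied. */
size_t dump_resident(const uint8_t *base, size_t image_size, uint8_t *dst)
{
    size_t copied = 0;
    if (dst) memset(dst, 0, image_size);
    for (size_t off = 0; off < image_size; off += PAGE) {
        range_kind_t k = classify_rva(base, image_size, (uint32_t)off);
        if (k != RANGE_HEADERS && k != RANGE_RESIDENT) continue;
        size_t n = image_size - off < PAGE ? image_size - off : PAGE;
        if (dst) memcpy(dst + off, base + off, n);
        copied += n;
    }
    return copied;
}

/* Constructed stand-in for a loaded driver (not a real image): a headers page,
 * a resident .text page and a discardable INIT section. */
const uint8_t *sample_image(void)
{
    static uint8_t img[SAMPLE_IMAGE_SIZE];
    dos_hdr_t *dos = (dos_hdr_t *)img;
    nt_hdr_t *nt = (nt_hdr_t *)(img + 0x80);
    sec_hdr_t *sec = (sec_hdr_t *)(img + 0x80 + sizeof *nt + 0xE0);
    dos->e_magic = IMAGE_DOS_SIGNATURE; dos->e_lfanew = 0x80;
    nt->Signature = IMAGE_NT_SIGNATURE; nt->NumberOfSections = 2;
    nt->SizeOfOptionalHeader = 0xE0;                  /* PE32 optional header */
    memcpy(sec[0].Name, ".text", 5); sec[0].VirtualAddress = PAGE; sec[0].VirtualSize = PAGE;
    sec[0].Characteristics = IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ;
    memcpy(sec[1].Name, "INIT", 4); sec[1].VirtualAddress = 2 * PAGE; sec[1].VirtualSize = 0x300;
    sec[1].Characteristics = sec[0].Characteristics | IMAGE_SCN_MEM_DISCARDABLE;
    memset(img + PAGE, 0xCC, PAGE); memset(img + 2 * PAGE, 0xEE, 0x300);  /* stand-in code */
    return img;
}

int main(void)
{
    static const char *names[] = { "headers", "resident", "discardable", "outside" };
    const uint8_t *img = sample_image();
    for (uint32_t rva = 0; rva < SAMPLE_IMAGE_SIZE; rva += 0x800)
        printf("rva 0x%04x: %s\n", rva, names[classify_rva(img, SAMPLE_IMAGE_SIZE, rva)]);
    printf("safe to save: %zu of %d bytes\n", dump_resident(img, SAMPLE_IMAGE_SIZE, NULL), SAMPLE_IMAGE_SIZE);
    return 0;
}
```

In a driver the same walk would run over the ImageBase/ImageSize pair saved by the notify routine, and the ZwWriteFile() would cover only the ranges classify_rva() reports as headers or resident. The point is that the section table tells you in advance which pages the loader is going to free after DriverEntry, so you never have to probe them: MmIsAddressValid() only answers for the instant it is called, and a __try/__except block does not catch a fault on a kernel-mode address. The INIT section of the sample image is 0x300 bytes but occupies a whole page, which is why the classification rounds VirtualSize up to the page size.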
-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Don Burn
Sent: Thursday, 20 January 2005 1:10 AM
To: Windows System Software Devs Interest List
Subject: Re:[ntdev] Some questions
“Konstantin Manurin” wrote in message
news:xxxxx@ntdev…
> Many thanks for your quick reply.
>
>
> But what about Irp->UserBuffer? Can I directly read/write using this user
> mode pointer from my dispatch routine during IRP_MJ_DEVICE_CONTROL? I know
> that IoCompleteRequest() copies Irp->AssociatedIrp.SystemBuffer to the
> Irp->UserBuffer after the IRP is completed. I understand that my question is
> silly, but can I perform such an operation by myself?
If you want to write to user space directly, use something other than
METHOD_BUFFERED.
> As concerns the BSOD with PAGE_FAULT_IN_NONPAGED_AREA error when accessing
> the memory block at ImageBase from my IRP_MJ_DEVICE_CONTROL handler, I
> examined the crash dump file and found out that the memory at that address
> could not be read.
> Strange, but I supposed that the ImageBase and ImageSize values passed into
> LoadImageNotifyRoutine() would be valid till this module is unloaded. But if
> a particular driver module is unloaded and loaded again, my
> LoadImageNotifyRoutine() would update the ImageBase and ImageSize values for
> this particular driver. I may suppose that the kernel loader can discard some
> module sections (for example INIT, .reloc, .rsrc), but ImageBase points to
> the EXE header. And in this case, will ImageSize describe a continuous memory
> block with the loaded driver module?
>
As I say, more data is needed.
–
Don Burn (MVP, Windows DDK)
Windows 2k/XP/2k3 Filesystem and Driver Consulting
Remove StopSpam from the email to reply
—
Questions? First check the Kernel Driver FAQ at
http://www.osronline.com/article.cfm?id=256
You are currently subscribed to ntdev as:
xxxxx@dsto.defence.gov.au
To unsubscribe send a blank email to xxxxx@lists.osr.com