Subject: ZwWriteVirtualMemory()

I don't know if I get it right, but if you want to mimic the functionality of ZwWriteVirtualMemory in your driver, maybe the best help you can get is to trace this API in a system debugger. Also you should understand execution contexts in Windows NT. A KPROCESS also does not refer to an "application, DLL or whatever". A process is a system object which consists of a memory context and a collection of system resources accessible from its context. A process is not a DLL or an executable image.

There is little sense in replacing ZwWriteVirtualMemory if you only need, from user mode, from process (A), to access the address space of process (B). You'll only duplicate ZwWrite… functionality and you'll make it slower, since ZwWrite… uses a dispatching mechanism based on interrupts, while you will be forced to use IRPs.

On the other hand you might need to access a certain process's user mode address space from any arbitrary context, from kernel mode.

First you should get a pointer to the KPROCESS representing the target process. You can obtain a pointer to a KPROCESS from a PID or a HANDLE. Once you get a KPROCESS, attach to it by calling KeAttachProcess(KPROCESS Target). Upon return from this call, the user mode address space is switched and it actually belongs to the target process. So you now have access from an arbitrary execution context to the private mappings of the target process. You can now do the required processing on this address space, either through MDLs or directly (yes, sometimes it is possible). Once you're done you should immediately call KeDetachProcess(void), which will revert the lower 2GB mappings to the original ones. Keep in mind that on NT 4.0 process attach operations are not stackable. Once you have called KeAttachProcess() you cannot invoke it again until you have performed a detach operation. Win2k introduces KeAttachProcessWithStack, but you'll not be able to use it if you want to have backward compatibility in your driver.

Again my advice is to trace ZwWriteVirtualMemory to see it at work.
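The attach/process/detach sequence described above, as an added example that is not part of the original post: Windows kernel-mode C built against the WDK, using the KeAttachProcess/KeDetachProcess pair the post discusses. The function name WriteToProcessUserSpace and its parameters are my own; it assumes the caller runs at PASSIVE_LEVEL and that the source buffer lives in kernel memory, since after the attach the caller's own user-mode pages are no longer mapped.

```c
/* Constructed example (not from the original post): write a kernel-resident
 * buffer into another process's user-mode address space by attaching to it.
 * Builds against the WDK; function name and signature are assumptions. */
#include <ntifs.h>
#include <ntddk.h>

NTSTATUS
WriteToProcessUserSpace(
    _In_ HANDLE TargetPid,                        /* PID of process (B) */
    _In_ PVOID  TargetAddress,                    /* user-mode address inside (B) */
    _In_reads_bytes_(Length) PVOID KernelSource,  /* must be kernel memory, e.g. NonPagedPool */
    _In_ SIZE_T Length)
{
    PEPROCESS process;
    NTSTATUS  status;

    /* PID -> referenced EPROCESS. KPROCESS is its first member, so the cast below
     * is what the attach call wants. The reference keeps (B) alive while attached. */
    status = PsLookupProcessByProcessId(TargetPid, &process);
    if (!NT_SUCCESS(status)) {
        return status;
    }

    /* Switch the lower (user-mode) part of the address space to the target.
     * Not stackable on NT 4.0: no second KeAttachProcess before KeDetachProcess. */
    KeAttachProcess((PKPROCESS)process);

    __try {
        /* Validate the user range before touching it; raises on a kernel-range
         * or misaligned address. A page that is not committed faults during the
         * copy instead, which the same handler catches. */
        ProbeForWrite(TargetAddress, Length, sizeof(UCHAR));
        RtlCopyMemory(TargetAddress, KernelSource, Length);
        status = STATUS_SUCCESS;
    } __except (EXCEPTION_EXECUTE_HANDLER) {
        status = GetExceptionCode();
    }

    /* Detach on every path (success or fault), then drop the reference taken above. */
    KeDetachProcess();
    ObDereferenceObject(process);
    return status;
}
```

A caller that captured KernelSource from its own user-mode buffer must copy it into pool before calling this, because that user buffer is unreachable between KeAttachProcess and KeDetachProcess.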

