Tracking memory allocations by a driver

Hi,

I want to track the memory allocations by a target driver and then monitor which other drivers access this memory during data transfers and control message exchanges. To track memory allocations, I hook the system functions “ExAllocatePool, ExAllocatePoolWithQuota, ExAllocatePoolWithQuotaTag, ExAllocatePoolWithTag, ExAllocatePoolWithTagPriority” and collect a log when these functions are called by the target driver. Can you please tell me whether these are the only functions used by the drivers (more specifically, ps2, xhci, etc.) for allocating data and control buffers? Or do I have to hook other functions like MmAllocateContiguousMemory, etc.?

Thanks.

xxxxx@gmail.com wrote:

> I want to track the memory allocations by a target driver and then monitor which other drivers access this memory during data transfers and control message exchanges

How do you expect to track memory accesses by other drivers? There are
certainly no APIs to do so.

> To track memory allocations, I hook the system functions “ExAllocatePool, ExAllocatePoolWithQuota, ExAllocatePoolWithQuotaTag, ExAllocatePoolWithTag, ExAllocatePoolWithTagPriority” and collect a log when these functions are called by the target driver.

How are you going to know which driver called these functions? In many
cases, drivers call kernel APIs that in turn call these functions. Are
you going to catch those?

> Can you please tell me whether these are the only functions used by the drivers (more specifically, ps2, xhci, etc.) for allocating data and control buffers? Or do I have to hook other functions like MmAllocateContiguousMemory, etc.?

How do you define “data and control buffers”? As opposed to what?

How anal do you want to be? There’s also ExAllocateFromLookasideListEx
and ExAllocateFromPagedLookasideListEx. They will call the ExAllocate
primitive to allocate big chunks, then hand out smaller pieces. APIs
like IoAllocateMdl and IoAllocateIrp also allocate memory.


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

To add to what Tim said, there are drivers that allocate memory with
ZwAllocateVirtualMemory, set up buffers for some item in device extensions,
in WDF contexts, or even in statically allocated memory in the driver. You
are not going to be able to track the memory usage, let alone the access.

It’s time to go back to the standard question that we ask on this group,
when we get requests that are ridiculous, namely “What are you really trying
to do?” Right now your question falls into the category described here:
http://www.osronline.com/downloads/pp_asking.pdf

Don Burn
Windows Driver Consulting
Website: http://www.windrvr.com

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Tim Roberts
Sent: Thursday, January 22, 2015 1:38 PM
To: Windows System Software Devs Interest List
Subject: Re: [ntdev] Tracking memory allocations by a driver

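Tim's and Don's lists above are the practical problem for a hook on the pool primitives: the call that reaches ExAllocatePoolWithTag is not always made by the driver, and some driver buffers never reach an allocator at all. The following is an added example written for this page, not code from the thread, from OSR or from Windows: a user-mode C model with hypothetical stand-ins for the pool primitive, a lookaside list, IoCreateDevice and a driver's static buffer. It assumes the documented shape of those routines (a lookaside list hands back a cached freed entry without calling the pool allocator, and ExAllocateFromLookasideListEx is an exported kernel routine, so a return-address based hook sees the kernel, not the driver, as the caller). The allocation records it logs are constructed by the model, not captured from a real system.

```c
/*
 * Added example (not Windows or OSR code): a user-mode model of why hooking
 * only the ExAllocatePool* primitives gives an incomplete picture.  "pool",
 * "lookaside list", "IoCreateDevice" and "driver" below are hypothetical
 * stand-ins with the same shape as the kernel behaviour the thread describes:
 *  - a lookaside list caches freed entries and calls the pool primitive only on a miss;
 *  - the caller seen at the primitive is whoever called it, not necessarily the driver;
 *  - a buffer in a static array in the driver image never touches an allocator.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_RECORDS 64
#define ENTRY_SIZE  256

struct alloc_record {
    void       *base;
    size_t      size;
    const char *tag;     /* pool tag, e.g. "Kbd " */
    const char *caller;  /* routine that invoked the primitive: what a hook would log */
};

static struct alloc_record records[MAX_RECORDS];  /* the hook's log (constructed here) */
static int record_count;

/* Stand-in for a hooked ExAllocatePoolWithTag: every call that reaches it is logged. */
static void *pool_alloc(size_t size, const char *tag, const char *caller)
{
    if (record_count == MAX_RECORDS)
        return NULL;
    void *p = malloc(size);
    if (!p)
        return NULL;
    records[record_count++] = (struct alloc_record){ p, size, tag, caller };
    return p;
}

int hook_event_count(void) { return record_count; }

/* What a VMM access callback needs: map a touched address to the logged allocation. */
int track_lookup(const void *addr)
{
    for (int i = 0; i < record_count; i++) {
        const char *b = records[i].base;
        if ((const char *)addr >= b && (const char *)addr < b + records[i].size)
            return i;
    }
    return -1;  /* not inside any allocation the hook ever saw */
}

const char *tracker_caller(int idx)
{
    return (idx >= 0 && idx < record_count) ? records[idx].caller : NULL;
}

/* Minimal lookaside model: freed entries are cached, not returned to the pool. */
static void *lookaside_free_list;   /* singly linked through the entry's first pointer */

void *lookaside_alloc(void)
{
    if (lookaside_free_list) {        /* cache hit: no primitive call, so no hook event */
        void *e = lookaside_free_list;
        lookaside_free_list = *(void **)e;
        return e;
    }
    /* cache miss: the primitive runs, and the caller it sees is the lookaside routine */
    return pool_alloc(ENTRY_SIZE, "Look", "ExAllocateFromLookasideListEx");
}

void lookaside_free(void *e)
{
    *(void **)e = lookaside_free_list;
    lookaside_free_list = e;
}

/* Device extension: the driver's buffer lives inside memory IoCreateDevice allocated. */
struct device_extension { char control_buffer[64]; };

struct device_extension *create_device_model(void)
{
    return pool_alloc(sizeof(struct device_extension), "Devi", "IoCreateDevice");
}

/* Static buffer in the driver image: no allocator is ever involved. */
static char driver_static_buffer[128];
void *driver_static_buffer_addr(void) { return driver_static_buffer; }

int main(void)
{
    void *a = lookaside_alloc();
    lookaside_free(a);
    void *b = lookaside_alloc();          /* same entry back, hook never fired again */
    printf("events after two lookaside allocs: %d (same entry: %s)\n",
           hook_event_count(), a == b ? "yes" : "no");
    printf("caller logged for that entry: %s\n", tracker_caller(track_lookup(b)));

    struct device_extension *dx = create_device_model();
    int idx = track_lookup(dx->control_buffer);
    printf("control_buffer is inside record %d, logged as %s\n", idx, tracker_caller(idx));
    printf("static buffer lookup: %d\n", track_lookup(driver_static_buffer_addr()));
    return 0;
}
```

The three checks in main are the cases a pool-primitive hook gets wrong: a lookaside cache hit produces no event, the device extension's buffer is logged under IoCreateDevice rather than the driver, and the static buffer is never logged. The header-inlined lookaside routines (ExAllocateFromNPagedLookasideList is inline in wdm.h) are the mirror case: there the primitive is called from the driver's own code, so attribution is right, but cache hits are still invisible.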

Thanks for your reply Tim.

> How do you expect to track memory accesses by other drivers? There are certainly no APIs to do so.
> How are you going to know which driver called these functions?

I am utilizing a VMM-based mechanism to hook a system function, memory range, etc. In the callback function, I get information like the caller module, the accessed memory address within the range, etc. Maybe I should have asked a more concise and pointed question. Sorry for the confusion.

> In many cases, drivers call kernel APIs that in turn call these functions. Are you going to catch those?
> There’s also ExAllocateFromLookasideListEx and ExAllocateFromPagedLookasideListEx. They will call the ExAllocate primitive to allocate big chunks, then hand out smaller pieces. APIs like IoAllocateMdl and IoAllocateIrp also allocate memory.

I actually wanted to know this kind of information. I found a number of memory allocation functions (Memory Manager routines, Executive Library Support routines) in MSDN but am not sure whether I have to hook all these functions. Or what are the kernel APIs, as you mentioned, that a driver may use to allocate memory?

> How do you define “data and control buffers”? As opposed to what?

By data buffer, I mean the memory used by a driver to send data to/receive data from the device.

Thanks.