ZwMapViewOfSection causes access violation

folks,

I am trying to create a section and map a view of it in a kernel driver. Creation apparently goes fine, but mapping it causes a system crash (access violation). Details below. Thanks in advance for your help.

NTSTATUS Status;
HANDLE SectionHandle;
LARGE_INTEGER SectionSize;
SectionSize.HighPart = 0;
SectionSize.LowPart = 0x1000;

Status = ZwCreateSection(&SectionHandle, SECTION_ALL_ACCESS, NULL, &SectionSize, PAGE_EXECUTE_READWRITE, SEC_COMMIT, NULL);

I get back a handle in SectionHandle and Status is success; then when I go to create a map of it…

PVOID *DesiredBaseAddress = 0;
SIZE_T pSize;
Status = ZwMapViewOfSection(SectionHandle, IoGetCurrentProcess(), DesiredBaseAddress, 0, 0x1000, NULL, &pSize, ViewShare, 0, PAGE_EXECUTE_READWRITE);

I get an access violation…

1: kd> !analyze -v
Connected to Windows XP 2600 x86 compatible target at (Tue Jun 2 18:02:12.503 2009 (GMT-7)), ptr64 FALSE
Loading Kernel Symbols


Loading User Symbols

Loading unloaded module list

*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************
Unknown bugcheck code (0)
Unknown bugcheck description
Arguments:
Arg1: 00000000
Arg2: 00000000
Arg3: 00000000
Arg4: 00000000
Debugging Details:

*** ERROR: Module load completed but symbols could not be loaded for FSUtil.exe
*************************************************************************
***                                                                   ***
***                                                                   ***
***    Your debugger is not using the correct symbols                 ***
***                                                                   ***
***    In order for this command to work properly, your symbol path   ***
***    must point to .pdb files that have full type information.      ***
***                                                                   ***
***    Certain .pdb files (such as the public OS symbols) do not      ***
***    contain the required information.  Contact the group that      ***
***    provided you with these symbols if you need this command to    ***
***    work.                                                          ***
***                                                                   ***
***    Type referenced: kernel32!pNlsUserInfo                         ***
***                                                                   ***
*************************************************************************
*************************************************************************
***                                                                   ***
***                                                                   ***
***    Your debugger is not using the correct symbols                 ***
***                                                                   ***
***    In order for this command to work properly, your symbol path   ***
***    must point to .pdb files that have full type information.      ***
***                                                                   ***
***    Certain .pdb files (such as the public OS symbols) do not      ***
***    contain the required information.  Contact the group that      ***
***    provided you with these symbols if you need this command to    ***
***    work.                                                          ***
***                                                                   ***
***    Type referenced: kernel32!pNlsUserInfo                         ***
***                                                                   ***
*************************************************************************
PROCESS_NAME: Util.exe
FAULTING_IP:
nt!NtMapViewOfSection+100
805b0ace 8b0f mov ecx,dword ptr [edi]
EXCEPTION_RECORD: ffffffff -- (.exr 0xffffffffffffffff)
ExceptionAddress: 805b0ace (nt!NtMapViewOfSection+0x00000100)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 00000000
Parameter[1]: 00000000
Attempt to read from address 00000000
ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at "0x%08lx" referenced memory at "0x%08lx". The memory could not be "%s".
EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at "0x%08lx" referenced memory at "0x%08lx". The memory could not be "%s".
EXCEPTION_PARAMETER1: 00000000
EXCEPTION_PARAMETER2: 00000000
READ_ADDRESS: 00000000
FOLLOWUP_IP:
DD!MapViewOfSection+7d [c:\work\devicedriver\usercv.cpp @ 77]
f70c8a0d 8945f8 mov dword ptr [ebp-8],eax
BUGCHECK_STR: ACCESS_VIOLATION
DEFAULT_BUCKET_ID: NULL_DEREFERENCE
LAST_CONTROL_TRANSFER: from 8054060c to 805b0ace
STACK_TEXT:
f6373a9c 8054060c 000007a8 82bf8318 00000000 nt!NtMapViewOfSection+0x100
f6373a9c 804ff921 000007a8 82bf8318 00000000 nt!KiFastCallEntry+0xfc
f6373b3c f70c8a0d 000007a8 82bf8318 00000000 nt!ZwMapViewOfSection+0x11
f6373b80 f70c8b5e 000007a8 00000000 f6373ba8 DD!MapViewOfSection+0x7d [c:\work\devicedriver\usercv.cpp @ 77]
f6373bb4 f70c0b16 e1ac4e98 e1b5ef48 e1ac4e98 DD!Check+0x6e [c:\work\devicedriver\usercv.cpp @ 116]
f6373bc8 f70c6853 829f19c8 82cb57a0 8052a858 DD!CheckRegistration+0x26 [c:\work\devicedriver\util.cpp @ 1525]
f6373c14 f70c6fd9 002220f0 829db358 00000000 DD!Entry+0x53 [c:\work\devicedriver\iorw.cpp @ 57]
f6373c40 804eeeb1 82b7ba10 829cd940 806e4410 DD!DDDeviceIoControlDispatch+0x99 [c:\work\devicedriver\iorw.cpp @ 348]
f6373c50 8057e688 829cd9d4 82cd2028 829cd940 nt!IopfCallDriver+0x31
f6373c64 8057f4eb 82b7ba10 829cd940 82cd2028 nt!IopSynchronousServiceTail+0x60
f6373d00 8057804e 000007ac 00000000 00000000 nt!IopXxxControlFile+0x5c5
f6373d34 8054060c 000007ac 00000000 00000000 nt!NtDeviceIoControlFile+0x2a
f6373d34 7c90eb94 000007ac 00000000 00000000 nt!KiFastCallEntry+0xfc
0012fae0 7c90d8ef 7c801671 000007ac 00000000 ntdll!KiFastSystemCallRet
0012fae4 7c801671 000007ac 00000000 00000000 ntdll!ZwDeviceIoControlFile+0xc
0012fb44 0040e15f 000007ac 002220f0 00394ef0 kernel32!DeviceIoControl+0xdd
WARNING: Stack unwind information not available. Following frames may be wrong.
0012fb94 0040e3a6 002220f0 00394ef0 00000114 Util+0xe15f
0012fbec 7c801671 000007ac 00000000 00000000 Util+0xe3a6
0012fc30 0040bc4c 003920f4 0040aae0 00000001 kernel32!DeviceIoControl+0xdd
0012fc60 7c91056d 0012fcdc 00403e30 9ac9b2a0 Util+0xbc4c
0012fd1c 00000000 6f6e6d6c 00000001 00394ec0 ntdll!RtlFreeHeap+0x647

STACK_COMMAND: kb
FAULTING_SOURCE_CODE:
    73: return Status;
    74: }
    75: RequestedSize = *pSize;
    76:
>   77: Status = ZwMapViewOfSection(SectionHandle, IoGetCurrentProcess(), DesiredBaseAddress, 0, *pSize, NULL, pSize, ViewShare, 0, AccessFlags);
    78: if (!NT_SUCCESS(Status))
    79: {
    80: ASSERT(0);
    81: return Status;
    82: }

SYMBOL_STACK_INDEX: 3
SYMBOL_NAME: DD!MapViewOfSection+7d
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: DD
IMAGE_NAME: DD.sys
DEBUG_FLR_IMAGE_TIMESTAMP: 4a257978
FAILURE_BUCKET_ID: ACCESS_VIOLATION_DD!MapViewOfSection+7d
BUCKET_ID: ACCESS_VIOLATION_DD!MapViewOfSection+7d
Followup: MachineOwner

1: kd> .exr 0xffffffffffffffff
ExceptionAddress: 805b0ace (nt!NtMapViewOfSection+0x00000100)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 00000000
Parameter[1]: 00000000
Attempt to read from address 00000000

You are passing a PEPROCESS and not a process handle. IoGetCurrentProcess returns an internal process object pointer and not a handle to a process object (as required by ZwMapViewOfSection).

Also, note that ZwMapViewOfSection can only map a section view within user mode address space. Make sure that you consider how to handle accessing the contents of that section view accordingly.

- S

From: Bedanto
Sent: Tuesday, June 02, 2009 18:10
To: Windows System Software Devs Interest List
Subject: [ntdev] ZwMapViewOfSection causes access violation

—
NTDEV is sponsored by OSR

For our schedule of WDF, WDM, debugging and other seminars visit:
http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at http://www.osronline.com/page.cfm?name=ListServer

skywing,

Thanks for the clue. I used ZwCurrentProcess and the crash has stopped. But I still get STATUS_MAPPED_ALIGNMENT.

Below is how I call the functions NOW…

HANDLE SectionHandle;
LARGE_INTEGER SectionSize;
SectionSize.HighPart = 0;
SectionSize.LowPart = 0x1000;

OBJECT_ATTRIBUTES ObjectAttributes;
InitializeObjectAttributes(&ObjectAttributes, NULL, OBJ_KERNEL_HANDLE, NULL, NULL);
Status = ZwCreateSection(&SectionHandle, SECTION_ALL_ACCESS, &ObjectAttributes, &SectionSize, PAGE_EXECUTE_READWRITE, SEC_COMMIT, NULL);
PVOID DA;
SIZE_T CommitSize = 0x1000;
SIZE_T ViewSize = 0;
Status = ZwMapViewOfSection(SectionHandle, ZwCurrentProcess(), &DA, 0, CommitSize, NULL, &ViewSize, ViewShare, 0, PAGE_EXECUTE_READWRITE);

Am I getting this wrong?

> Also, note that ZwMapViewOfSection can only map a section view within user
> mode address space. Make sure that you consider how to handle accessing the
> contents of that section view accordingly.

Also, can you help me by letting me know how to achieve the above. I am in a kernel driver trying to map the current user process calling me.

thanks

b

On Tue, Jun 2, 2009 at 7:39 PM, Skywing wrote:

> You are passing a PEPROCESS and not a process handle. IoGetCurrentProcess
> returns an internal process object pointer and not a handle to a process
> object (as required by ZwMapViewOfSection).
>
> Also, note that ZwMapViewOfSection can only map a section view within user
> mode address space. Make sure that you consider how to handle accessing the
> contents of that section view accordingly.
>
> - S

Bedanto wrote:


> OBJECT_ATTRIBUTES ObjectAttributes;
> InitializeObjectAttributes(&ObjectAttributes, NULL, OBJ_KERNEL_HANDLE, NULL, NULL);
> Status = ZwCreateSection(&SectionHandle, SECTION_ALL_ACCESS, &ObjectAttributes, &SectionSize, PAGE_EXECUTE_READWRITE, SEC_COMMIT, NULL);
> PVOID DA;
> SIZE_T CommitSize = 0x1000;
> SIZE_T ViewSize = 0;
> Status = ZwMapViewOfSection(SectionHandle, ZwCurrentProcess(), &DA, 0, CommitSize, NULL, &ViewSize, ViewShare, 0, PAGE_EXECUTE_READWRITE);
>
> Am I getting this wrong?

I believe you need to initialize DA to NULL to tell it that you don’t
care about the base address. Otherwise, it assumes DA contains the
address you want it to use, and of course in your code DA contains garbage.


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.
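The two fixes given in this thread, Skywing's (pass a process HANDLE, not the PEPROCESS that IoGetCurrentProcess returns) and Tim's (set the base-address variable to NULL before the call), put together in one create/map/use/unmap sequence. This is an added example written for this page; it is not code from any of the posters. The function names MapSharedPageIntoCaller, WriteToSharedPage and ReleaseSharedPage, the HAVE_WDK build switch and the host-side stand-ins under the #else branch are all assumptions made here so the control flow can be compiled and tested without the WDK; the stand-ins only imitate the parts of ZwCreateSection/ZwMapViewOfSection that the example exercises, including a simplified version of the 64 KiB base-address alignment check behind STATUS_MAPPED_ALIGNMENT. The example also deliberately requests PAGE_READWRITE rather than the thread's PAGE_EXECUTE_READWRITE, since a data page shared with user mode has no reason to be executable.

```c
/* Added example, not code from the thread: the create/map/use/unmap sequence a
 * driver would use after both fixes from the replies: a process HANDLE from
 * ZwCurrentProcess() instead of the PEPROCESS from IoGetCurrentProcess(), and a
 * base-address variable set to NULL before the call.  Build with -DHAVE_WDK
 * (hypothetical switch) against the WDK for the real kernel calls; without it
 * the stand-ins below imitate just enough of the NT API for the flow to
 * compile and be tested on any host. */
#ifdef HAVE_WDK
#include <ntddk.h>
#else
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
typedef int NTSTATUS;
typedef void *PVOID, *HANDLE, **PHANDLE;
typedef unsigned long ULONG, ACCESS_MASK;
typedef size_t SIZE_T, *PSIZE_T;
typedef uintptr_t ULONG_PTR;
typedef union { long long QuadPart; } LARGE_INTEGER, *PLARGE_INTEGER;
typedef struct { ULONG Length; HANDLE RootDirectory; PVOID ObjectName; ULONG Attributes;
                 PVOID SecurityDescriptor, SecurityQualityOfService; } OBJECT_ATTRIBUTES, *POBJECT_ATTRIBUTES;
typedef enum { ViewShare = 1, ViewUnmap = 2 } SECTION_INHERIT;
#define ZwCurrentProcess() ((HANDLE)(intptr_t)-1)
#define InitializeObjectAttributes(p, n, a, r, s) do { (p)->Length = sizeof(OBJECT_ATTRIBUTES); \
    (p)->ObjectName = (n); (p)->Attributes = (a); (p)->RootDirectory = (r); \
    (p)->SecurityDescriptor = (s); (p)->SecurityQualityOfService = NULL; } while (0)
#define NT_SUCCESS(s)            ((NTSTATUS)(s) >= 0)
#define STATUS_SUCCESS           ((NTSTATUS)0x00000000)
#define STATUS_INVALID_PARAMETER ((NTSTATUS)0xC000000D)
#define STATUS_MAPPED_ALIGNMENT  ((NTSTATUS)0xC0000220)
#define SECTION_ALL_ACCESS 0x000F001FUL
#define PAGE_READWRITE     0x04UL
#define SEC_COMMIT         0x8000000UL
#define OBJ_KERNEL_HANDLE  0x200UL
/* Stand-ins record what the driver passed so a test can check it, and imitate the
 * 64 KiB base-alignment check that turns a garbage base into STATUS_MAPPED_ALIGNMENT. */
static HANDLE g_last_process_handle; static PVOID g_last_base_in;
static NTSTATUS ZwCreateSection(PHANDLE h, ACCESS_MASK acc, POBJECT_ATTRIBUTES oa, PLARGE_INTEGER max,
                                ULONG prot, ULONG attrs, HANDLE file) {
    (void)acc; (void)oa; (void)prot; (void)attrs; (void)file;
    if (max == NULL || max->QuadPart <= 0) return STATUS_INVALID_PARAMETER;
    *h = (HANDLE)(intptr_t)0x7a8;                       /* constructed handle value */
    return STATUS_SUCCESS;
}
static NTSTATUS ZwMapViewOfSection(HANDLE sec, HANDLE proc, PVOID *base, ULONG_PTR zero, SIZE_T commit,
                                   PLARGE_INTEGER off, PSIZE_T view, SECTION_INHERIT inh, ULONG type, ULONG prot) {
    (void)sec; (void)zero; (void)off; (void)inh; (void)type; (void)prot;
    g_last_process_handle = proc; g_last_base_in = *base;
    if (*base != NULL && ((ULONG_PTR)*base & 0xFFFF) != 0) return STATUS_MAPPED_ALIGNMENT;
    if (*view == 0) *view = commit;
    *base = calloc(1, *view);
    return *base != NULL ? STATUS_SUCCESS : STATUS_INVALID_PARAMETER;
}
static NTSTATUS ZwUnmapViewOfSection(HANDLE proc, PVOID base) { (void)proc; free(base); return STATUS_SUCCESS; }
static NTSTATUS ZwClose(HANDLE h) { (void)h; return STATUS_SUCCESS; }
#endif

#define SHARED_PAGE_BYTES 0x1000   /* one page, the size used in the thread */

/* Create a pagefile-backed section and map a view of it into the calling process.
 * Runs at PASSIVE_LEVEL in that process's context (for example an IOCTL dispatch
 * routine): the view is a user-mode address, meaningful only inside that process. */
static NTSTATUS MapSharedPageIntoCaller(PHANDLE SectionHandle, PVOID *ViewBase, PSIZE_T ViewSize) {
    OBJECT_ATTRIBUTES oa; LARGE_INTEGER maxSize; NTSTATUS status;
    if (SectionHandle == NULL || ViewBase == NULL || ViewSize == NULL) return STATUS_INVALID_PARAMETER;
    maxSize.QuadPart = SHARED_PAGE_BYTES;
    /* OBJ_KERNEL_HANDLE keeps the section handle out of the user process's handle table. */
    InitializeObjectAttributes(&oa, NULL, OBJ_KERNEL_HANDLE, NULL, NULL);
    /* PAGE_READWRITE, not PAGE_EXECUTE_READWRITE: a shared data page need not be executable. */
    status = ZwCreateSection(SectionHandle, SECTION_ALL_ACCESS, &oa, &maxSize, PAGE_READWRITE, SEC_COMMIT, NULL);
    if (!NT_SUCCESS(status)) return status;
    *ViewBase = NULL;   /* NULL on input lets the kernel pick the base; garbage here fails with STATUS_MAPPED_ALIGNMENT */
    *ViewSize = 0;      /* 0 on input maps the whole section; on output it holds the view's size */
    status = ZwMapViewOfSection(*SectionHandle, ZwCurrentProcess(), /* a HANDLE, never a PEPROCESS */
                                ViewBase, 0, SHARED_PAGE_BYTES, NULL, ViewSize, ViewShare, 0, PAGE_READWRITE);
    if (!NT_SUCCESS(status)) { ZwClose(*SectionHandle); *SectionHandle = NULL; }
    return status;
}

/* The view is user-mode memory that the process can unmap or re-protect at any
 * moment, so every kernel-mode access to it is wrapped in __try/__except. */
static NTSTATUS WriteToSharedPage(PVOID ViewBase, const void *Data, SIZE_T Length) {
    if (ViewBase == NULL || Data == NULL || Length > SHARED_PAGE_BYTES) return STATUS_INVALID_PARAMETER;
#ifdef HAVE_WDK
    __try { RtlCopyMemory(ViewBase, Data, Length); }
    __except (EXCEPTION_EXECUTE_HANDLER) { return GetExceptionCode(); }
#else
    memcpy(ViewBase, Data, Length);   /* host stand-in: SEH is MSVC-only */
#endif
    return STATUS_SUCCESS;
}

/* Unmap from the same process and close the handle; a leaked view or handle
 * keeps the section object alive. */
static NTSTATUS ReleaseSharedPage(HANDLE SectionHandle, PVOID ViewBase) {
    NTSTATUS unmap = ZwUnmapViewOfSection(ZwCurrentProcess(), ViewBase);
    NTSTATUS close = ZwClose(SectionHandle);
    return NT_SUCCESS(unmap) ? close : unmap;
}
```

The two lines that matter are `*ViewBase = NULL;` before the call and `ZwCurrentProcess()` as the second argument. With the stand-ins, leaving ViewBase holding an unaligned leftover value reproduces the STATUS_MAPPED_ALIGNMENT the second post reports, which is the same symptom Tim attributes to uninitialised DA. The __try/__except around the access and the unmap-before-close ordering are the two things the example adds beyond the thread's own code; both follow from Skywing's point that the view is a user-mode address owned by the process.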