Click here to Skip to main content
16,016,781 members
Please Sign up or sign in to vote.
0.00/5 (No votes)
See more:
so straight to the point i have created a kernel driver that maps shared section to user mode. my problem is am trying to read/write memory with the driver but i have 0 experience with ReadFile , WriteFile . i have a handle that was created with CreateFileA.

now i my old project driver i used to communicate with IOCTL code something like this .

#define IO_READ_REQUEST CTL_CODE(FILE_DEVICE_UNKNOWN, 0x0701 /* Our Custom Code */, METHOD_BUFFERED, FILE_SPECIAL_ACCESS)


typedef struct _KERNEL_READ_REQUEST
{
	ULONG ProcessId;

	ULONG Address;
	ULONG Response;
	ULONG Size;

} KERNEL_READ_REQUEST, *PKERNEL_READ_REQUEST;


template <typename type>
	type ReadVirtualMemory(ULONG ProcessId, ULONG ReadAddress,
		SIZE_T Size)
	{
		if (hDriver == INVALID_HANDLE_VALUE)
			return (type)false;

		DWORD Return, Bytes;
		KERNEL_READ_REQUEST ReadRequest;

		ReadRequest.ProcessId = ProcessId;
		ReadRequest.Address = ReadAddress;
		ReadRequest.Size = Size;

		// send code to our driver with the arguments
		if (DeviceIoControl(hDriver, IO_READ_REQUEST, &ReadRequest,
			sizeof(ReadRequest), &ReadRequest, sizeof(ReadRequest), 0, 0))
			return (type)ReadRequest.Response;
		else
			return (type)false;
	}



and yeah i know this is pasted from kernelbhop but this is what my driver does the same (old one).

now how could i do the exact same process but without IOCTL code and with only ReadFile , WriteFile . and 1 more thing , before i used to call my IOCTL code from kernel
if (ControlCode == IO_READ_REQUEST)
	{
// then do something here
}


but as far as i know i can't do that now i want to know should i use ,
IRP_MJ_WRITE
or
IRP_MJ_READ
to do my stuff. because i thought about it and if i could only use both of them then i can't handle all my kernel functions so it would be impossible. thanks to anyone who will help me with this i just want a snippet or an example so i can learn from it and to solve my problem. :)

What I have tried:

i haven't tried anything yet. waiting for someone that may had this problem before and can help with it :)
Posted
Updated 7-Mar-19 8:21am

1 solution

The question is a bit unclear. Should work with memcpy to copy data.

Be clear about whom the memory belongs and that the access rights are respected. It is best, when user and kernel use OWN memory and are copying the bytes into their spaces. Else you may get strange and undebuggable errors.

tip: fetch all error codes of used functions and handle them gently.
 
Share this answer
 
Comments
Member 14130865 7-Mar-19 19:26pm    
thank you @KarstenK but i just want to show my proof of concept to see if am doing right or worng.

now in my usermode i should do this , this is my read memory function.

Hide Copy Code
template <typename type="">
type RPM(ULONG ProcessId, UINT_PTR ReadAddress)
{
if (hDriver == INVALID_HANDLE_VALUE) {
return {};
}

DWORD64 Bytes;
Ke_Read_Request ReadRequest{};

type response{};

ReadRequest.ProcessId = ProcessId;
ReadRequest.Address = ReadAddress;
ReadRequest.Size = sizeof(type);
ReadRequest.Output = &response;
if(memcpy(pBuf,&ReadRequest,sizeof(ReadRequest))){
return response;
}else {
return 1;
}



and pBuf should be the one that i have opened with
Hide Copy Code
pBuf = MapViewOfFile(hMapFile, FILE_MAP_WRITE, 0, 0, 4096);


now if that would work because i haven't tested it yet but i just want to know if it will work or if am doing something wrong please correct me.

now kernel side :

Hide Copy Code
HANDLE g_hSection = NULL;
PVOID g_pSharedSection = NULL;

VOID ReadSharedMemory()
{
	if (!g_hSection)
		return;

	if (g_pSharedSection)
		ZwUnmapViewOfSection(NtCurrentProcess(), g_pSharedSection);

	SIZE_T ulViewSize = 1024 * 10;
	NTSTATUS ntStatus = ZwMapViewOfSection(g_hSection, NtCurrentProcess(), &g_pSharedSection, 0, ulViewSize, NULL, &ulViewSize, ViewShare, 0, PAGE_READWRITE | PAGE_NOCACHE);
	if (ntStatus != STATUS_SUCCESS)
	{
		DbgPrint("ZwMapViewOfSection fail! Status: %p\n", ntStatus);
		ZwClose(g_hSection);
		return;
	}
	DbgPrint("ZwMapViewOfSection completed!\n");

	DbgPrint("Shared memory read data: %s\n",g_pSharedSection);
}



now this can read that copied section from usermode but if all this would work how could i add the read function to IRP with this ? as its only reading it with
Hide   Copy Code
DbgPrint("Shared memory read data: %s\n",g_pSharedSection);


i want to add my functions to IRP after they have been copied from usermode something like this : snippet 

Hide   Copy Code
NTSTATUS KeReadRequest(PDEVICE_OBJECT pDriverObject, PIRP pIrp){
// do whatever here ...
}


then in
Hide   Copy Code
NTSTATUS OnMajorFunctionCall(PDEVICE_OBJECT pDriverObject, PIRP pIrp){

case IRP_MJ_READ:
KeReadRequest(pDriverObject, pIrp);
break;
}


i don't know if that will work or not but i will wait for your response btw i want to know how to copy that data or process that data from Usermode to my kernel side . to sum it up i want to pass that read struct from ReadSharedMemory function to
Hide   Copy Code
NTSTATUS KeReadRequest(PDEVICE_OBJECT pDriverObject, PIRP pIrp){
// do whatever here ...
}


because i need it there .

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)



CodeProject, 20 Bay Street, 11th Floor Toronto, Ontario, Canada M5J 2N8 +1 (416) 849-8900