what i am doing in my user mode app :
typedef struct KM_READ_REQUEST
{
ULONG ProcessId;
UINT_PTR Address;
UINT_PTR Size;
void* Output;
} KM_READ_REQUEST, *PKM_READ_REQUEST;
template <typename type>
type RPM(UINT_PTR ReadAddress)
{
if (hDriver == INVALID_HANDLE_VALUE) {
return {};
}
DWORD64 Bytes;
KM_READ_REQUEST ReadRequest{};
type response{};
ReadRequest.ProcessId = PID;
ReadRequest.Address = ReadAddress;
ReadRequest.Size = sizeof(type);
ReadRequest.Output = &response;
hMapFile = OpenFileMappingA(FILE_MAP_WRITE, FALSE, "Global\\SharedMem");
if (!hMapFile || hMapFile == INVALID_HANDLE_VALUE)
{
printf("OpenFileMappingA(write) fail! Error: %u\n", GetLastError());
return 0;
}
pBuf = (ReadRequest)MapViewOfFile(hMapFile, FILE_MAP_WRITE, 0, 0, 4096);
if (!pBuf)
{
printf("OpenFileMappingA(write) fail! Error: %u\n", GetLastError());
return 0;
}
memcpy(pBuf,&ReadRequest,sizeof(ReadRequest));
auto szMessage = std::string("");
auto dwWriteCount = 0UL;
szMessage = "read_shared_memory";
dwWriteCount = 0UL;
if (WriteFile(hDriver, szMessage.c_str(), szMessage.size() + 1, &dwWriteCount, NULL) == FALSE)
{
printf("WriteFile(read) fail! Error: %u\n", GetLastError());
return false;
}
auto hMapFile = OpenFileMappingA(FILE_MAP_READ, FALSE, "Global\\SharedMemoryTest");
if (!hMapFile || hMapFile == INVALID_HANDLE_VALUE)
{
printf("OpenFileMappingA(read) fail! Error: %u\n", GetLastError());
return 0;
}
auto pBuf = ()MapViewOfFile(hMapFile, FILE_MAP_READ, 0, 0, 4096);
if (!pBuf)
{
printf("OpenFileMappingA(read) fail! Error: %u\n", GetLastError());
return 0;
}
}
kernel mode :
KGUARDED_MUTEX g_IrpReadMutex;
PVOID SharedSection = NULL;
HANDLE Sectionhandle;
VOID ReadSharedMemory()
{
if (Sectionhandle)
return;
if (g_pSharedSection)
ZwUnmapViewOfSection(NtCurrentProcess(), SharedSection);
SIZE_T ulViewSize = 1024 * 10;
NTSTATUS ntStatus = ZwMapViewOfSection(g_hSection, NtCurrentProcess(), &SharedSection, 0, ulViewSize, NULL, &ulViewSize, ViewShare, 0, PAGE_READWRITE | PAGE_NOCACHE);
if (ntStatus != STATUS_SUCCESS)
{
DbgPrint("ZwMapViewOfSection fail! Status: %p\n", ntStatus);
ZwClose(Sectionhandle);
return;
}
DbgPrint("ZwMapViewOfSection completed!\n");
DbgPrint("Shared memory read data: %s\n", SharedSection);
}
typedef struct KM_READ_REQUEST
{
ULONG ProcessId;
UINT_PTR Address;
UINT_PTR Size;
void* Output;
} KM_READ_REQUEST, *PKM_READ_REQUEST;
NTSTATUS ReadKernelMemory(PEPROCESS Process, PVOID SourceAddress, PVOID TargetAddress, SIZE_T Size)
{
PSIZE_T Bytes;
if (NT_SUCCESS(MmCopyVirtualMemory(Process, SourceAddress, PsGetCurrentProcess(),
TargetAddress, Size, KernelMode, &Bytes)))
return STATUS_SUCCESS;
else
return STATUS_ACCESS_DENIED;
}
NTSTATUS OnIRPWrite(PDEVICE_OBJECT pDriverObject, PIRP pIrp)
{
UNREFERENCED_PARAMETER(pDriverObject);
char szBuffer[255] = { 0 };
strcpy(szBuffer, pIrp->AssociatedIrp.SystemBuffer);
DbgPrint("User message received: %s(%u)", szBuffer, strlen(szBuffer));
if (strcmp(szBuffer, "read_shared_memory"))
{
KeAcquireGuardedMutex (&g_IrpReadMutex);
ReadSharedMemory();
PKM_READ_REQUEST ReadInput = (PKM_READ_REQUEST)SharedSection;
void* ReadOutput = ReadInput->Output;
PEPROCESS Process;
if (NT_SUCCESS(PsLookupProcessByProcessId(ReadInput->ProcessId, &Process))) {
Status = ReadKernelMemory(Process, ReadInput->Address, ReadOutput, ReadInput->Size);
}
else {
Status = STATUS_ACCESS_DENIED;
ObDereferenceObject(Process);
return Status;
}
RtlZeroMemory(SharedSection,sizeof(SharedSection));
memcpy(SharedSection,&ReadOutput,sizeof(ReadOutput));
KeReleaseGuardedMutex (&g_IrpReadMutex);
}
pIrp->IoStatus.Status = STATUS_SUCCESS;
pIrp->IoStatus.Information = strlen(szBuffer);
IoCompleteRequest(pIrp, IO_NO_INCREMENT);
return STATUS_SUCCESS;
}
NTSTATUS OnMajorFunctionCall(PDEVICE_OBJECT pDriverObject, PIRP pIrp)
{
UNREFERENCED_PARAMETER(pDriverObject);
PIO_STACK_LOCATION pStack = IoGetCurrentIrpStackLocation(pIrp);
switch (pStack->MajorFunction)
{
case IRP_MJ_WRITE:
OnIRPWrite(pDriverObject, pIrp);
break;
default:
pIrp->IoStatus.Status = STATUS_SUCCESS;
IoCompleteRequest(pIrp, IO_NO_INCREMENT);
}
return STATUS_SUCCESS;
}
KeInitializeGuardedMutex(&g_IrpReadMutex);
What I have tried:
Of course am mapping memory and stuff but this is just what i want to achieve, but failing with 3 things
1 - its really bad code , and it will give bsod 100% because i don't wait for anything i just try to read what is in the section . (i guess a mutex is needed here)
2 - i can't send ReadOutput from my kernel driver to my user mode or i can't read it because the value of it will change so idk how to get it.
3 - it will keep creating a mapped section everytime i call RPM function (read memory)
so idk any suggestions guys is much appreciated.