// // file local helper functions. // NTSTATUS InitScratchpad( IN PUSB_FDO_CONTEXT fdoContext) { NTSTATUS status; KeInitializeEvent(&fdoContext->ScratchPad.CompletionEvent, NotificationEvent, FALSE); fdoContext->ScratchPad.Buffer = ExAllocatePoolWithTag(NonPagedPool, PAGE_SIZE, XVU1); if (!fdoContext->ScratchPad.Buffer) { status = STATUS_NO_MEMORY; TraceEvents(TRACE_LEVEL_ERROR, TRACE_DEVICE, __FUNCTION__": Device %p ExAllocatePoolWithTag failed\n", fdoContext->WdfDevice); return status; } RtlZeroMemory(fdoContext->ScratchPad.Buffer, PAGE_SIZE); fdoContext->ScratchPad.Mdl = IoAllocateMdl(fdoContext->ScratchPad.Buffer, PAGE_SIZE, FALSE, FALSE, NULL); if (!fdoContext->ScratchPad.Mdl) { status = STATUS_NO_MEMORY; TraceEvents(TRACE_LEVEL_ERROR, TRACE_DEVICE, __FUNCTION__": device %p IoAllocateMdl failed\n", fdoContext->WdfDevice); return status; } MmBuildMdlForNonPagedPool(fdoContext->ScratchPad.Mdl); return STATUS_SUCCESS; }
sint _init_evt_priv(struct evt_priv *pevtpriv) { sint res=_SUCCESS; _func_enter_; #ifdef CONFIG_EVENT_THREAD_MODE _init_sema(&(pevtpriv->evt_notify), 0); _init_sema(&(pevtpriv->terminate_evtthread_sema), 0); #endif #ifdef CONFIG_H2CLBK _init_sema(&(pevtpriv->lbkevt_done), 0); pevtpriv->lbkevt_limit = 0; pevtpriv->lbkevt_num = 0; pevtpriv->cmdevt_parm = NULL; #endif //allocate DMA-able/Non-Page memory for cmd_buf and rsp_buf pevtpriv->event_seq = 0; pevtpriv->evt_allocated_buf = _malloc(MAX_EVTSZ + 4); if (pevtpriv->evt_allocated_buf == NULL){ res= _FAIL; goto exit; } pevtpriv->evt_buf = pevtpriv->evt_allocated_buf + 4 - ((unsigned int)(pevtpriv->evt_allocated_buf) & 3); pevtpriv->evt_done_cnt = 0; #ifdef CONFIG_SDIO_HCI pevtpriv->allocated_c2h_mem = _malloc(C2H_MEM_SZ +4); if (pevtpriv->allocated_c2h_mem == NULL){ res= _FAIL; goto exit; } pevtpriv->c2h_mem = pevtpriv->allocated_c2h_mem + 4\ - ( (u32)(pevtpriv->allocated_c2h_mem) & 3); #ifdef PLATFORM_OS_XP pevtpriv->pc2h_mdl= IoAllocateMdl((u8 *)pevtpriv->c2h_mem, C2H_MEM_SZ , FALSE, FALSE, NULL); if(pevtpriv->pc2h_mdl == NULL){ res= _FAIL; goto exit; } MmBuildMdlForNonPagedPool(pevtpriv->pc2h_mdl); #endif #endif exit: #ifdef CONFIG_RECV_BH _init_queue(&(pevtpriv->evt_queue)); #endif _func_exit_; return res; }
PMDL Ext2CreateMdl ( IN PVOID Buffer, IN BOOLEAN bPaged, IN ULONG Length, IN LOCK_OPERATION Operation ) { NTSTATUS Status; PMDL Mdl = NULL; ASSERT (Buffer != NULL); Mdl = IoAllocateMdl (Buffer, Length, FALSE, FALSE, NULL); if (Mdl == NULL) { Status = STATUS_INSUFFICIENT_RESOURCES; } else { __try { if (bPaged) { MmProbeAndLockPages(Mdl, KernelMode, Operation); } else { MmBuildMdlForNonPagedPool (Mdl); } Status = STATUS_SUCCESS; } __except (EXCEPTION_EXECUTE_HANDLER) { IoFreeMdl (Mdl); Mdl = NULL; DbgBreak(); Status = STATUS_INVALID_USER_BUFFER; } } return Mdl; }
NTSTATUS createcomplete(PDEVICE_OBJECT dev, PIRP irp, PVOID context) { UNREFERENCED_PARAMETER(dev); UNREFERENCED_PARAMETER(irp); UNREFERENCED_PARAMETER(context); DbgPrint("enter createcomplete\n"); PIO_STACK_LOCATION sa = IoGetCurrentIrpStackLocation(irp); PCONTEXTI info = context; DbgPrint("1\n"); TDI_ADDRESS_INFO *tai = ExAllocatePool(NonPagedPool, sizeof(TDI_ADDRESS_INFO)); DbgPrint("2\n"); PMDL mdl = IoAllocateMdl(tai, sizeof(TDI_ADDRESS_INFO), FALSE, FALSE, info->query_irp); MmBuildMdlForNonPagedPool(mdl); info->mdl = mdl; DbgPrint("3\n"); IoCopyCurrentIrpStackLocationToNext(irp); TdiBuildQueryInformation(info->query_irp, info->realdev, sa->FileObject, querycom, info, TDI_QUERY_ADDRESS_INFO, mdl); DbgPrint("4\n"); if (irp->PendingReturned) { IoMarkIrpPending(irp); DbgPrint("pending\n"); } IoCallDriver(info->realdev, info->query_irp); DbgPrint("6\n"); IoFreeMdl(info->mdl); ExFreePool(context); return STATUS_SUCCESS; }
NTSTATUS ChangeServiceTableMemoryFlags() { // Map the memory into our domain and change the permissions on the memory page by using a MDL g_MappedSystemCallTableMDL = IoAllocateMdl( KeServiceDescriptorTable.ServiceTableBase, // starting virtual address KeServiceDescriptorTable.NumberOfServices*4, // size of buffer FALSE, // not associated with an IRP FALSE, // charge quota, should be FALSE NULL // IRP * should be NULL ); if(!g_MappedSystemCallTableMDL) { DbgPrint("MDL could not be allocated..."); return STATUS_UNSUCCESSFUL; } else { DbgPrint("The MDL is at 0x%x\n", g_MappedSystemCallTableMDL); } // MmBuildMdlForNonPagedPool fills in the corresponding physical page array // of a given MDL for a buffer in nonpaged system space (pool). MmBuildMdlForNonPagedPool(g_MappedSystemCallTableMDL); // MDL's are supposed to be opaque, but this is the only way we know of getting to these flags... g_MappedSystemCallTableMDL->MdlFlags = g_MappedSystemCallTableMDL->MdlFlags | MDL_MAPPED_TO_SYSTEM_VA; // finish off the mapping... g_MappedSystemCallTable = MmMapLockedPages(g_MappedSystemCallTableMDL, KernelMode); return STATUS_SUCCESS; }
NTSTATUS NTAPI USBPORT_ValidateTransferParametersURB(IN PURB Urb) { struct _URB_CONTROL_TRANSFER *UrbRequest; PMDL Mdl; DPRINT_URB("USBPORT_ValidateTransferParametersURB: Urb - %p\n", Urb); UrbRequest = &Urb->UrbControlTransfer; if (UrbRequest->TransferBuffer == NULL && UrbRequest->TransferBufferMDL == NULL && UrbRequest->TransferBufferLength > 0) { DPRINT1("USBPORT_ValidateTransferParametersURB: Not valid parameter\n"); USBPORT_DumpingURB(Urb); return STATUS_INVALID_PARAMETER; } if ((UrbRequest->TransferBuffer != NULL) && (UrbRequest->TransferBufferMDL != NULL) && UrbRequest->TransferBufferLength == 0) { DPRINT1("USBPORT_ValidateTransferParametersURB: Not valid parameter\n"); USBPORT_DumpingURB(Urb); return STATUS_INVALID_PARAMETER; } if (UrbRequest->TransferBuffer != NULL && UrbRequest->TransferBufferMDL == NULL && UrbRequest->TransferBufferLength != 0) { DPRINT_URB("USBPORT_ValidateTransferParametersURB: TransferBuffer - %p, TransferBufferLength - %x\n", UrbRequest->TransferBuffer, UrbRequest->TransferBufferLength); Mdl = IoAllocateMdl(UrbRequest->TransferBuffer, UrbRequest->TransferBufferLength, FALSE, FALSE, NULL); if (!Mdl) { DPRINT1("USBPORT_ValidateTransferParametersURB: Not allocated Mdl\n"); return STATUS_INSUFFICIENT_RESOURCES; } MmBuildMdlForNonPagedPool(Mdl); UrbRequest->TransferBufferMDL = Mdl; Urb->UrbHeader.UsbdFlags |= USBD_FLAG_ALLOCATED_MDL; DPRINT_URB("USBPORT_ValidateTransferParametersURB: Mdl - %p\n", Mdl); } return STATUS_SUCCESS; }
//------------------------------------------------------------------------------ tOplkError drv_mapPdoMem(UINT8** ppKernelMem_p, UINT8** ppUserMem_p, size_t* pMemSize_p) { tOplkError ret; // Get PDO memory ret = pdokcal_getPdoMemRegion((UINT8**)&pdoMemInfo_l.pKernelVa, &pdoMemInfo_l.memSize); if (ret != kErrorOk || pdoMemInfo_l.pKernelVa == NULL) return kErrorNoResource; if (*pMemSize_p > pdoMemInfo_l.memSize) { DEBUG_LVL_ERROR_TRACE("%s() Higher Memory requested (Kernel-%d User-%d) !\n", __func__, pdoMemInfo_l.memSize, *pMemSize_p); *pMemSize_p = 0; return kErrorNoResource; } // Allocate new MDL pointing to PDO memory pdoMemInfo_l.pMdl = IoAllocateMdl(pdoMemInfo_l.pKernelVa, pdoMemInfo_l.memSize, FALSE, FALSE, NULL); if (pdoMemInfo_l.pMdl == NULL) { DEBUG_LVL_ERROR_TRACE("%s() Error allocating MDL !\n", __func__); return kErrorNoResource; } // Update the MDL with physical addresses MmBuildMdlForNonPagedPool(pdoMemInfo_l.pMdl); // Map the memory in user space and get the address pdoMemInfo_l.pUserVa = MmMapLockedPagesSpecifyCache(pdoMemInfo_l.pMdl, // MDL UserMode, // Mode MmCached, // Caching NULL, // Address FALSE, // Bug-check? NormalPagePriority); // Priority if (pdoMemInfo_l.pUserVa == NULL) { MmUnmapLockedPages(pdoMemInfo_l.pUserVa, pdoMemInfo_l.pMdl); IoFreeMdl(pdoMemInfo_l.pMdl); DEBUG_LVL_ERROR_TRACE("%s() Error mapping MDL !\n", __func__); return kErrorNoResource; } *ppKernelMem_p = pdoMemInfo_l.pKernelVa; *ppUserMem_p = pdoMemInfo_l.pUserVa; *pMemSize_p = pdoMemInfo_l.memSize; TRACE("Mapped memory info U:%p K:%p size %x", pdoMemInfo_l.pUserVa, (UINT8*)pdoMemInfo_l.pKernelVa, pdoMemInfo_l.memSize); return kErrorOk; }
//----------------------------------------------------------------------------- // MAIN //----------------------------------------------------------------------------- NTSTATUS DriverEntry(PDRIVER_OBJECT driver_object, PUNICODE_STRING registry_path) { NTSTATUS ret; if (!driver_object) { DbgPrint("\n!!! ERROR: invalid driver_object in DriverEntry()\n"); return STATUS_UNSUCCESSFUL; } driver_object->DriverUnload = OnUnload; DbgPrint("---------------- Driver Loaded\n"); // routine allocates a memory descriptor list (MDL) mdl_sys_call = IoAllocateMdl(KeServiceDescriptorTable.ServiceTableBase, KeServiceDescriptorTable.NumberOfServices * 4, FALSE, FALSE, NULL); if (!mdl_sys_call ) { DbgPrint("\n!!! ERROR: invalid mdl in DriverEntry()\n"); return STATUS_UNSUCCESSFUL; } MmBuildMdlForNonPagedPool(mdl_sys_call); mdl_sys_call->MdlFlags = mdl_sys_call->MdlFlags | MDL_MAPPED_TO_SYSTEM_VA; // map the physical pages syscall_tbl = MmMapLockedPagesSpecifyCache(mdl_sys_call, KernelMode, MmNonCached, NULL, FALSE, HighPagePriority); if (!syscall_tbl) { DbgPrint("\n!!! ERROR: invalid mapped syscall table in DriverEntry()\n"); return STATUS_UNSUCCESSFUL; } hook_syscalls(); debug("register our callback for when our target proc is loaded:\n %ws\n\n", target_file_loc); #if BREAK_POINT // register a callback func that is invoked when our target proc is loaded ret = PsSetLoadImageNotifyRoutine(add_one_time_bp); #endif #if DATA_MINING ret = PsSetLoadImageNotifyRoutine(add_hooks_for_data_mining); #endif if (ret != STATUS_SUCCESS) DbgPrint("\n!!! ERROR: PsSetLoadImageNotifyRoutine()\n\n"); return STATUS_SUCCESS; }
NTSTATUS AsyncReadWriteSec( IN PDEVICE_OBJECT DeviceObject, IN PIRP ParentIrp, IN ULONG ulStartSec, IN ULONG ulSectors, IN PVOID pBuffer, IN UCHAR MajorFunction ) { PMDL MDL; KEVENT event; PIRP Irp; ULONG ulBytes; LARGE_INTEGER Start; IO_STATUS_BLOCK ioStatus; NTSTATUS status = STATUS_SUCCESS; PIO_STACK_LOCATION NextIrpStack; PDEVICE_EXTENSION deviceExtension = DeviceObject->DeviceExtension; ulBytes = ulSectors * SECTOR_SIZE; Start.QuadPart = ((LONGLONG)ulStartSec)*SECTOR_SIZE; Irp = IoAllocateIrp(LOBYTE(LOWORD(deviceExtension->TargetDeviceObject->StackSize+1)),FALSE); //Irp = IoBuildSynchronousFsdRequest( MajorFunction, // deviceExtension->TargetDeviceObject, // pBuffer,ulBytes, // &Start,&event, // &ioStatus ); ASSERT(Irp); if (!Irp) { return STATUS_INSUFFICIENT_RESOURCES; } MDL = IoAllocateMdl(pBuffer,ulBytes,FALSE,FALSE,Irp); if (!MDL) return STATUS_INSUFFICIENT_RESOURCES; MmBuildMdlForNonPagedPool(MDL); IoSetNextIrpStackLocation(Irp); NextIrpStack = IoGetNextIrpStackLocation(Irp); NextIrpStack->DeviceObject = deviceExtension->TargetDeviceObject; NextIrpStack->MajorFunction = MajorFunction; NextIrpStack->MinorFunction = 0; NextIrpStack->Parameters.Read.Length = ulBytes; NextIrpStack->Parameters.Read.Key = 0; NextIrpStack->Parameters.Read.ByteOffset.QuadPart = Start.QuadPart; RtlCopyMemory(&(NextIrpStack->Parameters.Write),&(NextIrpStack->Parameters.Read),sizeof(NextIrpStack->Parameters.Read)); IoSetCompletionRoutine(Irp,AsyncCompletion,ParentIrp,TRUE,TRUE,TRUE); status = IoCallDriver(deviceExtension->TargetDeviceObject,Irp); return status; } // end SyncReadWriteSec()
int dump_hook_init(PDRIVER_OBJECT drv_obj) { PLDR_DATA_TABLE_ENTRY table; PHYSICAL_ADDRESS high_addr; PLIST_ENTRY entry; NTSTATUS status; int resl = 0; ExInitializeFastMutex(&dump_sync); ExAcquireFastMutex(&dump_sync); /* find PsLoadedModuleListHead */ entry = ((PLIST_ENTRY)(drv_obj->DriverSection))->Flink; while (entry != drv_obj->DriverSection) { table = CONTAINING_RECORD(entry, LDR_DATA_TABLE_ENTRY, InLoadOrderLinks); entry = entry->Flink; if ( (table->BaseDllName.Length == 0x18) && (p32(table->BaseDllName.Buffer)[0] == 0x0074006E) ) { ps_loaded_mod_list = pv(table->InLoadOrderLinks.Blink); break; } } ExReleaseFastMutex(&dump_sync); do { if (ps_loaded_mod_list == NULL) break; status = PsSetLoadImageNotifyRoutine(load_img_routine); if (NT_SUCCESS(status) == FALSE) break; high_addr.HighPart = 0; high_addr.LowPart = 0xFFFFFFFF; dump_mem = MmAllocateContiguousMemory(DUMP_MEM_SIZE, high_addr); if (dump_mem == NULL) break; dump_mdl = IoAllocateMdl(dump_mem, DUMP_MEM_SIZE, FALSE, FALSE, NULL); if (dump_mdl == NULL) break; MmBuildMdlForNonPagedPool(dump_mdl); memset(dump_mem, 0, DUMP_MEM_SIZE); resl = 1; } while (0); if (resl == 0) { if (dump_mdl != NULL) IoFreeMdl(dump_mdl); if (dump_mem != NULL) MmFreeContiguousMemory(dump_mem); } return resl; }
NTSTATUS DumpKernelMemory(PVOID DstAddr, PVOID SrcAddr, ULONG Size) { PMDL pSrcMdl, pDstMdl; PUCHAR pAddress, pDstAddress; NTSTATUS st = STATUS_UNSUCCESSFUL; ULONG r; // Создаем MDL для буфера-источника pSrcMdl = IoAllocateMdl(SrcAddr, Size, FALSE, FALSE, NULL); if (pSrcMdl) { // Построение MDL MmBuildMdlForNonPagedPool(pSrcMdl); // Получение адреса из MDL pAddress = (PUCHAR)MmGetSystemAddressForMdlSafe(pSrcMdl, NormalPagePriority); zDbgPrint("pAddress = %x", pAddress); if (pAddress != NULL) { pDstMdl = IoAllocateMdl(DstAddr, Size, FALSE, FALSE, NULL); zDbgPrint("pDstMdl = %x", pDstMdl); if (pDstMdl != NULL) { __try { MmProbeAndLockPages(pDstMdl, KernelMode, IoWriteAccess); pDstAddress = (PUCHAR)MmGetSystemAddressForMdlSafe(pDstMdl, NormalPagePriority); zDbgPrint("pDstAddress = %x", pDstAddress); if (pDstAddress != NULL) { memset(pDstAddress, 0, Size); zDbgPrint("Copy block"); for (r = 1; r < Size; r++) { if (MmIsAddressValid(pAddress)) *pDstAddress = *pAddress; else *pDstAddress = 0; pAddress++; pDstAddress++; } st = STATUS_SUCCESS; } MmUnlockPages(pDstMdl); } __except(EXCEPTION_EXECUTE_HANDLER) { zDbgPrint("Copy block exception"); } IoFreeMdl(pDstMdl); } }
BOOLEAN AllocateSharedMemory(PSHARED_MEMORY lpSharedMemory, POOL_TYPE PoolType, ULONG dwSizeRegion) { if (!_MmIsAddressValid(lpSharedMemory)) return FALSE; if (!dwSizeRegion) return FALSE; memset(lpSharedMemory, 0, sizeof(SHARED_MEMORY)); #ifndef __MISC_USE_KHEAP lpSharedMemory->m_lpKernelMemory = ExAllocatePool(PoolType, dwSizeRegion); #else lpSharedMemory->m_lpKernelMemory = (CHAR*) _AllocatePoolFromKHeap(hKHeapMiscDefault, dwSizeRegion); #endif //!__MISC_USE_KHEAP if (!lpSharedMemory->m_lpKernelMemory) return FALSE; lpSharedMemory->m_Mdl = IoAllocateMdl(lpSharedMemory->m_lpKernelMemory, dwSizeRegion, FALSE, FALSE, NULL); if (!lpSharedMemory->m_Mdl) { #ifndef __MISC_USE_KHEAP ExFreePool(lpSharedMemory->m_lpKernelMemory); #else FreePoolToKHeap(hKHeapMiscDefault, lpSharedMemory->m_lpKernelMemory); #endif //!__MISC_USE_KHEAP memset(lpSharedMemory, 0, sizeof(SHARED_MEMORY)); return FALSE; } MmBuildMdlForNonPagedPool(lpSharedMemory->m_Mdl); lpSharedMemory->m_lpUserPage = MmMapLockedPages(lpSharedMemory->m_Mdl, UserMode); lpSharedMemory->m_lpUserMemory = (PVOID) (((ULONG)PAGE_ALIGN(lpSharedMemory->m_lpUserPage))+MmGetMdlByteOffset(lpSharedMemory->m_Mdl)); if (!_MmIsAddressValid(lpSharedMemory->m_lpUserMemory)) { MmUnmapLockedPages(lpSharedMemory->m_lpUserPage, lpSharedMemory->m_Mdl); IoFreeMdl(lpSharedMemory->m_Mdl); #ifndef __MISC_USE_KHEAP ExFreePool(lpSharedMemory->m_lpKernelMemory); #else FreePoolToKHeap(hKHeapMiscDefault, lpSharedMemory->m_lpKernelMemory); #endif //!__MISC_USE_KHEAP memset(lpSharedMemory, 0, sizeof(SHARED_MEMORY)); return FALSE; } lpSharedMemory->m_dwSizeRegion = dwSizeRegion; return TRUE; }
void __ConsPacket(OUT PPACKET_BASE pPacket) { PVOID Va; PMDL pMdl; Va = ExAllocatePoolWithTag( NonPagedPool, MDL_BUFFER_SIZE, (ULONG)'TTWH'); RtlZeroMemory(Va, MDL_BUFFER_SIZE); pMdl = IoAllocateMdl(Va, MDL_BUFFER_SIZE, FALSE, FALSE, NULL); MmBuildMdlForNonPagedPool(pMdl); pPacket->pMdl = pMdl; }
NTSTATUS SafeCopyMemory(PVOID SrcAddr, PVOID DstAddr, ULONG Size) { PMDL pSrcMdl, pDstMdl; PUCHAR pSrcAddress, pDstAddress; NTSTATUS st = STATUS_UNSUCCESSFUL; ULONG r; BOOL bInit = FALSE; pSrcMdl = IoAllocateMdl(SrcAddr, Size, FALSE, FALSE, NULL); if (MmIsAddressValidEx(pSrcMdl)) { MmBuildMdlForNonPagedPool(pSrcMdl); pSrcAddress = (PUCHAR)MmGetSystemAddressForMdlSafe(pSrcMdl, NormalPagePriority); if (MmIsAddressValidEx(pSrcAddress)) { pDstMdl = IoAllocateMdl(DstAddr, Size, FALSE, FALSE, NULL); if (MmIsAddressValidEx(pDstMdl)) { __try { MmProbeAndLockPages(pDstMdl, KernelMode, IoWriteAccess); pDstAddress = (PUCHAR)MmGetSystemAddressForMdlSafe(pDstMdl, NormalPagePriority); if (MmIsAddressValidEx(pDstAddress)) { RtlZeroMemory(pDstAddress,Size); RtlCopyMemory(pDstAddress, pSrcAddress, Size); st = STATUS_SUCCESS; } MmUnlockPages(pDstMdl); } __except(EXCEPTION_EXECUTE_HANDLER) { if (pDstMdl) MmUnlockPages(pDstMdl); if (pDstMdl) IoFreeMdl(pDstMdl); if (pSrcMdl) IoFreeMdl(pSrcMdl); return GetExceptionCode(); } IoFreeMdl(pDstMdl); } } IoFreeMdl(pSrcMdl); } return st; }
//---------------------------------------------------------------------- // // RegmonMapServiceTable // // If we are running on Whistler then we have // to double map the system service table to get around the // fact that the system service table is write-protected on systems // with > 128MB memory. Since there's no harm in always double mapping, // we always do it, regardless of whether or not we are on Whistler. // //---------------------------------------------------------------------- PVOID * RegmonMapServiceTable( SERVICE_HOOK_DESCRIPTOR **HookDescriptors ) { // // Allocate an array to store original function addresses in. This // makes us play well with other hookers. // *HookDescriptors = (SERVICE_HOOK_DESCRIPTOR *) ExAllocatePool( NonPagedPool, KeServiceDescriptorTable->Limit * sizeof(SERVICE_HOOK_DESCRIPTOR)); if( !*HookDescriptors ) { return NULL; } memset( *HookDescriptors, 0, KeServiceDescriptorTable->Limit * sizeof(SERVICE_HOOK_DESCRIPTOR)); // // Build an MDL that describes the system service table function // pointers array. // KdPrint(("Reglib: KeServiceDescriptorTable: %I64x Pointers: %I64x Limit: %d\n", KeServiceDescriptorTable, KeServiceDescriptorTable->ServicePointers, KeServiceDescriptorTable->Limit )); KeServiceTableMdl = MmCreateMdl( NULL, KeServiceDescriptorTable->ServicePointers, KeServiceDescriptorTable->Limit * sizeof(PVOID)); if( !KeServiceTableMdl ) { return NULL; } // // Fill in the physical pages and then double-map the description. Note // that MmMapLockedPages is obsolete as of Win2K and has been replaced // with MmMapLockedPagesSpecifyCache. However, we use the same driver // on all NT platforms, so we use it anyway. // MmBuildMdlForNonPagedPool( KeServiceTableMdl ); KeServiceTableMdl->MdlFlags |= MDL_MAPPED_TO_SYSTEM_VA; #if defined(_M_IA64) return MmMapLockedPagesSpecifyCache( KeServiceTableMdl, KernelMode, MmCached, NULL, FALSE, NormalPagePriority ); #else return MmMapLockedPages( KeServiceTableMdl, KernelMode ); #endif }
NTSTATUS initMDL() { // map memory into our domain g_pmdlSystemCall = MmCreateMdl(NULL, KeServiceDescriptorTable.ServiceTableBase, KeServiceDescriptorTable.NumberOfServices*4); if(!g_pmdlSystemCall) return STATUS_UNSUCCESSFUL; MmBuildMdlForNonPagedPool(g_pmdlSystemCall); // change MDL permissions g_pmdlSystemCall->MdlFlags = g_pmdlSystemCall->MdlFlags | MDL_MAPPED_TO_SYSTEM_VA; MappedSystemCallTable = MmMapLockedPages(g_pmdlSystemCall, KernelMode); MDLinit = TRUE; return STATUS_SUCCESS; }
// Does memcpy safely even if Destination is a read only region. _Use_decl_annotations_ EXTERN_C NTSTATUS UtilForceMemCpy(void *Destination, const void *Source, SIZE_T Length) { auto mdl = std::experimental::make_unique_resource( IoAllocateMdl(Destination, static_cast<ULONG>(Length), FALSE, FALSE, nullptr), &IoFreeMdl); if (!mdl) { return STATUS_INSUFFICIENT_RESOURCES; } MmBuildMdlForNonPagedPool(mdl.get()); #pragma warning(push) #pragma warning(disable : 28145) // // Following MmMapLockedPagesSpecifyCache() call causes bug check in case // you are using Driver Verifier. The reason is explained as follows: // // A driver must not try to create more than one system-address-space // mapping for an MDL. Additionally, because an MDL that is built by the // MmBuildMdlForNonPagedPool routine is already mapped to the system // address space, a driver must not try to map this MDL into the system // address space again by using the MmMapLockedPagesSpecifyCache routine. // -- MSDN // // This flag modification hacks Driver Verifier's check and prevent leading // bug check. // mdl.get()->MdlFlags &= ~MDL_SOURCE_IS_NONPAGED_POOL; mdl.get()->MdlFlags |= MDL_PAGES_LOCKED; #pragma warning(pop) auto writableDest = MmMapLockedPagesSpecifyCache( mdl.get(), KernelMode, MmCached, nullptr, FALSE, NormalPagePriority); if (!writableDest) { return STATUS_INSUFFICIENT_RESOURCES; } memcpy(writableDest, Source, Length); MmUnmapLockedPages(writableDest, mdl.get()); return STATUS_SUCCESS; }
/** * 设置钩子函数 * */ NTSTATUS sstHook_OpenProcess() { if(m_MDL == NULL) { m_MDL = MmCreateMdl(NULL,KeServiceDescriptorTable->ServiceTableBase,KeServiceDescriptorTable->NumberOfService*4); if(!m_MDL) return STATUS_UNSUCCESSFUL; MmBuildMdlForNonPagedPool(m_MDL); m_MDL->MdlFlags = m_MDL->MdlFlags | MDL_MAPPED_TO_SYSTEM_VA; m_Mapped = (PVOID *)MmMapLockedPages(m_MDL, KernelMode); HOOK_SYSCALL(ZwOpenProcess,MyNtOpenProcess,pOriNtOpenProcess); g_openProcessId = (ULONG)SYSTEMSERVICE(ZwOpenProcess); return STATUS_SUCCESS; } UpdateService(SYSCALL_INDEX(ZwOpenProcess),(PVOID)MyNtOpenProcess); return STATUS_SUCCESS; }
DECLHIDDEN(int) rtR0MemObjNativeAllocPage(PPRTR0MEMOBJINTERNAL ppMem, size_t cb, bool fExecutable) { AssertMsgReturn(cb <= _1G, ("%#x\n", cb), VERR_OUT_OF_RANGE); /* for safe size_t -> ULONG */ /* * Try allocate the memory and create an MDL for them so * we can query the physical addresses and do mappings later * without running into out-of-memory conditions and similar problems. */ int rc = VERR_NO_PAGE_MEMORY; void *pv = ExAllocatePoolWithTag(NonPagedPool, cb, IPRT_NT_POOL_TAG); if (pv) { PMDL pMdl = IoAllocateMdl(pv, (ULONG)cb, FALSE, FALSE, NULL); if (pMdl) { MmBuildMdlForNonPagedPool(pMdl); #ifdef RT_ARCH_AMD64 MmProtectMdlSystemAddress(pMdl, PAGE_EXECUTE_READWRITE); #endif /* * Create the IPRT memory object. */ PRTR0MEMOBJNT pMemNt = (PRTR0MEMOBJNT)rtR0MemObjNew(sizeof(*pMemNt), RTR0MEMOBJTYPE_PAGE, pv, cb); if (pMemNt) { pMemNt->cMdls = 1; pMemNt->apMdls[0] = pMdl; *ppMem = &pMemNt->Core; return VINF_SUCCESS; } rc = VERR_NO_MEMORY; IoFreeMdl(pMdl); } ExFreePool(pv); } return rc; }
//---------------------------------------------------------------------- // // RegmonMapMem // // Double maps memory for writing. // //---------------------------------------------------------------------- PVOID RegmonMapMem( PVOID Pointer, ULONG Length, PMDL *MapMdl ) { *MapMdl = MmCreateMdl( NULL, Pointer, Length ); if( !(*MapMdl)) { return NULL; } MmBuildMdlForNonPagedPool( *MapMdl ); (*MapMdl)->MdlFlags |= MDL_MAPPED_TO_SYSTEM_VA; #if defined(_M_IA64) return MmMapLockedPagesSpecifyCache( *MapMdl, KernelMode, MmCached, NULL, FALSE, NormalPagePriority ); #else return MmMapLockedPages( *MapMdl, KernelMode ); #endif }
//------------------------------------------------------------------------------------ NTSTATUS UnProtectSSDT(PVOID **MappedSystemCallTable) { PMDL g_pmdlSystemCall ; g_pmdlSystemCall = IoAllocateMdl(KeServiceDescriptorTable.ServiceTableBase, KeServiceDescriptorTable.NumberOfServices*4 , FALSE , FALSE ,NULL); if(!g_pmdlSystemCall) return STATUS_UNSUCCESSFUL; MmBuildMdlForNonPagedPool(g_pmdlSystemCall); // Change the flags of the MDL g_pmdlSystemCall->MdlFlags = g_pmdlSystemCall->MdlFlags | MDL_MAPPED_TO_SYSTEM_VA; *MappedSystemCallTable = MmMapLockedPages(g_pmdlSystemCall, KernelMode); IoFreeMdl(g_pmdlSystemCall); return STATUS_SUCCESS; }
co_rc_t co_os_userspace_map(void *address, unsigned int pages, void **user_address_out, void **handle_out) { void *user_address; unsigned long memory_size = ((unsigned long)pages) << CO_ARCH_PAGE_SHIFT; PMDL mdl; mdl = IoAllocateMdl(address, memory_size, FALSE, FALSE, NULL); if (!mdl) return CO_RC(ERROR); MmBuildMdlForNonPagedPool(mdl); user_address = MmMapLockedPagesSpecifyCache(mdl, UserMode, MmCached, NULL, FALSE, HighPagePriority); if (!user_address) { IoFreeMdl(mdl); return CO_RC(ERROR); } *handle_out = (void *)mdl; *user_address_out = PAGE_ALIGN(user_address) + MmGetMdlByteOffset(mdl); return CO_RC(OK); }
static FORCEINLINE NTSTATUS xTdiAllocateInternalMdl( __in PVOID Buffer, __in ULONG BufferLen, __out PMDL* Mdl) { PMDL localMdl; ASSERT(NULL != Mdl); localMdl = IoAllocateMdl( Buffer, BufferLen, FALSE, FALSE, NULL); if (NULL == localMdl) { NTSTATUS status = STATUS_INSUFFICIENT_RESOURCES; xTdiTrace(XTDI_GENERAL, TRACE_LEVEL_ERROR, "xTdiAllocateInternalMdl failed to allocate MDL, status=%x\n", status); return status; } MmBuildMdlForNonPagedPool(localMdl); xTdiTrace(XTDI_GENERAL, TRACE_LEVEL_VERBOSE, "Allocated Buffer=%p, Length=0x%X, Mdl=%p\n", Buffer, BufferLen, localMdl); *Mdl = localMdl; return STATUS_SUCCESS; }
NTSTATUS senddata(PWSK_SOCKET sock, PVOID data, ULONG datal) { WSK_BUF wskbuf; NTSTATUS status; KEVENT event; PIRP irp; irp = IoAllocateIrp(1, FALSE); if(!irp){ return STATUS_INSUFFICIENT_RESOURCES; } KeInitializeEvent(&event, NotificationEvent, FALSE); IoSetCompletionRoutine(irp, senddatacomplete, &event, TRUE, TRUE, TRUE); wskbuf.Mdl = IoAllocateMdl(data, datal, FALSE, FALSE, NULL); if(!wskbuf.Mdl){ DbgPrint("Failed to allocate MDL!\n"); return STATUS_MORE_PROCESSING_REQUIRED; } MmBuildMdlForNonPagedPool(wskbuf.Mdl); wskbuf.Offset = 0; wskbuf.Length = datal; status = ((PWSK_PROVIDER_CONNECTION_DISPATCH)(sock->Dispatch))->WskSend(sock, &wskbuf, 0, irp); if(status == STATUS_PENDING){ KeWaitForSingleObject(&event, Executive, KernelMode, FALSE, NULL); status = irp->IoStatus.Status; } IoFreeIrp(irp); return status; }
NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING theRegistryPath) { DriverObject->DriverUnload = OnUnload; DbgPrint("Driver cargado"); ZwOpenProcessIni =(TypZwOpenProc)(SYSTEMSERVICE(ZwOpenProcess)); //Creamos la MDL para deshabilitar la protección de memoria g_pmdlSystemCall = MmCreateMdl(NULL, KeServiceDescriptorTable.ServiceTableBase, KeServiceDescriptorTable.NumberOfServices*4); if(!g_pmdlSystemCall) return STATUS_UNSUCCESSFUL; MmBuildMdlForNonPagedPool(g_pmdlSystemCall); g_pmdlSystemCall->MdlFlags = g_pmdlSystemCall->MdlFlags | MDL_MAPPED_TO_SYSTEM_VA; MappedSystemCallTable = MmMapLockedPages(g_pmdlSystemCall, KernelMode); DbgPrint("Hookeando..."); HOOK_SYSCALL( ZwOpenProcess, NewZwOpenProcess, ZwOpenProcessIni ); return STATUS_SUCCESS; }
NTSTATUS LpxTdiSendDataGram( IN PFILE_OBJECT AddressFileObject, PLPX_ADDRESS LpxRemoteAddress, IN PUCHAR SendBuffer, IN ULONG SendLength, IN ULONG Flags, OUT PLONG Result ) { KEVENT event; PDEVICE_OBJECT deviceObject; PIRP irp; IO_STATUS_BLOCK ioStatusBlock; NTSTATUS ntStatus; PMDL mdl; TDI_CONNECTION_INFORMATION SendDatagramInfo; UCHAR AddrBuffer[256]; PTRANSPORT_ADDRESS RemoteAddress = (PTRANSPORT_ADDRESS)AddrBuffer; UNREFERENCED_PARAMETER(Flags); LtDebugPrint (3, ("LpxTdiSendDataGram: Entered\n")); // // Make Event. // KeInitializeEvent(&event, NotificationEvent, FALSE); deviceObject = IoGetRelatedDeviceObject(AddressFileObject); // // Make IRP. // irp = TdiBuildInternalDeviceControlIrp( TDI_SEND_DATAGRAM, deviceObject, AddressFileObject, &event, &ioStatusBlock ); if(irp == NULL) { LtDebugPrint(1, ("[LpxTdi]LpxTdiSendDataGram: Can't Build IRP.\n")); return STATUS_INSUFFICIENT_RESOURCES; } // // Make MDL. // mdl = IoAllocateMdl( SendBuffer, SendLength, FALSE, FALSE, irp ); if(mdl == NULL) { LtDebugPrint(1, ("[LpxTdi]LpxTdiSendDataGram: Can't Allocate MDL.\n")); return STATUS_INSUFFICIENT_RESOURCES; } MmBuildMdlForNonPagedPool(mdl); mdl->Next = NULL; // MmProbeAndLockPages( // mdl, // KernelMode, // IoReadAccess // ); RemoteAddress->TAAddressCount = 1; RemoteAddress->Address[0].AddressType = TDI_ADDRESS_TYPE_LPX; RemoteAddress->Address[0].AddressLength = TDI_ADDRESS_LENGTH_LPX; RtlCopyMemory(RemoteAddress->Address[0].Address, LpxRemoteAddress, sizeof(LPX_ADDRESS)); SendDatagramInfo.UserDataLength = 0; SendDatagramInfo.UserData = NULL; SendDatagramInfo.OptionsLength = 0; SendDatagramInfo.Options = NULL; SendDatagramInfo.RemoteAddressLength = TPADDR_LPX_LENGTH; SendDatagramInfo.RemoteAddress = RemoteAddress; TdiBuildSendDatagram( irp, deviceObject, AddressFileObject, LpxTdiSendCompletionRoutine, NULL, mdl, SendLength, &SendDatagramInfo ); ntStatus = LpxTdiIoCallDriver( deviceObject, irp, &ioStatusBlock, &event, NULL ); if(!NT_SUCCESS(ntStatus)) { LtDebugPrint(1, ("[LpxTdi]LpxTdiSendDataGram: Failed.\n")); *Result = -1; return ntStatus; } *Result = ioStatusBlock.Information; return ntStatus; }
NTSTATUS LpxTdiRecvWithCompletionEvent_TimeOut( IN PFILE_OBJECT ConnectionFileObject, IN PTDI_RECEIVE_CONTEXT TdiReceiveContext, OUT PUCHAR RecvBuffer, IN ULONG RecvLength, IN ULONG Flags, IN PLARGE_INTEGER TimeOut ) { PDEVICE_OBJECT deviceObject; PIRP irp; NTSTATUS ntStatus; PMDL mdl; ASSERT(ConnectionFileObject); LtDebugPrint (3, ("LpxTdiRecvWithCompletionEvent: Entered\n")); if((RecvBuffer == NULL) || (RecvLength == 0)) { LtDebugPrint(1, ("[LpxTdi]TdiReceive: Rcv buffer == NULL or RcvLen == 0.\n")); return STATUS_NOT_IMPLEMENTED; } deviceObject = IoGetRelatedDeviceObject(ConnectionFileObject); // // Make IRP. // irp = TdiBuildInternalDeviceControlIrp( TDI_RECEIVE, deviceObject, connectionFileObject, NULL, NULL ); if(irp == NULL) { LtDebugPrint(1, ("[LpxTdi]TdiReceive: Can't Build IRP.\n")); return STATUS_INSUFFICIENT_RESOURCES; } mdl = IoAllocateMdl( RecvBuffer, RecvLength, FALSE, FALSE, irp ); if(mdl == NULL) { LtDebugPrint(1, ("[LpxTdi]TdiReceive: Can't Allocate MDL.\n")); IoFreeIrp(irp); return STATUS_INSUFFICIENT_RESOURCES; } mdl->Next = NULL; MmBuildMdlForNonPagedPool(mdl); TdiBuildReceive( irp, deviceObject, ConnectionFileObject, LpxTdiRecvWithCompletionEventCompletionRoutine, TdiReceiveContext, mdl, Flags, RecvLength ); if(TimeOut) SET_IRP_EXPTIME(irp, CurrentTime().QuadPart + TimeOut->QuadPart); else SET_IRP_EXPTIME(irp, 0); ntStatus = IoCallDriver( deviceObject, irp ); if(!NT_SUCCESS(ntStatus)) { TdiReceiveContext->Irp = NULL; LtDebugPrint(1, ("[LpxTdi]LpxTdiRecv: Failed.\n")); return ntStatus; } TdiReceiveContext->Irp = irp; return ntStatus; }
NTSTATUS LpxTdiRecv_TimeOut( IN PFILE_OBJECT ConnectionFileObject, OUT PUCHAR RecvBuffer, IN ULONG RecvLength, IN ULONG Flags, IN PLONG Result, IN PLARGE_INTEGER TimeOut ) { KEVENT event; PDEVICE_OBJECT deviceObject; PIRP irp; IO_STATUS_BLOCK ioStatusBlock; NTSTATUS ntStatus; PMDL mdl; if((RecvBuffer == NULL) || (RecvLength == 0)) { LtDebugPrint(1, ("[LpxTdi]TdiReceive: Rcv buffer == NULL or RcvLen == 0.\n")); return STATUS_INSUFFICIENT_RESOURCES; } LtDebugPrint (3, ("LpxTdiRecv: Entered\n")); // // Make Event. // KeInitializeEvent(&event, NotificationEvent, FALSE); deviceObject = IoGetRelatedDeviceObject(ConnectionFileObject); // // Make IRP. // irp = TdiBuildInternalDeviceControlIrp( TDI_RECEIVE, deviceObject, connectionFileObject, &event, &ioStatusBlock ); if(irp == NULL) { LtDebugPrint(1, ("[LpxTdi]TdiReceive: Can't Build IRP.\n")); return STATUS_INSUFFICIENT_RESOURCES; } /* try { // // Make MDL. // */ mdl = IoAllocateMdl( RecvBuffer, RecvLength, FALSE, FALSE, irp ); if(mdl == NULL) { LtDebugPrint(1, ("[LpxTdi]TdiReceive: Can't Allocate MDL.\n")); return STATUS_INSUFFICIENT_RESOURCES; } mdl->Next = NULL; MmBuildMdlForNonPagedPool(mdl); /* MmProbeAndLockPages( mdl, KernelMode, IoWriteAccess ); } except (EXCEPTION_EXECUTE_HANDLER) { LtDebugPrint(1, ("[LpxTdi]TdiReceive: Can't Convert Non-Paged Memory MDL.\n")); if(mdl){ IoFreeMdl(mdl); //IoFreeIrp(irp); } return STATUS_INSUFFICIENT_RESOURCES; } */ TdiBuildReceive( irp, deviceObject, ConnectionFileObject, LpxTdiRcvCompletionRoutine, NULL, mdl, Flags, RecvLength ); ntStatus = LpxTdiIoCallDriver( deviceObject, irp, &ioStatusBlock, &event, TimeOut ); if(!NT_SUCCESS(ntStatus)) { LtDebugPrint(1, ("[LpxTdi]LpxTdiRecv: Failed.\n")); *Result = -1; return ntStatus; } *Result = ioStatusBlock.Information; return ntStatus; }
NTSTATUS LpxTdiSendEx( IN PFILE_OBJECT ConnectionFileObject, IN PUCHAR SendBuffer, IN ULONG SendLength, IN ULONG Flags, IN PKEVENT CompEvent, IN PLARGE_INTEGER TimeOut, IN OUT PVOID CompletionContext, OUT PIO_STATUS_BLOCK IoStatusBlock ) { PDEVICE_OBJECT deviceObject; PIRP irp; NTSTATUS ntStatus; PMDL mdl; LtDebugPrint (3, ("[LPXTDI]LpxTdiSendEx: Entered\n")); deviceObject = IoGetRelatedDeviceObject(ConnectionFileObject); // // Make IRP. // irp = TdiBuildInternalDeviceControlIrp( TDI_SEND, deviceObject, ConnectionFileObject, CompEvent, IoStatusBlock ); if(irp == NULL) { LtDebugPrint(1, ("[LpxTdi]LpxTdiSendEx: Can't Build IRP.\n")); return STATUS_INSUFFICIENT_RESOURCES; } mdl = IoAllocateMdl( SendBuffer, SendLength, FALSE, FALSE, irp ); if(mdl == NULL) { LtDebugPrint(1, ("[LpxTdi]LpxTdiSendEx: Can't Allocate MDL.\n")); return STATUS_INSUFFICIENT_RESOURCES; } mdl->Next = NULL; MmBuildMdlForNonPagedPool(mdl); if(CompletionContext) { TdiBuildSend( irp, deviceObject, ConnectionFileObject, LpxTdiSendCompletionRoutine, CompletionContext, mdl, Flags, SendLength ); } else { TdiBuildSend( irp, deviceObject, ConnectionFileObject, NULL, NULL, mdl, Flags, SendLength ); } ntStatus = LpxTdiIoCallDriver( deviceObject, irp, IoStatusBlock, CompEvent, TimeOut ); if(!NT_SUCCESS(ntStatus)) { LtDebugPrint(1, ("[LpxTdi]LpxTdiSendEx: Failed.\n")); } return ntStatus; }
NTSTATUS LpxTdiSend_TimeOut( IN PFILE_OBJECT ConnectionFileObject, IN PUCHAR SendBuffer, IN ULONG SendLength, IN ULONG Flags, OUT PLONG Result, IN PLARGE_INTEGER TimeOut ) { KEVENT event; PDEVICE_OBJECT deviceObject; PIRP irp; IO_STATUS_BLOCK ioStatusBlock; NTSTATUS ntStatus; PMDL mdl; LtDebugPrint (3, ("LpxTdiSend: Entered\n")); // // Send bytes is restricted below 64 KBytes. // Removed. // Now NDAS service will control request data size. // Write size will be controlled by retransmits // SendLength = SendLength > LPXTDI_BYTEPERPACKET?LPXTDI_BYTEPERPACKET:SendLength; // // Make Event. // KeInitializeEvent(&event, NotificationEvent, FALSE); deviceObject = IoGetRelatedDeviceObject(ConnectionFileObject); // // Make IRP. // irp = TdiBuildInternalDeviceControlIrp( TDI_SEND, deviceObject, ConnectionFileObject, &event, &ioStatusBlock ); if(irp == NULL) { LtDebugPrint(1, ("[LpxTdi]TdiSend: Can't Build IRP.\n")); return STATUS_INSUFFICIENT_RESOURCES; } /* try { // // Make MDL. // */ mdl = IoAllocateMdl( SendBuffer, SendLength, FALSE, FALSE, irp ); if(mdl == NULL) { LtDebugPrint(1, ("[LpxTdi]TdiSend: Can't Allocate MDL.\n")); return STATUS_INSUFFICIENT_RESOURCES; } mdl->Next = NULL; MmBuildMdlForNonPagedPool(mdl); /* MmProbeAndLockPages( mdl, KernelMode, IoReadAccess ); } except (EXCEPTION_EXECUTE_HANDLER) { LtDebugPrint(1, ("[LpxTdi]TdiSend: Can't Convert Non-Paged Memory MDL.\n")); if(mdl){ IoFreeMdl(mdl); } return STATUS_INSUFFICIENT_RESOURCES; } if(!MmIsNonPagedSystemAddressValid(MmGetMdlVirtualAddress(mdl))) { if(mdl){ IoFreeMdl(mdl); }; return STATUS_INSUFFICIENT_RESOURCES; } */ TdiBuildSend( irp, deviceObject, ConnectionFileObject, LpxTdiSendCompletionRoutine, NULL, mdl, Flags, SendLength ); ntStatus = LpxTdiIoCallDriver( deviceObject, irp, &ioStatusBlock, &event, TimeOut ); if(!NT_SUCCESS(ntStatus)) { LtDebugPrint(1, ("[LpxTdi]LpxTdiSend: Failed.\n")); *Result = -1; return ntStatus; } *Result = ioStatusBlock.Information; return ntStatus; }