/* * TsmiHandleMemWrite * * Purpose: * * Patch vbox dll in memory. * * Warning: potential BSOD-generator due to nonstandard way of loading, take care with patch offsets. * */ NTSTATUS TsmiHandleMemWrite( _In_ PVOID SrcAddress, _In_ PVOID DestAddress, _In_ ULONG Size ) { PMDL mdl; NTSTATUS status = STATUS_SUCCESS; PAGED_CODE(); mdl = IoAllocateMdl(DestAddress, Size, FALSE, FALSE, NULL); if (mdl == NULL) { return STATUS_INSUFFICIENT_RESOURCES; } if (DestAddress >= MmSystemRangeStart) if (!MmIsAddressValid(DestAddress)) { return STATUS_ACCESS_VIOLATION; } MmProbeAndLockPages(mdl, KernelMode, IoReadAccess); DestAddress = MmGetSystemAddressForMdlSafe(mdl, HighPagePriority); if (DestAddress != NULL) { status = MmProtectMdlSystemAddress(mdl, PAGE_EXECUTE_READWRITE); __movsb((PUCHAR)DestAddress, (const UCHAR *)SrcAddress, Size); MmUnmapLockedPages(DestAddress, mdl); MmUnlockPages(mdl); } else { status = STATUS_ACCESS_VIOLATION; } IoFreeMdl(mdl); return status; }
NTSTATUS DumpKernelMemory(PVOID DstAddr, PVOID SrcAddr, ULONG Size) { PMDL pSrcMdl, pDstMdl; PUCHAR pAddress, pDstAddress; NTSTATUS st = STATUS_UNSUCCESSFUL; ULONG r; // Создаем MDL для буфера-источника pSrcMdl = IoAllocateMdl(SrcAddr, Size, FALSE, FALSE, NULL); if (pSrcMdl) { // Построение MDL MmBuildMdlForNonPagedPool(pSrcMdl); // Получение адреса из MDL pAddress = (PUCHAR)MmGetSystemAddressForMdlSafe(pSrcMdl, NormalPagePriority); zDbgPrint("pAddress = %x", pAddress); if (pAddress != NULL) { pDstMdl = IoAllocateMdl(DstAddr, Size, FALSE, FALSE, NULL); zDbgPrint("pDstMdl = %x", pDstMdl); if (pDstMdl != NULL) { __try { MmProbeAndLockPages(pDstMdl, KernelMode, IoWriteAccess); pDstAddress = (PUCHAR)MmGetSystemAddressForMdlSafe(pDstMdl, NormalPagePriority); zDbgPrint("pDstAddress = %x", pDstAddress); if (pDstAddress != NULL) { memset(pDstAddress, 0, Size); zDbgPrint("Copy block"); for (r = 1; r < Size; r++) { if (MmIsAddressValid(pAddress)) *pDstAddress = *pAddress; else *pDstAddress = 0; pAddress++; pDstAddress++; } st = STATUS_SUCCESS; } MmUnlockPages(pDstMdl); } __except(EXCEPTION_EXECUTE_HANDLER) { zDbgPrint("Copy block exception"); } IoFreeMdl(pDstMdl); } }
PMDL Ext2CreateMdl ( IN PVOID Buffer, IN BOOLEAN bPaged, IN ULONG Length, IN LOCK_OPERATION Operation ) { NTSTATUS Status; PMDL Mdl = NULL; ASSERT (Buffer != NULL); Mdl = IoAllocateMdl (Buffer, Length, FALSE, FALSE, NULL); if (Mdl == NULL) { Status = STATUS_INSUFFICIENT_RESOURCES; } else { __try { if (bPaged) { MmProbeAndLockPages(Mdl, KernelMode, Operation); } else { MmBuildMdlForNonPagedPool (Mdl); } Status = STATUS_SUCCESS; } __except (EXCEPTION_EXECUTE_HANDLER) { IoFreeMdl (Mdl); Mdl = NULL; DbgBreak(); Status = STATUS_INVALID_USER_BUFFER; } } return Mdl; }
NTSTATUS Ext2LockUserBuffer (IN PIRP Irp, IN ULONG Length, IN LOCK_OPERATION Operation) { NTSTATUS Status; ASSERT(Irp != NULL); if (Irp->MdlAddress != NULL) { return STATUS_SUCCESS; } IoAllocateMdl(Irp->UserBuffer, Length, FALSE, FALSE, Irp); if (Irp->MdlAddress == NULL) { return STATUS_INSUFFICIENT_RESOURCES; } __try { MmProbeAndLockPages(Irp->MdlAddress, Irp->RequestorMode, Operation); Status = STATUS_SUCCESS; } __except (EXCEPTION_EXECUTE_HANDLER) { DbgBreak(); IoFreeMdl(Irp->MdlAddress); Irp->MdlAddress = NULL; Status = STATUS_INVALID_USER_BUFFER; } return Status; }
NTSTATUS TdiQueryAddress( PFILE_OBJECT AddressObject, PTDI_ADDRESS_INFO AddressInfo, PULONG pInfoLength ) { NTSTATUS ntStatus; PIRP Irp; PMDL Mdl; PDEVICE_OBJECT DeviceObject = IoGetRelatedDeviceObject(AddressObject); IO_STATUS_BLOCK IoStatus; if (!(Irp = TdiBuildInternalDeviceControlIrp(TDI_QUERY_INFORMATION, DeviceObject, FileObject, NULL, &IoStatus))) return STATUS_INSUFFICIENT_RESOURCES; if (!(Mdl = IoAllocateMdl(AddressInfo, *pInfoLength, FALSE, FALSE, Irp))) { IoFreeIrp(Irp); return STATUS_INSUFFICIENT_RESOURCES; } MmProbeAndLockPages(Mdl, KernelMode, IoModifyAccess); TdiBuildQueryInformation(Irp, DeviceObject, AddressObject, NULL, NULL, TDI_QUERY_ADDRESS_INFO, Mdl); ntStatus = IoCallDriver(DeviceObject, Irp); return(ntStatus == STATUS_SUCCESS ? IoStatus.Status : ntStatus); }
NTSTATUS createcomplete(PDEVICE_OBJECT dev, PIRP irp, PVOID context) { UNREFERENCED_PARAMETER(dev); UNREFERENCED_PARAMETER(irp); UNREFERENCED_PARAMETER(context); DbgPrint("enter createcomplete\n"); PIO_STACK_LOCATION sa = IoGetCurrentIrpStackLocation(irp); PCONTEXTI info = context; DbgPrint("1\n"); TDI_ADDRESS_INFO *tai = ExAllocatePool(NonPagedPool, sizeof(TDI_ADDRESS_INFO)); DbgPrint("2\n"); PMDL mdl = IoAllocateMdl(tai, sizeof(TDI_ADDRESS_INFO), FALSE, FALSE, info->query_irp); MmBuildMdlForNonPagedPool(mdl); info->mdl = mdl; DbgPrint("3\n"); IoCopyCurrentIrpStackLocationToNext(irp); TdiBuildQueryInformation(info->query_irp, info->realdev, sa->FileObject, querycom, info, TDI_QUERY_ADDRESS_INFO, mdl); DbgPrint("4\n"); if (irp->PendingReturned) { IoMarkIrpPending(irp); DbgPrint("pending\n"); } IoCallDriver(info->realdev, info->query_irp); DbgPrint("6\n"); IoFreeMdl(info->mdl); ExFreePool(context); return STATUS_SUCCESS; }
// // file local helper functions. // NTSTATUS InitScratchpad( IN PUSB_FDO_CONTEXT fdoContext) { NTSTATUS status; KeInitializeEvent(&fdoContext->ScratchPad.CompletionEvent, NotificationEvent, FALSE); fdoContext->ScratchPad.Buffer = ExAllocatePoolWithTag(NonPagedPool, PAGE_SIZE, XVU1); if (!fdoContext->ScratchPad.Buffer) { status = STATUS_NO_MEMORY; TraceEvents(TRACE_LEVEL_ERROR, TRACE_DEVICE, __FUNCTION__": Device %p ExAllocatePoolWithTag failed\n", fdoContext->WdfDevice); return status; } RtlZeroMemory(fdoContext->ScratchPad.Buffer, PAGE_SIZE); fdoContext->ScratchPad.Mdl = IoAllocateMdl(fdoContext->ScratchPad.Buffer, PAGE_SIZE, FALSE, FALSE, NULL); if (!fdoContext->ScratchPad.Mdl) { status = STATUS_NO_MEMORY; TraceEvents(TRACE_LEVEL_ERROR, TRACE_DEVICE, __FUNCTION__": device %p IoAllocateMdl failed\n", fdoContext->WdfDevice); return status; } MmBuildMdlForNonPagedPool(fdoContext->ScratchPad.Mdl); return STATUS_SUCCESS; }
sint _init_evt_priv(struct evt_priv *pevtpriv) { sint res=_SUCCESS; _func_enter_; #ifdef CONFIG_EVENT_THREAD_MODE _init_sema(&(pevtpriv->evt_notify), 0); _init_sema(&(pevtpriv->terminate_evtthread_sema), 0); #endif #ifdef CONFIG_H2CLBK _init_sema(&(pevtpriv->lbkevt_done), 0); pevtpriv->lbkevt_limit = 0; pevtpriv->lbkevt_num = 0; pevtpriv->cmdevt_parm = NULL; #endif //allocate DMA-able/Non-Page memory for cmd_buf and rsp_buf pevtpriv->event_seq = 0; pevtpriv->evt_allocated_buf = _malloc(MAX_EVTSZ + 4); if (pevtpriv->evt_allocated_buf == NULL){ res= _FAIL; goto exit; } pevtpriv->evt_buf = pevtpriv->evt_allocated_buf + 4 - ((unsigned int)(pevtpriv->evt_allocated_buf) & 3); pevtpriv->evt_done_cnt = 0; #ifdef CONFIG_SDIO_HCI pevtpriv->allocated_c2h_mem = _malloc(C2H_MEM_SZ +4); if (pevtpriv->allocated_c2h_mem == NULL){ res= _FAIL; goto exit; } pevtpriv->c2h_mem = pevtpriv->allocated_c2h_mem + 4\ - ( (u32)(pevtpriv->allocated_c2h_mem) & 3); #ifdef PLATFORM_OS_XP pevtpriv->pc2h_mdl= IoAllocateMdl((u8 *)pevtpriv->c2h_mem, C2H_MEM_SZ , FALSE, FALSE, NULL); if(pevtpriv->pc2h_mdl == NULL){ res= _FAIL; goto exit; } MmBuildMdlForNonPagedPool(pevtpriv->pc2h_mdl); #endif #endif exit: #ifdef CONFIG_RECV_BH _init_queue(&(pevtpriv->evt_queue)); #endif _func_exit_; return res; }
NTSTATUS ChangeServiceTableMemoryFlags() { // Map the memory into our domain and change the permissions on the memory page by using a MDL g_MappedSystemCallTableMDL = IoAllocateMdl( KeServiceDescriptorTable.ServiceTableBase, // starting virtual address KeServiceDescriptorTable.NumberOfServices*4, // size of buffer FALSE, // not associated with an IRP FALSE, // charge quota, should be FALSE NULL // IRP * should be NULL ); if(!g_MappedSystemCallTableMDL) { DbgPrint("MDL could not be allocated..."); return STATUS_UNSUCCESSFUL; } else { DbgPrint("The MDL is at 0x%x\n", g_MappedSystemCallTableMDL); } // MmBuildMdlForNonPagedPool fills in the corresponding physical page array // of a given MDL for a buffer in nonpaged system space (pool). MmBuildMdlForNonPagedPool(g_MappedSystemCallTableMDL); // MDL's are supposed to be opaque, but this is the only way we know of getting to these flags... g_MappedSystemCallTableMDL->MdlFlags = g_MappedSystemCallTableMDL->MdlFlags | MDL_MAPPED_TO_SYSTEM_VA; // finish off the mapping... g_MappedSystemCallTable = MmMapLockedPages(g_MappedSystemCallTableMDL, KernelMode); return STATUS_SUCCESS; }
NTSTATUS tdi_recv_stream(PFILE_OBJECT connectionFileObject, char *buf, int len, ULONG flags) { PDEVICE_OBJECT devObj; KEVENT event; PIRP irp; PMDL mdl; IO_STATUS_BLOCK iosb; NTSTATUS status; devObj = IoGetRelatedDeviceObject(connectionFileObject); KeInitializeEvent(&event, NotificationEvent, FALSE); irp = TdiBuildInternalDeviceControlIrp(TDI_RECEIVE, devObj, connectionFileObject, &event, &iosb); if (irp == NULL) { return STATUS_INSUFFICIENT_RESOURCES; } if (len) { mdl = IoAllocateMdl((void*) buf, len, FALSE, FALSE, NULL); if (mdl == NULL) { IoFreeIrp(irp); return STATUS_INSUFFICIENT_RESOURCES; } __try { MmProbeAndLockPages(mdl, KernelMode, IoWriteAccess); status = STATUS_SUCCESS; } __except (EXCEPTION_EXECUTE_HANDLER) { IoFreeMdl(mdl); IoFreeIrp(irp); status = STATUS_INVALID_USER_BUFFER; } if (!NT_SUCCESS(status)) { return status; } } TdiBuildReceive(irp, devObj, connectionFileObject, NULL, NULL, len ? mdl : 0, flags, len); status = IoCallDriver(devObj, irp); if (status == STATUS_PENDING) { KeWaitForSingleObject(&event, Executive, KernelMode, FALSE, NULL); status = iosb.Status; } return NT_SUCCESS(status) ? iosb.Information : status; }
NTSTATUS InitWskBuffer( __in PVOID Buffer, __in ULONG BufferSize, __out PWSK_BUF WskBuffer ) { NTSTATUS Status = STATUS_SUCCESS; ASSERT(Buffer); ASSERT(BufferSize); ASSERT(WskBuffer); WskBuffer->Offset = 0; WskBuffer->Length = BufferSize; WskBuffer->Mdl = IoAllocateMdl(Buffer, BufferSize, FALSE, FALSE, NULL); if (!WskBuffer->Mdl) { return STATUS_INSUFFICIENT_RESOURCES; } try { MmProbeAndLockPages(WskBuffer->Mdl, KernelMode, IoWriteAccess); } except(EXCEPTION_EXECUTE_HANDLER) { if (WskBuffer->Mdl != NULL) { IoFreeMdl(WskBuffer->Mdl); } WDRBD_ERROR("MmProbeAndLockPages failed. exception code=0x%x\n", GetExceptionCode()); return STATUS_INSUFFICIENT_RESOURCES; } return Status; }
static PVOID MapAndLockUserBuffer( _In_ _Out_ PIRP Irp, _In_ ULONG BufferLength) { PMDL Mdl; if (Irp->MdlAddress == NULL) { Mdl = IoAllocateMdl(Irp->UserBuffer, BufferLength, FALSE, FALSE, Irp); if (Mdl == NULL) { return NULL; } _SEH2_TRY { MmProbeAndLockPages(Mdl, Irp->RequestorMode, IoWriteAccess); } _SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER) { IoFreeMdl(Mdl); Irp->MdlAddress = NULL; _SEH2_YIELD(return NULL); } _SEH2_END; }
int hax_pin_user_pages(uint64 start_uva, uint64 size, hax_memdesc_user *memdesc) { PMDL pmdl = NULL; if (!memdesc) { hax_error("%s: memdesc == NULL\n", __func__); return -EINVAL; } // TODO: Check whether [start_uva, start_uva + size) is a valid UVA range pmdl = IoAllocateMdl((PVOID)start_uva, size, FALSE, FALSE, NULL); if (!pmdl) { hax_error("Failed to allocate MDL for va: 0x%llx, size: 0x%llx.\n", start_uva, size); return -EFAULT; } try { MmProbeAndLockPages(pmdl, UserMode, IoWriteAccess); } except (EXCEPTION_EXECUTE_HANDLER) { hax_error("Failed to probe pages for guest's memory! va: 0x%llx\n", start_uva); IoFreeMdl(pmdl); return -ENOMEM; } memdesc->pmdl = pmdl; return 0; }
NTSTATUS SafeCopyMemory(PVOID SrcAddr, PVOID DstAddr, ULONG Size) { PMDL pSrcMdl, pDstMdl; PUCHAR pSrcAddress, pDstAddress; NTSTATUS st = STATUS_UNSUCCESSFUL; ULONG r; BOOL bInit = FALSE; pSrcMdl = IoAllocateMdl(SrcAddr, Size, FALSE, FALSE, NULL); if (MmIsAddressValidEx(pSrcMdl)) { MmBuildMdlForNonPagedPool(pSrcMdl); pSrcAddress = (PUCHAR)MmGetSystemAddressForMdlSafe(pSrcMdl, NormalPagePriority); if (MmIsAddressValidEx(pSrcAddress)) { pDstMdl = IoAllocateMdl(DstAddr, Size, FALSE, FALSE, NULL); if (MmIsAddressValidEx(pDstMdl)) { __try { MmProbeAndLockPages(pDstMdl, KernelMode, IoWriteAccess); pDstAddress = (PUCHAR)MmGetSystemAddressForMdlSafe(pDstMdl, NormalPagePriority); if (MmIsAddressValidEx(pDstAddress)) { RtlZeroMemory(pDstAddress,Size); RtlCopyMemory(pDstAddress, pSrcAddress, Size); st = STATUS_SUCCESS; } MmUnlockPages(pDstMdl); } __except(EXCEPTION_EXECUTE_HANDLER) { if (pDstMdl) MmUnlockPages(pDstMdl); if (pDstMdl) IoFreeMdl(pDstMdl); if (pSrcMdl) IoFreeMdl(pSrcMdl); return GetExceptionCode(); } IoFreeMdl(pDstMdl); } } IoFreeMdl(pSrcMdl); } return st; }
NTSTATUS NTAPI USBPORT_ValidateTransferParametersURB(IN PURB Urb) { struct _URB_CONTROL_TRANSFER *UrbRequest; PMDL Mdl; DPRINT_URB("USBPORT_ValidateTransferParametersURB: Urb - %p\n", Urb); UrbRequest = &Urb->UrbControlTransfer; if (UrbRequest->TransferBuffer == NULL && UrbRequest->TransferBufferMDL == NULL && UrbRequest->TransferBufferLength > 0) { DPRINT1("USBPORT_ValidateTransferParametersURB: Not valid parameter\n"); USBPORT_DumpingURB(Urb); return STATUS_INVALID_PARAMETER; } if ((UrbRequest->TransferBuffer != NULL) && (UrbRequest->TransferBufferMDL != NULL) && UrbRequest->TransferBufferLength == 0) { DPRINT1("USBPORT_ValidateTransferParametersURB: Not valid parameter\n"); USBPORT_DumpingURB(Urb); return STATUS_INVALID_PARAMETER; } if (UrbRequest->TransferBuffer != NULL && UrbRequest->TransferBufferMDL == NULL && UrbRequest->TransferBufferLength != 0) { DPRINT_URB("USBPORT_ValidateTransferParametersURB: TransferBuffer - %p, TransferBufferLength - %x\n", UrbRequest->TransferBuffer, UrbRequest->TransferBufferLength); Mdl = IoAllocateMdl(UrbRequest->TransferBuffer, UrbRequest->TransferBufferLength, FALSE, FALSE, NULL); if (!Mdl) { DPRINT1("USBPORT_ValidateTransferParametersURB: Not allocated Mdl\n"); return STATUS_INSUFFICIENT_RESOURCES; } MmBuildMdlForNonPagedPool(Mdl); UrbRequest->TransferBufferMDL = Mdl; Urb->UrbHeader.UsbdFlags |= USBD_FLAG_ALLOCATED_MDL; DPRINT_URB("USBPORT_ValidateTransferParametersURB: Mdl - %p\n", Mdl); } return STATUS_SUCCESS; }
//------------------------------------------------------------------------------ tOplkError drv_mapPdoMem(UINT8** ppKernelMem_p, UINT8** ppUserMem_p, size_t* pMemSize_p) { tOplkError ret; // Get PDO memory ret = pdokcal_getPdoMemRegion((UINT8**)&pdoMemInfo_l.pKernelVa, &pdoMemInfo_l.memSize); if (ret != kErrorOk || pdoMemInfo_l.pKernelVa == NULL) return kErrorNoResource; if (*pMemSize_p > pdoMemInfo_l.memSize) { DEBUG_LVL_ERROR_TRACE("%s() Higher Memory requested (Kernel-%d User-%d) !\n", __func__, pdoMemInfo_l.memSize, *pMemSize_p); *pMemSize_p = 0; return kErrorNoResource; } // Allocate new MDL pointing to PDO memory pdoMemInfo_l.pMdl = IoAllocateMdl(pdoMemInfo_l.pKernelVa, pdoMemInfo_l.memSize, FALSE, FALSE, NULL); if (pdoMemInfo_l.pMdl == NULL) { DEBUG_LVL_ERROR_TRACE("%s() Error allocating MDL !\n", __func__); return kErrorNoResource; } // Update the MDL with physical addresses MmBuildMdlForNonPagedPool(pdoMemInfo_l.pMdl); // Map the memory in user space and get the address pdoMemInfo_l.pUserVa = MmMapLockedPagesSpecifyCache(pdoMemInfo_l.pMdl, // MDL UserMode, // Mode MmCached, // Caching NULL, // Address FALSE, // Bug-check? NormalPagePriority); // Priority if (pdoMemInfo_l.pUserVa == NULL) { MmUnmapLockedPages(pdoMemInfo_l.pUserVa, pdoMemInfo_l.pMdl); IoFreeMdl(pdoMemInfo_l.pMdl); DEBUG_LVL_ERROR_TRACE("%s() Error mapping MDL !\n", __func__); return kErrorNoResource; } *ppKernelMem_p = pdoMemInfo_l.pKernelVa; *ppUserMem_p = pdoMemInfo_l.pUserVa; *pMemSize_p = pdoMemInfo_l.memSize; TRACE("Mapped memory info U:%p K:%p size %x", pdoMemInfo_l.pUserVa, (UINT8*)pdoMemInfo_l.pKernelVa, pdoMemInfo_l.memSize); return kErrorOk; }
//----------------------------------------------------------------------------- // MAIN //----------------------------------------------------------------------------- NTSTATUS DriverEntry(PDRIVER_OBJECT driver_object, PUNICODE_STRING registry_path) { NTSTATUS ret; if (!driver_object) { DbgPrint("\n!!! ERROR: invalid driver_object in DriverEntry()\n"); return STATUS_UNSUCCESSFUL; } driver_object->DriverUnload = OnUnload; DbgPrint("---------------- Driver Loaded\n"); // routine allocates a memory descriptor list (MDL) mdl_sys_call = IoAllocateMdl(KeServiceDescriptorTable.ServiceTableBase, KeServiceDescriptorTable.NumberOfServices * 4, FALSE, FALSE, NULL); if (!mdl_sys_call ) { DbgPrint("\n!!! ERROR: invalid mdl in DriverEntry()\n"); return STATUS_UNSUCCESSFUL; } MmBuildMdlForNonPagedPool(mdl_sys_call); mdl_sys_call->MdlFlags = mdl_sys_call->MdlFlags | MDL_MAPPED_TO_SYSTEM_VA; // map the physical pages syscall_tbl = MmMapLockedPagesSpecifyCache(mdl_sys_call, KernelMode, MmNonCached, NULL, FALSE, HighPagePriority); if (!syscall_tbl) { DbgPrint("\n!!! ERROR: invalid mapped syscall table in DriverEntry()\n"); return STATUS_UNSUCCESSFUL; } hook_syscalls(); debug("register our callback for when our target proc is loaded:\n %ws\n\n", target_file_loc); #if BREAK_POINT // register a callback func that is invoked when our target proc is loaded ret = PsSetLoadImageNotifyRoutine(add_one_time_bp); #endif #if DATA_MINING ret = PsSetLoadImageNotifyRoutine(add_hooks_for_data_mining); #endif if (ret != STATUS_SUCCESS) DbgPrint("\n!!! ERROR: PsSetLoadImageNotifyRoutine()\n\n"); return STATUS_SUCCESS; }
CMdl::CMdl( __in void* virtualAddress, __in size_t size ) : m_locked(false), m_mem(NULL) { m_lockOperation = IoModifyAccess; m_mdl = IoAllocateMdl(virtualAddress, (ULONG)size, FALSE, FALSE, NULL); }
CMdl::CMdl( __in const void* virtualAddress, __in size_t size ) : m_locked(false), m_mem(NULL) { m_lockOperation = IoReadAccess; m_mdl = IoAllocateMdl(const_cast<void*>(virtualAddress), (ULONG)size, FALSE, FALSE, NULL); }
NTSTATUS AsyncReadWriteSec( IN PDEVICE_OBJECT DeviceObject, IN PIRP ParentIrp, IN ULONG ulStartSec, IN ULONG ulSectors, IN PVOID pBuffer, IN UCHAR MajorFunction ) { PMDL MDL; KEVENT event; PIRP Irp; ULONG ulBytes; LARGE_INTEGER Start; IO_STATUS_BLOCK ioStatus; NTSTATUS status = STATUS_SUCCESS; PIO_STACK_LOCATION NextIrpStack; PDEVICE_EXTENSION deviceExtension = DeviceObject->DeviceExtension; ulBytes = ulSectors * SECTOR_SIZE; Start.QuadPart = ((LONGLONG)ulStartSec)*SECTOR_SIZE; Irp = IoAllocateIrp(LOBYTE(LOWORD(deviceExtension->TargetDeviceObject->StackSize+1)),FALSE); //Irp = IoBuildSynchronousFsdRequest( MajorFunction, // deviceExtension->TargetDeviceObject, // pBuffer,ulBytes, // &Start,&event, // &ioStatus ); ASSERT(Irp); if (!Irp) { return STATUS_INSUFFICIENT_RESOURCES; } MDL = IoAllocateMdl(pBuffer,ulBytes,FALSE,FALSE,Irp); if (!MDL) return STATUS_INSUFFICIENT_RESOURCES; MmBuildMdlForNonPagedPool(MDL); IoSetNextIrpStackLocation(Irp); NextIrpStack = IoGetNextIrpStackLocation(Irp); NextIrpStack->DeviceObject = deviceExtension->TargetDeviceObject; NextIrpStack->MajorFunction = MajorFunction; NextIrpStack->MinorFunction = 0; NextIrpStack->Parameters.Read.Length = ulBytes; NextIrpStack->Parameters.Read.Key = 0; NextIrpStack->Parameters.Read.ByteOffset.QuadPart = Start.QuadPart; RtlCopyMemory(&(NextIrpStack->Parameters.Write),&(NextIrpStack->Parameters.Read),sizeof(NextIrpStack->Parameters.Read)); IoSetCompletionRoutine(Irp,AsyncCompletion,ParentIrp,TRUE,TRUE,TRUE); status = IoCallDriver(deviceExtension->TargetDeviceObject,Irp); return status; } // end SyncReadWriteSec()
int dump_hook_init(PDRIVER_OBJECT drv_obj) { PLDR_DATA_TABLE_ENTRY table; PHYSICAL_ADDRESS high_addr; PLIST_ENTRY entry; NTSTATUS status; int resl = 0; ExInitializeFastMutex(&dump_sync); ExAcquireFastMutex(&dump_sync); /* find PsLoadedModuleListHead */ entry = ((PLIST_ENTRY)(drv_obj->DriverSection))->Flink; while (entry != drv_obj->DriverSection) { table = CONTAINING_RECORD(entry, LDR_DATA_TABLE_ENTRY, InLoadOrderLinks); entry = entry->Flink; if ( (table->BaseDllName.Length == 0x18) && (p32(table->BaseDllName.Buffer)[0] == 0x0074006E) ) { ps_loaded_mod_list = pv(table->InLoadOrderLinks.Blink); break; } } ExReleaseFastMutex(&dump_sync); do { if (ps_loaded_mod_list == NULL) break; status = PsSetLoadImageNotifyRoutine(load_img_routine); if (NT_SUCCESS(status) == FALSE) break; high_addr.HighPart = 0; high_addr.LowPart = 0xFFFFFFFF; dump_mem = MmAllocateContiguousMemory(DUMP_MEM_SIZE, high_addr); if (dump_mem == NULL) break; dump_mdl = IoAllocateMdl(dump_mem, DUMP_MEM_SIZE, FALSE, FALSE, NULL); if (dump_mdl == NULL) break; MmBuildMdlForNonPagedPool(dump_mdl); memset(dump_mem, 0, DUMP_MEM_SIZE); resl = 1; } while (0); if (resl == 0) { if (dump_mdl != NULL) IoFreeMdl(dump_mdl); if (dump_mem != NULL) MmFreeContiguousMemory(dump_mem); } return resl; }
/* * TsmiHandleMemWrite * * Purpose: * * Patch vbox dll in memory. * * Warning: If compiled not in ReleaseSigned configuration this function is a * potential BSOD-generator due to nonstandard way of loading, take care with patch offsets. * */ NTSTATUS TsmiHandleMemWrite( _In_ PVOID SrcAddress, _In_ PVOID DestAddress, _In_ ULONG Size ) { PMDL mdl; NTSTATUS status = STATUS_SUCCESS; PAGED_CODE(); mdl = IoAllocateMdl(DestAddress, Size, FALSE, FALSE, NULL); if (mdl == NULL) { #ifdef _DEBUGMSG DbgPrint("[TSMI] Failed to create MDL at write\n"); #endif return STATUS_INSUFFICIENT_RESOURCES; } #ifdef _SIGNED_BUILD __try { #endif //_SIGNED_BUILD if (DestAddress >= MmSystemRangeStart) if (!MmIsAddressValid(DestAddress)) { #ifdef _DEBUGMSG DbgPrint("[TSMI] Invalid address\n"); #endif //_DEBUGMSG return STATUS_ACCESS_VIOLATION; } MmProbeAndLockPages(mdl, KernelMode, IoReadAccess); DestAddress = MmGetSystemAddressForMdlSafe(mdl, HighPagePriority); if (DestAddress != NULL) { status = MmProtectMdlSystemAddress(mdl, PAGE_EXECUTE_READWRITE); __movsb((PUCHAR)DestAddress, (const UCHAR *)SrcAddress, Size); MmUnmapLockedPages(DestAddress, mdl); MmUnlockPages(mdl); } else { status = STATUS_ACCESS_VIOLATION; } #ifdef _SIGNED_BUILD } __except (EXCEPTION_EXECUTE_HANDLER) { status = STATUS_ACCESS_VIOLATION; #ifdef _DEBUGMSG DbgPrint("[TSMI] MmProbeAndLockPages failed at write DestAddress = %p\n", DestAddress); #endif //_DEBUGMSG } #endif //_SIGNED_BUILD IoFreeMdl(mdl); return status; }
NTSTATUS xixfs_PinCallersBuffer( PIRP PtrIrp, BOOLEAN IsReadOperation, uint32 Length ) { NTSTATUS RC = STATUS_SUCCESS; PMDL PtrMdl = NULL; PAGED_CODE(); DebugTrace(DEBUG_LEVEL_TRACE, (DEBUG_TARGET_READ|DEBUG_TARGET_WRITE), ("Enter xixfs_PinCallersBuffer \n")); ASSERT(PtrIrp); try { // Is a MDL already present in the IRP if (!(PtrIrp->MdlAddress)) { DebugTrace(DEBUG_LEVEL_ERROR, DEBUG_TARGET_ALL, ("PtrIrp->MdlAddress is NULL!!!\n")); // Allocate a MDL if (!(PtrMdl = IoAllocateMdl(PtrIrp->UserBuffer, Length, FALSE, FALSE, PtrIrp))) { DebugTrace(DEBUG_LEVEL_ERROR, DEBUG_TARGET_ALL, ("Fail Allocate Mdl!!!\n")); RC = STATUS_INSUFFICIENT_RESOURCES; try_return(RC); } // Probe and lock the pages described by the MDL // We could encounter an exception doing so, swallow the exception // NOTE: The exception could be due to an unexpected (from our // perspective), invalidation of the virtual addresses that comprise // the passed in buffer try { MmProbeAndLockPages(PtrMdl, PtrIrp->RequestorMode, (IsReadOperation ? IoReadAccess : IoWriteAccess)); } except(EXCEPTION_EXECUTE_HANDLER) { DebugTrace(DEBUG_LEVEL_ERROR, DEBUG_TARGET_ALL, ("Fail Mdl Lock Page Fail!!!\n")); RC = STATUS_INVALID_USER_BUFFER; } } ; } finally {
PMDL mm_allocate_mdl_success(void *data, u32 size) { PMDL mdl; int timeout; for (timeout = DC_MEM_RETRY_TIMEOUT; timeout > 0; timeout -= DC_MEM_RETRY_TIME) { if (mdl = IoAllocateMdl(data, size, FALSE, FALSE, NULL)) break; if (KeGetCurrentIrql() >= DISPATCH_LEVEL) break; dc_delay(DC_MEM_RETRY_TIME); } return mdl; }
NTSTATUS TdiQueryMaxDatagramLength( PFILE_OBJECT FileObject, PUINT MaxDatagramLength) { PMDL Mdl; PTDI_MAX_DATAGRAM_INFO Buffer; NTSTATUS Status = STATUS_SUCCESS; Buffer = ExAllocatePool(NonPagedPool, sizeof(TDI_MAX_DATAGRAM_INFO)); if (!Buffer) return STATUS_NO_MEMORY; Mdl = IoAllocateMdl(Buffer, sizeof(TDI_MAX_DATAGRAM_INFO), FALSE, FALSE, NULL); if (!Mdl) { ExFreePool(Buffer); return STATUS_NO_MEMORY; } _SEH2_TRY { MmProbeAndLockPages(Mdl, KernelMode, IoModifyAccess); } _SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER) { Status = _SEH2_GetExceptionCode(); } _SEH2_END; if (!NT_SUCCESS(Status)) { AFD_DbgPrint(MIN_TRACE,("Failed to lock pages\n")); IoFreeMdl(Mdl); ExFreePool(Buffer); return Status; } Status = TdiQueryInformation(FileObject, TDI_QUERY_MAX_DATAGRAM_INFO, Mdl); if (!NT_SUCCESS(Status)) { ExFreePool(Buffer); return Status; } *MaxDatagramLength = Buffer->MaxDatagramSize; ExFreePool(Buffer); return STATUS_SUCCESS; }
BOOLEAN AllocateSharedMemory(PSHARED_MEMORY lpSharedMemory, POOL_TYPE PoolType, ULONG dwSizeRegion) { if (!_MmIsAddressValid(lpSharedMemory)) return FALSE; if (!dwSizeRegion) return FALSE; memset(lpSharedMemory, 0, sizeof(SHARED_MEMORY)); #ifndef __MISC_USE_KHEAP lpSharedMemory->m_lpKernelMemory = ExAllocatePool(PoolType, dwSizeRegion); #else lpSharedMemory->m_lpKernelMemory = (CHAR*) _AllocatePoolFromKHeap(hKHeapMiscDefault, dwSizeRegion); #endif //!__MISC_USE_KHEAP if (!lpSharedMemory->m_lpKernelMemory) return FALSE; lpSharedMemory->m_Mdl = IoAllocateMdl(lpSharedMemory->m_lpKernelMemory, dwSizeRegion, FALSE, FALSE, NULL); if (!lpSharedMemory->m_Mdl) { #ifndef __MISC_USE_KHEAP ExFreePool(lpSharedMemory->m_lpKernelMemory); #else FreePoolToKHeap(hKHeapMiscDefault, lpSharedMemory->m_lpKernelMemory); #endif //!__MISC_USE_KHEAP memset(lpSharedMemory, 0, sizeof(SHARED_MEMORY)); return FALSE; } MmBuildMdlForNonPagedPool(lpSharedMemory->m_Mdl); lpSharedMemory->m_lpUserPage = MmMapLockedPages(lpSharedMemory->m_Mdl, UserMode); lpSharedMemory->m_lpUserMemory = (PVOID) (((ULONG)PAGE_ALIGN(lpSharedMemory->m_lpUserPage))+MmGetMdlByteOffset(lpSharedMemory->m_Mdl)); if (!_MmIsAddressValid(lpSharedMemory->m_lpUserMemory)) { MmUnmapLockedPages(lpSharedMemory->m_lpUserPage, lpSharedMemory->m_Mdl); IoFreeMdl(lpSharedMemory->m_Mdl); #ifndef __MISC_USE_KHEAP ExFreePool(lpSharedMemory->m_lpKernelMemory); #else FreePoolToKHeap(hKHeapMiscDefault, lpSharedMemory->m_lpKernelMemory); #endif //!__MISC_USE_KHEAP memset(lpSharedMemory, 0, sizeof(SHARED_MEMORY)); return FALSE; } lpSharedMemory->m_dwSizeRegion = dwSizeRegion; return TRUE; }
NTSTATUS TdiRecvfrom( PFILE_OBJECT AddressObject, PVOID Data, ULONG Length, ULONG Addr, USHORT Port, PULONG pRead, PKEVENT ReadEvent ) { KEVENT Event; PIRP Irp; PMDL Mdl; NTSTATUS ntStatus; IO_STATUS_BLOCK IoStatus; PDEVICE_OBJECT DeviceObject = IoGetRelatedDeviceObject(AddressObject); TA_IP_ADDRESS SrcAddr = {1, {TDI_ADDRESS_LENGTH_IP, TDI_ADDRESS_TYPE_IP, {Port, Addr}}}; TDI_CONNECTION_INFORMATION Src = {0, 0, 0, 0, sizeof SrcAddr, &SrcAddr}; PKEVENT pEvent = ReadEvent; if (!ReadEvent) { KeInitializeEvent(&Event, NotificationEvent, FALSE); pEvent = &Event; } if (!(Irp = TdiBuildInternalDeviceControlIrp(TDI_RECEIVE_DATAGRAM, DeviceObject, AddressObject, pEvent, &IoStatus))) return STATUS_INSUFFICIENT_RESOURCES; if (!(Mdl = IoAllocateMdl(Data, Length, FALSE, FALSE, Irp))) return STATUS_INSUFFICIENT_RESOURCES; MmProbeAndLockPages(Mdl, KernelMode, IoModifyAccess); TdiBuildReceiveDatagram(Irp, DeviceObject, AddressObject, 0, 0, Mdl, Length, &Src, &Src, TDI_RECEIVE_NORMAL); ntStatus = IoCallDriver(DeviceObject, Irp); if ((ntStatus == STATUS_PENDING) && (!ReadEvent)) ntStatus = KeWaitForSingleObject(pEvent, UserRequest, KernelMode, FALSE, 0); if (ntStatus == STATUS_SUCCESS) { *pRead = IoStatus.Status; } return(ntStatus); }
PMDL NTAPI CcpBuildCacheMdl (PFILE_OBJECT FileObject, PLARGE_INTEGER FileOffset, ULONG Length, PIO_STATUS_BLOCK IOSB) { PMDL Mdl; PVOID Bcb, Buffer; BOOLEAN Result = CcMapData (FileObject, FileOffset, Length, PIN_WAIT, &Bcb, &Buffer); if (!Result) { IOSB->Information = 0; IOSB->Status = STATUS_UNSUCCESSFUL; return NULL; } IOSB->Information = Length; IOSB->Status = STATUS_SUCCESS; Mdl = IoAllocateMdl (Buffer, Length, FALSE, FALSE, NULL); if (!Mdl) { IOSB->Information = 0; IOSB->Status = STATUS_NO_MEMORY; return NULL; } IOSB->Information = Length; IOSB->Status = STATUS_SUCCESS; return Mdl; }
void __ConsPacket(OUT PPACKET_BASE pPacket) { PVOID Va; PMDL pMdl; Va = ExAllocatePoolWithTag( NonPagedPool, MDL_BUFFER_SIZE, (ULONG)'TTWH'); RtlZeroMemory(Va, MDL_BUFFER_SIZE); pMdl = IoAllocateMdl(Va, MDL_BUFFER_SIZE, FALSE, FALSE, NULL); MmBuildMdlForNonPagedPool(pMdl); pPacket->pMdl = pMdl; }
NTSTATUS TdiSendto( PFILE_OBJECT AddressObject, PVOID Data, ULONG Length, ULONG Addr, USHORT Port, PKEVENT WriteEvent ) { KEVENT Event; PIRP Irp; PMDL Mdl; NTSTATUS ntStatus; PDEVICE_OBJECT DeviceObject = IoGetRelatedDeviceObject(AddressObject); IO_STATUS_BLOCK IoStatus; TA_IP_ADDRESS DstAddr = {1, {TDI_ADDRESS_LENGTH_IP, TDI_ADDRESS_TYPE_IP, {Port, Addr}}}; TDI_CONNECTION_INFORMATION Dst = {0, 0, 0, 0, sizeof DstAddr, &DstAddr}; PKEVENT pEvent = WriteEvent; if (!WriteEvent) { KeInitializeEvent(&Event, NotificationEvent, FALSE); pEvent = &Event; } if (!(Irp = TdiBuildInternalDeviceControlIrp(TDI_SEND_DATAGRAM, DeviceObject, AddressObject, pEvent, &IoStatus))) return STATUS_INSUFFICIENT_RESOURCES; if (!(Mdl = IoAllocateMdl(Data, Length, FALSE, FALSE, Irp))) { IoFreeIrp(Irp); return STATUS_INSUFFICIENT_RESOURCES; } MmProbeAndLockPages(Mdl, KernelMode, IoModifyAccess); TdiBuildSendDatagram(Irp, DeviceObject, AddressObject, 0, 0, Mdl, Length, &Dst); ntStatus = IoCallDriver(DeviceObject, Irp); if ((ntStatus == STATUS_PENDING) && (!WriteEvent)) ntStatus = KeWaitForSingleObject(pEvent, UserRequest, KernelMode, FALSE, 0); return(ntStatus == STATUS_SUCCESS ? IoStatus.Status : ntStatus); }