
benina 02-22-2010 23:39

How to pass the large data in kernel mode to user mode?
 
Hi
I need to pass a large amount of data from kernel mode to user mode, so I created a file from kernel mode and wrote the requested data to that new file.
Can you show me another method, please? Thank you for helping me.
This is my source in kernel mode:
Code:

                       
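                        /*
                         * Snapshot the system process/thread information and dump it to the
                         * file named by FILE_NAME_TXT so that a user-mode reader can pick it up.
                         *
                         * This is a fragment: the enclosing function and the declarations of
                         * Status, Status_f, cb_x, pBuffer, hFile, oa, iosb and g_usFileName are
                         * not shown. It assumes pBuffer is NULL on entry -- TODO confirm.
                         *
                         * Changes compared with the posted version:
                         *  - the file is written only when the second query succeeded, so a
                         *    grown process list can no longer make ZwWriteFile read past the
                         *    end of the pool allocation;
                         *  - the pool block is freed only when one was actually allocated;
                         *  - format strings go straight to DbgPrint, so the intermediate
                         *    _snprintf buffer is no longer needed;
                         *  - the ZwWriteFile status is reported instead of being dropped.
                         */

                        /* Size probe: with a zero-length buffer the call is expected to fail
                         * and report the required size through cb_x. */
                        Status = ZwQuerySystemInformation(
                                _SystemProcessesAndThreadsInformation, pBuffer, 0, &cb_x);

                        DbgPrint("ROOTKIT: Get var cb_x 1: %4X  \n", cb_x);

                        if (cb_x != 0) {
                            /* NOTE(review): ExAllocatePool is untagged; ExAllocatePoolWithTag
                             * makes leaks traceable. The visible code only touches this
                             * buffer through Zw* calls, so paged pool may be sufficient --
                             * confirm the IRQL of the callers first. */
                            pBuffer = ExAllocatePool(NonPagedPool, cb_x);
                        }

                        if (pBuffer == NULL) {
                            /* Allocation failed (or nothing was requested): nothing to dump. */
                            DbgPrint("ROOTKIT: ExAllocatePool failed");
                        } else {
                            DbgPrint("ROOTKIT: ExAllocatePool OK");

                            Status = ZwQuerySystemInformation(
                                    _SystemProcessesAndThreadsInformation, pBuffer, cb_x, &cb_x);

                            DbgPrint("ROOTKIT: Get var cb_x 2: %4X  \n", cb_x);

                            if (Status != STATUS_SUCCESS) {
                                /*
                                 * The process list can grow between the two calls. On failure
                                 * cb_x may now hold a size LARGER than the allocation, so the
                                 * buffer must not be written out with that length: doing so
                                 * would read adjacent pool memory into the file. Drop the
                                 * buffer instead; the caller can retry.
                                 */
                                DbgPrint("ROOTKIT: ZwQuerySystemInformation failed. Status: %08X\n",
                                         (ULONG)Status);
                                ExFreePool(pBuffer);
                                pBuffer = NULL;
                            }
                        }

                        if (pBuffer != NULL) {
                            RtlInitUnicodeString(&g_usFileName, FILE_NAME_TXT);
                            InitializeObjectAttributes(&oa, &g_usFileName,
                                    OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE, NULL, NULL);

                            /*
                             * NOTE(review): FILE_OPEN|FILE_CREATE has the same numeric value
                             * as FILE_OPEN_IF, which opens an existing file WITHOUT truncating
                             * it; a shorter dump then leaves stale bytes from an earlier run
                             * at the end of the file. Consider FILE_OVERWRITE_IF.
                             * NOTE(review): the dump is readable by whoever can read the path
                             * behind FILE_NAME_TXT -- check the ACL of that location.
                             */
                            Status_f = ZwCreateFile(&hFile, FILE_WRITE_DATA | SYNCHRONIZE, &oa, &iosb,
                                    0, FILE_ATTRIBUTE_NORMAL, FILE_SHARE_READ,
                                    FILE_OPEN | FILE_CREATE, FILE_SYNCHRONOUS_IO_NONALERT, NULL, 0);

                            if (Status_f == STATUS_SUCCESS) {
                                DbgPrint("ROOTKIT: File created\n");

                                /* cb_x is the length reported by the successful query, which
                                 * was given a buffer of the allocated size. */
                                Status_f = ZwWriteFile(hFile, 0, NULL, NULL, &iosb,
                                        pBuffer, cb_x, NULL, NULL);
                                if (Status_f != STATUS_SUCCESS) {
                                    DbgPrint("ROOTKIT: Can't write file. Status: %08X\n",
                                             (ULONG)Status_f);
                                }

                                ZwClose(hFile);
                            } else {
                                DbgPrint("ROOTKIT: Can't create file. Status: %08X\n",
                                         (ULONG)Status_f);
                            }

                            /* Free only what was allocated; ExFreePool must not be handed NULL. */
                            ExFreePool(pBuffer);
                            pBuffer = NULL;
                        }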
};


WhoCares 02-23-2010 08:05

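You can allocate a buffer in the user process, then send an IOCTL to the driver with this memory, and then call MmGetSystemAddressForMdlSafe(Irp->MdlAddress) in the driver. (Irp->MdlAddress is only set up by the I/O manager for direct-I/O IOCTLs, i.e. METHOD_IN_DIRECT / METHOD_OUT_DIRECT, and the driver should check the returned address for NULL and the output buffer length before copying into it.)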

Git 02-24-2010 02:25

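Be very careful using this method if you move the code to 64-bit, or if there is a possibility of a 32-bit client running on 64-bit Windows sending this IOCTL to a 64-bit driver: any pointer- or handle-sized fields in the structures passed through the buffer have different sizes and offsets in the two cases.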

Git

nuemga2000 03-06-2010 04:50

Isn't the mapping done correctly automatically when a 32-bit
application accesses a 64-bit driver ...
... or did I just have (by accident) a lot of luck?

