How to pass the large data in kernel mode to user mode?

benina · #1 02-22-2010, 23:39

Hi
I need to pass the large data in kernel mode to user mode. So, i created a file from kernel mode and write request data to new file.
Do you can show other method for me, please?.Thanz u to help me.
This is my source in kernel mode:

Code:

			
			Status = ZwQuerySystemInformation(
							 _SystemProcessesAndThreadsInformation, pBuffer,0, &cb_x); 
			
			_snprintf(buffer,255,"ROOTKIT: Get var cb_x 1: %4X  \n",cb_x);
      DbgPrint(buffer);	
if (cb_x!=0)
{   
  		pBuffer = ExAllocatePool (NonPagedPool, cb_x); 
			if (pBuffer == NULL) // if memory allocation failed, exit
					{
      		DbgPrint("ROOTKIT: ExAllocatePool failed");
					
			
			
					}
			else
					{
      		DbgPrint("ROOTKIT: ExAllocatePool OK");
      		

					Status = ZwQuerySystemInformation(
					_SystemProcessesAndThreadsInformation, pBuffer, cb_x, &cb_x);

					_snprintf(buffer,255,"ROOTKIT: Get var cb_x 2: %4X  \n",cb_x);
      		DbgPrint(buffer);	
 					};


RtlInitUnicodeString(&g_usFileName,FILE_NAME_TXT);					
InitializeObjectAttributes(&oa, &g_usFileName,
														OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE, NULL, NULL);				
Status_f=ZwCreateFile(&hFile,FILE_WRITE_DATA|SYNCHRONIZE,&oa,&iosb, 0, FILE_ATTRIBUTE_NORMAL, 
                        FILE_SHARE_READ,FILE_OPEN|FILE_CREATE, FILE_SYNCHRONOUS_IO_NONALERT, NULL, 0);
                        
if (Status_f == STATUS_SUCCESS)
	{
        DbgPrint("ROOTKIT: File created\n");
        Status_f=ZwWriteFile(hFile, 0, NULL, NULL,&iosb, 
                        pBuffer,cb_x, NULL, NULL);

        ZwClose(hFile);
   }
    else
    	{
    			_snprintf(buffer,255,"ROOTKIT: Can't create file. Status: %08X\n",(ULONG)Status_f );
      		DbgPrint(buffer);
    		
    };
                        
                        
                        
                        
 					
			ExFreePool(pBuffer); // free the memory associated with the buffer 
};

WhoCares · #2 02-23-2010, 08:05

You can allocate a buffer in user process, then send an IOCTL to the driver with this memory, and then call MmGetSystemAddressForMdlSafe(Irp->MdlAddress) in the driver.

Git · #3 02-24-2010, 02:25

Be very careful using this method if you move the code to 64bit, or if there is possibility of a 32 bit client running on 64bit windows sending this ioctrl to a 64bit driver.

Git

nuemga2000 · #4 03-06-2010, 04:50

Isn't the mapping being done automatically correct when running a 32 bit
application accessing a 64 Bit driver ...
... or did i only had (by accident) a lot of luck ?

Thread Tools
Show Printable Version Email this Page
Display Modes
Linear Mode Switch to Hybrid Mode Switch to Threaded Mode

Similar Threads
Thread	Thread Starter	Forum	Replies	Last Post
Hades:Windows kernel driver lets reverse engineers monitor user and kernel mode code	sh3dow	Source Code	0	05-12-2016 03:15
Use IDA in kernel mode ??	Veyskarami	General Discussion	14	02-23-2013 12:38
Kernel-Mode GUI!? (like SoftIce)	Cobi	General Discussion	1	01-21-2005 02:24
Kernel Mode Driver for NT	SPeY	General Discussion	12	04-22-2004 15:34

The Following User Gave Reputation+1 to WhoCares For This Useful Post:
benina (02-23-2010)

The Following User Gave Reputation+1 to Git For This Useful Post:
benina (02-24-2010)