Exetools  

Go Back   Exetools > General > General Discussion

Notices

Reply
 
Thread Tools Display Modes
  #1  
Old 02-22-2010, 23:39
benina benina is offline
Friend
 
Join Date: Nov 2004
Posts: 47
Rept. Given: 10
Rept. Rcvd 5 Times in 2 Posts
Thanks Given: 13
Thanks Rcvd at 3 Times in 3 Posts
benina Reputation: 5
How to pass the large data in kernel mode to user mode?

Hi
I need to pass the large data in kernel mode to user mode. So, i created a file from kernel mode and write request data to new file.
Do you can show other method for me, please?.Thanz u to help me.
This is my source in kernel mode:
Code:
			
			Status = ZwQuerySystemInformation(
							 _SystemProcessesAndThreadsInformation, pBuffer,0, &cb_x); 
			
			_snprintf(buffer,255,"ROOTKIT: Get var cb_x 1: %4X  \n",cb_x);
      DbgPrint(buffer);	
if (cb_x!=0)
{   
  		pBuffer = ExAllocatePool (NonPagedPool, cb_x); 
			if (pBuffer == NULL) // if memory allocation failed, exit
					{
      		DbgPrint("ROOTKIT: ExAllocatePool failed");
					
			
			
					}
			else
					{
      		DbgPrint("ROOTKIT: ExAllocatePool OK");
      		

					Status = ZwQuerySystemInformation(
					_SystemProcessesAndThreadsInformation, pBuffer, cb_x, &cb_x);

					_snprintf(buffer,255,"ROOTKIT: Get var cb_x 2: %4X  \n",cb_x);
      		DbgPrint(buffer);	
 					};


RtlInitUnicodeString(&g_usFileName,FILE_NAME_TXT);					
InitializeObjectAttributes(&oa, &g_usFileName,
														OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE, NULL, NULL);				
Status_f=ZwCreateFile(&hFile,FILE_WRITE_DATA|SYNCHRONIZE,&oa,&iosb, 0, FILE_ATTRIBUTE_NORMAL, 
                        FILE_SHARE_READ,FILE_OPEN|FILE_CREATE, FILE_SYNCHRONOUS_IO_NONALERT, NULL, 0);
                        
if (Status_f == STATUS_SUCCESS)
	{
        DbgPrint("ROOTKIT: File created\n");
        Status_f=ZwWriteFile(hFile, 0, NULL, NULL,&iosb, 
                        pBuffer,cb_x, NULL, NULL);

        ZwClose(hFile);
   }
    else
    	{
    			_snprintf(buffer,255,"ROOTKIT: Can't create file. Status: %08X\n",(ULONG)Status_f );
      		DbgPrint(buffer);
    		
    };
                        
                        
                        
                        
 					
			ExFreePool(pBuffer); // free the memory associated with the buffer 
};

Last edited by benina; 02-22-2010 at 23:50.
Reply With Quote
  #2  
Old 02-23-2010, 08:05
WhoCares's Avatar
WhoCares WhoCares is offline
who cares
 
Join Date: Jan 2002
Location: Here
Posts: 409
Rept. Given: 10
Rept. Rcvd 16 Times in 14 Posts
Thanks Given: 41
Thanks Rcvd at 155 Times in 61 Posts
WhoCares Reputation: 17
You can allocate a buffer in user process, then send an IOCTL to the driver with this memory, and then call MmGetSystemAddressForMdlSafe(Irp->MdlAddress) in the driver.
__________________
AKA Solomon/blowfish.
Reply With Quote
The Following User Gave Reputation+1 to WhoCares For This Useful Post:
benina (02-23-2010)
  #3  
Old 02-24-2010, 02:25
Git's Avatar
Git Git is offline
Old Git
 
Join Date: Mar 2002
Location: Torino
Posts: 1,115
Rept. Given: 220
Rept. Rcvd 265 Times in 157 Posts
Thanks Given: 108
Thanks Rcvd at 216 Times in 124 Posts
Git Reputation: 200-299 Git Reputation: 200-299 Git Reputation: 200-299
Be very careful using this method if you move the code to 64bit, or if there is possibility of a 32 bit client running on 64bit windows sending this ioctrl to a 64bit driver.

Git
Reply With Quote
The Following User Gave Reputation+1 to Git For This Useful Post:
benina (02-24-2010)
  #4  
Old 03-06-2010, 04:50
nuemga2000 nuemga2000 is offline
Friend
 
Join Date: Jan 2002
Posts: 59
Rept. Given: 1
Rept. Rcvd 2 Times in 2 Posts
Thanks Given: 0
Thanks Rcvd at 5 Times in 5 Posts
nuemga2000 Reputation: 2
Isn't the mapping being done automatically correct when running a 32 bit
application accessing a 64 Bit driver ...
... or did i only had (by accident) a lot of luck ?
Reply With Quote
Reply

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
Hades:Windows kernel driver lets reverse engineers monitor user and kernel mode code sh3dow Source Code 0 05-12-2016 03:15
Use IDA in kernel mode ?? Veyskarami General Discussion 14 02-23-2013 12:38
Kernel-Mode GUI!? (like SoftIce) Cobi General Discussion 1 01-21-2005 02:24
Kernel Mode Driver for NT SPeY General Discussion 12 04-22-2004 15:34


All times are GMT +8. The time now is 23:56.


Always Your Best Friend: Aaron, JMI, ahmadmansoor, ZeNiX, chessgod101
( 1998 - 2024 )