mapviewoffile not working correctly

  • Question

  •  auto Readstring = (char*)MapViewOfFile(hMapFileW, FILE_MAP_WRITE, 0, 0, 4096);
    
    printf("message has been sent to kernel [Read]! \n");
    
    // Copies 4 bytes without a NUL terminator; the reader's strcmp
    // relies on the byte after the command already being zero.
    RtlCopyMemory(Readstring, "Read", 4);
    FlushViewOfFile(Readstring, 4096);
    UnmapViewOfFile(Readstring);
    
    // maybe am stupid
    
    auto send_test = (char*)MapViewOfFile(hMapFileW, FILE_MAP_WRITE, 0, 0, 4096);
    
    // Written to the same offset (0) of the same section as "Read" above.
    RtlCopyMemory(send_test, "Test", 4);
    printf("message has been sent to kernel [Test]! \n");
    
    FlushViewOfFile(send_test, 4096);
    UnmapViewOfFile(send_test);

    That's what I am trying to do, and every time I try to send the "Read" string + "Test" string it doesn't do anything, but if I only send the "Read" string to my mapped section I can read it fine. I just want to know: is it a problem because I am not defining any offset to MapViewOfFile? I have also tried to use (sizeof(char*)) and it didn't work. Basically it's simple: I just want to send these 2 strings to my second process, which has a while loop running. It will check the first string, and if it's equal to the shared memory section it will execute the other while loop, which keeps reading shared memory until it's equal to the string "Test". This is how I am reading the strings from my second process ("it's kernel, btw"):

    while (TRUE)
    {
        DbgPrintEx(0, 0, "running waiting for a command to execute.. \n");
        ReadSharedMemory();
        // Guard against a failed mapping before comparing.
        if (SharedSection != NULL && strcmp((PCHAR)SharedSection, "Stop") == 0) {
            DbgPrintEx(0, 0, "breaking out of the loop");
            break;
        }
        // Inner loop runs for as long as the shared command is "Read".
        while (SharedSection != NULL && strcmp((PCHAR)SharedSection, "Read") == 0)
        {
            DbgPrintEx(0, 0, "Read loop is running\n");
    
            ReadSharedMemory();
            DbgPrintEx(0, 0, "sharedsection string - > : %s\n", (PCHAR)SharedSection);
    
            // Sleep for one second between polls.
            LARGE_INTEGER Timeout;
            Timeout.QuadPart = RELATIVE(SECONDS(1));
            KeDelayExecutionThread(KernelMode, FALSE, &Timeout);
    
            if (SharedSection != NULL && strcmp((PCHAR)SharedSection, "Test") == 0)
            {
                DbgPrintEx(0, 0, "it works finally !!!! \n");
                DbgPrintEx(0, 0, "[Test while loop]sharedsection string - > : %s\n", (PCHAR)SharedSection);
            }
        }
    }

    And here is how I am reading shared memory:

    VOID ReadSharedMemory(VOID)
    {
        // Nothing to map without a valid section handle.
        if (!sectionHandle)
            return;
    
        // Drop the previous view before mapping a fresh one.
        if (SharedSection) {
            ZwUnmapViewOfSection(NtCurrentProcess(), SharedSection);
            SharedSection = NULL;
        }
    
        SIZE_T ulViewSize = 1024 * 10;
        NTSTATUS ntStatus = ZwMapViewOfSection(sectionHandle, NtCurrentProcess(), &SharedSection, 0, ulViewSize, NULL, &ulViewSize, ViewShare, 0, PAGE_READWRITE | PAGE_NOCACHE);
        if (!NT_SUCCESS(ntStatus))
        {
            // NTSTATUS is a 32-bit value, so print it as hex rather than %p.
            DbgPrintEx(0, 0, "ZwMapViewOfSection fail! Status: 0x%08X\n", ntStatus);
            ZwClose(sectionHandle);
            return;
        }
        DbgPrintEx(0, 0, "ZwMapViewOfSection completed!\n");
        DbgPrintEx(0, 0, "String is : %s now !\n", (PCHAR)SharedSection);
    }



    And SharedSection is just a null PVOID.

    I did search before asking this question, and the only thing that I haven't tried is to change the mapping offset (place). I don't know if that is the case.


    • Edited by Frankooo Friday, March 22, 2019 12:29 PM
    Friday, March 22, 2019 12:22 AM

Answers

  • I just fixed my whole problem by just adding events and synchronizing between my kernel mode and my user mode.
    • Marked as answer by Frankooo Friday, March 22, 2019 5:35 PM
    Friday, March 22, 2019 5:35 PM

All replies

  • I don't see you writing the strings in your first code segment.  Do you actually have strcpy calls in there that you didn't show us?

    Tim Roberts | Driver MVP Emeritus | Providenza & Boekelheide, Inc.

    Friday, March 22, 2019 6:55 AM
  • I don't see you writing the strings in your first code segment.  Do you actually have strcpy calls in there that you didn't show us?

    Tim Roberts | Driver MVP Emeritus | Providenza & Boekelheide, Inc.

    I removed it earlier by mistake and forgot to add it again, but it's not the problem. Any ideas why this is even happening?
    Friday, March 22, 2019 12:30 PM
  • OK, so far I have figured out that I need synchronization after reading the first "Read" string, because when I try to send 2 strings, "Read" and "Test", it's overwriting the "Read" string and it's reading "Test" instead.
    Friday, March 22, 2019 2:21 PM
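
The overwrite described in the thread ("Test" replacing "Read" before the reader has seen it) goes away once the writer waits for an acknowledgement before reusing the shared slot, which is what the accepted answer's events provide. The block below is an added example, not the poster's code: a portable POSIX model in which an anonymous shared `mmap` stands in for the section and two pipes stand in for the "data ready" and "consumed" events. All names in it are hypothetical.

```c
#define _DEFAULT_SOURCE                 /* for MAP_ANONYMOUS */
#include <string.h>
#include <sys/mman.h>
#include <sys/wait.h>
#include <unistd.h>

typedef struct {
    char cmd[16];       /* shared command slot, the role of SharedSection */
    char seen[2][16];   /* reader's snapshots, kept only for inspection */
} shared_t;             /* all names in this block are hypothetical */

/* A pipe used as an auto-reset event: one byte written = one wake-up. */
static int ev_set(int fd)  { char b = 1; return write(fd, &b, 1) == 1 ? 0 : -1; }
static int ev_wait(int fd) { char b;     return read(fd, &b, 1) == 1 ? 0 : -1; }

/* Writer: publish one command, then block until the reader has consumed it. */
static int send_cmd(shared_t *s, int ready_w, int ack_r, const char *cmd)
{
    strncpy(s->cmd, cmd, sizeof s->cmd - 1);    /* zero-pads; last byte stays 0 */
    if (ev_set(ready_w) != 0) return -1;        /* "data ready" */
    return ev_wait(ack_r);                      /* slot is free only after the ack */
}

/* Parent writes "Read" then "Test"; child reads. out gets what the child saw. */
int run_exchange(char out[2][16])
{
    int ready[2], ack[2], status = 0;
    shared_t *s = mmap(NULL, sizeof *s, PROT_READ | PROT_WRITE,
                       MAP_SHARED | MAP_ANONYMOUS, -1, 0);
    if (s == MAP_FAILED || pipe(ready) != 0 || pipe(ack) != 0) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {                             /* reader process */
        close(ready[1]); close(ack[0]);
        for (int i = 0; i < 2; i++) {
            if (ev_wait(ready[0]) != 0) _exit(1);
            memcpy(s->seen[i], s->cmd, sizeof s->cmd);  /* snapshot first */
            if (ev_set(ack[1]) != 0) _exit(1);          /* then release the slot */
        }
        _exit(0);
    }
    close(ready[0]); close(ack[1]);
    int rc = send_cmd(s, ready[1], ack[0], "Read");
    if (rc == 0) rc = send_cmd(s, ready[1], ack[0], "Test");
    close(ready[1]); close(ack[0]);             /* EOF unblocks a stuck reader */
    waitpid(pid, &status, 0);
    memcpy(out, s->seen, sizeof s->seen);
    munmap(s, sizeof *s);
    return (rc == 0 && WIFEXITED(status) && WEXITSTATUS(status) == 0) ? 0 : -1;
}
```

Because the writer blocks on the acknowledgement, the reader observes "Read" and then "Test", in that order, regardless of how slowly it polls.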