having a problem when sending and reading a struct. (shared memory)

  • Question

  • So I am trying to send a struct from one process to another and it is not reading it correctly in my second process. I guess it has to do with pointers, but I really don't know how to send a struct or a pointer to a struct with MapViewOfFile. (Please note that I am trying to send the whole struct + the data that it has.)

    I have tried to send a pointer to an object address via memcpy, but I think that wouldn't work because I am using a typedef struct.

    // this is my second process
    // using MmCopyVirtualMemory btw.
    KM_WRITE_REQUEST* WriteInput = (KM_WRITE_REQUEST*)SharedSection; // this should get our struct pointer from User mode.
    PEPROCESS Process;
    NTSTATUS Status;
    if (NT_SUCCESS(PsLookupProcessByProcessId(WriteInput->ProcessId, &Process))) {
        Status = WriteKernelMemory(Process, WriteInput->SourceAddress, WriteInput->TargetAddress, WriteInput->Size);
        DbgPrintEx(0, 0, "Status debug \n", Status);
    }
    else {
        Status = STATUS_ACCESS_DENIED;
        ObDereferenceObject(Process);
        DbgPrintEx(0, 0, "Status debug \n", Status);
        return Status;
    }

    DbgPrintEx(0, 0, "Write Params:  %lu, %#010x \n", WriteInput->SourceAddress, WriteInput->TargetAddress);

    // this is my struct
    typedef struct _KM_WRITE_REQUEST
    {
        ULONG ProcessId;
    
        UINT_PTR SourceAddress; 
        UINT_PTR TargetAddress;
        ULONG Size;
    
    } KM_WRITE_REQUEST, *PKM_WRITE_REQUEST;

    // and this is how I am trying to send my struct, well, write to it before sending it.

    // this is in my first process.

    bool WriteVirtualMemoryRaw(UINT_PTR WriteAddress, UINT_PTR SourceAddress, SIZE_T WriteSize)
    {
        DWORD res;
        res = WaitForSingleObject(g_hMutex, INFINITE);

        // first message: tell the kernel side a write request is coming
        auto Write_memoryst = (char*)MapViewOfFile(hMapFileW, FILE_MAP_WRITE, 0, 0, 4096);
        char str[8];
        strcpy_s(str, "Write");
        RtlCopyMemory(Write_memoryst, str, strlen(str) + 1);
        printf("message has been sent to kernel [Write]! \n");
        UnmapViewOfFile(Write_memoryst);

        WaitForSingleObject(SharedEvent_dataarv, INFINITE); // wait for kernel event to happen

        // second message: the request struct itself, copied into the same section
        KM_WRITE_REQUEST* Sent_struct = (KM_WRITE_REQUEST*)MapViewOfFile(hMapFileW, FILE_MAP_WRITE, 0, 0, sizeof(KM_WRITE_REQUEST));

        if (!Sent_struct) {
            printf("Error MapViewOfFile(Sent_struct)\n");
            return false;
        }

        KM_WRITE_REQUEST WriteRequest;
        WriteRequest.ProcessId = PID;
        WriteRequest.TargetAddress = WriteAddress;
        WriteRequest.SourceAddress = SourceAddress;
        WriteRequest.Size = WriteSize;

        KM_WRITE_REQUEST* test_ptr = &WriteRequest;
        if (!memcpy(Sent_struct, test_ptr, sizeof(KM_WRITE_REQUEST))) {
            printf("Error copying memory with (memcpy) to struct\n");
            return false;
        }

        UnmapViewOfFile(Sent_struct);

        ReleaseMutex(g_hMutex);
        return true;
    }

    I am sure I am doing something wrong when sending the struct pointer, but this is how I have done it and it's not working :(

    Saturday, March 23, 2019 9:43 PM

All replies

  • Put #pragma pack(1) https://docs.microsoft.com/en-us/cpp/preprocessor/pack?view=vs-2017 around the structure in its definition. The kernel and user space use different packing rules.


    Don Burn Windows Driver Consulting Website: http://www.windrvr.com

    Saturday, March 23, 2019 11:24 PM
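The layout question raised in this reply, as an added example that is not code from the thread: the posted struct under natural alignment beside the same struct under pack(1), a check that the two layouts agree, a reproduction of what a reader sees when they do not, and a plausibility guard that also rejects a ProcessId of 0. It assumes uint32_t and uintptr_t as portable stand-ins for ULONG and UINT_PTR so it builds with any C11 compiler.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Portable stand-ins for the Windows typedefs used in the thread (assumption). */
typedef uint32_t  ULONG;
typedef uintptr_t UINT_PTR;
/* Layout A: the struct exactly as posted, natural alignment (32 bytes on x64). */
typedef struct _KM_WRITE_REQUEST {
    ULONG    ProcessId;
    UINT_PTR SourceAddress;
    UINT_PTR TargetAddress;
    ULONG    Size;
} KM_WRITE_REQUEST;

/* Layout B: the same fields under #pragma pack(1) (24 bytes on x64). */
#pragma pack(push, 1)
typedef struct _KM_WRITE_REQUEST_PACKED {
    ULONG    ProcessId;
    UINT_PTR SourceAddress;
    UINT_PTR TargetAddress;
    ULONG    Size;
} KM_WRITE_REQUEST_PACKED;
#pragma pack(pop)
_Static_assert(sizeof(KM_WRITE_REQUEST_PACKED) == 4 + 2 * sizeof(UINT_PTR) + 4, "no padding");

/* 1 when a writer using layout B and a reader using layout A disagree on any offset. */
int layouts_differ(void)
{
    return sizeof(KM_WRITE_REQUEST) != sizeof(KM_WRITE_REQUEST_PACKED)
        || offsetof(KM_WRITE_REQUEST, SourceAddress) != offsetof(KM_WRITE_REQUEST_PACKED, SourceAddress)
        || offsetof(KM_WRITE_REQUEST, TargetAddress) != offsetof(KM_WRITE_REQUEST_PACKED, TargetAddress)
        || offsetof(KM_WRITE_REQUEST, Size) != offsetof(KM_WRITE_REQUEST_PACKED, Size);
}

/* Reproduce the mismatch: the sender stores layout B into the section, the reader pulls the same bytes out through layout A. */
KM_WRITE_REQUEST read_with_mismatched_layout(ULONG pid, UINT_PTR src, UINT_PTR dst, ULONG size)
{
    unsigned char section[4096];          /* constructed stand-in for the mapped view */
    KM_WRITE_REQUEST_PACKED wire = { pid, src, dst, size };
    KM_WRITE_REQUEST out;
    memset(section, 0, sizeof section);
    memcpy(section, &wire, sizeof wire);  /* what the sending process does */
    memcpy(&out, section, sizeof out);    /* what a layout-A reader sees */
    return out;
}

/* Guard a reader should apply before acting on anything pulled from shared memory. */
int request_is_plausible(const KM_WRITE_REQUEST *r)
{
    if (r->ProcessId == 0) return 0;      /* the value the kernel side reports later in the thread */
    if (r->Size == 0) return 0;
    if (r->SourceAddress > UINTPTR_MAX - r->Size) return 0;  /* [addr, addr + Size) would wrap */
    if (r->TargetAddress > UINTPTR_MAX - r->Size) return 0;
    return 1;
}

int main(void)
{
    KM_WRITE_REQUEST r = read_with_mismatched_layout(1234, 0x1000, 0x2000, 16);
    printf("layouts differ=%d, reader saw pid=%u size=%u plausible=%d\n", layouts_differ(),
           (unsigned)r.ProcessId, (unsigned)r.Size, request_is_plausible(&r));
    return 0;
}
```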
  • Virtual Memory can be edited by right-clicking on Computer / Properties / Advanced / Virtual memory / Advanced / Change button. With C: highlighted, set to "Let System Manage", click Set 2X, close out, restart PC. As far as Virtual Memory goes & Intel.com & Microsoft Performance goes, a simple way of editing the page file is to run regedit / expand HKEY_LOCAL_MACHINE/System/CurrentControlSet/Control/SessionManager/MemoryManagement.

    Edit PagingExecutive: left-click on it, go to manage, set to 1 from 0. This gets the OS to run memory in RAM instead of a page file, which is slow. If you really do OS check-ups & you run Intel hardware, download:

    https://software.intel.com/en-us/node/327154?wapkw=gael+t.+holmes

    The link is old, but the Intel vPro analyzer is not; it's been updated. Download to a slave HD or a USB flash drive, run the utility,

    Or if Windows drivers/software is your item, go to:

    https://www.osr.com/

    OSR only deals with Windows WHQL drivers (Windows Hardware Quality Labs); you can not get a better link(s)..

    Sunday, March 24, 2019 3:36 AM
  • Put #pragma pack(1) https://docs.microsoft.com/en-us/cpp/preprocessor/pack?view=vs-2017 around the structure in its definition. The kernel and user space use different packing rules.


    Don Burn Windows Driver Consulting Website: http://www.windrvr.com

    Didn't help, this is the WinDbg crash error. I have also checked that reading SharedSection isn't equal to NULL; I don't know, I guess this is from the way I am sending it,
    Unable to enumerate user-mode unloaded modules, Win32 error 0n30
    *******************************************************************************
    *                                                                             *
    *                        Bugcheck Analysis                                    *
    *                                                                             *
    *******************************************************************************
    
    PAGE_FAULT_IN_NONPAGED_AREA (50)
    Invalid system memory was referenced.  This cannot be protected by try-except.
    Typically the address is just plain bad or it is pointing at freed memory.
    Arguments:
    Arg1: ffffffff800011c0, memory referenced.
    Arg2: 0000000000000002, value 0 = read operation, 1 = write operation.
    Arg3: fffff800082cafe3, If non-zero, the instruction address which referenced the bad memory
    	address.
    Arg4: 0000000000000002, (reserved)
    
    Debugging Details:
    ------------------
    
    
    KEY_VALUES_STRING: 1
    
    
    STACKHASH_ANALYSIS: 1
    
    TIMELINE_ANALYSIS: 1
    
    
    DUMP_CLASS: 1
    
    DUMP_QUALIFIER: 0
    
    BUILD_VERSION_STRING:  10240.17443.amd64fre.th1.170602-2340
    
    DUMP_TYPE:  0
    
    BUGCHECK_P1: ffffffff800011c0
    
    BUGCHECK_P2: 2
    
    BUGCHECK_P3: fffff800082cafe3
    
    BUGCHECK_P4: 2
    
    READ_ADDRESS:  ffffffff800011c0 
    
    FAULTING_IP: 
    nt!ObfDereferenceObject+23
    fffff800`082cafe3 f0480fc15ed0    lock xadd qword ptr [rsi-30h],rbx
    
    MM_INTERNAL_CODE:  2
    
    CPU_COUNT: 2
    
    CPU_MHZ: db0
    
    CPU_VENDOR:  GenuineIntel
    
    CPU_FAMILY: 6
    
    CPU_MODEL: 5e
    
    CPU_STEPPING: 3
    
    CPU_MICROCODE: 6,5e,3,0 (F,M,S,R)  SIG: C2'00000000 (cache) C2'00000000 (init)
    
    DEFAULT_BUCKET_ID:  WIN8_DRIVER_FAULT
    
    BUGCHECK_STR:  AV
    
    PROCESS_NAME:  System
    
    CURRENT_IRQL:  0
    
    ANALYSIS_SESSION_HOST:  DESKTOP-BMP442D
    
    ANALYSIS_SESSION_TIME:  03-24-2019 18:35:11.0296
    
    ANALYSIS_VERSION: 10.0.17763.1 amd64fre
    
    TRAP_FRAME:  ffffd0013bbaa520 -- (.trap 0xffffd0013bbaa520)
    NOTE: The trap frame does not contain all registers.
    Some register values may be zeroed or incorrect.
    rax=00000000c000000b rbx=0000000000000000 rcx=ffffffff800011f0
    rdx=ffffd0013bbaa703 rsi=0000000000000000 rdi=0000000000000000
    rip=fffff800082cafe3 rsp=ffffd0013bbaa6b0 rbp=ffffd0013bbaa860
     r8=fffff80009eeba10  r9=0000000000000204 r10=0000058c1e5f757f
    r11=fffff80008287000 r12=0000000000000000 r13=0000000000000000
    r14=0000000000000000 r15=0000000000000000
    iopl=0         nv up ei ng nz na po nc
    nt!ObfDereferenceObject+0x23:
    fffff800`082cafe3 f0480fc15ed0    lock xadd qword ptr [rsi-30h],rbx ds:ffffffff`ffffffd0=????????????????
    Resetting default scope
    
    LAST_CONTROL_TRANSFER:  from fffff8000847b402 to fffff800083dbcd0
    
    STACK_TEXT:  
    ffffd001`3bba9b28 fffff800`0847b402 : 00000000`00000050 00000000`00000003 ffffd001`3bba9c90 fffff800`0838b768 : nt!DbgBreakPointWithStatus
    ffffd001`3bba9b30 fffff800`0847ad32 : 00000000`00000003 ffffd001`3bba9c90 fffff800`083e3110 00000000`00000050 : nt!KiBugCheckDebugBreak+0x12
    ffffd001`3bba9b90 fffff800`083d66f4 : 00000000`00000000 00000000`00000000 00000000`00000002 00000000`00000000 : nt!KeBugCheck2+0x93e
    ffffd001`3bbaa2a0 fffff800`0841e851 : 00000000`00000050 ffffffff`800011c0 00000000`00000002 ffffd001`3bbaa520 : nt!KeBugCheckEx+0x104
    ffffd001`3bbaa2e0 fffff800`082bbeb6 : 00000000`00000002 00000000`00000000 ffffd001`3bbaa520 fffff800`083db026 : nt! ?? ::FNODOBFM::`string'+0x39651
    ffffd001`3bbaa3d0 fffff800`083df6bd : ffffe001`fb5ce140 fffff800`082d30ed 00000000`00000000 00000000`00000000 : nt!MmAccessFault+0x696
    ffffd001`3bbaa520 fffff800`082cafe3 : ffffe001`fcad1000 ffffe001`fb8902d0 00000000`00000200 ffffd001`3bbaa860 : nt!KiPageFault+0x13d
    ffffd001`3bbaa6b0 fffff801`24941526 : 00000012`00170000 ffffe001`fa398b20 ffffe001`fa398b20 fffff801`24940000 : nt!ObfDereferenceObject+0x23
    ffffd001`3bbaa6f0 fffff801`249413c7 : ffffffff`800011f0 ffffffff`ff676980 ffffffff`ff676980 04000000`00020020 : Shared_mem_By_Frankoo!DriverLoop+0x12a [c:\users\jack\desktop\shared-mem by frankoo\shared_mem-by-frankoo\shared_mem-by-frankoo\main.c @ 252] 
    ffffd001`3bbaa730 fffff800`087d9ec0 : 00000000`000001c8 00000000`0000002c ffffd001`3bbaa860 00000000`00000000 : Shared_mem_By_Frankoo!DriverEntry+0x97 [c:\users\jack\desktop\shared-mem by frankoo\shared_mem-by-frankoo\shared_mem-by-frankoo\main.c @ 311] 
    ffffd001`3bbaa760 fffff800`087d858a : 00000000`00000000 00000000`00000000 00000000`00000000 fffff800`0865f340 : nt!IopLoadDriver+0x5e8
    ffffd001`3bbaaa30 fffff800`082d6489 : fffff800`00000000 ffffffff`80000f94 ffffe001`fb5ce040 fffff800`0865f340 : nt!IopLoadUnloadDriver+0x4e
    ffffd001`3bbaaa70 fffff800`0830c1fc : ffffe001`fa29d840 00000000`00000080 fffff800`0865f340 ffffe001`fb5ce040 : nt!ExpWorkerThread+0xe9
    ffffd001`3bbaab00 fffff800`083db6d6 : fffff800`085e9180 ffffe001`fb5ce040 ffffe001`fa5e1840 700b720f`000a340f : nt!PspSystemThreadStartup+0x58
    ffffd001`3bbaab60 00000000`00000000 : ffffd001`3bbab000 ffffd001`3bba4000 00000000`00000000 00000000`00000000 : nt!KiStartSystemThread+0x16
    
    
    THREAD_SHA1_HASH_MOD_FUNC:  99303c55adcda7ec3730491551196b1e7eff2608
    
    THREAD_SHA1_HASH_MOD_FUNC_OFFSET:  8d6b4f08b184efce05f2af0d57a66a841dd08bd1
    
    THREAD_SHA1_HASH_MOD:  4710ac62343937f610cc55aefda8e5d11b28788f
    
    FOLLOWUP_IP: 
    Shared_mem_By_Frankoo!DriverLoop+12a [c:\users\jack\desktop\shared-mem by frankoo\shared_mem-by-frankoo\shared_mem-by-frankoo\main.c @ 252]
    fffff801`24941526 bb220000c0      mov     ebx,0C0000022h
    
    FAULT_INSTR_CODE:  22bb
    
    FAULTING_SOURCE_LINE:  c:\users\jack\desktop\shared-mem by frankoo\shared_mem-by-frankoo\shared_mem-by-frankoo\main.c
    
    FAULTING_SOURCE_FILE:  c:\users\jack\desktop\shared-mem by frankoo\shared_mem-by-frankoo\shared_mem-by-frankoo\main.c
    
    FAULTING_SOURCE_LINE_NUMBER:  252
    
    FAULTING_SOURCE_CODE:  
       248: 			}
       249: 			else {
       250: 				Status = STATUS_ACCESS_DENIED;
       251: 				ObDereferenceObject(Process);
    >  252: 				DbgPrintEx(0, 0, "Status debug \n", Status);
       253: 				return Status;
       254: 			}
       255: 
       256: 			DbgPrintEx(0, 0, "Write Params:  %lu, %#010x \n", WriteInput->SourceAddress, WriteInput->TargetAddress);
       257: 
    
    
    SYMBOL_STACK_INDEX:  8
    
    SYMBOL_NAME:  Shared_mem_By_Frankoo!DriverLoop+12a
    
    FOLLOWUP_NAME:  MachineOwner
    
    MODULE_NAME: Shared_mem_By_Frankoo
    
    IMAGE_NAME:  Shared_mem-By-Frankoo.sys
    
    DEBUG_FLR_IMAGE_TIMESTAMP:  5c97aa03
    
    STACK_COMMAND:  .thread ; .cxr ; kb
    
    BUCKET_ID_FUNC_OFFSET:  12a
    
    FAILURE_BUCKET_ID:  AV_INVALID_Shared_mem_By_Frankoo!DriverLoop
    
    BUCKET_ID:  AV_INVALID_Shared_mem_By_Frankoo!DriverLoop
    
    PRIMARY_PROBLEM_CLASS:  AV_INVALID_Shared_mem_By_Frankoo!DriverLoop
    
    TARGET_TIME:  2019-03-24T17:36:14.000Z
    
    OSBUILD:  10240
    
    OSSERVICEPACK:  0
    
    SERVICEPACK_NUMBER: 0
    
    OS_REVISION: 0
    
    SUITE_MASK:  272
    
    PRODUCT_TYPE:  1
    
    OSPLATFORM_TYPE:  x64
    
    OSNAME:  Windows 10
    
    OSEDITION:  Windows 10 WinNt TerminalServer SingleUserTS
    
    OS_LOCALE:  
    
    USER_LCID:  0
    
    OSBUILD_TIMESTAMP:  2017-06-03 13:24:02
    
    BUILDDATESTAMP_STR:  170602-2340
    
    BUILDLAB_STR:  th1
    
    BUILDOSVER_STR:  10.0.10240.17443.amd64fre.th1.170602-2340
    
    ANALYSIS_SESSION_ELAPSED_TIME:  2212
    
    ANALYSIS_SOURCE:  KM
    
    FAILURE_ID_HASH_STRING:  km:av_invalid_shared_mem_by_frankoo!driverloop
    
    FAILURE_ID_HASH:  {f1eecdba-96fd-88ee-5702-30699488e292}
    
    Followup:     MachineOwner
    ---------
    
    

    Sunday, March 24, 2019 5:42 PM
  • Virtual Memory can be edited by right-clicking on Computer / Properties / Advanced / Virtual memory / Advanced / Change button. With C: highlighted, set to "Let System Manage", click Set 2X, close out, restart PC. As far as Virtual Memory goes & Intel.com & Microsoft Performance goes, a simple way of editing the page file is to run regedit / expand HKEY_LOCAL_MACHINE/System/CurrentControlSet/Control/SessionManager/MemoryManagement.

    Edit PagingExecutive: left-click on it, go to manage, set to 1 from 0. This gets the OS to run memory in RAM instead of a page file, which is slow. If you really do OS check-ups & you run Intel hardware, download:

    https://software.intel.com/en-us/node/327154?wapkw=gael+t.+holmes

    The link is old, but the Intel vPro analyzer is not; it's been updated. Download to a slave HD or a USB flash drive, run the utility,

    Or if Windows drivers/software is your item, go to:

    https://www.osr.com/

    OSR only deals with Windows WHQL drivers (Windows Hardware Quality Labs); you can not get a better link(s)..

    Sorry, but I didn't understand what you meant. I am trying to send a struct via a mapped section; I really don't want to play with virtual memory. Or could you explain more about what you are trying to say :)
    Sunday, March 24, 2019 5:43 PM
  • Your fault is in code we haven't seen the path to.  I.E.  You are failing in dereferencing the process, but we don't see the code that does the reference or dereference.


    Don Burn Windows Driver Consulting Website: http://www.windrvr.com

    Sunday, March 24, 2019 5:48 PM
  • Your fault is in code we haven't seen the path to.  I.E.  You are failing in dereferencing the process, but we don't see the code that does the reference or dereference.


    Don Burn Windows Driver Consulting Website: http://www.windrvr.com

        KM_WRITE_REQUEST* WriteInput = (KM_WRITE_REQUEST*)SharedSection; // this should get our struct pointer from User mode.
        PEPROCESS Process;
        NTSTATUS Status;

        DbgPrintEx(0, 0, "Processid = : %u \n", WriteInput->ProcessId);
        DbgPrintEx(0, 0, "Write Params:  %lu, %#010x \n", WriteInput->SourceAddress, WriteInput->TargetAddress);

        /*if (NT_SUCCESS(PsLookupProcessByProcessId(WriteInput->ProcessId, &Process))) {
            Status = WriteKernelMemory(Process, WriteInput->SourceAddress, WriteInput->TargetAddress, WriteInput->Size);
            DbgPrintEx(0, 0, "Status debug \n", Status);
        }
        else {
            Status = STATUS_ACCESS_DENIED;
            ObDereferenceObject(Process);
            DbgPrintEx(0, 0, "Status debug \n", Status);
            return Status;
        }

        DbgPrintEx(0, 0, "Write Params:  %lu, %#010x \n", WriteInput->SourceAddress, WriteInput->TargetAddress);*/

        KeResetEvent(SharedEvent_dt); // resets the event to non-signaled
        break;

    }

    This is all I am doing. I am dereferencing the process in case

    PsLookupProcessByProcessId

    failed, and it is failing, because I have just checked the output value of ProcessId by doing this:

    DbgPrintEx(0, 0, "Processid = : %u \n", WriteInput->ProcessId);

    and the output is 0. Is it because of the way I am sending the whole struct object address?

        KM_WRITE_REQUEST* Sent_struct = (KM_WRITE_REQUEST*)MapViewOfFile(hMapFileW, FILE_MAP_WRITE, 0, 0, sizeof(KM_WRITE_REQUEST));

        if (!Sent_struct) {
            printf("Error MapViewOfFile(Sent_struct)\n");
            return false;
        }

        KM_WRITE_REQUEST WriteRequest;
        WriteRequest.ProcessId = PID;
        WriteRequest.TargetAddress = WriteAddress;
        WriteRequest.SourceAddress = SourceAddress;
        WriteRequest.Size = WriteSize;

        KM_WRITE_REQUEST* test_ptr = &WriteRequest;
        if (!memcpy(Sent_struct, test_ptr, sizeof(KM_WRITE_REQUEST))) {
            printf("Error copying memory with (memcpy) to struct\n");
            return false;
        }

        UnmapViewOfFile(Sent_struct);



    • Edited by Frankooo Sunday, March 24, 2019 6:18 PM
    Sunday, March 24, 2019 6:18 PM
  • Didn't help, this is the WinDbg crash error

    So now you know from your own experience why ioctls are better. Just use ioctls and avoid self-inflicted pain.

    -- pa

    Sunday, March 24, 2019 6:19 PM
  • Didn't help, this is the WinDbg crash error

    So now you know from your own experience why ioctls are better. Just use ioctls and avoid self-inflicted pain.

    -- pa

    Well, I am almost done with it. I know that ioctls are a lot better, but as I said I am almost done with my goal; I just need to share a struct with my kernel mode and I am done with this driver :D
    Sunday, March 24, 2019 6:27 PM
  • Never mind guys, I have fixed my problem. It was so stupid because I had forgotten to call my GetPID() func and it was always 0. But aside from that I am getting STATUS_ACCESS_DENIED when using MmCopyVirtualMemory. Anyone know why I am getting that? Before, when using my old driver, it was working fine, but I don't know why it's not with this driver.
    Sunday, March 24, 2019 10:48 PM
  • Why do you think you need that call?   Really this project of yours has become the worst attempt at kernel software I have seen in my 48 years of working in the kernel.   The only thing to do with the code is to use a mil-spec file delete to erase it from every storage media you have it on.


    Don Burn Windows Driver Consulting Website: http://www.windrvr.com

    Sunday, March 24, 2019 11:05 PM
  • Why do you think you need that call?   Really this project of yours has become the worst attempt at kernel software I have seen in my 48 years of working in the kernel.   The only thing to do with the code is to use a mil-spec file delete to erase it from every storage media you have it on.


    Don Burn Windows Driver Consulting Website: http://www.windrvr.com

    Because basically I want to write and read memory :D with MmCopyVirtualMemory.
    Monday, March 25, 2019 1:10 PM
  • Because basically I want to write and read memory :D with MmCopyVirtualMemory.

    That isn't an answer, it is a desire.  For almost any purpose RtlCopyMemory, which is actually memcpy, works fine.   Why do you think you need an undocumented call?  Really it is time to stop this nonsense, and wipe the code from all machines, it is worse than worthless.



    Don Burn Windows Driver Consulting Website: http://www.windrvr.com

    Monday, March 25, 2019 1:41 PM
  • Because basically I want to write and read memory :D with MmCopyVirtualMemory.

    That isn't an answer, it is a desire.  For almost any purpose RtlCopyMemory, which is actually memcpy, works fine.   Why do you think you need an undocumented call?  Really it is time to stop this nonsense, and wipe the code from all machines, it is worse than worthless.



    Don Burn Windows Driver Consulting Website: http://www.windrvr.com

    Well, I chose MmCopyVirtualMemory because it's easier and for lazy people like me, but it's not working so I will try RtlCopyMemory. Thanks.
    Monday, March 25, 2019 4:56 PM
  • Well, I chose MmCopyVirtualMemory because it's easier and for lazy people like me, but it's not working so I will try RtlCopyMemory. Thanks.

    That is the stupidest thing yet in this conversation.  How can using an UNDOCUMENTED FUNCTION taking 6 parameters be easier than a well documented function taking only 3?


    Don Burn Windows Driver Consulting Website: http://www.windrvr.com

    Monday, March 25, 2019 5:02 PM
  • Well, I chose MmCopyVirtualMemory because it's easier and for lazy people like me, but it's not working so I will try RtlCopyMemory. Thanks.

    That is the stupidest thing yet in this conversation.  How can using an UNDOCUMENTED FUNCTION taking 6 parameters be easier than a well documented function taking only 3?


    Don Burn Windows Driver Consulting Website: http://www.windrvr.com

    My bad.
    Monday, March 25, 2019 7:45 PM