none
In The Driver call ZwOpenSection Device-PhysicalMemory,return status is 0,but the Sectionhandle is 0,next ObReferenceObjectByHandle bulescreen . RRS feed

  • 问题


  • environment:  win7 x64 ult sp1   no driver signature

    The code:

    NTSTATUS MapPhysicalMemoryToLinearSpace(IN ULONG64 pPhysAddress,

    IN ULONG PhysMemSizeInBytes,
    OUT PULONG64 *ppPhysMemLin)
    {
    OBJECT_HANDLE_INFORMATION object_handle_information;
    UNICODE_STRING PhysicalMemoryUnicodeString;
    PVOID PhysicalMemorySection = NULL;
    HANDLE *pPhysicalMemoryHandle = NULL;
    OBJECT_ATTRIBUTES ObjectAttributes;
    PHYSICAL_ADDRESS ViewBase;
    PHYSICAL_ADDRESS pStartPhysAddress;
    PHYSICAL_ADDRESS pEndPhysAddress;
    PHYSICAL_ADDRESS MappingLength;
    BOOLEAN Result1, Result2;
    ULONG IsIOSpace;
    ULONG64 *pbPhysMemLin = NULL;
    NTSTATUS ntStatus;

    DbgPrint("Entering Mp");

    RtlInitUnicodeString(&PhysicalMemoryUnicodeString, L"\\Device\\PhysicalMemory");

    InitializeObjectAttributes(&ObjectAttributes,
    &PhysicalMemoryUnicodeString,
    OBJ_CASE_INSENSITIVE,
    (HANDLE) NULL,
    (PSECURITY_DESCRIPTOR) NULL);

    ntStatus = ZwOpenSection(pPhysicalMemoryHandle,                                    <---- in windbg ntStatus is 0,pPhysicalMemoryHandle is 0.
    SECTION_ALL_ACCESS,
    &ObjectAttributes);

    if(NT_SUCCESS(ntStatus)){
    ntStatus = ObReferenceObjectByHandle(*pPhysicalMemoryHandle,
    SECTION_ALL_ACCESS,
    (POBJECT_TYPE) NULL,
    KernelMode,
    &PhysicalMemorySection,
    &object_handle_information);      <---- in windbg blue screen  pagefault

    if(NT_SUCCESS(ntStatus)){

    pStartPhysAddress.QuadPart =(ULONG64)pPhysAddress;

    pEndPhysAddress = RtlLargeIntegerAdd(pStartPhysAddress,RtlConvertUlongToLargeInteger(PhysMemSizeInBytes));

    IsIOSpace = 0;

    Result1 = HalTranslateBusAddress(1, 0, pStartPhysAddress, &IsIOSpace, &pStartPhysAddress);

    IsIOSpace = 0;

    Result2 = HalTranslateBusAddress(1, 0, pEndPhysAddress, &IsIOSpace, &pEndPhysAddress);

    if(Result1 && Result2){

    MappingLength = RtlLargeIntegerSubtract(pEndPhysAddress, pStartPhysAddress);

    if(MappingLength.LowPart){

    // Let ZwMapViewOfSection pick a linear address

    PhysMemSizeInBytes = MappingLength.LowPart;

    ViewBase = pStartPhysAddress;

    ntStatus = ZwMapViewOfSection(*pPhysicalMemoryHandle,
    (HANDLE) -1,
    &pbPhysMemLin,
    0L,
    PhysMemSizeInBytes,
    &ViewBase,
    (PSIZE_T)&PhysMemSizeInBytes,
    ViewShare,
    0,
    PAGE_READWRITE | PAGE_NOCACHE);

    if(!NT_SUCCESS(ntStatus)){
    DbgPrint("ERROR: ZwMapViewOfSection failed");
    }else{
    pbPhysMemLin += (ULONG64)pStartPhysAddress.LowPart -(ULONG64)ViewBase.LowPart;
    *ppPhysMemLin = pbPhysMemLin;

    }else{
    DbgPrint("ERROR: RtlLargeIntegerSubtract failed");
    }
    }else{
    DbgPrint("ERROR: MappingLength = 0");
    }
    }else{
    DbgPrint("ERROR: ObReferenceObjectByHandle failed");
    }
    }else{
    DbgPrint("ERROR: ZwOpenSection failed");
    }

    ZwClose(*pPhysicalMemoryHandle);

    DbgPrint("Leaving Mp!");

    return ntStatus;
    }

    Thanks!

    2017年2月13日 8:00