Access to process virtual memory from Kernel mode

Господа!

Хотелось бы обсудить следующий вопрос:

какие существуют правила при использовании (чтение/запись) буфера виртуальной памяти процесса из ядра?

Ситуация:

драйвер вызывает

// IRQL == 0x0

ImportDescriptor = (PIMAGE_IMPORT_DESCRIPTOR)RtlImageDirectoryEntryToData(
Process->SectionBaseAddress,
TRUE,
IMAGE_DIRECTORY_ENTRY_IMPORT,
&ImportSize);
// получили виртуальный адрес секции в процессе
// далее..
KeStackAttachProcess(&Process->Pcb, &ApcState);
RtlCopyMemory(buffer, ImportDescriptor, ImportSize); <----- ИНОГДА! BSOD (KERNEL_MODE_EXCEPTION_NOT_HANDLED_M)

Итак, не понятно, вроде PASSIVE_LEVEL.. а exception происходит!!! почему???

следует сделать следующее:

__try {

RtlCopyMemory(buffer, ImportDescriptor, ImportSize);

} __except(EXCEPTION_EXECUTE_HANDLER) {

// todo

}

НО КАК ПРЕДОТВРАТИТЬ EXCEPTION???

НУЖНО ИСПОЛЬЗОВАТЬ MmProbeAndLockPages??? НО почему ведь PASSIVE_LEVEL!!

Thanx

 

!analyze -v
в студию

 

*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

KERNEL_MODE_EXCEPTION_NOT_HANDLED_M (1000008e)
This is a very common bugcheck. Usually the exception address pinpoints
the driver/function that caused the problem. Always note this address
as well as the link date of the driver/image that contains this address.
Some common problems are exception code 0x80000003. This means a hard
coded breakpoint or assertion was hit, but this system was booted
/NODEBUG. This is not supposed to happen as developers should never have
hardcoded breakpoints in retail code, but ...
If this happens, make sure a debugger gets connected, and the
system is booted /DEBUG. This will let us see why this breakpoint is
happening.
Arguments:
Arg1: c0000005, The exception code that was not handled
Arg2: 804d9a69, The address that the exception occurred at
Arg3: af0e0a90, Trap Frame
Arg4: 00000000

Debugging Details:
------------------




EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - <Unable to get error code text>

FAULTING_IP:
nt!memcpy+33
804d9a69 f3a5 rep movs dword ptr es:[edi],dword ptr [esi]

TRAP_FRAME: af0e0a90 -- (.trap 0xffffffffaf0e0a90)
ErrCode = 00000000
eax=01081b6c ebx=00000000 ecx=00000032 edx=00000000 esi=01081aa4 edi=00090014
eip=804d9a69 esp=af0e0b04 ebp=af0e0b0c iopl=0 nv up ei pl nz ac po nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010212
nt!memcpy+0x33:
804d9a69 f3a5 rep movs dword ptr es:[edi],dword ptr [esi] es:0023:00090014=00000000 ds:0023:01081aa4=????????
Resetting default scope

DEFAULT_BUCKET_ID: DRIVER_FAULT

BUGCHECK_STR: 0x8E

PROCESS_NAME: wmiprvse.exe

LAST_CONTROL_TRANSFER: from aecaa048 to 804d9a69

 

Хм, а может KeStackAttachProcess(&Process->Pcb, &ApcState); сделать до RtlImageDirectoryEntryToData...

 

Код (Text):

1. PVOID
2. RtlImageDirectoryEntryToData (
3.     IN PVOID Base,
4.     IN BOOLEAN MappedAsImage,
5.     IN USHORT DirectoryEntry,
6.     OUT PULONG Size
7.     )
8.  
9. /*++
10.  
11. Routine Description:
12.  
13.     This function locates a Directory Entry within the image header
14.     and returns either the virtual address or seek address of the
15.     data the Directory describes.
16.  
17. Arguments:
18.  
19.     Base - Supplies the base of the image or data file.
20.  
21.     MappedAsImage - FALSE if the file is mapped as a data file.
22.                   - TRUE if the file is mapped as an image.
23.  
24.     DirectoryEntry - Supplies the directory entry to locate.
25.  
26.     Size - Return the size of the directory.
27.  
28. Return Value:
29.  
30.     NULL - The file does not contain data for the specified directory entry.
31.  
32.     NON-NULL - Returns the address of the raw data the directory describes.
33.  
34. --*/
35.  
36. {
37.     PIMAGE_NT_HEADERS NtHeaders;
38.  
39.     if (LDR_IS_DATAFILE(Base)) {
40.         Base = LDR_DATAFILE_TO_VIEW(Base);
41.         MappedAsImage = FALSE;
42.         }
43.  
44.     NtHeaders = RtlImageNtHeader(Base);
45.  
46.     if (!NtHeaders)
47.         return NULL;
48.  
49.     if (NtHeaders->OptionalHeader.Magic == IMAGE_NT_OPTIONAL_HDR32_MAGIC) {
50.         return (RtlpImageDirectoryEntryToData32(Base,
51.                                                 MappedAsImage,
52.                                                 DirectoryEntry,
53.                                                 Size,
54.                                                 (PIMAGE_NT_HEADERS32)NtHeaders));
55.     } else if (NtHeaders->OptionalHeader.Magic == IMAGE_NT_OPTIONAL_HDR64_MAGIC) {
56.         return (RtlpImageDirectoryEntryToData64(Base,
57.                                                 MappedAsImage,
58.                                                 DirectoryEntry,
59.                                                 Size,
60.                                                 (PIMAGE_NT_HEADERS64)NtHeaders));
61.     } else {
62.         return (NULL);
63.     }
64. }

Судите сами, до или после звать KeStackAttachProcess.
Также не очень понятно зачем так хитро:

Код (Text):

1. KeStackAttachProcess(&Process->Pcb, &ApcState);

Если Process типа PEPROCESS, тогда можно и так:

Код (Text):

1. KeStackAttachProcess(Process, &ApcState);

И, кстати, не вижу в коде вызова KeUnstackDetachProcess.