lundi 14 avril 2014

BSOD lors de l'écriture au nom de win7 x 86 pilote - débordement de pile mémoire partagée 


#include "ntddk.h"

NTSTATUS    DriverEntry( IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING RegistryPath );
VOID            DriverUnload( IN PDRIVER_OBJECT DriverObject );

INT InitializeGlobalAddressSpace(VOID);
#define BUF_SIZE 256

TCHAR szName[]=TEXT("\\BaseNamedObjects\\MyFileMappingObject");
char szMsg[]="New Message";

NTSTATUS DriverEntry( IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING RegistryPath )
{
    NTSTATUS    ntStatus = STATUS_UNSUCCESSFUL;

    DriverObject->DriverUnload = DriverUnload;

    DbgPrint("Hello World Driver Loaded!");
    InitializeGlobalAddressSpace();
    ntStatus = STATUS_SUCCESS;

    return ntStatus;
}

VOID DriverUnload( IN PDRIVER_OBJECT DriverObject )
{
    DbgPrint("Hello World Driver unloaded!");
}

INT InitializeGlobalAddressSpace(VOID)
{
    OBJECT_ATTRIBUTES ObjectAttributes;
    UNICODE_STRING PhysMemName = RTL_CONSTANT_STRING(L"\\BaseNamedObjects\\MyFileMappingObject");
    NTSTATUS Status;
    HANDLE PhysMemHandle;
    PVOID BaseAddress;
    PVOID NullAddress;
    LARGE_INTEGER Offset;
    ULONG ViewSize;
    BaseAddress = NULL;
    Offset.LowPart = 0;
    Offset.HighPart = 0;
    ViewSize = 0;

    InitializeObjectAttributes(&ObjectAttributes,&PhysMemName,0,NULL,NULL);
    Status = ZwOpenSection(&PhysMemHandle, SECTION_ALL_ACCESS, &ObjectAttributes);

    if (!NT_SUCCESS(Status))
     {
        DbgPrint("Couldn't open Global\\MyFileMappingObject - error:%x\n",Status);
        return(0);
     }

   Status = ZwMapViewOfSection(PhysMemHandle,ZwCurrentProcess(),&BaseAddress,0,0,&Offset,&ViewSize,ViewShare,0,PAGE_READWRITE);

   if (!NT_SUCCESS(Status))
     {
        DbgPrint("Couldn't open Global\\MyFileMappingObject - error:%x\n",Status);
        return(0);
     }

   DbgPrint("%s",Status);

    try
    {
        memcpy((PVOID)Status, szMsg, (strlen(szMsg) * sizeof(TCHAR)));
    }
    except(EXCEPTION_EXECUTE_HANDLER)//will crash without this.
    {
        DbgPrint("error:%x");
    }

   return (1);
}

memcpy function causes the driver to crash the system, am i doing something wrong within the zwopensection/zwmapviewofsection to cause this to happen. Note: driver does not crash system with try/except function around it.




You are trying to write something in Status:


memcpy((PVOID)Status, szMsg, (strlen(szMsg) * sizeof(TCHAR)));

Actually you are supposed to write in BaseAddress ... :-)



#include "ntddk.h"

NTSTATUS    DriverEntry( IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING RegistryPath );
VOID            DriverUnload( IN PDRIVER_OBJECT DriverObject );

INT InitializeGlobalAddressSpace(VOID);
#define BUF_SIZE 256

TCHAR szName[]=TEXT("\\BaseNamedObjects\\MyFileMappingObject");
char szMsg[]="New Message";

NTSTATUS DriverEntry( IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING RegistryPath )
{
    NTSTATUS    ntStatus = STATUS_UNSUCCESSFUL;

    DriverObject->DriverUnload = DriverUnload;

    DbgPrint("Hello World Driver Loaded!");
    InitializeGlobalAddressSpace();
    ntStatus = STATUS_SUCCESS;

    return ntStatus;
}

VOID DriverUnload( IN PDRIVER_OBJECT DriverObject )
{
    DbgPrint("Hello World Driver unloaded!");
}

INT InitializeGlobalAddressSpace(VOID)
{
    OBJECT_ATTRIBUTES ObjectAttributes;
    UNICODE_STRING PhysMemName = RTL_CONSTANT_STRING(L"\\BaseNamedObjects\\MyFileMappingObject");
    NTSTATUS Status;
    HANDLE PhysMemHandle;
    PVOID BaseAddress;
    PVOID NullAddress;
    LARGE_INTEGER Offset;
    ULONG ViewSize;
    BaseAddress = NULL;
    Offset.LowPart = 0;
    Offset.HighPart = 0;
    ViewSize = 0;

    InitializeObjectAttributes(&ObjectAttributes,&PhysMemName,0,NULL,NULL);
    Status = ZwOpenSection(&PhysMemHandle, SECTION_ALL_ACCESS, &ObjectAttributes);

    if (!NT_SUCCESS(Status))
     {
        DbgPrint("Couldn't open Global\\MyFileMappingObject - error:%x\n",Status);
        return(0);
     }

   Status = ZwMapViewOfSection(PhysMemHandle,ZwCurrentProcess(),&BaseAddress,0,0,&Offset,&ViewSize,ViewShare,0,PAGE_READWRITE);

   if (!NT_SUCCESS(Status))
     {
        DbgPrint("Couldn't open Global\\MyFileMappingObject - error:%x\n",Status);
        return(0);
     }

   DbgPrint("%s",Status);

    try
    {
        memcpy((PVOID)Status, szMsg, (strlen(szMsg) * sizeof(TCHAR)));
    }
    except(EXCEPTION_EXECUTE_HANDLER)//will crash without this.
    {
        DbgPrint("error:%x");
    }

   return (1);
}

memcpy function causes the driver to crash the system, am i doing something wrong within the zwopensection/zwmapviewofsection to cause this to happen. Note: driver does not crash system with try/except function around it.



You are trying to write something in Status:


memcpy((PVOID)Status, szMsg, (strlen(szMsg) * sizeof(TCHAR)));

Actually you are supposed to write in BaseAddress ... :-)


0 commentaires:

Enregistrer un commentaire