Kernel Mode: BSOD to obtain image base of win32k.sys module [duplicate] - c++

I'm writing a kernel driver, which should read (and in some cases, also write) some memory addresses in kernel session space (win32k.sys). I've read in another topic that for example in Windbg I should change the context to a random user process to read the memory of kernel session space (with .process /p). How can I do that in a kernel driver? Should I create a user process which communicate with the driver (that's my idea now, but I hope that there is a better solution) or there is a more simple solution for this?

Session space are not mapped in system address space (that drivers share, if not attached to any process). Those why you getting BSOD while accessing win32k.
You need to be attached to EPROCESS via KeStackAttachProcess to perform this operation. You can get session id with ZwQueryInformationProcess(ProcessSessionInformation) function.

Kernel memory space is shared among all of the kernel objects ( just like a real/unprotected mode in DOS and early Windows versions). Kernel driver can access any address within the kernel space, whether it belongs to him or not.

You must find and attach to the csrss process!
win32k.sys is not loaded in the system address space of all process only for csrss.
You should do stack attach to csrss process.

Related

Windows lock usb port per user in c++

My software is protected by a USB hardware token and I want to achieve the following:
A user should be able to start as many instances of the software as he likes
A Second user on the same machine should not be able to start the application if the first user is already running the software.
So basically if the first user starts the software I would like to lock the usb port so only this user can access it. The Software is written in C++ and is running on Windows >7 or Windows Server >2008
Any Ideas?
As Jonathon suggested, you can use global names object. Check the example for global shared memory: https://msdn.microsoft.com/en-us/library/windows/desktop/aa366551(v=vs.85).aspx
When process starts, it shall
get the GetUserName (maybe also GetCurrentProcessId).
open named shared memory, like "Global\\MyAppRunningInstances"
Parse every line for values like: Username, ProcessId, heartbeat-timestamp...
If it finds another process with different username, check the heartbeat timestamp, maybe it is long ago crashed :) (if that process wasn't the only one, shared memory mapping will not be destroyed)
If timestamp indicates that "alien" process is running, you can quit current process with a message that there is another user session running
If no "alien" processes detected, add/edit entry for current user.
Do periodic heartbeat update with timestamp

Shared memory between kernel and user mode. How to share handle?

I am trying to use shared memory between user process and kernel.
Option one - to let kernel to create section and let user mode app to open memory by name "Global\my_mem". It's working only in read-only mode. When I am trying to open section with FILE_MAP_WRITE it gives access denied(5). Not sure how to grant access or modify DACL.
Option two - pass handle back via IOCTL. This one is questionable since handle to section opened in KERNEL is 0xFFFFFFFF80001234. My understanding that handles that have any of upper bits set can not be used in user mode. Especially if app will be 32-bit :) Initially I expected that section handle will be somewhat similar to kernel file handle and I will be able to use it.
What would be the correct approach to establish shared memory channel between kernel and user mode?
For option 1, you can specify the security descriptor assigned to the newly created object via the SecurityDescriptor member of the OBJECT_ATTRIBUTES structure.
For option 2, you would need to create an additional handle as a user handle, which you do by not specifying the OBJ_KERNEL_HANDLE flag in the OBJECT_ATTRIBUTES structure. This will only work if you open the new handle while running in the context of a thread belonging to the user application's process, e.g., while processing an IOCTL received from the user application.
Another option is for the kernel driver to map the section into the user-mode application's address space itself, using ZwMapViewOfSection.
One issue with using a section is that the driver itself can only safely access it from a system thread. If that is a problem, you can share memory directly rather than via a section. If you allocate the memory in kernel mode, you can map it into the user-mode application's address space using MmMapLockedPagesSpecifyCache.
Yet another option is for the driver to access a memory buffer allocated by the user-mode process.
The downside to either of these approaches is that the buffer (or the part of it being shared) must be locked in memory, whereas using a section allows the buffer to be pageable.
Since you referred to 32bit app, I assume it is between a user process and a device driver - I would go with IOCTL - METHOD_IN_DIRECT (receives data in the buffer) and METHOD_OUT_DIRECT (write data into the buffer).
If shared memory is between multiple user processes and one or more device drivers - using shared Memory Object method is recommended .

Is FindFirstChangeNotification API doing any disk access? [duplicate]

I've used FileSystemWatcher in the past. However, I am hoping someone can explain how it actually is working behind the scenes.
I plan to utilize it in an application I am making and it would monitor about 5 drives and maybe 300,000 files.
Does the FileSystemWatcher actually do "Checking" on the drive - as in, will it be causing wear/tear on the drive? Also does it impact hard drive ability to "sleep"
This is where I do not understand how it works - if it is like scanning the drives on a timer etc... or if its waiting for some type of notification from the OS before it does anything.
I just do not want to implement something that is going to cause extra reads on a drive and keep the drive from sleeping.
Nothing like that. The file system driver simply monitors the normal file operations requested by other programs that run on the machine against the filters you've selected. If there's a match then it adds an entry to an internal buffer that records the operation and the filename. Which completes the driver request and gets an event to run in your program. You'll get the details of the operation passed to you from that buffer.
So nothing actually happens the operations themselves, there is no extra disk activity at all. It is all just software that runs. The overhead is minimal, nothing slows down noticeably.
The short answer is no. The FileSystemWatcher calls the ReadDirectoryChangesW API passing it an asynchronous flag. Basically, Windows will store data in an allocated buffer when changes to a directory occur. This function returns the data in that buffer and the FileSystemWatcher converts it into nice notifications for you.

Starting programs from C++, exchanging info with pipes and then shared memory

I am currently developing a modular framework using shared memory in C & C++.
The goal is to have independent programs in both C and C++, talk to each other through shared memory.
E.g. one program is responsible for reading a GPS and another responsible for processing the data from several sensors.
A master program will start all the slave programs
(currently i am using fp = popen(./slave1/slave1,"r"); to do this) and then make shared memory segments that each slave can connect to.
The thought behind this is that if a slave dies, it can be revived by the master and reconnect to the same shared memory segment.
Slaves can also be exchanged during runtime (e.g. switch one GPS with another).
The problem is that I spawn the slave via popen, and pass the shared memory ID to the slave. Via the pipe the slave transmits back the size needed.
After this is done i want to reroute the slave's pipe to terminal to display debug messages and not pass through the master.
Suggestions are greatly appreciated, as well as other solutions to the issue.
The key is to have some form of communication prior to setting up the shared memory.
I suggest to use another mean to communicate. Named pipe are the way I think. Rerouting standard out/err will be tricky at best.
I suggest to use boost.interprocess to handle IPC. And be attentive to synchronization :)
my2c
You may want to look into the SCM_RIGHTS transfer mode of unix domain sockets - this lets you pass a file descriptor across a local socket. This can be used to pass stderr and the like to your slave processes.
You can also pass shared memory segments as a file descriptor as well (at least on Linux). Create a file with a random name in /dev/shm and unlink it immediately. Now ftruncate to the desired size and mmap with MAP_SHARED. Now you have a shared memory segment tied to a file descriptor. One of the nice things about this approach is the shared memory segment is automatically destroyed if all processes holding it terminate.
Putting this together, you can pass your slaves one end of a unix domain socketpair(). Just leave the fd open over exec, and pass the fd number on the command line. Pass whatever configuration information you want as normal data over the socket pair, then hand over a file descriptor pointing to your shared memory segment.
Pipes are not reroutable -- they go where they go when they were created. What you need to do is have the slave close the pipe when its done with it, and then reopen its stdout elsewhere. If you always want output to the terminal, you can use freopen("/dev/tty", "w", stdout), but then it will always go to the terminal -- you can't redirect it anywhere else.
To address the specific issue, send debug messages to stderr, rather than stdout.

Getting ring 0 mode in C++ (Windows)

How I can get ring 0 operating mode for my process in Windows 7(or Vista)?
Allowing arbitrary code to run in ring 0 violates basic OS security principles.
Only the OS kernel and device drivers run in ring 0. If you want to write ring 0 code, write a Windows device driver. This may be helpful.
Certain security holes may allow your code to run in ring 0 also, but this isn't portable because the hole might be fixed in a patch :P
Technically speaking, all processes have some threads spending some of their time in Kernel-Mode (ring 0). Whenever a user-mode process makes a syscall into the OS, there is a transition where the thread gets into ring 0 via a 'gate'. Whenever a process needs to talk to a device, allocate more process-wide memory, or spawn new threads, a syscall is used to ask the OS to provide this service.
Therefore, if you want to have a process run some code in ring 0, you'll need to write a driver and then communicate with this driver thru some syscalls. The most common syscall for this is called ioctl (stands for I/O Control).
Another thing to look at on the Windows platform is the UMDF (User-Mode Driver Framework). This allows you to write, debug, and test a driver in user-mode (running in ring 3) but it is still accessible to other drivers or other processes in the system.
You cannot set kernel mode from a user mode process. That's how security works.