A forum for reverse engineering, OS internals and malware analysis 

Forum for discussion about kernel-mode development.
 #2888  by mav
 Mon Sep 27, 2010 11:15 pm
I'm trying to commit some user-mode memory in the context of the process: (Windows 7, architecture x86)
Code:
PMDL pMdl = NULL;
BYTE *pVirtualMemory = NULL;
PHYSICAL_ADDRESS phBegin, phEnd, phSkip;
DWORD dwAllocationSize = 0;

phBegin.QuadPart = 0;
phEnd.QuadPart = (LONGLONG)-1;
phSkip.QuadPart = 0;

__try
{
    /* Allocate one page of physical memory and describe it with an MDL. */
    pMdl = MmAllocatePagesForMdl(phBegin, phEnd, phSkip, 0x1000);
    DBGPRINT(("ImageLoadNotifyRoutine MmAllocatePagesForMdl %X\r\n", pMdl));
    if (pMdl)
    {
        /* The allocation may be smaller than requested; check what was actually obtained. */
        dwAllocationSize = MmGetMdlByteCount(pMdl);
        if (dwAllocationSize >= 0x60)
        {
            /* Map the pages into the address space of the current process. */
            pVirtualMemory = (BYTE *)MmMapLockedPagesSpecifyCache(pMdl, UserMode, MmCached, 0, FALSE, NormalPagePriority);
            DBGPRINT(("ImageLoadNotifyRoutine MmMapLockedPagesSpecifyCache %X\r\n", pVirtualMemory));
            if (pVirtualMemory)
            {
                /* ... the shellcode is copied to pVirtualMemory here ... */
            }
        }
    }
}
__except (EXCEPTION_EXECUTE_HANDLER)
{
    DBGPRINT(("ImageLoadNotifyRoutine exception %X\r\n", GetExceptionCode()));
}
Then I copy a small shellcode there.
But when the first instruction of my shellcode gets invoked, some strange exception is issued.

i.e. I see that control is passed to my shellcode:
001b:00030004 8bec mov ebp,esp

But after I press F11 (single-step), ntdll!KiUserExceptionDispatcher is invoked.

What can be wrong?
 #2892  by Vrtule
 Tue Sep 28, 2010 9:03 am
Did you check the protection of the committed pages? If you want to use them for shellcode execution, the PAGE_EXECUTE, PAGE_EXECUTE_READ or PAGE_EXECUTE_READWRITE permission should be set.

I suggest trying ZwProtectVirtualMemory to change the protection, and also MmSecureVirtualMemory to prevent the application from changing the protection of your pages.
 #2896  by mav
 Tue Sep 28, 2010 10:26 pm
Tried to add the following code:
Code:
pMdl->MdlFlags |= MDL_MAPPED_TO_SYSTEM_VA;
MmProtectMdlSystemAddress(pMdl, PAGE_EXECUTE_READWRITE);
But got BSOD here:
Code:
82e84088 57              push    edi
82e84089 52              push    edx
82e8408a ff7508          push    dword ptr [ebp+8]    ss:0010:8ae7eaf0=86a5cf90
82e8408d 6835120000      push    1235h
82e84092 6a1a            push    1Ah
82e84094 e859dc0500      call    nt!KeBugCheckEx (82ee1cf2)
How can I invoke ZwProtectVirtualMemory from kernel mode?
 #3151  by Evilcry
 Wed Oct 20, 2010 5:25 am
Yes, ZwAllocateVirtualMemory (as reported by MSDN) is the best way of committing/reserving memory in user space.

Alternatively, for MDLs you can work on something like this (but it is not the best choice in your case):
Code:
/* Describe the non-paged buffer at va with an MDL, then map it into user space. */
mdl = IoAllocateMdl(va, length, FALSE, TRUE, NULL);
if (!mdl)
{
    return STATUS_INSUFFICIENT_RESOURCES;
}
MmBuildMdlForNonPagedPool(mdl);
UserModeBase = MmMapLockedPagesSpecifyCache(mdl, UserMode, MmNonCached, NULL, FALSE, LowPagePriority);
if (UserModeBase == NULL)
{
    IoFreeMdl(mdl);
    return STATUS_INSUFFICIENT_RESOURCES;
}