A forum for reverse engineering, OS internals and malware analysis 

Forum for discussion about kernel-mode development.
 #31589  by lwbkm
 Mon May 21, 2018 6:45 am
easy code ,but ExFreePool will be blue screen.......why... :x how can i fix it ..
Code: Select all
#include <ntddk.h>
#include <windef.h>

PVOID pBuffer;
NTSTATUS NTGetLogicalDrives(OUT DWORD *pDiskNumber);

NTSTATUS WINAPI ZwQueryInformationProcess(
	_In_      HANDLE           ProcessHandle,
	_In_      PROCESSINFOCLASS ProcessInformationClass,//ProcessDeviceMap
	_Out_     PVOID            ProcessInformation,
	_In_      ULONG            ProcessInformationLength,
	_Out_opt_ PULONG           ReturnLength

VOID DriverUnload(PDRIVER_OBJECT pDriverObject)
	//UNREFERENCED_PARAMETER(pDriverObject);//close error tip


	NTSTATUS status;

	pDriverObject->DriverUnload = DriverUnload;

	int dm = 0;
	DWORD *pDiskNumber = &dm;
	status = NTGetLogicalDrives(pDiskNumber);

	KdPrint(("%d.....\n", status));

	KdPrint(("0x%p.....\n", dm));

	return status;

NTSTATUS NTGetLogicalDrives(OUT DWORD *pDiskNumber) {
	NTSTATUS status;

	HANDLE handle = -1;
	PVOID pBuffer = ExAllocatePool(NonPagedPool, 4);

	status = ZwQueryInformationProcess(handle, 0x17,pBuffer, 0x24, 0);
	if (NT_SUCCESS(status))
		*pDiskNumber = *(int *)pBuffer;

	//ExFreePool(pBuffer);//blue screen

	return status;
 #31590  by EP_X0FF
 Mon May 21, 2018 9:18 am
Are you kidding or what?

You allocated 4 byte long buffer and passed it to function giving it size as 36 bytes long.

You don't need to allocate memory for PROCESS_DEVICEMAP_INFORMATION. It is structure with fixed size.
 #31591  by lwbkm
 Mon May 21, 2018 3:15 pm
omg,i am first use this function,
I didn't look carefully about
ProcessInformationLength [in]
The size of the buffer pointed to by the ProcessInformation parameter, in bytes.

It was very careless of me.thank you! :D
 #31593  by Brock
 Wed May 23, 2018 11:32 pm

When you graduate to better understanding kernel memory allocation and general management you might also strongly consider, on Windows 8+ anyhow, using ExAllocatePool(NonPagedPoolNx, ...); or the newer compiler's opt-in flag instead of the NonPagedPool type. It's just a best practice is all