[chanselisee]

I am in need to allocate a page in system space at a given virtual address. In user-mode you can simply use VirtualAlloc and pass in the preferred virtual base address, if free you get a page exactly at that virtual address. I am trying to achieve the same in system space. I was semi-successful to achieving this. I tried the following:

Code: Select all

void* not_working_page_base_address = (void*)0xfffff8006b01a000; // assume this is a free virtual address which isn't used by anything
void* working_page_base_address = (void*)0xfffffb0000001000; // assume this is a free virtual address which isn't used by anything

const auto mdl = IoAllocateMdl(working_page_base_address, 0x1000, false, false, nullptr);
if (mdl) {
  MmProbeAndLockPages(mdl, KernelMode, IoModifyAccess);
  
  //  right now I can use the allocated memory at `working_page_base_address` nicely. But when I try to use a virtual address which is free/unused within the `0xfffff8` range, it seems to fail on `MmProbeAndLockPages`.
}

I need to allocate a page closely to NTOSKRNL.exe in system space, how can I do this?

[tangptr]

Looks like you are trying to hook ssdt/eat in win64?
Well, failure to lock pages would cause the MmProbeAndLockPages to raise an exception. In that regard, you should put the call in try-except block.
But code like "mdl = IoAllocateMdl(working_page_base_address, 0x1000, false, false, nullptr);" doesn't look good.
What you may try to do is to allocate a segment of memory and describe it using mdl, then map it to specified address using MmMapLockedPagesSpecifyCache.

Related Articles:
MSDN: MmProbeAndLockPages routine
https://msdn.microsoft.com/en-us/librar ... s.85).aspx
MSDN: MmMapLockedPagesSpecifyCache
https://msdn.microsoft.com/en-us/librar ... s.85).aspx

[chanselisee]

Thanks for your response. As I understand `MmMapLockedPagesSpecifyCache` can only be used to specify user-mode base addresses, it cannot allocate virtual system memory at specified base address.