A forum for reverse engineering, OS internals and malware analysis 

 #33060  by BastianSuter
 Mon Jul 08, 2019 7:12 pm
I am trying to map up to 4GB (max of an MDL) of memory into a usermode process from kernel. My initial attempt at achieving this was by allocating an MDL, locking the pages and mapping them into the target process. This should generally work, but when I call MmProbeAndLockPages I always receive and access violation. My guess is that it happens because the virtual memory I'm trying to map is not contiguous. I can't find any other explanation really, since smaller allocations almost always succeed.
At the start of my buffer I have a few valid pages after that there's like 3 pages of unallocated memory and then again, allocated memory. I could map each of the buffer sections separately, but that's not really the preferred solution as I would really need the memory to be mapped in the exact order as in the original buffer.