A forum for reverse engineering, OS internals and malware analysis 

Forum for discussion about kernel-mode development.
 #16574  by Stylo
 Mon Nov 12, 2012 8:04 am
Hi,

I'm working on the beginner's tutorials from CodeProject, and I'm trying to read a buffer from the kernel with a user-mode executable.
I copied the whole Example_ReadDirectIO function, and when I call ReadFile from user mode my driver detects the read operation and writes to DbgView that Read was called, but when I try to display my message on the console I don't get my message.

My read looks like:
#include <ntddk.h>

/* IRP_MJ_READ dispatch routine for a device created with DO_DIRECT_IO:
 * the caller's buffer arrives as an MDL in Irp->MdlAddress. */
NTSTATUS Example_ReadDirectIO(PDEVICE_OBJECT DeviceObject, PIRP Irp)
{
    NTSTATUS NtStatus = STATUS_BUFFER_TOO_SMALL;
    PIO_STACK_LOCATION pIoStackIrp = NULL;
    const CHAR *pReturnData = "Example_ReadDirectIO - Hello from the Kernel!";
    /* sizeof on the literal counts the terminating NUL, so this is 46 bytes
     * and the user-mode read must ask for at least that many. */
    ULONG dwDataSize = sizeof("Example_ReadDirectIO - Hello from the Kernel!");
    ULONG dwDataRead = 0;
    PCHAR pReadDataBuffer;

    UNREFERENCED_PARAMETER(DeviceObject);

    DbgPrint("Example_ReadDirectIO Called \r\n");

    /*
     * Each time the IRP is passed down the driver stack a
     * new stack location is added
     * specifying certain parameters for the IRP to the
     * driver.
     */
    pIoStackIrp = IoGetCurrentIrpStackLocation(Irp);

    if(pIoStackIrp && Irp->MdlAddress)
    {
        /* Map the user buffer into system space; the Safe variant returns
         * NULL instead of bugchecking when the mapping fails. */
        pReadDataBuffer = MmGetSystemAddressForMdlSafe(Irp->MdlAddress,
                                   NormalPagePriority);

        /* Parameters.Read.Length is the byte count the caller passed to
         * ReadFile; never copy more than that into the user buffer. */
        if(pReadDataBuffer &&
            pIoStackIrp->Parameters.Read.Length >= dwDataSize)
        {
            /*
             * We use "RtlCopyMemory" in the kernel instead
             * of memcpy.
             * RtlCopyMemory *IS* memcpy, however it's best
             * to use the
             * wrapper in case this changes in the future.
             */
            RtlCopyMemory(pReadDataBuffer, pReturnData,
                               dwDataSize);
            dwDataRead = dwDataSize;
            NtStatus = STATUS_SUCCESS;
        }
    }

    /* Information is what ReadFile reports back as bytes read. */
    Irp->IoStatus.Status = NtStatus;
    Irp->IoStatus.Information = dwDataRead;

    IoCompleteRequest(Irp, IO_NO_INCREMENT);

    return NtStatus;
}
Any ideas?

Thanks
 #16582  by Vrtule
 Mon Nov 12, 2012 6:02 pm
Hello,

I seem to be unable to see any problem, but such a situation does not matter. I recommend reading some documentation about IRP_MJ_READ:
http://msdn.microsoft.com/en-us/library ... 85%29.aspx

Maybe you can try to copy the data to Irp->UserBuffer instead of using the MDL. You can also add more debug prints in order to see how exactly the dispatch routine is executed (e.g. which parts of it are really executed).

I would also recommend using strlen to get the length of the string you wish to pass to the application. The code
 UINT dwDataSize = sizeof("Example_ReadDirectIO - Hello from the Kernel!");
seems a bit dangerous to me.
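The thread never shows the user-mode side, which is where the message goes missing: the posted dispatch routine copies nothing and completes the IRP with STATUS_BUFFER_TOO_SMALL unless ReadFile asks for at least sizeof("...") bytes (46, NUL included), and even on success the program must use the byte count ReadFile returns rather than assume a terminated C string. The block below is an added example, not code from the thread or from the CodeProject tutorial. It models the kernel-side length check portably so that both the sizeof and the strlen variants can be exercised without a driver, and, on Windows only, performs the real ReadFile against the device; the device name `\\.\Example` is an assumption about the tutorial's symbolic link and must be adjusted to the real one.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>
#ifdef _WIN32
#include <windows.h>
#endif

/* NTSTATUS values as in ntstatus.h; guarded in case a Windows header defines them. */
typedef uint32_t nt_status_t;
#ifndef STATUS_SUCCESS
#define STATUS_SUCCESS          ((nt_status_t)0x00000000)
#endif
#ifndef STATUS_BUFFER_TOO_SMALL
#define STATUS_BUFFER_TOO_SMALL ((nt_status_t)0xC0000023)
#endif

/* The string the posted dispatch routine returns: strlen 45, sizeof 46. */
static const char kernel_msg[] = "Example_ReadDirectIO - Hello from the Kernel!";

/* Portable model of the kernel side of the posted Example_ReadDirectIO.
 * The copy happens only when the caller's read length covers the whole
 * payload; otherwise the IRP completes with STATUS_BUFFER_TOO_SMALL and
 * zero bytes.  with_nul selects sizeof (NUL included, as posted) versus
 * strlen (NUL excluded, as the reply suggests). */
static nt_status_t model_read(char *buf, size_t read_len, int with_nul, size_t *bytes_read)
{
    size_t data_size = with_nul ? sizeof(kernel_msg) : strlen(kernel_msg);
    *bytes_read = 0;
    if (buf == NULL || read_len < data_size)
        return STATUS_BUFFER_TOO_SMALL;
    memcpy(buf, kernel_msg, data_size);
    *bytes_read = data_size;
    return STATUS_SUCCESS;
}

/* User-mode side: never treat the buffer as a C string on trust.  Use the
 * byte count the driver reported and terminate explicitly before printing.
 * Returns 0 when there is no room for a terminator. */
static int terminate_message(char *buf, size_t buf_len, size_t bytes_read)
{
    if (bytes_read >= buf_len)
        return 0;
    buf[bytes_read] = '\0';
    return 1;
}

#ifdef _WIN32
/* Real user-mode read against the driver (Windows only).  The device name
 * is an assumption; replace it with the symbolic link your driver creates. */
static int read_from_driver(char *buf, DWORD buf_len, DWORD *bytes_read)
{
    HANDLE h = CreateFileA("\\\\.\\Example", GENERIC_READ, 0, NULL,
                           OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    BOOL ok;
    if (h == INVALID_HANDLE_VALUE) {
        fprintf(stderr, "CreateFile failed: %lu\n", GetLastError());
        return 0;
    }
    ok = ReadFile(h, buf, buf_len, bytes_read, NULL);
    if (!ok)   /* STATUS_BUFFER_TOO_SMALL surfaces as ERROR_INSUFFICIENT_BUFFER (122) */
        fprintf(stderr, "ReadFile failed: %lu\n", GetLastError());
    CloseHandle(h);
    return ok ? 1 : 0;
}
#endif

int main(void)
{
    char buf[64];
    size_t n = 0;
    nt_status_t st;

    /* A 45-byte read against the posted sizeof check: nothing is copied. */
    st = model_read(buf, strlen(kernel_msg), 1, &n);
    printf("read_len=%zu -> status=0x%08x bytes=%zu\n", strlen(kernel_msg), (unsigned)st, n);

    /* A large enough read: copy, then terminate using the reported count. */
    st = model_read(buf, sizeof buf, 1, &n);
    if (st == STATUS_SUCCESS && terminate_message(buf, sizeof buf, n))
        printf("model said: %s (%zu bytes)\n", buf, n);

#ifdef _WIN32
    {
        DWORD got = 0;
        if (read_from_driver(buf, (DWORD)sizeof buf, &got) &&
            terminate_message(buf, sizeof buf, got))
            printf("driver said: %s (%lu bytes)\n", buf, got);
    }
#endif
    return 0;
}
```

The portable part shows why a buffer sized with strlen fails against a driver that checks with sizeof: the one-byte difference is the NUL, and the driver's check is what protects the user buffer from an overrun, so the user-mode program has to size its buffer from the driver's contract and check the returned length, not guess.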