Opening named shared memory in windows kernel

Question

I'm trying to pass off two addresses from a user mode program to my kernel mode driver via shared memory. I couldn't find any resources online about opening named mapped memory in kernel so I figured I could just use ZwOpenFile with the name I used in the user mode program. The issue is that the driver is logging "Could not load shmem" so I don't know how to open it correctly.

User mode code:

#define BUF_SIZE 256
TCHAR szName[] = TEXT("Global\\MyFileMappingObject");
TCHAR szMsg[] = TEXT("0x0\n0x1");

int main() {
    HANDLE hMapFile;
    LPCTSTR pBuf;

    hMapFile = CreateFileMapping(
        INVALID_HANDLE_VALUE,    // use paging file
        NULL,                    // default security
        PAGE_READWRITE,          // read/write access
        0,                       // maximum object size (high-order DWORD)
        BUF_SIZE,                // maximum object size (low-order DWORD)
        szName);                 // name of mapping object

    if (hMapFile == NULL)
    {
        _tprintf(TEXT("Could not create file mapping object (%d).\n"),
            GetLastError());
        return 1;
    }
    pBuf = (LPTSTR)MapViewOfFile(hMapFile,   // handle to map object
        FILE_MAP_ALL_ACCESS, // read/write permission
        0,
        0,
        BUF_SIZE);

    if (pBuf == NULL)
    {
        _tprintf(TEXT("Could not map view of file (%d).\n"),
            GetLastError());

        CloseHandle(hMapFile);

        return 1;
    }


    CopyMemory((PVOID)pBuf, szMsg, (_tcslen(szMsg) * sizeof(TCHAR)));
    Pause(); // I run the kernel driver when code is here, shmem is still mapped

    UnmapViewOfFile(pBuf);

    CloseHandle(hMapFile);

Kernel driver code:

HANDLE shmem;
OBJECT_ATTRIBUTES attrs;
UNICODE_STRING     uniName;
OBJECT_ATTRIBUTES  objAttr;
IO_STATUS_BLOCK    ioStatusBlock;

RtlInitUnicodeString(&uniName, L"Global\\MyFileMappingObject");

InitializeObjectAttributes(&attrs, &uniName, OBJ_CASE_INSENSITIVE, NULL, NULL);
if (!NT_SUCCESS(ZwOpenFile(&shmem, READ_CONTROL, &attrs, &ioStatusBlock, FILE_SHARE_READ, FILE_NON_DIRECTORY_FILE))) {
    log("Could not load shmem");
}
else {
    log("shmem loaded successfully");
    ZwClose(shmem);
}

Thanks in advance

In the kernel memory mapped files are called sections, take a look at ZwOpenSection. — SoronelHaetir
yes, ZwOpenSection and path must be \\BaseNamedObjects\\MyFileMappingObject — RbMm
About first solution, do you check hMapFile when you call CreateFileMapping ? i remember i had a problem with Global prefix in "Global\\MyFileMappingObject" (replaced by Local) — Landstalker
@RbMm How come it returns STATUS_INVALID_PARAMETER whenever I call ZwMapViewOfSection like this? KeParams params; SIZE_T ViewSize = 0; PVOID vParams = &params; NTSTATUS status = ZwMapViewOfSection(shmem, ZwCurrentProcess(), &vParams, 0, 0, NULL, &ViewSize, ViewUnmap, MEM_RESERVE, PAGE_READWRITE); — Cow Nation
at first vParams = &params of course wrong. must be vParams = 0 at second use 0 instead MEM_RESERVE and finally i strong doubt that you got STATUS_INVALID_PARAMETER but not STATUS_INVALID_PARAMETER_3 — RbMm

Cow Nation Cow Nation · Accepted Answer · 2020-03-27T23:27:35

Solved, use ZwOpenSection and the path starts with \\BaseNamedObjects\\

HANDLE shmem;
OBJECT_ATTRIBUTES attrs;
UNICODE_STRING     uniName;

RtlInitUnicodeString(&uniName, L"\\BaseNamedObjects\\MyFileMappingObject");
InitializeObjectAttributes(&attrs, &uniName, OBJ_CASE_INSENSITIVE, NULL, NULL);
if (!NT_SUCCESS(ZwOpenSection(&shmem, FILE_SHARE_READ, &attrs))) {
    log("Could not load shmem");
}
else {
    log("shmem loaded successfully");
    ZwClose(shmem);
}

Opening named shared memory in windows kernel

1 Answers