PassMark DirectIO memory mapping IOCTL's reconst
/*
 * Parameter block shared by the map (0x8011E044) and unmap (0x8011E048)
 * handlers below. The map handler reads Offset, MapSize and Writeable and
 * writes the remaining fields back; the unmap handler consumes those
 * written-back fields as-is.
 * NOTE(review): the function names suggest this structure is the IOCTL
 * buffer supplied by the caller - confirm against the dispatch routine,
 * which is not part of this listing.
 */
typedef struct _MAP_PARAMS {
    HANDLE SectionHandle;          // out: non-zero after a section-based mapping, 0 after the MmMapIoSpace fallback; unmap uses it only to pick a path
    PVOID MapBaseAddressIoSpace;   // out: MmMapIoSpace result (fallback path), 0 on the section path
    PMDL AllocatedMdl;             // out: MDL from IoAllocateMdl (fallback path), 0 on the section path
    DWORD MapSize;                 // in: number of bytes to map
    LARGE_INTEGER Offset;          // in/out: used both as offset into \Device\PhysicalMemory and as the MmMapIoSpace physical address
    PVOID MapBaseAddress;          // out: address of the resulting mapping
    BOOLEAN Writeable;             // in: non-zero requests read/write instead of read-only
} MAP_PARAMS, *PMAP_PARAMS; //sizeof 45 bytes - equals the sum of the field sizes with 8-byte pointers, so presumably 1-byte packed (confirm)
/*
 * Reconstructed unmap handler: tears down a mapping described by MapParams.
 *
 * If SectionHandle is non-zero the mapping is treated as a section view and
 * is removed from the current process with ZwUnmapViewOfSection; that call's
 * status is returned. Otherwise the MmMapIoSpace fallback state is released:
 * the locked-page mapping, the MDL and the I/O-space mapping, in that order,
 * and STATUS_SUCCESS is returned because those three routines return nothing.
 *
 * Security review note: no field of MapParams is validated anywhere in this
 * listing. MapBaseAddress, AllocatedMdl, MapBaseAddressIoSpace and MapSize
 * are passed straight to the memory manager, so if the structure is
 * caller-supplied (presumably the IOCTL buffer - confirm), the kernel frees
 * and unmaps whatever pointers it is handed. A hardened driver would keep
 * this state in kernel-side per-handle context and accept only an opaque
 * identifier from the caller.
 */
NTSTATUS DirectIoUnmapMemory_IOCTL_8011E048(MAP_PARAMS *MapParams)
{
    NTSTATUS ntStatus;
    MAP_PARAMS *mapParams;
    ntStatus = STATUS_SUCCESS;
    mapParams = MapParams;   // alias of the argument; both names refer to the same buffer
    // Section path: SectionHandle is only tested for non-zero, never used as a handle here.
    if ( MapParams->SectionHandle )
        return ZwUnmapViewOfSection(ZwCurrentProcess(), MapParams->MapBaseAddress);
    // Fallback path: undo MmMapLockedPagesSpecifyCache, IoAllocateMdl and MmMapIoSpace.
    // None of the three pointers is checked for NULL or for having been produced by the map handler.
    MmUnmapLockedPages(MapParams->MapBaseAddress, MapParams->AllocatedMdl);
    IoFreeMdl(mapParams->AllocatedMdl);
    MmUnmapIoSpace(mapParams->MapBaseAddressIoSpace, mapParams->MapSize);
    return ntStatus;
}
/*
 * Reconstructed map handler: maps MapSize bytes of physical memory starting
 * at Offset and returns the mapping in MapParams->MapBaseAddress.
 *
 * Two strategies are tried:
 *   1. Open \Device\PhysicalMemory and map a view of it into the current
 *      process (read-only or read/write depending on Writeable).
 *   2. If that fails with anything other than STATUS_INVALID_VIEW_SIZE, fall
 *      back to MmMapIoSpace + MDL + MmMapLockedPagesSpecifyCache.
 *
 * Returns the NTSTATUS of the section path on success, 0 when the fallback
 * succeeds, STATUS_ACCESS_DENIED when any fallback step fails, or the
 * section-path status unchanged when it is STATUS_INVALID_VIEW_SIZE.
 *
 * Security review note: Offset, MapSize and Writeable are used without any
 * range, size or privilege check visible in this listing. If MapParams is
 * the caller's IOCTL buffer (presumably - confirm against the dispatch
 * routine), any caller able to open the device can request a mapping of an
 * arbitrary physical range, optionally writable. Mitigations belong in the
 * driver and its deployment: a restrictive ACL on the device object,
 * validation of the requested range against an allow-list of device
 * regions, and refusing write access where it is not required.
 */
NTSTATUS DirectIoMapMemory_IOCTL_8011E044(MAP_PARAMS *MapParams)
{
    MAP_PARAMS *mapParams;
    NTSTATUS ntStatus;
    PVOID mappedAddress;
    _MDL *mdl;
    PVOID mappedPages;
    ULONG_PTR ViewSize;
    UNICODE_STRING objectName;
    OBJECT_ATTRIBUTES ObjectAttributes;
    HANDLE SectionHandle;
    LARGE_INTEGER SectionOffset;
    PVOID RefObject;
    mapParams = MapParams;
    RefObject = 0;
    RtlInitUnicodeString(&objectName, L"\\Device\\PhysicalMemory");
    // Hand-expanded InitializeObjectAttributes: kernel handle, no root directory.
    ObjectAttributes.Length = sizeof(OBJECT_ATTRIBUTES);
    ObjectAttributes.RootDirectory = 0;
    ObjectAttributes.Attributes = OBJ_KERNEL_HANDLE;
    ObjectAttributes.ObjectName = &objectName;
    // Decompiler rendering of a 16-byte zero store; presumably clears SecurityDescriptor
    // and the SecurityQualityOfService field that follows it.
    _mm_storeu_si128(&ObjectAttributes.SecurityDescriptor, 0);
    SectionHandle = 0;
    // Requested access follows the caller's Writeable flag directly.
    ntStatus = ZwOpenSection(&SectionHandle, mapParams->Writeable != 0 ? SECTION_MAP_READ | SECTION_MAP_WRITE : SECTION_MAP_READ, &ObjectAttributes);
    if ( ntStatus >= 0 )
    {
        // Object type and access mode arguments are both 0 here.
        ntStatus = ObReferenceObjectByHandle(SectionHandle, mapParams->Writeable != 0 ? SECTION_MAP_READ | SECTION_MAP_WRITE : SECTION_MAP_READ, 0, 0, &RefObject, 0i64);
        if ( ntStatus >= 0 )
        {
            SectionOffset = mapParams->Offset;
            mapParams->MapBaseAddress = 0;   // let the memory manager choose the base address
            ViewSize = mapParams->MapSize;
            // The view is created in the process whose context this handler runs in
            // (presumably the IOCTL caller - confirm), non-cached in both modes.
            ntStatus = ZwMapViewOfSection(
                SectionHandle,
                ZwCurrentProcess(),
                &mapParams->MapBaseAddress,
                0,
                ViewSize,
                &SectionOffset,
                &ViewSize,
                ViewShare,
                0,
                mapParams->Writeable != 0 ? PAGE_READWRITE | PAGE_NOCACHE : PAGE_READONLY | PAGE_NOCACHE);
            if ( ntStatus >= 0 )
            {
                // Report the (possibly adjusted) offset back and mark the result as a section mapping.
                mapParams->Offset = SectionOffset.QuadPart;
                mapParams->SectionHandle = SectionHandle;
                mapParams->MapBaseAddressIoSpace = 0;
                mapParams->AllocatedMdl = 0;
                // NOTE(review): as reconstructed, the reference is dropped only on this success
                // path; a failed ZwMapViewOfSection leaves RefObject referenced.
                ObfDereferenceObject(RefObject);
            }
        }
        // The handle is closed on every path, so the value stored in
        // mapParams->SectionHandle above is stale; the unmap handler only tests it for non-zero.
        ZwClose(SectionHandle);
    }
    // Fallback: any section-path failure except an invalid view size retries via MmMapIoSpace.
    if ( !(NT_SUCCESS(ntStatus)) && ntStatus != STATUS_INVALID_VIEW_SIZE )
    {
        // The _mm_lfence() calls look like compiler-inserted speculation barriers - confirm.
        _mm_lfence();
        // Offset is used directly as the physical address; third argument 0 is the cache type.
        mappedAddress = MmMapIoSpace(mapParams->Offset, mapParams->MapSize, 0);
        mapParams->MapBaseAddressIoSpace = mappedAddress;
        if ( mappedAddress )
        {
            _mm_lfence();
            mdl = IoAllocateMdl(mappedAddress, mapParams->MapSize, 0, 0, 0);
            mapParams->AllocatedMdl = mdl;
            if ( mdl )
            {
                MmBuildMdlForNonPagedPool(mdl);
                _mm_lfence();
                // KernelMode is what the reconstruction shows for the access mode.
                mappedPages = MmMapLockedPagesSpecifyCache(mapParams->AllocatedMdl, KernelMode, MmNonCached, 0, 0, NormalPagePriority);
                mapParams->MapBaseAddress = mappedPages;
                if ( mappedPages )
                {
                    // SectionHandle == 0 tells the unmap handler to release the MDL / I/O-space state.
                    mapParams->SectionHandle = 0;
                    ntStatus = 0;
                }
                else
                {
                    // Mapping failed: release the MDL and the I/O-space mapping. The stale pointers
                    // stay in mapParams->AllocatedMdl and mapParams->MapBaseAddressIoSpace.
                    _mm_lfence();
                    ntStatus = STATUS_ACCESS_DENIED;
                    IoFreeMdl(mapParams->AllocatedMdl);
                    MmUnmapIoSpace(mapParams->MapBaseAddressIoSpace, mapParams->MapSize);
                }
            }
            else
            {
                // MDL allocation failed: only the I/O-space mapping needs to be undone.
                _mm_lfence();
                ntStatus = STATUS_ACCESS_DENIED;
                MmUnmapIoSpace(mapParams->MapBaseAddressIoSpace, mapParams->MapSize);
            }
        }
        else
        {
            // MmMapIoSpace itself failed; the original section-path status is replaced.
            ntStatus = STATUS_ACCESS_DENIED;
        }
    }
    return ntStatus;
}