Problem with ZwMapViewOfSection()

OSR_Community_User · July 8, 2002, 3:14am

Hi,

Could you help me to resolve this situation (I spend several days trying
to find-out where is my mistake):
I follow R.Nagar’s “File System Internals” [220], and try to create
section using ZwCreateSection in Kernel mode (actualy in filter driver).
The section seems to be properly created in adress space 0x8000xxxx.
Then I wish to invoke ZwMapViewOfSection() to map a view on this section
object. But I always receive error STATUS_INVALID_PARAMETER_9
(AllocationType). Unfortunately (as many things in Microsoft’s
documentation) for meaning and acceptable values of this parameter has
just a few words.
Here is extract of my code:

InitializeObjectAttributes(&ObjectAttributes, NULL, OBJ_KERNEL_HANDLE,
NULL, NULL);

if (NT_SUCCESS( RC=ZwCreateSection(&SectionHandle,
(STANDARD_RIGHTS_REQUIRED |
SECTION_MAP_READ |
SECTION_MAP_WRITE |
SECTION_QUERY),
&ObjectAttributes,
&AllocationSize,
PAGE_READWRITE,
SEC_RESERVE,
NULL
)))
{
if (NT_SUCCESS( RC=ZwMapViewOfSection(SectionHandle,
NtCurrentProcess(),
&ShadowSection,
0,
ReadBytes,
NULL,
&ViewSize,
ViewShare,
MEM_TOP_DOWN, // (!??!)
PAGE_READWRITE )))
{
…
}
}

Please, give me some advice!
10x in advance.

Mark_Roddy · July 8, 2002, 7:21am

When in doubt, try zero

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Toni Garabedyan
Sent: Monday, July 08, 2002 3:15 AM
To: File Systems Developers
Subject: [ntfsd] Problem with ZwMapViewOfSection()

Hi,

Could you help me to resolve this situation (I spend several
days trying to find-out where is my mistake): I follow
R.Nagar’s “File System Internals” [220], and try to create
section using ZwCreateSection in Kernel mode (actualy in
filter driver). The section seems to be properly created in
adress space 0x8000xxxx. Then I wish to invoke
ZwMapViewOfSection() to map a view on this section object.
But I always receive error STATUS_INVALID_PARAMETER_9
(AllocationType). Unfortunately (as many things in Microsoft’s
documentation) for meaning and acceptable values of this
parameter has just a few words. Here is extract of my code:

InitializeObjectAttributes(&ObjectAttributes, NULL,
OBJ_KERNEL_HANDLE, NULL, NULL);

if (NT_SUCCESS( RC=ZwCreateSection(&SectionHandle,
(STANDARD_RIGHTS_REQUIRED |
SECTION_MAP_READ |
SECTION_MAP_WRITE |
SECTION_QUERY),
&ObjectAttributes,
&AllocationSize,
PAGE_READWRITE,
SEC_RESERVE,
NULL
)))
{
if (NT_SUCCESS( RC=ZwMapViewOfSection(SectionHandle,
NtCurrentProcess(),
&ShadowSection,
0,
ReadBytes,
NULL,
&ViewSize,
ViewShare,
MEM_TOP_DOWN, // (!??!)
PAGE_READWRITE )))
{
…
}
}

Please, give me some advice!
10x in advance.

You are currently subscribed to ntfsd as:
xxxxx@hollistech.com To unsubscribe send a blank email to
%%email.unsub%%

Dan_Partelly · July 8, 2002, 7:30am

I think MEM_TOP_DOWN is not valid for IA32. generaly the flags used here
are mostly MEM_COMMIT MEM_RESERVE. Just look into the Win32 API
help for their meaning, youll match them against native counterparts
in no time.

Later , Dan

----- Original Message -----
From: “Toni Garabedyan”
To: “File Systems Developers”
Sent: Monday, July 08, 2002 10:14 AM
Subject: [ntfsd] Problem with ZwMapViewOfSection()

> Hi,
>
> Could you help me to resolve this situation (I spend several days trying
> to find-out where is my mistake):
> I follow R.Nagar’s “File System Internals” [220], and try to create
> section using ZwCreateSection in Kernel mode (actualy in filter driver).
> The section seems to be properly created in adress space 0x8000xxxx.
> Then I wish to invoke ZwMapViewOfSection() to map a view on this section
> object. But I always receive error STATUS_INVALID_PARAMETER_9
> (AllocationType). Unfortunately (as many things in Microsoft’s
> documentation) for meaning and acceptable values of this parameter has
> just a few words.
> Here is extract of my code:
>
> InitializeObjectAttributes(&ObjectAttributes, NULL, OBJ_KERNEL_HANDLE,
> NULL, NULL);
>
> if (NT_SUCCESS( RC=ZwCreateSection(&SectionHandle,
> (STANDARD_RIGHTS_REQUIRED |
> SECTION_MAP_READ |
> SECTION_MAP_WRITE |
> SECTION_QUERY),
> &ObjectAttributes,
> &AllocationSize,
> PAGE_READWRITE,
> SEC_RESERVE,
> NULL
> )))
> {
> if (NT_SUCCESS( RC=ZwMapViewOfSection(SectionHandle,
> NtCurrentProcess(),
> &ShadowSection,
> 0,
> ReadBytes,
> NULL,
> &ViewSize,
> ViewShare,
> MEM_TOP_DOWN, // (!??!)
> PAGE_READWRITE )))
> {
> …
> }
> }
>
> Please, give me some advice!
> 10x in advance.
>
> —
> You are currently subscribed to ntfsd as: xxxxx@rdsor.ro
> To unsubscribe send a blank email to %%email.unsub%%
>

OSR_Community_User · July 8, 2002, 8:54am

Thanks for replays!
But Mark, when I try with value of 0, it returned that ivalid parameter is
Nr.3!!! (this is OUT parameter of type PVOID). What invalid it can be?
Dan, I try with COMMIT and RESERVED - the result is the same. In DDK has a
dark hole about meaning of this values according AllocationType.

Dan_Partelly · July 8, 2002, 9:10am

parameter 3 is a IN OUT. So if this value if not NULL, the API will try to
map the view at the specified address.

try it with both NULL

“Dan Partelly” wrote in message news:xxxxx@ntfsd…
>
> I think MEM_TOP_DOWN is not valid for IA32. generaly the flags used here
> are mostly MEM_COMMIT MEM_RESERVE. Just look into the Win32 API
> help for their meaning, youll match them against native counterparts
> in no time.
>
> Later , Dan
>
> ----- Original Message -----
> From: “Toni Garabedyan”
> To: “File Systems Developers”
> Sent: Monday, July 08, 2002 10:14 AM
> Subject: [ntfsd] Problem with ZwMapViewOfSection()
>
>
> > Hi,
> >
> > Could you help me to resolve this situation (I spend several days trying
> > to find-out where is my mistake):
> > I follow R.Nagar’s “File System Internals” [220], and try to create
> > section using ZwCreateSection in Kernel mode (actualy in filter driver).
> > The section seems to be properly created in adress space 0x8000xxxx.
> > Then I wish to invoke ZwMapViewOfSection() to map a view on this section
> > object. But I always receive error STATUS_INVALID_PARAMETER_9
> > (AllocationType). Unfortunately (as many things in Microsoft’s
> > documentation) for meaning and acceptable values of this parameter has
> > just a few words.
> > Here is extract of my code:
> >
> > InitializeObjectAttributes(&ObjectAttributes, NULL, OBJ_KERNEL_HANDLE,
> > NULL, NULL);
> >
> > if (NT_SUCCESS( RC=ZwCreateSection(&SectionHandle,
> > (STANDARD_RIGHTS_REQUIRED |
> > SECTION_MAP_READ |
> > SECTION_MAP_WRITE |
> > SECTION_QUERY),
> > &ObjectAttributes,
> > &AllocationSize,
> > PAGE_READWRITE,
> > SEC_RESERVE,
> > NULL
> > )))
> > {
> > if (NT_SUCCESS( RC=ZwMapViewOfSection(SectionHandle,
> > NtCurrentProcess(),
> > &ShadowSection,
> > 0,
> > ReadBytes,
> > NULL,
> > &ViewSize,
> > ViewShare,
> > MEM_TOP_DOWN, // (!??!)
> > PAGE_READWRITE )))
> > {
> > …
> > }
> > }
> >
> > Please, give me some advice!
> > 10x in advance.
> >
> > —
> > You are currently subscribed to ntfsd as: xxxxx@rdsor.ro
> > To unsubscribe send a blank email to %%email.unsub%%
> >
>
>
>
>

Dan_Partelly · July 8, 2002, 9:14am

And in fact is a PVOID* , not a PVOID. When I said to pass NULL here, I did
not meaned a NULL ptr passed,
but intialize the variable with NULL , and pass a pointer to it to the API

“Dan Partelly” wrote in message news:xxxxx@ntfsd…
>
> parameter 3 is a IN OUT. So if this value if not NULL, the API will try to
> map the view at the specified address.
>
> try it with both NULL
>
>
> “Dan Partelly” wrote in message
news:xxxxx@ntfsd…
> >
> > I think MEM_TOP_DOWN is not valid for IA32. generaly the flags used
here
> > are mostly MEM_COMMIT MEM_RESERVE. Just look into the Win32
API
> > help for their meaning, youll match them against native counterparts
> > in no time.
> >
> > Later , Dan
> >
> > ----- Original Message -----
> > From: “Toni Garabedyan”
> > To: “File Systems Developers”
> > Sent: Monday, July 08, 2002 10:14 AM
> > Subject: [ntfsd] Problem with ZwMapViewOfSection()
> >
> >
> > > Hi,
> > >
> > > Could you help me to resolve this situation (I spend several days
trying
> > > to find-out where is my mistake):
> > > I follow R.Nagar’s “File System Internals” [220], and try to create
> > > section using ZwCreateSection in Kernel mode (actualy in filter
driver).
> > > The section seems to be properly created in adress space 0x8000xxxx.
> > > Then I wish to invoke ZwMapViewOfSection() to map a view on this
section
> > > object. But I always receive error STATUS_INVALID_PARAMETER_9
> > > (AllocationType). Unfortunately (as many things in Microsoft’s
> > > documentation) for meaning and acceptable values of this parameter has
> > > just a few words.
> > > Here is extract of my code:
> > >
> > > InitializeObjectAttributes(&ObjectAttributes, NULL, OBJ_KERNEL_HANDLE,
> > > NULL, NULL);
> > >
> > > if (NT_SUCCESS( RC=ZwCreateSection(&SectionHandle,
> > > (STANDARD_RIGHTS_REQUIRED |
> > > SECTION_MAP_READ |
> > > SECTION_MAP_WRITE |
> > > SECTION_QUERY),
> > > &ObjectAttributes,
> > > &AllocationSize,
> > > PAGE_READWRITE,
> > > SEC_RESERVE,
> > > NULL
> > > )))
> > > {
> > > if (NT_SUCCESS( RC=ZwMapViewOfSection(SectionHandle,
> > > NtCurrentProcess(),
> > > &ShadowSection,
> > > 0,
> > > ReadBytes,
> > > NULL,
> > > &ViewSize,
> > > ViewShare,
> > > MEM_TOP_DOWN, // (!??!)
> > > PAGE_READWRITE )))
> > > {
> > > …
> > > }
> > > }
> > >
> > > Please, give me some advice!
> > > 10x in advance.
> > >
> > > —
> > > You are currently subscribed to ntfsd as: xxxxx@rdsor.ro
> > > To unsubscribe send a blank email to %%email.unsub%%
> > >
> >
> >
> >
> >
>
>
>
>

OSR_Community_User · July 8, 2002, 10:40am

I can tell you a little help too:

Section object is independent of the address space type,
i.e. there can be number of views mapped from a single
section into different user process spaces together with
cache views and possible system space views.

But you must dustinguish among those types of views!

ZwMapViewOfSection needs handle to process, so it
always maps a view into the process’ user address space
(address below 0x80000000 on IA32)
MmMapViewInSystemSpace always maps into the kernel
process space, but substantial disadvantage of this routine
is absence of SectionOffset argument, so you must always
map a view from the beginning of the section :-((
MmMapViewInSystemCache always maps into the space
for Cache Manager usage. The routine has SectionOffset
argument, however it’s not exported by NTOSKRNL :-(((.

Paul

PS: Your problem is probably in the vlaue of the third argument.
I think that the routine have a good reason to fail if it points
to system space ;-)))).

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Toni Garabedyan
Sent: Monday, July 08, 2002 9:15 AM
To: File Systems Developers
Subject: [ntfsd] Problem with ZwMapViewOfSection()

Hi,

Could you help me to resolve this situation (I spend several days trying
to find-out where is my mistake): I follow R.Nagar’s “File System
Internals” [220], and try to create section using ZwCreateSection in
Kernel mode (actualy in filter driver). The section seems to be properly
created in adress space 0x8000xxxx. Then I wish to invoke
ZwMapViewOfSection() to map a view on this section object. But I always
receive error STATUS_INVALID_PARAMETER_9 (AllocationType). Unfortunately
(as many things in Microsoft’s
documentation) for meaning and acceptable values of this parameter has
just a few words. Here is extract of my code:

InitializeObjectAttributes(&ObjectAttributes, NULL, OBJ_KERNEL_HANDLE,
NULL, NULL);

if (NT_SUCCESS( RC=ZwCreateSection(&SectionHandle,
(STANDARD_RIGHTS_REQUIRED |
SECTION_MAP_READ |
SECTION_MAP_WRITE |
SECTION_QUERY),
&ObjectAttributes,
&AllocationSize,
PAGE_READWRITE,
SEC_RESERVE,
NULL
)))
{
if (NT_SUCCESS( RC=ZwMapViewOfSection(SectionHandle,
NtCurrentProcess(),
&ShadowSection,
0,
ReadBytes,
NULL,
&ViewSize,
ViewShare,
MEM_TOP_DOWN, // (!??!)
PAGE_READWRITE )))
{
…
}
}

Please, give me some advice!
10x in advance.

You are currently subscribed to ntfsd as: xxxxx@compelson.com
To unsubscribe send a blank email to %%email.unsub%%

OSR_Community_User · July 9, 2002, 8:59am

Thanks for your advice!
I will try it now (hope for the last time )