微软的文档里对MDL的描述感觉语焉不详,这两天在找工作的间隙逆向+黑盒测试了一下MmBuildMdlForNonPagedPool,把得到的一些理解描述下来。
一.MDL数据结构
MDL是用来建立一块虚拟地址空间与物理页面之间的映射,结构定义如下:
- typedef struct _MDL {
- struct _MDL *Next;
- CSHORT Size;
- CSHORT MdlFlags;
- struct _EPROCESS *Process;
- PVOID MappedSystemVa;
- PVOID StartVa;
- ULONG ByteCount;
- ULONG ByteOffset;
- } MDL, *PMDL;
各field的解释:
Next:MDL可以连接成一个单链表,这在IRP的结构里能找到。具体是做什么用的参考对IRP的描述
Size:一个MDL并不单单包含结构里这些东西,在内存中紧接着一个MDL结构,存着这个MDL对应的各个物理页面编号,由于一个物理页面一定是4KB 对齐的,所以这个编号相当于一个物理页面起始地址的高20位。Size的值减去sizeof(MDL),等于存放编号的区域的大小。比如该MDL需要三个 物理页面来映射虚拟地址空间,则Size-sizeof(MDL)==4*3==12;
MdlFlags:与这个MDL相关的一些标记
Process:如果虚拟地址是某一进程的用户地址空间,那么MDL代表的这块虚拟地址必须是从属于某一个进程,这个成员指向从属进程的结构
MappedSystemVa:该MDL结构对应的物理页面可能被映射到内核地址空间,这个成员代表这个内核地址空间下的虚拟地址。对 MmBuildMdlForNonPagedPool的逆向表明,MappedSystemVa=StartVa+ByteOffset。这是因为这个函 数的输入MDL,其StartVa是由ExAllocatePoolWithTag决定的,所以已经从内核空间到物理页面建立了映 射,MappedSystemVa自然就可以这样算。 可以猜测,如果是调用MmProbeAndLockPages返回,则MappedSystemVa不会与StartVa有这样的对应关系,因为此时对应的物理页面还没有被映射到内核空间。(此处未定,MmProbeAndLockPages是否会到PDE与PTE中建立映射,未知。)
StartVa:虚拟地址空间的首地址,当这块虚拟地址描述的是一个用户进程地址空间的一块时,这个地址从属于某一个进程。
ByteCount:虚拟地址块的大小,字节数
ByteOffset:StartVa+ByteCount等于缓冲区的开始地址
二.对MmBuildMdlForNonPagedPool的黑盒测试
测试的程序主要执行如下步骤:
1.用ExAllocatePoolWithTag在内核地址空间的NonpagedPool分配一块10000自己的区域
2.用上述得到的地址和大小调用IoAllocateMdl,返回一个MDL
3.打印该MDL个成员的值
4.调用MmBuildMdlForNonPagedPool
5.打印MDL各成员的值,比较与步骤3中的不同
代码如下:
- #include "ntddk.h"
- #include "wdm.h"
- #include "ntdef.h"
- #define BUF_LENGTH 10000
- static void OutputMDL(PMDL pMDL);
- static void Unload( IN PDRIVER_OBJECT pDriverObject);
- NTSTATUS DriverEntry( IN PDRIVER_OBJECT pDriverObject, IN PUNICODE_STRING RegistryPath )
- {
- PVOID pBuf = NULL;
- PMDL pMDL;
- //set up unload routing
- pDriverObject->DriverUnload = Unload;
- //allocate memory from non-paged pool
- pBuf = ExAllocatePoolWithTag(NonPagedPool,BUF_LENGTH,(ULONG)DriverEntry);
- if(!pBuf) {
- DbgPrint("ExAllocatePoolWithTag failed./n");
- return STATUS_SUCCESS;
- }
- DbgPrint("MDL_TEST: pBuf=0x%08x/n",(ULONG)pBuf);
- //allocate a MDL
- pMDL = IoAllocateMdl(pBuf,BUF_LENGTH,FALSE,FALSE,NULL);
- if(!pMDL) {
- DbgPrint("IoAllocateMdl failed./n");
- ExFreePoolWithTag(pBuf,(ULONG)DriverEntry);
- return STATUS_SUCCESS;
- }
- //print MDL right after IoAllocateMdl
- OutputMDL(pMDL);
- //
- DbgPrint("****************************************/n");
- //call MmBuildMdlForNonPagedPool
- MmBuildMdlForNonPagedPool(pMDL);
- //print MDL after MmBuildMdlForNonPagedPool is called
- OutputMDL(pMDL);
- //return
- IoFreeMdl(pMDL);
- ExFreePoolWithTag(pBuf,(ULONG)DriverEntry);
- return STATUS_SUCCESS;
- }
- void Unload( IN PDRIVER_OBJECT pDriverObject)
- {
- DbgPrint("MDL_TEST: Unloading. 88/n");
- }
- void OutputMDL(PMDL pMDL)
- {
- int i;
- ULONG * p = (ULONG*)(pMDL+1);
- DbgPrint("MDL_TEST: Size=%d/n",pMDL->Size);
- DbgPrint("MDL_TEST: MdlFlags=0x%04x/n",pMDL->MdlFlags);
- DbgPrint("MDL_TEST: Process=0x%08x/n",(ULONG)pMDL->Process);
- DbgPrint("MDL_TEST: MappedSystemVa=0x%08x/n",(ULONG)pMDL->MappedSystemVa);
- DbgPrint("MDL_TEST: StartVa=0x%08x/n",(ULONG)pMDL->StartVa);
- DbgPrint("MDL_TEST: ByteCount=%u/n",pMDL->ByteCount);
- DbgPrint("MDL_TEST: ByteOffset=%u/n",pMDL->ByteOffset);
- //print a few 4-bytes after the MDL structure
- for(i=0;i<5;i++)
- DbgPrint("MDL_TEST: p[%d]=0x%08x/n",i,p[i]);
- }
执行的结果如下:
- MDL_TEST: pBuf=0xadc92000
- MDL_TEST: Size=40
- MDL_TEST: MdlFlags=0x0008
- MDL_TEST: Process=0x87e85c88
- MDL_TEST: MappedSystemVa=0x95fb1cc4
- MDL_TEST: StartVa=0xadc92000
- MDL_TEST: ByteCount=10000
- MDL_TEST: ByteOffset=0
- MDL_TEST: p[0]=0x0002d72f
- MDL_TEST: p[1]=0x0002e2b0
- MDL_TEST: p[2]=0x0007e15a
- MDL_TEST: p[3]=0x0007e15b
- MDL_TEST: p[4]=0x0007e15c
- ****************************************
- MDL_TEST: Size=40
- MDL_TEST: MdlFlags=0x000c
- MDL_TEST: Process=0x00000000
- MDL_TEST: MappedSystemVa=0xadc92000
- MDL_TEST: StartVa=0xadc92000
- MDL_TEST: ByteCount=10000
- MDL_TEST: ByteOffset=0
- MDL_TEST: p[0]=0x0005bd23
- MDL_TEST: p[1]=0x0005bea2
- MDL_TEST: p[2]=0x0005bb21
- MDL_TEST: p[3]=0x0007e15b
- MDL_TEST: p[4]=0x0007e15c
对驱动程序采用Direct I/O方式进行数据读的测试
采用这种方式进行读数据时,I/O Manager调用MmProbeAndLockPages将ReadFile参数提供的用户空间缓冲区对应的物理页面锁定为不可换出,然后将得到的 MDL放在Irp->MdlAddress里,将IRP传递给相应驱动程序的DispatchRead。根据Walter Oney在书中的描述,此时I/O Manager的行为可以用下面的代码来描述:
- KPROCESSOR_MODE mode; // <== either KernelMode or UserMode
- PMDL mdl = IoAllocateMdl(uva, length, FALSE, TRUE, Irp);
- MmProbeAndLockPages(mdl, mode,
- reading ? IoWriteAccess : IoReadAccess);
- <code to send and await IRP>
- MmUnlockPages(mdl);
- IoFreeMdl(mdl);
这里主要关注的地方是MmProbeAndLockPages有没有进行实际的虚拟地址的映射,即将物理页面映射到内核地址空间中。我们用下面的驱动代码来测试这一行为。
- NTSTATUS DispatchRead(IN PDEVICE_OBJECT pDeviceObject, IN PIRP pIrp)
- {
- PVOID pSysAddr;
- PMDL pMDL = pIrp->MdlAddress;
- DbgPrint("******************DispatchRead******************/n");
- DbgPrint("Before MmGetSystemAddressForMdlSafe/n");
- OutputMDL(pMDL);
- pSysAddr = MmGetSystemAddressForMdlSafe(pMDL,LowPagePriority);
- if(!pSysAddr) {
- DbgPrint("MmGetSystemAddressForMdlSafe failed./n");
- return STATUS_SUCCESS;
- }
- DbgPrint("After MmGetSystemAddressForMdlSafe/n");
- OutputMDL(pMDL);
- pIrp->IoStatus.Status = STATUS_SUCCESS;
- pIrp->IoStatus.Information = MmGetMdlByteCount(pMDL);
- IoCompleteRequest(pIrp,IO_NO_INCREMENT);
- return STATUS_SUCCESS;
- }
再写一个应用程序来发起一个读操作:
- void TestMDLDriver()
- {
- HANDLE hDevice;
- BOOL bRet;
- DWORD dwRead;
- BYTE buf[10000] = {'S','Q','U','I'};
- hDevice = CreateFile(_T("////.//MDLTest"),GENERIC_READ,0,NULL,OPEN_EXISTING,FILE_ATTRIBUTE_NORMAL,NULL);
- if(hDevice==INVALID_HANDLE_VALUE)
- {
- fprintf(stderr,"CreateFile error : %d/n",GetLastError());
- return;
- }
- //issue a read request
- bRet = ReadFile(hDevice,buf,sizeof(buf),&dwRead,NULL);
- if(!bRet)
- {
- fprintf(stderr,"ReadFile error : %d/n",GetLastError());
- return;
- }
- printf("Read bytes:%d/n",dwRead);
- //
- CloseHandle(hDevice);
- }
导致的内核输出如下:
- 00000009 4.27463436 ******************DispatchRead******************
- 00000010 4.27464771 Before MmGetSystemAddressForMdlSafe
- 00000011 4.27465439 MDL_TEST: Size=40
- 00000012 4.27466011 MDL_TEST: MdlFlags=0x008a
- 00000013 4.27466583 MDL_TEST: Process=0x86ca7b58
- 00000014 4.27467155 MDL_TEST: MappedSystemVa=0x92b1f000
- 00000015 4.27467775 MDL_TEST: StartVa=0x001ad000
- 00000016 4.27468348 MDL_TEST: ByteCount=10000
- 00000017 4.27468824 MDL_TEST: ByteOffset=1148
- 00000018 4.27469397 MDL_TEST: p[0]=0x00064429
- 00000019 4.27469969 MDL_TEST: p[1]=0x000619fc
- 00000020 4.27470541 MDL_TEST: p[2]=0x000618ee
- 00000021 4.27471066 MDL_TEST: p[3]=0x00060749
- 00000022 4.27471685 MDL_TEST: p[4]=0x86abca24
- 00000023 4.27472448 After MmGetSystemAddressForMdlSafe
- 00000024 4.27472973 MDL_TEST: Size=40
- 00000025 4.27473545 MDL_TEST: MdlFlags=0x008b
- 00000026 4.27474070 MDL_TEST: Process=0x86ca7b58
- 00000027 4.27474689 MDL_TEST: MappedSystemVa=0xb01e747c
- 00000028 4.27475214 MDL_TEST: StartVa=0x001ad000
- 00000029 4.27475786 MDL_TEST: ByteCount=10000
- 00000030 4.27476311 MDL_TEST: ByteOffset=1148
- 00000031 4.27476835 MDL_TEST: p[0]=0x00064429
- 00000032 4.27477455 MDL_TEST: p[1]=0x000619fc
- 00000033 4.27477980 MDL_TEST: p[2]=0x000618ee
- 00000034 4.27478504 MDL_TEST: p[3]=0x00060749
- 00000035 4.27479029 MDL_TEST: p[4]=0x86abca24
此时从VS的调试器中看到,应用程序中buf[10000]的地址为0x001ad47c
从输出可以得到如下结论:
1.MmProbeAndLockPages并不将物理页面映射到内核地址空间,而仅锁定物理页面;MappedSystemVa的变化可以显示这一点
2.buf的地址=StartVa+ByteOffset;
3.MmGetSystemAddressForMdlSafe进行实际的映射操作,并设置MdlFlags的MDL_MAPPED_TO_SYSTEM_VA标志。
4.MmProbeAndLockPages将MdlFlags=MDL_WRITE_OPERATION | MDL_ALLOCATED_FIXED_SIZE | MDL_PAGES_LOCKED