Calling Mi Internal functions directly
In this article you can learn how to use some internal Mi functions in Windows Operating Systems. In this example i am using Windows 8.1 x64
a) MiCreateSection
b) MiMapViewInSystemSpace
c) MiRemoveFromSystemSpace
and the system variable MmSession which used in conjunction with functions b & c
Lets see the definitions of these functions using ida
As you can see MmSession is used across some functions. As you can imagine, MmSession address is NOT static.
In this example we will map the ntdll.dll file into system space using the above functions.
Using the ida debugger information we create function definitions and search for the addresses using a kernel debugger. You can create a memory scanner to find the addresses.
We are calling internal IopCreateFile (which is called by both IoCreateFile & NtCreateFile). We pass reading parameters. Next step to query the file size, which we will need for creating the section.
We use the size in bytes of ntdll.dll to create the section, after that we map the section into system space.
We decrement the object , close the handle and remove the mapped memory from system space. keep in mind this operations wont work with large files, since kernel memory is very limited.
a) MiCreateSection
b) MiMapViewInSystemSpace
c) MiRemoveFromSystemSpace
and the system variable MmSession which used in conjunction with functions b & c
Lets see the definitions of these functions using ida
As you can see MmSession is used across some functions. As you can imagine, MmSession address is NOT static.
In this example we will map the ntdll.dll file into system space using the above functions.
Using the ida debugger information we create function definitions and search for the addresses using a kernel debugger. You can create a memory scanner to find the addresses.
We are calling internal IopCreateFile (which is called by both IoCreateFile & NtCreateFile). We pass reading parameters. Next step to query the file size, which we will need for creating the section.
We use the size in bytes of ntdll.dll to create the section, after that we map the section into system space.
We decrement the object , close the handle and remove the mapped memory from system space. keep in mind this operations wont work with large files, since kernel memory is very limited.
Comments
Post a Comment