i see that is so easy to share memory segment between user space process using sys v api (shmget(), shmat(), shmdt() ), is there any solution to use the same api to share memory from kernel to user space.
i think thant's no way to do that without modifying kenel files, look at this stackoverflow post, i am refering to this article
Related
is there any way to determine which driver is the owner of the hanlde?
I mean is it stored any where is Windows objects?
I can see handles via volatilty but all kernel handles are assigned to System.exe pid:4, I need to know exactly which driver is using this system handle?
thanks
Is there any way to determine which driver is the owner of the
handle?
When kernel modules (or thread in kernel space) call Kernel API (NtCreateFile, for example), the handles are allocated from handle table of System process. In this case, the answer is: no.
I mean is it stored any where is Windows objects?
I guess no
I need to know exactly which driver is using this system handle?
Depend on analisys you're doing. If you need to associate an object back to the driver that owns it, you can try to analize _POOL_HEADER structure to obtain information about who produced the allocation. BUT if you need to analyze an executive object (_FILE object, for example), the PoolTag field in this header will be equal to ObjectType.Key, so this way is not very useful for your purpose.
In general, if you're looking for which resources a process can access (i.e. memory-mapped files), you can analyze with memmap volatility's plugin the process' page tables and so the memory area of the process. I suggest you to use VAD structures' dedicated plugin so that you can gather an high-level information about virtual address space of the process.
Is there a way, in Windows, to check if a page in in memory or in disk(swap space)?
The reason I want know this is to avoid causing page fault if the page is in disk, by not accessing that page.
There is no documented way that I am aware of for accomplishing this in user mode.
That said, it is possible to determine this in kernel mode, but this would involve inspecting the Page Table Entries, which belong to the Memory Manager - not something that you really wouldn't want to do in any sort of production code.
What is the real problem you're trying to solve?
The whole point of Virtual Memory is to abstract this sort of thing away. If you are storing your own data and in user-land, put it in a data-structure that supports caching and don't think about pages.
If you are writing code in kernel-space, I know in linux you need to convert a memory address from a user-land to a kernal-space one, then there are API calls in the VMM to get at the page_table_entry, and subsequently the page struct from the address. Once that is done, you use logical operators to check for flags, one of which is "swapped". If you are trying to make something fast though, traversing and messing with memory at the page level might not be the most efficient (or safest) thing to do.
More information is needed in order to provide a more complete answer.
I'm sharing memory between a parent process and multiple children processes by allocating shared memory segments with shm_open/mmap in OS X. Either parent or children may create the segment then communicate the identifying name to either. My understanding is that the parent has to call shm_unlink on each of these segments when it quits to cleanup memory, otherwise the shared memory is permanently leaked.
What I had initially thought from reading the documentation is that shared segments are cleaned up when no processes with it mapped are alive. However experiments show that this isn't the case and someone has to explicitly use shm_unlink.
Is there any way in OS X to list all the currently existing shared memory segments? The problem is that the parent may crash and so not have a chance to call shm_unlink. In Linux my solution is to clean out /dev/shm, but in OS X I would need some way of listing open shared segments.
The answer seems to be: you can't.
First, see this question, which quotes a comment in the kernel:
TODO:
(2) Need to export data to a userland tool via a
sysctl. Should ipcs(1) and ipcrm(1) be expanded or should new
tools to manage both POSIX kernel semaphores and POSIX shared
memory be written?
Also see this post on the Apple mailing list unix-porting:
There is no "picps"/"picprm" utility, you are expected to remember what
you create and clean up afterward, or clean up first thing on
restart if you crash a lot, there is nothing exposed directly
in the filesystem namespace, and you are expected to do
the shm_unlink because it is a rendezvous for potentially a
lot of unrelated programs.
Hope you figure out your problem. you can use ipcs -a and look under the heading Shared Memory for NATTCH. That value will tell you how many shared memory segments are attached to a particular id.
Does anyone know what are the default permissions on the page, returned by this routine. Is there any chance of putting some code section on this page.
Thanks
Allocate memory through an MDL and then call MmProtectMdlSystemAddress() to change the page protection.
Found here.
Short answer is no - there is no safe, documented way of manipulating page protection bits from kernel mode. These bits are owned by the memory manager.
That said, since memory allocated in this fashion does not have the NX bit set, there is nothing to stop you from executing code from memory allocated via this API.
EDIT: I stand corrected - I was unaware of the API mentioned in Alex's answer above. You learn something new everyday!
How does a debugger work? In other words how do programs which share the Address space of another program work? How will they have ability to write on to another process' address space?
The answer to your question will vary per operating system. I'll just quickly orient you towards the appropriate documentation for the Win32 platform. The short answer is that they don't, instead there is a win32 api for this sort of work.
The main article on the subject is listed here.