JustKernel

Ray Of Hope

Shared Memory Between User-Mode And Kernel-Mode (Section Object)

A section object describes an area of memory that two or more processes can potentially share. Section objects are also called file-mapping objects. Windows uses section objects to implement shared memory and to map disk files into memory.

Important Note: Use of this mechanism is discouraged for sharing memory between user mode and kernel mode. But this technique becomes unavoidable for sharing a large chunk of memory between user mode and kernel mode.

Every section object is backed by either the system paging file or a file on disk. Drivers that use section objects to share memory with a user-mode application typically map an area that is backed by the system paging file. An application or driver routine that creates a section object can map the entire backing file if the address space has enough free space for the entire object to fit. If the file is too large, however, the application or driver routine can map a portion of it. This portion is called the view. If two processes share a section object, each can have its own view of the object or they can share the same view.

Creating and Sharing a Section Object:

Windows provides several ways for a driver and a user-mode application to share a section object. Using the technique described here, both a driver and a user-mode application open a named section object and each maps a separate view of that section object. Mapping separate views reduces the security risks of sharing the section object between user mode and kernel mode.

The user-mode application maps a view into the user virtual address space and the driver maps a view into the kernel virtual address space. In return, the user-mode application receives a handle that is valid only in user mode and has been checked for security and access rights. The driver receives a handle that is valid only in kernel mode.

Important Note: Because the view is mapped into the address space of the current process, the driver must open the section object and map the view while running in the context of the system process, such as in a DriverEntry or AddDevice routine.

To share a section with a user-mode application, a driver must do the following:

  1. Call InitializeObjectAttributes to create an attribute structure that specifies the name of the section object and sets the OBJ_FORCE_ACCESS_CHECK and OBJ_KERNEL_HANDLE attributes.
  2. Call ZwCreateSection to create a new section object or open an existing one, specifying the size of the section. ZwCreateSection returns a handle to the section object.
  3. Call ZwMapViewOfSection to map a view of the section into the process address space, specifying NtCurrentProcess as a handle to the process. This call maps the view into the user virtual address space of the specified process, in this case the system process. Mapping the driver's view into the system process prevents user-mode applications from tampering with the view and ensures that the driver's handle is accessible only from kernel mode. ZwMapViewOfSection returns the base address and the size of the view.
  4. Call ZwUnmapViewOfSection to unmap the view when it has finished using that view.
  5. Call ZwClose to close the handle and delete the object when it has finished using the section.

In the user-mode application, do the following:

  1. Call CreateFileMapping to open a new or existing file-mapping object by name and specify the required access to the file.
  2. Call MapViewOfFile or MapViewOfFileEx to map a view of the file. These functions return the starting address of the mapped view.

Important Note: Drivers should not use ZwMapViewOfSection to map a memory range in \Device\PhysicalMemory into user mode. Doing so directly maps physical memory. A user-mode component could write over pages that belong to a different process, thus causing system corruption and a crash.
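Separate views keep each side's handle and address private, but both views still alias the same pages, so the application can rewrite a field while the driver is reading it. The following added example (not code from the original post) shows the capture-then-validate pattern a driver would apply to its view, written in portable C so it can be run anywhere; the shared_hdr layout, MAX_PAYLOAD and capture_message are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical message layout at the start of the shared view (assumption). */
typedef struct {
    uint32_t length;   /* payload bytes that follow the header */
    uint32_t opcode;   /* request type chosen by the application */
} shared_hdr;

#define MAX_PAYLOAD 256u

/* Private copy owned by the driver; the application cannot reach it. */
typedef struct {
    shared_hdr hdr;
    uint8_t payload[MAX_PAYLOAD];
} captured_msg;

/*
 * Copy one message out of the shared view into private memory.
 * Returns 0 on success, -1 if the arguments or the header are invalid.
 * Each byte of the view is fetched once; every check and every later use
 * works on the private copy, so a concurrent write by the other side
 * cannot invalidate a check that has already passed.
 */
int capture_message(const volatile uint8_t *view, size_t view_size,
                    captured_msg *out)
{
    shared_hdr hdr;
    size_t i;

    if (out == NULL)
        return -1;
    memset(out, 0, sizeof *out);          /* never hand back stale data */
    if (view == NULL || view_size < sizeof hdr)
        return -1;

    /* Single fetch of the header through the volatile pointer. */
    for (i = 0; i < sizeof hdr; i++)
        ((uint8_t *)&hdr)[i] = view[i];

    /* Validate the captured length; the view's length is not read again. */
    if (hdr.length > MAX_PAYLOAD || hdr.length > view_size - sizeof hdr)
        return -1;

    for (i = 0; i < hdr.length; i++)
        out->payload[i] = view[sizeof hdr + i];
    out->hdr = hdr;
    return 0;
}
```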

Originally Posted On: 2010-04-24 03:13:43

Anshul Makkar, anshul_makkar@justkernel.com
