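Choosing the Nonpaged Pool Type in KMDF

In a kernel driver, memory cannot be allocated dynamically with C library functions such as malloc; ExAllocatePoolWithTag() and ExFreePool() are used instead. For example: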

#define TEST_POOL_TAG            (ULONG)'test'

PUCHAR tempBuf = NULL;

// Allocate tempBufSize bytes of nonpaged pool, tagged for pool tracking
tempBuf = ExAllocatePoolWithTag ( NonPagedPool, tempBufSize, TEST_POOL_TAG );

ExFreePool ( (PVOID)tempBuf ); // free memory

However, code written this way causes a blue screen during HLK testing. The specific error information is as follows:

DRIVER_VERIFIER_DETECTED_VIOLATION (c4)
A device driver attempting to corrupt the system has been caught.  This is
because the driver was specified in the registry as being suspect (by the
administrator) and the kernel has enabled substantial checking of this driver.
If the driver attempts to corrupt the system, bugchecks 0xC4, 0xC1 and 0xA will
be among the most commonly seen crashes.
Arguments:
Arg1: 00002000, Code Integrity Issue: The caller specified an executable pool type. (Expected: NonPagedPoolNx)
Arg2: 9b38504d, The address in the driver's code where the error was detected.
Arg3: 00000000, Pool Type.
Arg4: 67646978, Pool Tag (if provided).

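Investigation showed that the problem was the pool type specified when allocating memory with ExAllocatePoolWithTag. Starting with Windows 8, the NonPagedPool type is equivalent to NonPagedPoolExecute. Memory of this type allows instructions to execute in it, which could let malicious code run in that memory. For security reasons, Microsoft therefore recommends that, starting with Windows 8, drivers use the NonPagedPoolNx type wherever possible when allocating nonpaged memory.

MSDN reference links: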
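
One way to find such allocations before an HLK run is a source scan, shown here as an added example that is not part of the original post: it flags pool allocation calls whose first argument names an executable nonpaged pool type. The sample source is constructed, and the scan is textual, so it does not see a pool type hidden behind a macro or a variable.

```python
import re

# Pool allocators whose first parameter is a POOL_TYPE.
ALLOCATORS = ("ExAllocatePool", "ExAllocatePoolWithTag", "ExAllocatePoolWithQuota",
              "ExAllocatePoolWithQuotaTag", "ExAllocatePoolWithTagPriority")
# Names that request executable nonpaged memory on Windows 8 and later.
EXECUTABLE_TYPES = {"NonPagedPool", "NonPagedPoolExecute"}
CALL_RE = re.compile(r"\b(%s)\s*\(" % "|".join(ALLOCATORS))
COMMENT_RE = re.compile(r"/\*.*?\*/|//[^\n]*", re.S)

# Constructed sample driver source (not taken from a real driver).
SAMPLE = """\
#define TEST_POOL_TAG (ULONG)'test'
PUCHAR a = ExAllocatePoolWithTag ( NonPagedPool,tempBufSize, TEST_POOL_TAG );
PUCHAR b = ExAllocatePoolWithTag(NonPagedPoolNx, tempBufSize, TEST_POOL_TAG);
// old: ExAllocatePoolWithTag(NonPagedPool, n, TEST_POOL_TAG);
PUCHAR c = ExAllocatePoolWithTag(
    (POOL_TYPE)(NonPagedPoolExecute),
    tempBufSize, TEST_POOL_TAG);
"""

def strip_comments(src):
    # Blank out comments but keep newlines so line numbers stay correct.
    return COMMENT_RE.sub(lambda m: re.sub(r"[^\n]", " ", m.group(0)), src)

def first_argument(src, pos):
    # Text of the first call argument; pos is the index just after "(".
    depth = 0
    for i, c in enumerate(src[pos:], pos):
        if c == "(":
            depth += 1
        elif c == ")" and depth > 0:
            depth -= 1
        elif c in ",)" and depth == 0:
            return src[pos:i]
    return src[pos:]

def find_executable_pool_calls(src):
    # Return (line, allocator, pool type name) for each flagged call.
    clean = strip_comments(src)
    findings = []
    for m in CALL_RE.finditer(clean):
        names = re.findall(r"[A-Za-z_]\w*", first_argument(clean, m.end()))
        hit = next((n for n in names if n in EXECUTABLE_TYPES), None)
        if hit:
            findings.append((clean.count("\n", 0, m.start()) + 1, m.group(1), hit))
    return findings

if __name__ == "__main__":
    print(find_executable_pool_calls(SAMPLE))
```

Each flagged call is a candidate for NonPagedPoolNx unless the driver explicitly requires executable memory there.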

https://msdn.microsoft.com/zh-cn/library/ff559707(v=vs.85).aspx

https://msdn.microsoft.com/zh-cn/library/hh920391%28v=vs.85%29.aspx?f=255&MSPPError=-2147217396

The following are the relevant excerpts from MSDN:

NonPagedPool

Nonpaged pool, which is nonpageable system memory. Nonpaged pool can be accessed from any IRQL, but it is a scarce resource and drivers should allocate it only when necessary.

System memory allocated with the NonPagedPool pool type is executable. For more information, see the description of the NonPagedPoolExecute pool type.

Starting with Windows 8, drivers should allocate most or all of their nonpaged memory from the no-execute (NX) nonpaged pool instead of the executable nonpaged pool. For more information, see the description of the NonPagedPoolNx pool type.

NonPagedPoolExecute

Starting with Windows 8, NonPagedPoolExecute is an alternate name for the NonPagedPool value. This value indicates that the allocated memory is to be nonpaged and executable—that is, instruction execution is enabled in this memory. To port a driver from an earlier version of Windows, you should typically replace all or most instances of the NonPagedPool name in the driver source code with NonPagedPoolNx. Avoid replacing instances of the NonPagedPool name with NonPagedPoolExecute except in cases in which executable memory is explicitly required. For more information, see No-Execute (NX) Nonpaged Pool.

NonPagedPoolNx

No-execute (NX) nonpaged pool. This pool type is available starting with Windows 8. In contrast to the nonpaged pool designated by NonPagedPool, which allocates executable memory, the NX nonpaged pool allocates memory in which instruction execution is disabled. For more information, see No-Execute (NX) Nonpaged Pool.

No-Execute (NX) Nonpaged Pool

As a best practice, drivers for Windows 8 and later versions of Windows should allocate most or all of their nonpaged memory from the no-execute (NX) nonpaged pool. By allocating memory from NX nonpaged pool, a kernel-mode driver improves security by preventing malicious software from executing instructions in this memory.

Starting with Windows 8, kernel-mode drivers can allocate memory from a pool of NX nonpaged memory. This pool is managed by a general-purpose, kernel-mode memory allocator that operates similarly to the user-mode Win32 heap allocator. The memory in this pool is NX and nonpaged. The x86, x64, and ARM processor architectures enable memory pages to be designated as NX to prevent the execution of instructions in these pages. Typically, a kernel-mode driver uses memory allocated from nonpaged pool to store data, and does not require the ability to execute instructions in this memory.

Support for Legacy Drivers

In Windows 7 and earlier versions of Windows, all memory allocated from the nonpaged pool is executable. To encourage porting of these drivers to use NX nonpaged pool in Windows 8 and later versions of Windows, Microsoft provides several opt-in mechanisms to enable developers to update their drivers with minimal effort. For more information, see NX Pool Opt-In Mechanisms.

For backward compatibility, driver binaries that run on Windows 7 and earlier versions of Windows, and that allocate memory from the executable nonpaged pool, will run on Windows 8 and later versions of Windows without modification. However, these drivers do not take advantage of the improved security of the NX nonpaged pool.
