Memory Tags

Secondary Categories: 02-Windows Kernel

When programming a kernel driver usually a 4 alphanumeric value is assigned when allocating or freeing memory this is just used to identify the memory regions that have been allocated like so:

#pragma once
#include <ntddk.h>
 
constexpr auto MY_DRIVER_TAG = '1GAT';
 
void Cleanup(PDRIVER_OBJECT DriverObject);

When used in your driver code:

#include "driver.h"
 
PVOID g_myMemory;
 
extern "C"
NTSTATUS
DriverEntry(
	_In_ PDRIVER_OBJECT DriverObject,
	_In_ PUNICODE_STRING RegistryPath
)
{
	UNREFERENCED_PARAMETER(RegistryPath);
	KdPrint(("[+] Hello from DriverEntry\n"));
 
	// point DriverUnload to Cleanup function
	DriverObject->DriverUnload = Cleanup;
 
	// allocate some memory
	g_myMemory = ExAllocatePool2(
		POOL_FLAG_PAGED,
		1024,
		MY_DRIVER_TAG
	);
 
	KdPrint(("[+] Memory allocated at 0x%08p\n", g_myMemory));
 
	return STATUS_SUCCESS;
}
 
void Cleanup(
	PDRIVER_OBJECT DriverObject
)
{
	UNREFERENCED_PARAMETER(DriverObject);
	
	KdPrint(("[+] Hello from DriverUnload\n"));
	KdPrint(("[+] Freeing memory at 0x%08p\n", g_myMemory));
 
	// free the allocated memory
	ExFreePoolWithTag(
		g_myMemory,
		MY_DRIVER_TAG
	);
}

Resources:

Title	URL
PLACE	HOLDER

Also Check Out:

PLACE HOLDER

The Void 🌌

Explorer

Memory Tags

Resources:

Also Check Out:

Graph View

Backlinks

Recent Blog Posts

No More Network Bottlenecks

Unmasking Secrets - Deciphering Encrypted Passwords through Reverse Engineering

Conquering Goliath as a CCDC Blue Teamer

Explorer

Table of Contents

Recent Blog Posts

No More Network Bottlenecks

Unmasking Secrets - Deciphering Encrypted Passwords through Reverse Engineering

Conquering Goliath as a CCDC Blue Teamer