你在应用层访问该地址前用SOFTICE看看该地址是否已经存在了?
还有建议你在DRIVERENTRY里分配内存,影射MDL等,而在DispatchIOControl里只需MmMapLockedPages即可.

PVOID pBee;
PVOID userAddress;

在DispatchIOControl里的代码:
......
......
pBee = ExAllocatePoolWithTag(NonPagedPool,PAGE_SIZE,'xjuw');
mdl = IoAllocateMdl(pBee,PAGE_SIZE,FALSE,FALSE,NULL);
MmBuildMdlForNonPagedPool(mdl);
outBeeAddress= MmMapLockedPagesSpecifyCachemdl,UserMode,MmCached,
NULL,FALSE,NormalPagePriority);
RtlCopyMemory(pSmartcardExtension->IoRequest.ReplyBuffer,&outBeeAddress,sizeof(PVOID));
*pSmartcardExtension->IoRequest.Information = sizeof(PVOID);
return STATUS_SUCCESS;
我省去了一些检查分配的代码,outBeeAddress de的值是0x630000.

z在application端的代码:
PVOID    pBeeAddress;
unsigned char abc[10] = {0x01,0x02...0x0A};

通过DeviceIOControl得到kernel里传出的outBeeAddress的值,
然后我发现pBeeAddress的是确实也是0x630000.
但是当我做:
memcpy(pBeeAddress,abc,10);
的时候application程序就崩掉了,请问为深么啊?0x630000不是从kernel里映射到user地址空间的地址吗?

试一试在映射前加一句

MmProbeAndLockPages(Mdl, KernelMode, IoWriteAccess);

把outBeeAddress= MmMapLockedPagesSpecifyCachemdl,UserMode,MmCached,

改成MmBuildMdlForNonPagedPool(pMdl);

那个pBee应该就是返回的共享地址。

 

    {        
        DWORD size = MmSizeOfMdl(pHeader,bufferSize); // map pHeader to user
        pMdl = (PMDL)ExAllocatePool( NonPagedPool, size );
        pMdl = MmCreateMdl( pMdl, pHeader, bufferSize);


        if ( (pMdl->MdlFlags & (MDL_PAGES_LOCKED |
                                MDL_SOURCE_IS_NONPAGED_POOL |
                                MDL_MAPPED_TO_SYSTEM_VA |
                                MDL_PARTIAL) ) == 0)
            MmBuildMdlForNonPagedPool(pMdl);


        PVOID ptr = MmMapLockedPages(pMdl, UserMode);

        if ( ptr == NULL )
            *(PDBGTRAP_HEADER*)outputBuffer = NULL;
        else
            *(PDBGTRAP_HEADER*)outputBuffer = (PDBGTRAP_HEADER) (ULONG(ptr) | MmGetMdlByteOffset(pMdl));
DbgPrint("Pointer %x + Offset %x \n", ptr, MmGetMdlByteOffset(pMdl));    
    }

我是这样造的.