Probe kernel memory for read

Forum for discussion about kernel-mode development.
easy
Posts: 2
Joined: Sun Aug 12, 2018 7:25 am

Probe kernel memory for read

Post by easy » Sun Aug 12, 2018 7:45 am

Hello, I want to scan all loaded kernel modules.
The problem is I don't know how to safely read unknown kernel memory.
So I am enumerating the module list and reading each section according to the PE header, excluding discardable ones.
For some modules (such as win32k) the read operation causes a reboot without a BSOD, but I can bypass it by attaching to any GUI process.
But for some others (for example, cdd.dll) it fails in RtlImageHeader with a PAGE_FAULT.
I tried IoAllocateMdl + MmProbeAndLockPages and it also causes a BSOD.
Any idea how to accomplish that?
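
The section-walking part of the approach above (enumerate the module's section headers, skip discardable sections, read the rest) can be checked offline before touching live kernel memory. The following is an added example, not code from the original post: it builds a constructed minimal PE image, parses its section table, and computes the virtual address ranges that are candidates for reading. The image layout, section names and the image base used are assumptions for illustration.

```python
import struct

# IMAGE_SECTION_HEADER.Characteristics bit: the section may be freed after
# driver initialization (typical for INIT), so its pages must not be read later.
IMAGE_SCN_MEM_DISCARDABLE = 0x02000000

# Struct layouts from the PE/COFF specification.
COFF_HEADER_FMT = "<HHIIIHH"          # Machine, NumberOfSections, TimeDateStamp,
                                      # PointerToSymbolTable, NumberOfSymbols,
                                      # SizeOfOptionalHeader, Characteristics
SECTION_HEADER_FMT = "<8sIIIIIIHHI"   # Name, VirtualSize, VirtualAddress, SizeOfRawData,
                                      # PointerToRawData, PointerToRelocations,
                                      # PointerToLinenumbers, NumberOfRelocations,
                                      # NumberOfLinenumbers, Characteristics


def build_section(name, va, vsize, characteristics):
    """Pack one 40-byte section header (constructed test data)."""
    return struct.pack(SECTION_HEADER_FMT, name.encode().ljust(8, b"\0"),
                       vsize, va, vsize, 0, 0, 0, 0, 0, characteristics)


def build_sample_image():
    """Constructed minimal PE32+ image: DOS stub, PE signature, COFF header,
    zero-filled optional header and three sections. Not a real driver."""
    e_lfanew = 0x80
    dos = (b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\0")
    sections = [
        build_section(".text", 0x1000, 0x4000, 0x60000020),  # code, read, execute
        build_section(".data", 0x5000, 0x1000, 0xC0000040),  # initialized data, read/write
        build_section("INIT", 0x6000, 0x800, 0x62000020),    # code, but discardable
    ]
    opt_size = 0xF0                                          # PE32+ optional header size
    optional = struct.pack("<H", 0x20B).ljust(opt_size, b"\0")  # Magic = PE32+
    coff = struct.pack(COFF_HEADER_FMT, 0x8664, len(sections), 0, 0, 0, opt_size, 0x22)
    return dos + b"PE\0\0" + coff + optional + b"".join(sections)


def parse_sections(image):
    """Return the section table of an in-memory PE image as a list of dicts."""
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    coff_off = e_lfanew + 4
    _, nsec, _, _, _, opt_size, _ = struct.unpack_from(COFF_HEADER_FMT, image, coff_off)
    sec_off = coff_off + struct.calcsize(COFF_HEADER_FMT) + opt_size
    sections = []
    for i in range(nsec):
        name, vsize, va, _, _, _, _, _, _, chars = struct.unpack_from(
            SECTION_HEADER_FMT, image, sec_off + 40 * i)
        sections.append({
            "name": name.rstrip(b"\0").decode(),
            "va": va,
            "size": vsize,
            "characteristics": chars,
            "discardable": bool(chars & IMAGE_SCN_MEM_DISCARDABLE),
        })
    return sections


def readable_ranges(image_base, sections):
    """Candidate [start, end) virtual ranges: skip discardable and empty sections.
    image_base is an assumed load address supplied by the caller."""
    return [(image_base + s["va"], image_base + s["va"] + s["size"], s["name"])
            for s in sections if not s["discardable"] and s["size"] > 0]


if __name__ == "__main__":
    base = 0xFFFFF80000000000  # assumed load address for illustration
    for start, end, name in readable_ranges(base, parse_sections(build_sample_image())):
        print(f"{name:8s} {start:#018x}-{end:#018x}")
```

Filtering on IMAGE_SCN_MEM_DISCARDABLE only removes the ranges the loader is allowed to free; as the later replies in this thread point out, a non-discardable range can still be paged out or belong to session space, so the address still has to be validated in the kernel before it is dereferenced.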

easy
Posts: 2
Joined: Sun Aug 12, 2018 7:25 am

Re: Probe kernel memory for read

Post by easy » Mon Aug 13, 2018 6:55 am

While the topic was awaiting approval, I solved it by checking the address with MmGetPhysicalAddress.

Vrtule
Posts: 461
Joined: Sat Mar 13, 2010 9:14 pm
Location: Czech Republic

Re: Probe kernel memory for read

Post by Vrtule » Mon Aug 13, 2018 2:33 pm

MmGetPhysicalAddress does not recognize memory that is currently stored in the page file only. Also, the documentation suggests you should not use this function for memory used for DMA operations.

As far as I know, there is no general way to safely read a block of kernel memory.

tangptr
Posts: 28
Joined: Mon Nov 14, 2016 11:14 am
Location: People's Republic of China

Re: Probe kernel memory for read

Post by tangptr » Tue Aug 14, 2018 3:35 am

Did you enclose your MmProbeAndLockPages invocation in an SEH block? This is essential when invoking it.
In addition, the result of MmGetPhysicalAddress is only valid for system-session addresses. Results from MmGetPhysicalAddress for DMA, win32-subsystem, user-mode, etc. memory are invalid.
At long last, the jumping hands of time will be halted by a weakling cast in eternal solitude.
