Probe kernel memory for read

Posted: Sun Aug 12, 2018 7:45 am
by easy
Hello, I want to scan all loaded kernel modules.
The problem is I don't know how to safely read unknown kernel memory.
So I enumerate the module list and read each section according to the PE header, excluding discardable ones.
For some modules (such as win32k) the read operation causes a reboot without a BSOD, but I can bypass it by attaching to any GUI process.
But for some others (for example, cdd.dll) it fails in RtlImageHeader with a PAGE_FAULT.
I tried IoAllocateMdl + MmProbeAndLockPages and it also causes a BSOD.
Any idea how to accomplish that?

Re: Probe kernel memory for read

Posted: Mon Aug 13, 2018 6:55 am
by easy
While the topic was awaiting approval, I solved it by checking the address with MmGetPhysicalAddress.

Re: Probe kernel memory for read

Posted: Mon Aug 13, 2018 2:33 pm
by Vrtule
MmGetPhysicalAddress does not recognize memory that is currently stored in the page file only. Also, the documentation suggests you should not use this function for memory used for DMA operations.

As far as I know, there is no general way to safely read a block of kernel memory.

Re: Probe kernel memory for read

Posted: Tue Aug 14, 2018 3:35 am
by tangptr
Did you enclose your MmProbeAndLockPages call in an SEH block? This is essential when invoking it.
In addition, the result of MmGetPhysicalAddress is only valid for system-session addresses. Results from MmGetPhysicalAddress for DMA, win32-subsystem, user-mode, etc. memory are invalid.
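The section filter the original poster describes (walk the PE section table, skip discardable sections), tightened by the pageability caveat raised in the replies, as an added example that is not code from any participant in this thread. It mirrors the IMAGE_SECTION_HEADER layout locally so it builds outside the WDK, and it assumes the linker's IMAGE_SCN_MEM_NOT_PAGED flag is the indicator that a section stays resident; the section table is constructed sample data.

```c
#include <stddef.h>
#include <stdint.h>

/* Local mirror of IMAGE_SECTION_HEADER (40 bytes, same field order as winnt.h)
   so the example compiles without Windows headers. */
#pragma pack(push, 1)
typedef struct {
    uint8_t  Name[8];
    uint32_t VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData;
    uint32_t PointerToRelocations, PointerToLinenumbers;
    uint16_t NumberOfRelocations, NumberOfLinenumbers;
    uint32_t Characteristics;
} section_header_t;
#pragma pack(pop)

#define IMAGE_SCN_MEM_DISCARDABLE 0x02000000u
#define IMAGE_SCN_MEM_NOT_PAGED   0x08000000u

typedef struct { uint32_t rva; uint32_t size; } scan_range_t;

/* Keep only sections that are neither discardable (INIT is freed after
   DriverEntry, so touching it faults) nor pageable (contents may sit in the
   page file, where a physical-address check does not help). Returns the
   number of ranges written to out. */
size_t collect_scannable(const section_header_t *sh, uint16_t n,
                         scan_range_t *out, size_t max_out)
{
    size_t k = 0;
    for (uint16_t i = 0; i < n && k < max_out; i++) {
        if (sh[i].Characteristics & IMAGE_SCN_MEM_DISCARDABLE) continue;
        if (!(sh[i].Characteristics & IMAGE_SCN_MEM_NOT_PAGED)) continue;
        if (sh[i].VirtualSize == 0) continue;
        out[k].rva  = sh[i].VirtualAddress;
        out[k].size = sh[i].VirtualSize;
        k++;
    }
    return k;
}

/* Constructed sample section table for a typical driver image (not real data). */
static const section_header_t sample_sections[4] = {
    { .Name = ".text", .VirtualSize = 0x5000, .VirtualAddress = 0x1000, .Characteristics = 0x68000020u },
    { .Name = ".data", .VirtualSize = 0x0800, .VirtualAddress = 0x6000, .Characteristics = 0xC8000040u },
    { .Name = "PAGE",  .VirtualSize = 0x3000, .VirtualAddress = 0x7000, .Characteristics = 0x60000020u },
    { .Name = "INIT",  .VirtualSize = 0x0400, .VirtualAddress = 0xA000, .Characteristics = 0xE2000020u },
};

size_t demo_scannable_count(void)
{
    scan_range_t r[4];
    return collect_scannable(sample_sections, 4, r, 4);
}

uint32_t demo_first_scannable_rva(void)
{
    scan_range_t r[4];
    return collect_scannable(sample_sections, 4, r, 4) ? r[0].rva : 0;
}
```

Even with this filter, the resulting ranges still have to be read under an SEH block, as the last reply points out, since the section table only says what the image looked like at load time.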