Quick question: I'm analyzing a piece of code that is using a signed driver to read PhysicalMemory.
An IOCTL makes the driver map physical memory:
But then there is a call right after to immediately unmap it. Is there a way to detect mappings of this type? Possibly through the VAD tree?
Code:

    // Decompiler output, reformatted. ObjectAttributes is set up before this point (not in the snippet).
    RtlInitUnicodeString(&DestinationString, L"\\Device\\PhysicalMemory");
    ZwOpenSection(&hPhysicalMemory, 0xF001Fu, &ObjectAttributes);           // 0xF001F == SECTION_ALL_ACCESS
    ObReferenceObjectByHandle(hPhysicalMemory, 0xF001Fu, 0i64, 0, &Object, 0i64);
    ZwMapViewOfSection(
        hPhysicalMemory,
        0xFFFFFFFFFFFFFFFFi64,   // ProcessHandle = -1 (NtCurrentProcess): the process the driver currently runs in
        pVirtualAddress,         // BaseAddress: receives the virtual address of the view
        0,                       // ZeroBits
        dwSize,                  // CommitSize
        &paPhysAddr,             // SectionOffset: the physical address being mapped
        &dwSize2,                // ViewSize
        ViewShare,
        0,                       // AllocationType
        0x204u);                 // Win32Protect = PAGE_READWRITE | PAGE_NOCACHE
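As an added example (not the poster's code and not from any real tool), here is one way to do the pairing the question asks about, run over a constructed call trace: map and unmap events on \Device\PhysicalMemory are matched by virtual address, views that are torn down within a few milliseconds are flagged, and views still mapped when the trace ends are reported separately, since only those would still be visible in the VAD tree. The trace format, driver names, addresses and the `max_lifetime` threshold are assumptions.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed call trace (hypothetical format, not a real ETW schema). It mirrors the
# post's sequence: open \Device\PhysicalMemory, map a view, unmap it right away.
TRACE = """\
1000.000 drv=sample.sys ZwOpenSection name=\\Device\\PhysicalMemory access=0xF001F
1000.001 drv=sample.sys ZwMapViewOfSection section=\\Device\\PhysicalMemory va=0x1A0000 offset=0x1000 size=0x1000 prot=0x204
1000.002 drv=sample.sys ZwUnmapViewOfSection va=0x1A0000
1000.500 drv=other.sys ZwMapViewOfSection section=\\Device\\PhysicalMemory va=0x2B0000 offset=0x0 size=0x10000 prot=0x4
"""

PAGE_NOCACHE = 0x200  # Win32Protect bit present in the post's 0x204 (PAGE_READWRITE | PAGE_NOCACHE)

@dataclass
class Finding:
    driver: str
    offset: int               # physical address that was mapped (SectionOffset)
    size: int
    lifetime: Optional[float] # seconds between map and unmap; None if never unmapped
    nocache: bool             # PAGE_NOCACHE set, typical for device/physical memory views

def _event(line: str) -> Dict[str, object]:
    ts, rest = line.split(" ", 1)
    ev: Dict[str, object] = dict(re.findall(r"(\w+)=(\S+)", rest))
    ev["ts"], ev["op"] = float(ts), rest.split()[1]
    return ev

def _finding(m: Dict[str, object], lifetime: Optional[float]) -> Finding:
    return Finding(str(m["drv"]), int(str(m["offset"]), 16), int(str(m["size"]), 16),
                   lifetime, bool(int(str(m["prot"]), 16) & PAGE_NOCACHE))

def find_physmem_views(trace: str, max_lifetime: float = 0.01) -> List[Finding]:
    """Pair ZwMapViewOfSection/ZwUnmapViewOfSection on \\Device\\PhysicalMemory by VA.
    Returns transient views (unmapped within max_lifetime) followed by views still open."""
    open_views: Dict[str, Dict[str, object]] = {}  # va -> map event
    findings: List[Finding] = []
    for line in trace.splitlines():
        ev = _event(line)
        if ev["op"] == "ZwMapViewOfSection" and str(ev.get("section", "")).endswith("PhysicalMemory"):
            open_views[str(ev["va"])] = ev
        elif ev["op"] == "ZwUnmapViewOfSection" and str(ev["va"]) in open_views:
            m = open_views.pop(str(ev["va"]))
            lifetime = float(ev["ts"]) - float(m["ts"])
            if lifetime <= max_lifetime:  # mapped and torn down almost at once
                findings.append(_finding(m, lifetime))
    # Views never unmapped are the only ones a VAD walk would still catch.
    findings.extend(_finding(m, None) for m in open_views.values())
    return findings
```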