Detecting Physical Memory Mapping

Forum for discussion about kernel-mode development.
sdf90090
Posts: 1
Joined: Mon Jan 21, 2019 4:06 pm

Detecting Physical Memory Mapping

Post by sdf90090 » Mon Jan 21, 2019 4:14 pm

Hello,

Quick question: I'm analyzing a piece of code that is using a signed driver to read PhysicalMemory.

An IOCTL makes the driver map physical memory:

Code:

	/* ObjectAttributes is assumed to be initialized from DestinationString before this point (not shown in the excerpt) */
	RtlInitUnicodeString(&DestinationString, L"\\Device\\PhysicalMemory");
	ZwOpenSection(&hPhysicalMemory, 0xF001Fu /* SECTION_ALL_ACCESS */, &ObjectAttributes);
	ObReferenceObjectByHandle(hPhysicalMemory, 0xF001Fu, 0i64 /* ObjectType = NULL */, 0 /* AccessMode = KernelMode */, &Object, 0i64);
	ZwMapViewOfSection(hPhysicalMemory, 0xFFFFFFFFFFFFFFFFi64 /* ProcessHandle = NtCurrentProcess() */, pVirtualAddress, 0, dwSize, &paPhysAddr /* SectionOffset = physical address to map */, &dwSize2 /* ViewSize */, ViewShare, 0, 0x204u /* PAGE_READWRITE | PAGE_NOCACHE */);
But then there is a call right after to immediately unmap it. Is there a way to detect mappings of this type? Possibly through the VAD tree?

Thanks,
sdf

gandolf
Posts: 4
Joined: Fri Nov 08, 2013 2:55 pm

Re: Detecting Physical Memory Mapping

Post by gandolf » Thu Jan 24, 2019 3:19 am

VADs are only used to track usermode memory allocations. This code seems to be in kernel mode. If you are also somehow in the kernel, you could use an MDL to request a copy of the physical pages backing the virtual address returned by the ZwMapViewOfSection call.
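The thread asks how to detect a mapping that is created and torn down again within a single IOCTL. As an added example (not code from either poster), the C program below scans a constructed trace of ZwOpenSection / ZwMapViewOfSection / ZwUnmapViewOfSection calls for the sequence shown in the question: a section handle opened on \Device\PhysicalMemory, a view mapped through that handle, and the view unmapped again. How such a trace would be collected (a hooking driver, hypervisor introspection, or a tracing provider) is outside the thread and is assumed here; the Event struct, the names detect_physmem_maps, is_nocache_rw and run_sample, and the trace contents are all constructed for the example. The macro names spell out the magic numbers in the decompiled call: 0xF001F is SECTION_ALL_ACCESS, (HANDLE)-1 is NtCurrentProcess(), and 0x204 is PAGE_READWRITE | PAGE_NOCACHE.

```c
#include <inttypes.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constants behind the magic numbers in the decompiled call (values from winnt.h/ntddk.h). */
#define SECTION_ALL_ACCESS 0x000F001Fu
#define PAGE_READWRITE     0x00000004u
#define PAGE_NOCACHE       0x00000200u
#define NT_CURRENT_PROCESS UINT64_C(0xFFFFFFFFFFFFFFFF)   /* (HANDLE)-1 */
#define PHYSMEM_SECTION    "\\Device\\PhysicalMemory"

typedef enum { EV_OPEN_SECTION, EV_MAP_VIEW, EV_UNMAP_VIEW } EventKind;

/* One traced Zw* call (assumed trace format). Which fields matter depends on kind. */
typedef struct {
    EventKind   kind;
    uint64_t    section;   /* section handle: returned by open, passed to map */
    uint64_t    process;   /* ProcessHandle passed to map / unmap */
    uint64_t    base;      /* view base returned by map / passed to unmap */
    uint32_t    access;    /* DesiredAccess passed to open */
    uint32_t    protect;   /* Win32Protect passed to map */
    const char *name;      /* object name passed to open */
} Event;

typedef struct {
    uint64_t base;
    uint32_t protect;
    bool     current_process;  /* mapped with ProcessHandle == (HANDLE)-1 */
    bool     unmapped;         /* view torn down again later in the trace */
} Finding;

#define MAX_TRACKED 16

/* Correlate open -> map -> unmap for \Device\PhysicalMemory across the trace.
 * Returns the number of findings written to out (at most max_out). */
size_t detect_physmem_maps(const Event *ev, size_t n, Finding *out, size_t max_out)
{
    uint64_t physmem_handles[MAX_TRACKED];
    size_t nh = 0, nf = 0;

    for (size_t i = 0; i < n; i++) {
        const Event *e = &ev[i];
        switch (e->kind) {
        case EV_OPEN_SECTION:
            /* Remember every handle opened on the physical memory section. */
            if (e->name && strcmp(e->name, PHYSMEM_SECTION) == 0 && nh < MAX_TRACKED)
                physmem_handles[nh++] = e->section;
            break;
        case EV_MAP_VIEW:
            /* A map through one of those handles is the event of interest. */
            for (size_t h = 0; h < nh; h++) {
                if (physmem_handles[h] == e->section && nf < max_out) {
                    out[nf].base = e->base;
                    out[nf].protect = e->protect;
                    out[nf].current_process = (e->process == NT_CURRENT_PROCESS);
                    out[nf].unmapped = false;
                    nf++;
                }
            }
            break;
        case EV_UNMAP_VIEW:
            /* Mark the finding whose view base is being unmapped. */
            for (size_t f = 0; f < nf; f++)
                if (out[f].base == e->base)
                    out[f].unmapped = true;
            break;
        }
    }
    return nf;
}

/* True when the view uses the protection seen in the post (0x204). */
bool is_nocache_rw(uint32_t protect)
{
    return (protect & (PAGE_READWRITE | PAGE_NOCACHE)) == (PAGE_READWRITE | PAGE_NOCACHE);
}

/* Constructed trace: an unrelated section first, then the pattern from the question. */
size_t run_sample(Finding *out, size_t max_out)
{
    static const Event trace[] = {
        { EV_OPEN_SECTION, 0x80, 0, 0, SECTION_ALL_ACCESS, 0, "\\BaseNamedObjects\\SomeSharedMem" },
        { EV_MAP_VIEW,     0x80, NT_CURRENT_PROCESS, 0x1e0000, 0, PAGE_READWRITE, NULL },
        { EV_OPEN_SECTION, 0x84, 0, 0, SECTION_ALL_ACCESS, 0, PHYSMEM_SECTION },
        { EV_MAP_VIEW,     0x84, NT_CURRENT_PROCESS, 0x2f0000, 0, PAGE_READWRITE | PAGE_NOCACHE, NULL },
        { EV_UNMAP_VIEW,   0,    NT_CURRENT_PROCESS, 0x2f0000, 0, 0, NULL },
    };
    return detect_physmem_maps(trace, sizeof trace / sizeof trace[0], out, max_out);
}

int main(void)
{
    Finding found[8];
    size_t n = run_sample(found, 8);
    for (size_t i = 0; i < n; i++)
        printf("physmem view at 0x%" PRIx64 " protect=0x%x current_process=%d unmapped=%d\n",
               found[i].base, found[i].protect, found[i].current_process, found[i].unmapped);
    return 0;
}
```

Because the view is unmapped right after use, a scanner that inspects the address space at some later point sees nothing; keying the detection off the call sequence (open, map, unmap of the same section and base) rather than off the resulting memory state is what makes the transient mapping visible.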
