[g4mbit]

Hi all,

It used to be kind of easy to access pool memory on XP (for x86): http://www.kernelmode.info/forum/viewto ... =10&t=1279
You get the KdVersionBlock and then look at MmNonPagedPoolStart/MmNonPagedPoolEnd and MmPagedPoolStart/MmPagedPoolEnd

But for 7 (it might be similar for Vista and/or 8), it seems like some of theses values are NULL...

So, my question is how do I get theses values now?

[EP_X0FF]

Hi all,

It used to be kind of easy to access pool memory on XP (for x86): http://www.kernelmode.info/forum/viewto ... =10&t=1279
You get the KdVersionBlock and then look at MmNonPagedPoolStart/MmNonPagedPoolEnd and MmPagedPoolStart/MmPagedPoolEnd

But for 7 (it might be similar for Vista and/or 8), it seems like some of theses values are NULL...

So, my question is how do I get theses values now?

where do you see NULL's?

Code: Select all

lkd> dq KdDebuggerDataBlock l1
fffff800`0324c0a0  fffff800`032680e0
lkd> dt _LIST_ENTRY fffff800`032680e0
nt!_LIST_ENTRY
 [ 0xfffff800`0324c0a0 - 0xfffff800`0324c0a0 ]
   +0x000 Flink            : 0xfffff800`0324c0a0 _LIST_ENTRY [ 0xfffff800`032680e0 - 0xfffff800`032680e0 ]
   +0x008 Blink            : 0xfffff800`0324c0a0 _LIST_ENTRY [ 0xfffff800`032680e0 - 0xfffff800`032680e0 ]
lkd> dq 0xfffff800`0324c0a0+0x110 l1
fffff800`0324c1b0  fffff800`0330a0b8
lkd> dq MmNonPagedPoolStart l1
fffff800`0330a0b8  fffffa80`06bec000

[g4mbit]

On my Windows 7 x86 SP1, I get NULL values on MmNonPagedPoolEnd, MmPagedPoolEnd, MmSizeOfPagedPoolInBytes, MmPageSize.

Any ideas why I might these results?

[g4mbit]

Ok. So, this is going forward. Here is my progress so far on x86:

Code: Select all

PKPCR pKPCR;
PDBGKD_GET_VERSION64 kdVersion;
PVOID debugDataList;
PVOID list;
PKDDEBUGGER_DATA64 listEntry;
DBGKD_DEBUG_DATA_HEADER64 debugHeader;

pKPCR = __readfsdword(FIELD_OFFSET(KPCR, SelfPcr));
kdVersion = pKPCR->kdVersion;
debugDataList = kdVersion ->DebuggerDataList;
list = ULongToPtr(debugDataList);
listEntry = ULongToPtr(((PLIST_ENTRY64)list)->Flink);
debugHeader = listEntry->Header;
//debugHeader.OwnerTag is 4742444b (GBDK) -> KDBG: Debugger memory tag
//this way we know we are at the right place in memory

//listEntry->MmNonPagedPoolStart is 0x829112c that is pointing to 0x84101000
//listEntry->MmNonPagedPoolEnd is 0x00000000 ???
//listEntry->MmMaximumNonPagedPoolInBytes is 0x82981128 that is pointing to 0x2e4ff000, that seems pretty big for non pageable memory...
//listEntry->MmPagedPoolStart is 0x00000000 ???
//listEntry->MmPagedPoolEnd is 0x82981098 that is pointing to 0x00000000 ???

Theses last 4 values looks weird to me, especialy considering the values that were in XP (http://www.cs.miami.edu/~burt/journal/NT/memory.html)
What is going on here?

Thanks

[EP_X0FF]

Hello,

You can forget about them if you want to use XP-8.1. These variables are no longer valid because of Dynamic Kernel Addressing,
http://blogs.technet.com/b/askperf/arch ... dling.aspx
http://www.nynaeve.net/?p=261, see http://www.nirsoft.net/kernel_struct/vi ... _TYPE.html

If you want to find pool size for current session, it can be dumped from MM_SESSION_TYPE

Code: Select all

lkd> !sprocess
Dumping Session 0

_MM_SESSION_SPACE fffff880089a3000

Code: Select all

lkd> dt nt!_MM_SESSION_SPACE fffff880089a3000
   +0x000 ReferenceCount   : 0n39
   +0x004 u                : <unnamed-tag>
   +0x008 SessionId        : 0
   +0x00c ProcessReferenceToSession : 0n41
   +0x010 ProcessList      : _LIST_ENTRY [ 0xfffffa80`08b52d10 - 0xfffffa80`0afa8240 ]
   +0x020 LastProcessSwappedOutTime : _LARGE_INTEGER 0x0
   +0x028 SessionPageDirectoryIndex : 0x1e604b
   +0x030 NonPagablePages  : 0x55
   +0x038 CommittedPages   : 0x715
   +0x040 PagedPoolStart   : 0xfffff900`c0000000 Void
   +0x048 PagedPoolEnd     : 0xfffff920`bfffffff Void

[g4mbit]

MM_SESSION_SPACE seems to include PagedPoolStart and PagedPoolEnd, what about NonPagedPoolStart and NonPagedPoolEnd?

How can I get the non pageable memory start and end?

Thanks

[EP_X0FF]

MM_SESSION_SPACE seems to include PagedPoolStart and PagedPoolEnd, what about NonPagedPoolStart and NonPagedPoolEnd?

How can I get the non pageable memory start and end?

Thanks

You didn't read my previous post. There is no "fixed" sizes and locations of it.

[g4mbit]

I get that these particular variables are not usable anymore, but how/where does the kernel allocate non pageable memory then? It has to keep track of what has been allocated and where it can allocate new blocks, no?

[g4mbit]

To give a little bit of backstory of why I'm interested in these fields/structure. I'm interested in allocated memory by ExAllocatePoolWithTag and how the kernel actually keeps track of it? I mean, it is probabably in a list somewhere or in a block of contiguous memory (or not), but the kernel has to keep track of it somehow. Do you have any ideas?

Thanks

[EP_X0FF]

http://www.codemachine.com/article_x64kvas.html