A forum for reverse engineering, OS internals and malware analysis 

Forum for discussion about kernel-mode development.
 #32495  by sdf90090
 Mon Jan 21, 2019 4:14 pm

Quick question: I'm analyzing a piece of code that is using a signed driver to read PhysicalMemory.

An IOCTL makes the driver map physical memory:
Code:
	/* Decompiled fragment; the literals are documented SDK values:
	   0xF001F = SECTION_ALL_ACCESS, -1 = NtCurrentProcess(), 0x204 = PAGE_READWRITE | PAGE_NOCACHE */
	RtlInitUnicodeString(&DestinationString, L"\\Device\\PhysicalMemory");
	ZwOpenSection(&hPhysicalMemory, 0xF001Fu /* SECTION_ALL_ACCESS */, &ObjectAttributes);
	ObReferenceObjectByHandle(hPhysicalMemory, 0xF001Fu, 0i64 /* any object type */, 0 /* KernelMode */, &Object, 0i64);
	ZwMapViewOfSection(hPhysicalMemory, 0xFFFFFFFFFFFFFFFFi64 /* current process */, pVirtualAddress, 0, dwSize, &paPhysAddr, &dwSize2, ViewShare, 0, 0x204u /* PAGE_READWRITE | PAGE_NOCACHE */);
But then there is a call right after to immediately unmap it. Is there a way to detect mappings of this type? Possibly through the VAD tree?

 #32505  by gandolf
 Thu Jan 24, 2019 3:19 am
VADs are only used to track usermode memory allocations. This code seems to be in kernel mode; if you are also somehow in kernel mode, you could use an MDL to request a copy of the physical pages backing the virtual address returned by the ZwMapViewOfSection call.
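Added defender-side illustration, not code from this thread: the decompiled literals above are magic numbers, and the same device string plus section-mapping imports make a cheap static indicator for drivers that can map \Device\PhysicalMemory. The Python below decodes the two masks and scans a constructed stand-in image; the sample bytes and the heuristic are my own assumptions, not a real driver or anyone's detection rule.

```python
import re

# Constants from the decompiled call sites in the post: 0xF001F is the
# DesiredAccess given to ZwOpenSection, 0x204 the Win32Protect given to
# ZwMapViewOfSection. Bit values are the SDK definitions.
SECTION_ACCESS_BITS = {
    "SECTION_QUERY": 0x1, "SECTION_MAP_WRITE": 0x2, "SECTION_MAP_READ": 0x4,
    "SECTION_MAP_EXECUTE": 0x8, "SECTION_EXTEND_SIZE": 0x10,
    "STANDARD_RIGHTS_REQUIRED": 0xF0000,
}
PAGE_PROTECT_BITS = {"PAGE_READWRITE": 0x4, "PAGE_NOCACHE": 0x200}

# The device name reaches RtlInitUnicodeString as L"...", so it sits in the
# image as UTF-16LE; import names are plain ASCII.
PHYSMEM_DEVICE = "\\Device\\PhysicalMemory"
SECTION_APIS = (b"ZwOpenSection", b"ObReferenceObjectByHandle",
                b"ZwMapViewOfSection", b"ZwUnmapViewOfSection")

def decode_mask(value, table):
    """Split a flag word into named bits; leftover bits are reported as hex."""
    names = {name for name, bit in table.items() if (value & bit) == bit}
    rest = value & ~sum(table[n] for n in names)
    return names | ({hex(rest)} if rest else set())

def utf16le_ci(text):
    """Regex matching `text` as UTF-16LE, ignoring letter case (object
    manager names are case-insensitive)."""
    parts = []
    for ch in text:
        if ch.isalpha():
            parts.append(b"[" + ch.lower().encode() + ch.upper().encode() + b"]\x00")
        else:
            parts.append(re.escape(ch.encode()) + b"\x00")
    return re.compile(b"".join(parts))

def triage(image):
    """Report whether a driver image carries the PhysicalMemory-mapping pattern."""
    device_refs = [m.start() for m in utf16le_ci(PHYSMEM_DEVICE).finditer(image)]
    apis = [api.decode() for api in SECTION_APIS if api in image]
    return {"device_refs": device_refs, "apis": apis,
            "maps_physical_memory": bool(device_refs)
            and {"ZwOpenSection", "ZwMapViewOfSection"} <= set(apis)}

# Constructed stand-in for a driver image (NOT a real binary): header bytes,
# the device name as the driver stores it, then import-name-table strings.
SAMPLE_IMAGE = (b"MZ" + b"\x00" * 30
                + PHYSMEM_DEVICE.encode("utf-16-le") + b"\x00\x00" * 8
                + b"\x00".join(SECTION_APIS) + b"\x00")
```

A hit only says the driver has the capability; confirming the mapping itself still needs the kernel-side inspection gandolf describes, since the view is torn down immediately.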