A forum for reverse engineering, OS internals and malware analysis 

Forum for discussion about kernel-mode development.
 #31967  by easy
 Sun Aug 12, 2018 7:45 am
Hello, I want to scan all loaded kernel modules.
The problem is I don't know how to safely read unknown kernel memory.
So I enumerate the module list and read each section according to the PE header, excluding discardable ones.
For some modules (such as win32k) the read operation causes a reboot without a BSOD, but I can bypass it by attaching to any GUI process.
But for some others (for example, cdd.dll) it crashes in RtlImageHeader with PAGE_FAULT.
I tried IoAllocateMdl + MmProbeAndLockPages and it also causes a BSOD.
Any idea how to accomplish that?
 #31980  by Vrtule
 Mon Aug 13, 2018 2:33 pm
MmGetPhysicalAddress does not recognize memory that is currently stored in the page file only. Also, the documentation suggests you should not use this function for memory used for DMA operations.

As far as I know, there is no general way to safely read a block of kernel memory.
 #31981  by tangptr
 Tue Aug 14, 2018 3:35 am
Did you enclose your MmProbeAndLockPages call in an SEH block? This is essential when invoking it.
In addition, the result of MmGetPhysicalAddress is only valid for system-session addresses. Results from MmGetPhysicalAddress for DMA, win32-subsystem, user-mode, etc. memory are invalid.