[bananaking]

Hello

I want to signature scan inside these two modules, I get the base address through ZwQuerySystemInformation but get hit by a page fault when reading, I tried https://msdn.microsoft.com/en-us/librar ... s.85).aspx

[Vrtule]

Hello,

what exactly do you want to accomplish by a call to this routine (MmPageEntireDriver)? The routine makes the whole driver pageable; that means all of its code or data may be swapped out to paging file at any time. Additionaly, paged memory may be moved within the physical memory from one place to another.

Calling this routine on other drivers than yours does not make any sense to me. AFAIK, you can use this function (on your driver) to save some physical memory. That's all.

[bananaking]

Okay thanks, I am rather new to kernel coding that's why I posted in the newbie section, but do you know how I can make my driver able to read through the win32k.sys module? I have a kernel tool that can read it without debug mode on, just wondering what it does to be able to? I tried something simple like DbgPrint("%x", *(BYTE*)imageBase), which should print "4d".

[Vrtule]

Okay thanks, I am rather new to kernel coding that's why I posted in the newbie section, but do you know how I can make my driver able to read through the win32k.sys module? I have a kernel tool that can read it without debug mode on, just wondering what it does to be able to? I tried something simple like DbgPrint("%x", *(BYTE*)imageBase), which should print "4d".

I don't know how the win32k.sys things work on W8+ but till Windows 7, the driver was mapped only to processes owning at least one GUI thread. That menas, you can access the win32k.sys image in memory only when your code runs in the right process context.

[bananaking]

Okay thanks, I am rather new to kernel coding that's why I posted in the newbie section, but do you know how I can make my driver able to read through the win32k.sys module? I have a kernel tool that can read it without debug mode on, just wondering what it does to be able to? I tried something simple like DbgPrint("%x", *(BYTE*)imageBase), which should print "4d".

I don't know how the win32k.sys things work on W8+ but till Windows 7, the driver was mapped only to processes owning at least one GUI thread. That menas, you can access the win32k.sys image in memory only when your code runs in the right process context.

So if I KeStackAttachProcess on csrss.exe you think I'll be able to? I will try that anyway, thanks. I am using windows 10 btw

[Vrtule]

Yes, this approach should success unless the things changed since W7. I used a similar one on Vista-W7 (I enumerated processes via ZwQuerySystemInformation, extracted the GUI ones (EPROCESS->W32Process != NULL) and attached to one of them.

[bananaking]

Yes, this approach should success unless the things changed since W7. I used a similar one on Vista-W7 (I enumerated processes via ZwQuerySystemInformation, extracted the GUI ones (EPROCESS->W32Process != NULL) and attached to one of them.

Worked flawlessly ;) Thanks a lot