A forum for reverse engineering, OS internals and malware analysis 

Forum for discussion about kernel-mode development.
 #30608  by myid
 Tue Jul 18, 2017 6:23 am
Hi, everyone.
We all know that it's not safe to use MmIsAddressValid to test whether a kernel address is valid or not.
Is there a method to read any kernel address? If the address is not valid, it should return failure, not BSOD.
PS: It would be better if it were compatible with XP. Do not use hooks or VT-x/AMD-V.
 #30616  by tangptr
 Thu Jul 20, 2017 2:54 am
Check validity of its physical address related to specified virtual address via PTE.
Additionally, you may use MmCopyMemory in systems higher than or equal to Windows 8.1, or ZwSystemDebugControl in Windows XP.
Using Intel VT-x or AMD-V to hook KiPageFault may also be an appropriate method. However, you rejected using it.
 #30639  by myid
 Wed Jul 26, 2017 3:57 am
tangptr wrote:Check validity of its physical address related to specified virtual address via PTE.
Additionally, you may use MmCopyMemory in systems higher than or equal to Windows 8.1, or ZwSystemDebugControl in Windows XP.
Using Intel VT-x or AMD-V to hook KiPageFault may also be an appropriate method. However, you rejected using it.
Maybe your method is OK. But how can kernel memory be read safely on Vista, Win7 and Win8?
 #30667  by tangptr
 Wed Aug 02, 2017 6:36 pm
myid wrote:
tangptr wrote:Check validity of its physical address related to specified virtual address via PTE.
Additionally, you may use MmCopyMemory in systems higher than or equal to Windows 8.1, or ZwSystemDebugControl in Windows XP.
Using Intel VT-x or AMD-V to hook KiPageFault may also be an appropriate method. However, you rejected using it.
Maybe your method is OK. But how can kernel memory be read safely on Vista, Win7 and Win8?
You may analyze the page table in order to judge whether the specified address is valid or not.
For detailed information, you may refer to "Volume 3A, Chapter 4, Intel 64 and IA-32 Architectures Software Developer's Manual."
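The page-table check suggested in this thread, as an added example that is not part of any post: a user-mode C simulation of the 4-level (IA-32e) walk over a constructed table, stopping at the first entry whose Present bit is clear. The names `walk`, `probe_sample` and `phys` and every address are made up for illustration; in a real driver the tables can change between the check and the read, which this simulation does not model.

```c
#include <stdint.h>

#define PTE_P      0x1ULL                 /* bit 0: present */
#define PTE_PS     0x80ULL                /* bit 7: large page (PDPTE/PDE only) */
#define PTE_ADDR   0x000FFFFFFFFFF000ULL  /* bits 51:12: next table / page frame */
#define NOT_MAPPED UINT64_MAX
#define FRAMES     4

/* Constructed "physical memory": four 4 KiB frames holding the tables. */
static uint64_t phys[FRAMES][512];

/* Walk the 4-level hierarchy rooted at cr3; return the physical address,
 * or NOT_MAPPED as soon as any level is not present. */
uint64_t walk(uint64_t cr3, uint64_t va)
{
    uint64_t top = va >> 47;              /* bits 63:47 must be all 0 or all 1 */
    if (top != 0 && top != 0x1FFFF)
        return NOT_MAPPED;                /* non-canonical address */

    uint64_t table = cr3 & PTE_ADDR;
    for (int level = 3; level >= 0; level--) {   /* PML4, PDPT, PD, PT */
        int shift = 12 + 9 * level;
        if ((table >> 12) >= FRAMES)
            return NOT_MAPPED;            /* outside the simulated memory */
        uint64_t e = phys[table >> 12][(va >> shift) & 0x1FF];
        if (!(e & PTE_P))
            return NOT_MAPPED;            /* P=0: touching va would fault */
        if (level == 0 || (level <= 2 && (e & PTE_PS))) {
            uint64_t off = (1ULL << shift) - 1;  /* 4 KiB, 2 MiB or 1 GiB */
            return ((e & PTE_ADDR) & ~off) | (va & off);
        }
        table = e & PTE_ADDR;
    }
    return NOT_MAPPED;
}

/* Build the constructed tables (PML4 in frame 0) and translate one address. */
uint64_t probe_sample(uint64_t va)
{
    phys[0][0x1F0] = 0x1000 | PTE_P;            /* PML4E -> PDPT */
    phys[1][0]     = 0x2000 | PTE_P;            /* PDPTE -> PD   */
    phys[2][0]     = 0x3000 | PTE_P;            /* PDE   -> PT   */
    phys[2][1]     = 0x200000 | PTE_P | PTE_PS; /* PDE: 2 MiB large page */
    phys[3][1]     = 0x5000 | PTE_P;            /* PTE: present 4 KiB page */
    phys[3][2]     = 0x6000;                    /* PTE: P=0, not present */
    return walk(0, va);
}
```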
 #30809  by m5home
 Sat Sep 02, 2017 1:42 pm
Use MmGetPhysicalAddress to get the physical address of your virtual address; if it returns a non-zero value, use MmMapIoSpace to get a NEW virtual address and read it.
If you want to know more details about verifying whether a virtual address is valid or not, try reading the source code of Cheat Engine.
 #30812  by myid
 Sun Sep 03, 2017 2:31 am
m5home wrote:Use MmGetPhysicalAddress to get the physical address of your virtual address; if it returns a non-zero value, use MmMapIoSpace to get a NEW virtual address and read it.
If you want to know more details about verifying whether a virtual address is valid or not, try reading the source code of Cheat Engine.
That sounds like a good idea. I have read the source code of CE, and I noticed that it uses MmGetPhysicalAddress to test whether a VA is valid or not.