Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

mapping physical memory in system address space #26

Open
m0rethan3 opened this issue Aug 14, 2020 · 9 comments
Open

mapping physical memory in system address space #26

m0rethan3 opened this issue Aug 14, 2020 · 9 comments
Labels
question Further information is requested

Comments

@m0rethan3
Copy link

in my previous question #25 i described how i have access to kernel functions and system (kernel) address space.
is it possible to map all physical memory to system address space? im trying to not leave traces in usermode program such as very big mapped region.
my uc thread with code: https://www.unknowncheats.me/forum/general-programming-and-reversing/409449-mapping-physical-memory-system-address-space.html
as you can see my code in post on uc is not working as it should
is that even possible to do this?
@HoShiMin
Copy link
Owner

But what about ZwMapViewOfSection?
Anyway you can stuck with incompatible cache attributes: as physical memory regions have different cache attributes (for example, one is WriteBack and another one is Uncacheable) you're unable to map it as one region.

@HoShiMin HoShiMin added the question Further information is requested label Aug 14, 2020
@m0rethan3
Copy link
Author

as i know ZwMapViewOfSection maps memory to usermode address space and i tried it but im searching way to map it into system one to not leave traces in usermode

@HoShiMin
Copy link
Owner

Well, what about MmMapIoSpace? You can map physical memory without \Device\PhysicalMemory section.

@m0rethan3
Copy link
Author

MmMapIoSpace cannot map page tables such as PTE/PDE after win 10 1803 build

@HoShiMin
Copy link
Owner

But if you need them, you can use MmGetVirtualForPhysical. In other cases MmMapIoSpace works perfectly. Is it critical for you to map all physical memory as one contiguous region? For what?

@m0rethan3
Copy link
Author

because im using this library https://github.com/can1357/physical_mem_controller and dont want to rewrite code for appoach you described but it sounds good

@HoShiMin
Copy link
Owner

HoShiMin commented Aug 14, 2020
edited
Loading

What exactly are you want? If you need to read memory of another processes or system regions you should use MDL and only it. Can's library is VERY unsafe and unpredictable, so, don't use it. There are documented and valid ways to do you want and you don't need to map physical memory.

@m0rethan3
Copy link
Author

ok big thanks for explanation i think i'll try way you described

@HoShiMin
Copy link
Owner

HoShiMin commented Aug 14, 2020
edited
Loading

And, at last, you should remember that any work with physical memory is unsafe at all as pageable memory has a constant virtual base but can move in physical memory and even swap to a hard drive - in this case, even if you have a virtual address, there are no corresponding mapping in physical memory. And ALL usermode memory is pageable. So, you shouldn't work with physical memory directly.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
question Further information is requested
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@HoShiMin @m0rethan3