
mapping physical memory in system address space

Open · m0rethan3 opened this issue 5 years ago · 9 comments

In my previous question #25 I described how I have access to kernel functions and the system (kernel) address space. Is it possible to map all physical memory into the system address space? I'm trying not to leave traces in the usermode program, such as a very big mapped region. My UC thread with code: https://www.unknowncheats.me/forum/general-programming-and-reversing/409449-mapping-physical-memory-system-address-space.html. As you can see, my code in the post on UC is not working as it should. Is it even possible to do this?

m0rethan3, Aug 14 '20 18:08

But what about ZwMapViewOfSection?
Anyway, you can get stuck with incompatible cache attributes: since physical memory regions have different cache attributes (for example, one is WriteBack and another one is Uncacheable), you're unable to map them as one region.

HoShiMin, Aug 14 '20 18:08
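The cache-attribute problem HoShiMin raises is a planning step any driver that wants to map physical memory has to do before it touches a single page: walk the physical map and find out how many contiguous, same-attribute runs it actually breaks into. The C below is an added example written for this issue, not Kernel-Bridge code and not code from either participant. It runs on a normal host, the memory map is constructed (shaped loosely like a PC, with the uncached legacy VGA window and two MMIO pages near 4 GB), and the attribute enum is only modelled on the MEMORY_CACHING_TYPE values MmMapIoSpace accepts; nothing here calls the kernel.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Caching attribute of a physical range. Modelled on the MEMORY_CACHING_TYPE values
 * MmMapIoSpace accepts (MmNonCached, MmCached, MmWriteCombined); the enum itself is
 * constructed for this example. */
typedef enum {
    CACHE_UNCACHEABLE = 0,
    CACHE_WRITEBACK = 1,
    CACHE_WRITECOMBINED = 2
} cache_attr_t;

typedef struct {
    uint64_t base;     /* physical start address */
    uint64_t length;   /* size in bytes */
    cache_attr_t attr; /* attribute the range must be mapped with */
} phys_range_t;

/* Constructed sample map: low RAM, the uncached legacy VGA window, more RAM, and two
 * MMIO pages near 4 GB. Deliberately out of order and with adjacent same-attribute
 * pieces, to exercise both sorting and merging. */
static const phys_range_t sample_map[] = {
    {0x00000000u, 0x0009F000u, CACHE_WRITEBACK},
    {0x0009F000u, 0x00001000u, CACHE_WRITEBACK},   /* contiguous with the previous entry */
    {0x000A0000u, 0x00020000u, CACHE_UNCACHEABLE}, /* legacy VGA window */
    {0x000C0000u, 0x00040000u, CACHE_WRITEBACK},
    {0x00100000u, 0x7FF00000u, CACHE_WRITEBACK},   /* main RAM up to 2 GB */
    {0xFEE00000u, 0x00001000u, CACHE_UNCACHEABLE}, /* local APIC page */
    {0xFEC00000u, 0x00001000u, CACHE_UNCACHEABLE}, /* I/O APIC page, listed out of order */
};
static const size_t sample_map_len = sizeof sample_map / sizeof sample_map[0];

static int cmp_base(const void *a, const void *b) {
    const phys_range_t *x = a, *y = b;
    return (x->base > y->base) - (x->base < y->base);
}

/* Split a physical map into maximal runs that are both contiguous and share one
 * caching attribute. Each run is something a driver could map with a single
 * MmMapIoSpace call; a hole or an attribute change forces a new run.
 * Returns the number of runs written to out, -1 if two input ranges overlap
 * (an inconsistent map that must not be mapped at all), -2 if out is too small. */
int plan_mappings(const phys_range_t *in, size_t n, phys_range_t *out, size_t max_out) {
    if (n == 0) return 0;
    if (max_out == 0) return -2;
    phys_range_t *sorted = malloc(n * sizeof *sorted);
    if (!sorted) return -2;
    memcpy(sorted, in, n * sizeof *sorted);
    qsort(sorted, n, sizeof *sorted, cmp_base);

    size_t count = 1;
    out[0] = sorted[0];
    for (size_t i = 1; i < n; i++) {
        phys_range_t *cur = &out[count - 1];
        uint64_t cur_end = cur->base + cur->length;
        if (sorted[i].base < cur_end) { free(sorted); return -1; }   /* overlap */
        if (sorted[i].base == cur_end && sorted[i].attr == cur->attr) {
            cur->length += sorted[i].length;      /* extend the current run */
        } else {
            if (count == max_out) { free(sorted); return -2; }
            out[count++] = sorted[i];             /* start a new run */
        }
    }
    free(sorted);
    return (int)count;
}

/* The question the issue asks: can the whole map go into one region? Only if the
 * planner produces exactly one run. */
bool mappable_as_one_region(const phys_range_t *in, size_t n) {
    size_t cap = n ? n : 1;
    phys_range_t *tmp = malloc(cap * sizeof *tmp);
    if (!tmp) return false;
    int runs = plan_mappings(in, n, tmp, cap);
    free(tmp);
    return runs == 1;
}

int main(void) {
    static const char *names[] = {"Uncacheable", "WriteBack", "WriteCombined"};
    phys_range_t runs[16];
    int n = plan_mappings(sample_map, sample_map_len, runs, 16);
    printf("one region possible: %s, %d separate mapping(s) needed\n",
           mappable_as_one_region(sample_map, sample_map_len) ? "yes" : "no", n);
    for (int i = 0; i < n; i++)
        printf("  %#012llx - %#012llx  %s\n", (unsigned long long)runs[i].base,
               (unsigned long long)(runs[i].base + runs[i].length), names[runs[i].attr]);
    return 0;
}
```

On the constructed map the planner yields five runs, so a single-region mapping is off the table before any kernel call is made; the overlap check matters too, because a map that claims two attributes for the same page is exactly the kind of inconsistency that produces the conflicting-cache-type failures the comment refers to.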

As far as I know, ZwMapViewOfSection maps memory into the usermode address space, and I tried it, but I'm searching for a way to map it into the system one so as not to leave traces in usermode.

m0rethan3, Aug 14 '20 18:08

Well, what about MmMapIoSpace? You can map physical memory without the \Device\PhysicalMemory section.

HoShiMin, Aug 14 '20 18:08

MmMapIoSpace cannot map page tables such as PTE/PDE after the Win 10 1803 build.

m0rethan3, Aug 14 '20 18:08

But if you need them, you can use MmGetVirtualForPhysical. In other cases MmMapIoSpace works perfectly. Is it critical for you to map all physical memory as one contiguous region? For what?

HoShiMin, Aug 14 '20 18:08

Because I'm using this library https://github.com/can1357/physical_mem_controller and don't want to rewrite the code for the approach you described, but it sounds good.

m0rethan3, Aug 14 '20 18:08

What exactly do you want? If you need to read memory of other processes or system regions, you should use an MDL and only that. Can's library is VERY unsafe and unpredictable, so don't use it. There are documented and valid ways to do what you want, and you don't need to map physical memory.

HoShiMin, Aug 14 '20 19:08

OK, big thanks for the explanation. I think I'll try the way you described.

m0rethan3, Aug 14 '20 19:08

And, at last, you should remember that any work with physical memory is unsafe at all, as pageable memory has a constant virtual base but can move in physical memory and even be swapped out to a hard drive; in that case, even if you have a virtual address, there is no corresponding mapping in physical memory. And ALL usermode memory is pageable. So, you shouldn't work with physical memory directly.

HoShiMin, Aug 14 '20 19:08
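HoShiMin's closing caveat is easy to state and easy to get bitten by: the virtual address of a pageable page stays put, the frame behind it does not. The toy memory manager below is an added example written for this thread, not Kernel-Bridge code and not code from either participant. It is constructed host-side C that models only that one property (a page table, relocation of a page to another frame, and page-out to a backing store) so the failure mode can be shown concretely: a reader that cached a physical address keeps reading a frame that no longer belongs to the page, while a reader that translates through the virtual address on every access either sees the right data or learns that there is currently no physical mapping at all.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PAGE_SIZE  4096u
#define NUM_FRAMES 8u        /* physical frames in the toy machine */
#define NUM_VPAGES 4u        /* virtual pages of the one toy process */
#define PFN_NONE   0xFFFFFFFFu

/* Toy memory manager, constructed for this example. It models only the property the
 * comment relies on: a pageable virtual page keeps its address while the frame behind
 * it can be changed or dropped by the memory manager at any time. */
typedef struct {
    uint8_t  frames[NUM_FRAMES][PAGE_SIZE];
    bool     frame_used[NUM_FRAMES];
    uint32_t pte[NUM_VPAGES];             /* vpn -> pfn, or PFN_NONE when paged out */
    uint8_t  swap[NUM_VPAGES][PAGE_SIZE]; /* backing store for paged-out pages */
} machine_t;

void machine_init(machine_t *m) {
    memset(m, 0, sizeof *m);
    for (uint32_t v = 0; v < NUM_VPAGES; v++) m->pte[v] = PFN_NONE;
}

static uint32_t alloc_frame(machine_t *m) {
    for (uint32_t f = 0; f < NUM_FRAMES; f++)
        if (!m->frame_used[f]) { m->frame_used[f] = true; return f; }
    return PFN_NONE;
}

/* Fault the page in, filling it with a recognisable byte. */
bool map_page(machine_t *m, uint32_t vpn, uint8_t fill) {
    if (vpn >= NUM_VPAGES || m->pte[vpn] != PFN_NONE) return false;
    uint32_t f = alloc_frame(m);
    if (f == PFN_NONE) return false;
    memset(m->frames[f], fill, PAGE_SIZE);
    m->pte[vpn] = f;
    return true;
}

/* VA -> PA through the page table as it is *now*. Fails when the page is not
 * present, i.e. it currently has no physical mapping at all. */
bool translate(const machine_t *m, uint64_t va, uint64_t *pa) {
    uint32_t vpn = (uint32_t)(va / PAGE_SIZE);
    if (vpn >= NUM_VPAGES || m->pte[vpn] == PFN_NONE) return false;
    *pa = (uint64_t)m->pte[vpn] * PAGE_SIZE + va % PAGE_SIZE;
    return true;
}

/* Raw physical read: what a "map all physical memory" design ends up doing. */
uint8_t read_phys(const machine_t *m, uint64_t pa) {
    return m->frames[pa / PAGE_SIZE][pa % PAGE_SIZE];
}

/* Read through the virtual address, translating on every access. */
bool read_virt(const machine_t *m, uint64_t va, uint8_t *out) {
    uint64_t pa;
    if (!translate(m, va, &pa)) return false;
    *out = read_phys(m, pa);
    return true;
}

/* Memory manager moves the page to a different frame; the old frame is scrubbed
 * and returned to the free pool. The virtual address does not change. */
bool relocate_page(machine_t *m, uint32_t vpn) {
    if (vpn >= NUM_VPAGES || m->pte[vpn] == PFN_NONE) return false;
    uint32_t old = m->pte[vpn], fresh = alloc_frame(m);
    if (fresh == PFN_NONE) return false;
    memcpy(m->frames[fresh], m->frames[old], PAGE_SIZE);
    memset(m->frames[old], 0, PAGE_SIZE);
    m->frame_used[old] = false;
    m->pte[vpn] = fresh;
    return true;
}

/* Memory manager writes the page to the backing store and drops its frame. */
bool page_out(machine_t *m, uint32_t vpn) {
    if (vpn >= NUM_VPAGES || m->pte[vpn] == PFN_NONE) return false;
    uint32_t f = m->pte[vpn];
    memcpy(m->swap[vpn], m->frames[f], PAGE_SIZE);
    memset(m->frames[f], 0, PAGE_SIZE);
    m->frame_used[f] = false;
    m->pte[vpn] = PFN_NONE;
    return true;
}

int main(void) {
    machine_t m;
    machine_init(&m);
    uint64_t va = 1 * PAGE_SIZE + 0x10, pa = 0;
    map_page(&m, 1, 0x41);
    translate(&m, va, &pa);   /* cache the PA once, as a physical-memory reader would */
    relocate_page(&m, 1);
    uint8_t by_va = 0;
    read_virt(&m, va, &by_va);
    printf("after relocation: cached PA reads %#x, VA reads %#x\n",
           (unsigned)read_phys(&m, pa), (unsigned)by_va);
    page_out(&m, 1);
    printf("after page-out: VA translates? %s\n", translate(&m, va, &pa) ? "yes" : "no");
    return 0;
}
```

Translating on every access only narrows the window; it does not close it, because the page can still move between the translation and the read. That is why the MDL route recommended earlier in the thread is the right one: MmProbeAndLockPages pins the pages so they can neither move nor be paged out for as long as the MDL is held, which is the guarantee a physical-address reader never gets.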