Help required on Kernel memory reading
-
Hi all, I need to read a particular bit of kernel memory which will be owned by a device driver. I am using the ZwOpenSection and ZwMapViewOfSection APIs to map the particular page of kernel memory. But it returns only 'FF' in all bytes. But the same stuff works with pages other than those that are device-driver oriented. In a nutshell, I am just getting a device driver load address and trying to read the same address from the physical memory. But it simply shows 'FF' in all the bytes. Can you please share if you have any experiences in this regard. Thanks in advance. :)
Selva
-
1.) A valid kernel mode virtual address is always above 0x8000000
2.) Check that the ZwMapViewOfSection call is not returning error STATUS_CONFLICTING_ADDRESSES.
3.) See if this helps: http://support.microsoft.com/kb/189327

Best Wishes,
-Randor (David Delaune)
-
Thanks a lot, Randor. I have already referred to the link and I am proceeding in the same way. Actually my physical memory reading works for some other addresses but not for the addresses that are device-driver oriented. I have just calculated the cdrom.sys driver's load address and tried to read the same from the kernel memory. But it simply shows "FF" in all bytes :-( Any thoughts....
Selva