Help Needed !!!
-
Hi all, I am trying to read a particular bit in kernel memory. That page belongs to a driver, say cdrom.sys. Just before proceeding further, I just tried to read the contents of the physical memory where the driver is loaded, i.e. I found the driver load address and tried reading that location from kernel memory. But it simply returns 'FF'. Any thoughts? I am using ZwOpenSection to open the memory and lock the pages, then read. Is there any other way of doing it? Are there any tools which can read a kernel memory location? Thanks in advance.
Selva
-
It doesn't work because the OS is designed so that it doesn't work. User mode programs cannot access kernel mode areas except through the exposed interfaces. In general, those interfaces do not give direct access to the kernel area but copy kernel info into a user space address. The only time user mode can directly access kernel mode is with the help of a cooperating driver and, even then, user mode can only safely directly access the kernel area of the specific driver. General answer - can't do it.
Judy
-
Thanks for your reply, Judy. But I am reading the kernel only through a driver (created for physical memory reading). All the functions are returning true (analyzed through DbgView). Any thoughts?
Selva
Not without seeing your code and, even then, I probably can't provide too much help since this is something I haven't done. Also, your problem is probably in the driver, and drivers are not within the purview of this site. Try a driver development site. If you do go to a driver site, be warned: providing unfettered user access to kernel memory is highly frowned upon since it is a huge security hole and invites BSODs. There is almost always a better, safer way, and one of the first responses you will get will be "why this way instead of the proper way?".
Judy
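Judy's two replies make the same point: a cooperating driver may hand user mode a copy of data from its own kernel area, but a device that copies from whatever address the caller supplies is a hole. The block below is an added illustration of that difference and is not code from this thread or from any real driver. It is a user-mode model: the "kernel" regions are plain global arrays, the `read_request` layout is a hypothetical IOCTL input buffer, and the driver's image range stands in for what a WDM driver would know from its DriverObject. The range check is written with wraparound-safe arithmetic so that a huge length or an address at the top of the address space cannot slip past it.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-ins (assumption: not real kernel objects). In a real
 * WDM driver the image range would come from DriverObject->DriverStart and
 * DriverSize; here both "kernel" regions are globals so the check can be
 * compiled and run in user mode. */
unsigned char g_driver_image[256];                    /* the driver's own area */
unsigned char g_other_kernel_data[16] = "not-yours";  /* some other kernel data */

/* Hypothetical IOCTL input layout: where to read and how much. */
struct read_request {
    uintptr_t address;
    size_t length;
};

/* 'Before': trusts the caller's address outright. Anyone who can open the
 * device gets an arbitrary kernel read, the hole the thread warns about. */
bool handle_read_unchecked(const struct read_request *req,
                           unsigned char *out, size_t out_len)
{
    if (req->length > out_len)
        return false;
    memcpy(out, (const void *)req->address, req->length);
    return true;
}

/* 'After': only the driver's own image [base, base + image_size) is served,
 * and every addition is checked first so that a huge length or an address
 * near the top of the address space cannot wrap past the range test. */
bool read_within_driver_image(uintptr_t base, size_t image_size,
                              const struct read_request *req,
                              unsigned char *out, size_t out_len)
{
    uintptr_t image_end;

    if (req->length == 0 || req->length > out_len)
        return false;
    if (image_size > UINTPTR_MAX - base)          /* base + image_size wraps */
        return false;
    image_end = base + image_size;                /* one past the last byte */
    if (req->address < base || req->address >= image_end)
        return false;
    if (req->length > image_end - req->address)   /* would run off the end */
        return false;
    memcpy(out, (const void *)req->address, req->length);
    return true;
}

int main(void)
{
    unsigned char out[32];
    struct read_request probe = {
        (uintptr_t)g_other_kernel_data, sizeof g_other_kernel_data
    };
    uintptr_t base = (uintptr_t)g_driver_image;

    printf("unchecked handler serves a foreign address: %s\n",
           handle_read_unchecked(&probe, out, sizeof out) ? "yes" : "no");
    printf("range-checked handler serves it: %s\n",
           read_within_driver_image(base, sizeof g_driver_image, &probe,
                                    out, sizeof out) ? "yes" : "no");
    return 0;
}
```

The order of the checks matters: the caller's address is compared against the image bounds before any length arithmetic, and the remaining room is computed as `image_end - address` rather than `address + length`, so no sum can overflow. In a real driver the same shape applies, with the addition that the output buffer itself must be one the I/O manager has already validated for the caller.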