Mapping memory of another process
in [Win32 Kernel]
|
Prev: GetComputerObjectName() fails when called in auto-start serviceat boot time
Next: Windows 2003 Performance vs. Windows 2000
From: anton bassov on 14 Sep 2006 19:12 Arno, > Does NtMapViewOfSection help? I saw articles about writing into > portions of physical memory. Do you mean something like http://www.codeproject.com/system/soviet_kernel_hack.asp > Can I use it to map portions of the > virtual addresses of other processes? No. First of all, in order to translate the virtual addresses to the physical one, you need to get access to the page directory of the target process, plus to PTE that describes the page in question. Either (or even both) of them, as well as your target page, may be swapped to the disk at the time of your call, and you have no chance to load a page into RAM without Memory Manager's assistance. Furthermore, even if page directory of the target process is loaded in RAM at the time of your call, you have no chance to locate it in RAM ( although the article I mentioned shows how page directory of the caller process may be located) To summarize, the only thing you can do is to call ZwReadVirtualMemory() and ZwWriteVirtualMemory() - ReadProcessMemory() and WriteProcessMemory() are just kernel32 wrappers around these native calls Anton Bassov Arno Schoedl wrote: > Does NtMapViewOfSection help? I saw articles about writing into > portions of physical memory. Can I use it to map portions of the > virtual addresses of other processes? > > Arno
From: Tim Roberts on 15 Sep 2006 02:31 "Arno Schoedl" <aschoedl(a)think-cell.com> wrote: > >Does NtMapViewOfSection help? I saw articles about writing into >portions of physical memory. Can I use it to map portions of the >virtual addresses of other processes? No, because there is no guarantee that the memory of the other process is actually IN physical memory. -- - Tim Roberts, timr(a)probo.com Providenza & Boekelheide, Inc.
From: anton bassov on 15 Sep 2006 02:43 Tim, > No, because there is no guarantee that the memory of the other process is > actually IN physical memory. This is true . However, there is one more reason why the whole thing is impossible. For the purpose of this dicussion let's presume that everything is in RAM (page directory, target page and PTE that describes it). How would you find out that the given page maps to some certain virtual address in the address space of another process???? Anton Bassov Tim Roberts wrote: > "Arno Schoedl" <aschoedl(a)think-cell.com> wrote: > > > >Does NtMapViewOfSection help? I saw articles about writing into > >portions of physical memory. Can I use it to map portions of the > >virtual addresses of other processes? > > No, because there is no guarantee that the memory of the other process is > actually IN physical memory. > -- > - Tim Roberts, timr(a)probo.com > Providenza & Boekelheide, Inc.
From: Arkady Frenkel on 15 Sep 2006 05:26 Obvioulsy, sorry for typo Arkady "Arnie" <none> wrote in message news:uFGyafC2GHA.2196(a)TK2MSFTNGP06.phx.gbl... > "Arno Schoedl" <aschoedl(a)think-cell.com> wrote in message > news:1158246230.774415.325910(a)p79g2000cwp.googlegroups.com... >> What do you mean? >> >> Arno >> > > I think Arkady probably meant: > > You CAN'T do that directly because of protection mode Win32 use for that > > - Arnie >
From: Piotr Wyderski on 16 Sep 2006 13:17
anton bassov wrote: > http://www.codeproject.com/system/soviet_kernel_hack.asp Is it a "hack"? You need to be an administrator to access physical memory, but if you are an administrator, then there are far easier methods to reach that goal, e.g. a driver... Best regards Piotr Wyderski |