kagali-san

Reputation: 3082

Windows: accessing driver memory from userspace (read only) - possible?

Is it possible in the Win7 family to read a random known location in the lower 4 GB of RAM from a userspace application? The memory at that location is allocated by a kernel driver.

Upvotes: 0

Views: 547

Answers (2)

Damon

Reputation: 70126

I would seriously hope that this is not possible, neither under Windows 7 nor any (reasonably recent, such as NT/2k) previous version.

If this was possible, any unprivileged random snippet of executable code that gets on your computer somehow could trivially compromise system security, for example by reading out the drive encryption key, or authentication data of users as they log in, and whatnot.

It would not make any sense to run a web browser under a limited user account. Any exploit could just read sensitive information from memory anyway: what programs are running, which users are logged in (and other info such as credentials and encryption keys), what the firewall settings are, etc.

Of course, as Sergius said, you can always install a driver and remap memory regions so they are accessible, but there's not much the OS can do against that if you've allowed the installation of a driver. That's why that annoying little "do you really want?" box pops up.

Upvotes: 2

Sergey Podobry

Reputation: 7189

As far as I know, it is impossible without a driver's help in Win7. From a driver you can map the required memory into a user-mode address space or provide an IOCTL for memory reading.

Upvotes: 1
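The answer above mentions a driver-provided IOCTL for memory reading. As an added example (not part of the original answers, and portable C rather than WDK code), this models the validation such a handler needs so that it can only return bytes from the driver's own buffer; `read_req_t`, `handle_read_ioctl`, the status codes and the buffer contents are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical request a user-mode caller passes in with the read IOCTL. */
typedef struct {
    uint32_t offset;  /* byte offset into the driver's own buffer */
    uint32_t length;  /* number of bytes requested */
} read_req_t;

enum { RD_OK = 0, RD_BAD_REQUEST = -1, RD_OUT_OF_RANGE = -2, RD_SMALL_OUTPUT = -3 };

/* Stand-in for memory the driver allocated (constructed sample data). */
static const uint8_t g_driver_buf[] = "DRIVER-OWNED-MEM";

/* Models the body of a read-only IOCTL handler. in_len/out_len stand for the
   buffer lengths the I/O manager reports for the request. */
int handle_read_ioctl(const void *in_buf, size_t in_len,
                      void *out_buf, size_t out_len, size_t *written)
{
    read_req_t req;

    *written = 0;
    if (in_buf == NULL || in_len < sizeof req)
        return RD_BAD_REQUEST;
    memcpy(&req, in_buf, sizeof req);   /* snapshot once; never re-read caller data */
    if (req.length == 0)
        return RD_BAD_REQUEST;
    /* Overflow-safe range check: offset + length is never computed. */
    if (req.offset > sizeof g_driver_buf ||
        req.length > sizeof g_driver_buf - req.offset)
        return RD_OUT_OF_RANGE;
    if (out_buf == NULL || out_len < req.length)
        return RD_SMALL_OUTPUT;
    memcpy(out_buf, g_driver_buf + req.offset, req.length);
    *written = req.length;
    return RD_OK;
}

int main(void)
{
    read_req_t req = { 7, 5 };          /* asks for the bytes "OWNED" */
    uint8_t out[8];
    size_t n;
    return handle_read_ioctl(&req, sizeof req, out, sizeof out, &n) == RD_OK ? 0 : 1;
}
```

The handler takes an offset into one driver-owned allocation rather than an address, so the caller never chooses which kernel memory is read.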
