Reputation: 1382
Reading RAM data from particular location using Driver?
i am trying to read RAM data from 0x00000001 and copy it to a file in hard disk (just learning!) so i wrote this and compiled and ran it
#include <ntddk.h>
void DriverUnload(PDRIVER_OBJECT pDriverObject)
{
DbgPrint("Driver Unloaded!");
}
NTSTATUS DriverEntry(PDRIVER_OBJECT DriverObject, PUNICODE_STRING RegistryPath)
{
DWORD *pointer;
pointer = 0x00000001;
DriverObject->DriverUnload = DriverUnload;
DbgPrint("Driver Loaded!\n");
DbgPrint("Data at 0x00000000 is %x\n",*pointer);
return STATUS_SUCCESS;
}
so i got BSOD Luckily i was running this using my Vmware :-) i always thought that only app programs didn't have rights to read from memory directly.
Now my question is does Driver use direct physical address or virtual address??? i mean what type of value does &pointer return a physical or virtual as in case of driver programming(Ring 1 or 2).i know Ring 3 app will return virtual address. and yeah i have already starting reading driver books just wanted to know quicker.
Upvotes: 0
Views: 452
Answers (1)
Reputation: 4426
No, the kernel uses virtual addresses. This doesn't have to do with rings, they only affect the page access right. If you want to gain access to physical addresses, have a look to "MmMapIoSpace" (here) kernel function.The returned pointer is suitable for memory access.
Upvotes: 1
Related Questions
- Read Kernel Memory from user mode WITHOUT driver
- Accessing kernel memory from user mode (Windows)
- Reading a process memory
- Read from any ram address directly?
- WIndows Driver to retrieve address of newly added RAM
- Write to physical memory address
- Kernel driver check if memory is mapped (BugCheck 0xC2)
- C++: Dump RAM contents
- Get ram manufacturer
- Checking RAM Bays (Windows API)