Physical Memory Mapper

[The Dude of Dudes]

After much reading and BSODing my computer, I've completed a Driver that permits direct access to Physical Memory from user mode. It works by directly modifying the Page Table entry of a committed  memory block in the process space to point to any Physical page, while maintaining the access rights of the process memory.  It's similar to the PhysicalMemory object,  but isn't restricted in write access.  The source is documented. There's a driver installer, uninstaller and UseMemPhys.exe that demonstrates how to use the driver.   :dance:



[attachment deleted by admin]

[Opcode]

Very interesting work !   :U

Regards,
Opcode

[pbrennick]

Very interesting, indeed.  I am interested in knowing where you obtained the following;

include ntstatus.inc
include ntddk.inc
include ntoskrnl.inc
include w2kundoc.inc

include strings.mac
includelib ntoskrnl.lib

Thanks,
Paul

[The Dude of Dudes]

They're from Four-F's KMD Kit.



[attachment deleted by admin]

[pbrennick]

Oh yeah, that was where I read about the Kernel Mode Driver, I had all but forgotten that.  :bdg

Paul

[chetnik]

Very nice, great job  :U   :cheekygreen: :cheekygreen:

[AeroASM]

Why would you need to use physical memory?

[Bieb]

For fun, of course!

[The Dude of Dudes]

I wanted to make something semi-useful with my driver, so I wrote a Memory Editor that uses it to view/change physical and process specific virtual memory. Had a lot of fun making it!  :toothy

Attachment changed Feb 26 (bugfix)

[attachment deleted by admin]

[six_L]

 :U :U :U

I guess you are FOUR-F.

best regards.

[six_L]

it has a bit scarcity.

• 1. it can be terminated by other process (ring3).
• 2. if it unconventionally exited, next time it can't run (msg: specified server has already existed.)  for running, we must use Kernel-mode Driver manager to Stop, Unregister.

regards.

[The Dude of Dudes]

it has a bit scarcity.

    * 1. it can be terminated by other process (ring3).
    * 2. if it unconventionally exited, next time it can't run (msg: specified server has already existed.)  for running, we must use Kernel-mode Driver manager to Stop, Unregister.

#2 - Thanks for pointing that out! I've fixed the problem and updated the attachment!  :U

#1 - Not excactly sure what you mean. Can you be more specific?

[six_L]

The Dude of Dudes,
hello,
Thanks you for paying attention to my test.
the second scarcity be figured out very good. I hope your MemPhys Editor is running like system process lsass.exe, can't be terminate by user Process.

there is the Process Manager v1.01 that can terminate your MemPhys Editor.
the Process Manager v1.01 has two errors(user, size), but it can terminate user Process. 


regards.


[attachment deleted by admin]

[The Dude of Dudes]

Six_L,

Try this version....  :cheekygreen:


P.S. - only for WinXP, will probably crash other versions


Edit - I've removed the attachment. I believe it borders on the edge of the forum rules, and I wish to keep the peace!  :bg

[six_L]

The Dude of Dudes,
Ok, you used the Hide Process technique. it is ghastfulness. your MemPhys Editor should like system process lsass.exe.   Could you append the source code?
another scarcity:

• if i selected the Physical Address, gave 0, it showed 0-ff0 the datas of this addresses; if gave 11, it still showed 0-ff0 the datas of this addresses. I think it should show the datas of the 11-----(11+ff0) addresses.
• the datas of this addresses can be saved a txt file.

[/b]
however, it is a great work.
:U :U :U

regards.