Windows System Software -- Consulting, Training, Development -- Unique Expertise, Guaranteed Results


Can the entire physical memory be read by kernel mode programs or drivers?

joetoe Member Posts: 12

Is there any part of physical memory which no program or software can read? Do current systems (PCs where you can Windows 10 etc.) have such protection mechanism?

Comments

  • anton_bassov Member Posts: 5,036

    Is there any part of physical memory which no program or software can read?

    There may be certain "holes" that are reserved by the firmware. As far as the OS software is concerned, these ranges simply don't exist - they are marked as either reserved or nonexistent ones on the memory map that is provided to the OS by the firmware, so that the OS knows that it should not try to make any use of them. However, if you are just desperate to read such "non-existent" range anyway, technically there is nothing that can stand in your way - as long as you are in the kernel mode you can always map it into the virtual memory and access it by the CPU.

    Certainly, the outcome of this "adventure" is unpredictable and may manifest itself as anything from simply having no effect (like always getting zeroed or 0xFFed results no matter what) to the hung system, but this is already a different story....

    Anton Bassov
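    Anton's point above about firmware-reserved "holes", as an added example that is not from this thread: a C routine that classifies a physical range against a firmware memory map before a driver would consider mapping it, so reserved and undescribed ranges are refused instead of being mapped blind. The E820-style table and the entry types are constructed sample data, not a real machine's map.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed sample memory map in the E820 style (base, length, type).
 * A real table comes from the firmware; these values are made up. */
typedef enum { MEM_USABLE = 1, MEM_RESERVED = 2 } mem_type;
typedef struct { uint64_t base, length; mem_type type; } mem_range;

static const mem_range g_map[] = {
    { 0x00000000ULL, 0x0009FC00ULL, MEM_USABLE   },  /* low RAM */
    { 0x0009FC00ULL, 0x00000400ULL, MEM_RESERVED },  /* firmware data */
    { 0x00100000ULL, 0x7FF00000ULL, MEM_USABLE   },  /* main RAM */
    { 0xFEC00000ULL, 0x00001000ULL, MEM_RESERVED },  /* MMIO window */
};
#define MAP_LEN (sizeof g_map / sizeof g_map[0])

typedef enum { PHYS_USABLE, PHYS_RESERVED, PHYS_HOLE, PHYS_SPANS } phys_class;

/* Classify the physical range [pa, pa+len) against the map. A range lying
 * wholly inside one entry takes that entry's type; one crossing an entry
 * boundary (or only partly overlapping an entry) is SPANS; one touching no
 * entry at all is a HOLE the firmware never described to the OS. */
phys_class classify_phys(uint64_t pa, uint64_t len)
{
    if (len == 0 || len > UINT64_MAX - pa)   /* empty or wrapping range */
        return PHYS_SPANS;
    uint64_t end = pa + len;                 /* exclusive end */
    int overlaps = 0;
    for (size_t i = 0; i < MAP_LEN; i++) {
        uint64_t b = g_map[i].base, e = b + g_map[i].length;
        if (pa >= b && end <= e)             /* fully contained */
            return g_map[i].type == MEM_USABLE ? PHYS_USABLE : PHYS_RESERVED;
        if (pa < e && end > b)               /* partial overlap */
            overlaps = 1;
    }
    return overlaps ? PHYS_SPANS : PHYS_HOLE;
}

/* A driver should map only ranges the firmware reported as usable RAM;
 * everything else is refused rather than accessed with unpredictable results. */
int safe_to_map(uint64_t pa, uint64_t len)
{
    return classify_phys(pa, len) == PHYS_USABLE;
}

int main(void)
{
    static const char *names[] = { "usable", "reserved", "hole", "spans" };
    uint64_t probes[] = { 0x1000, 0x9FC00, 0xA0000, 0x9F000, 0xFEC00000ULL };
    for (size_t i = 0; i < 5; i++)
        printf("%#10llx: %s\n", (unsigned long long)probes[i],
               names[classify_phys(probes[i], 0x1000)]);
    return 0;
}
```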

  • Pavel_A Member Posts: 2,681
  • Peter_Viscarola_(OSR) Administrator Posts: 7,378

    Memory that no (taking "no" as its strict definition) program or software can read is not useful. I mean... If no software can read it, what would the purpose of it being there? Decoration?

    I'm afraid you're going to have to be a bit more clear. What is it you really want to know?

    Peter

    Peter Viscarola
    OSR
    @OSRDrivers

  • anton_bassov Member Posts: 5,036

    If no software can read it, what would the purpose of it being there? Decoration?

    The above logic applies only if we decide to lump the software and the firmware together, and refer to them both with the broadly-defined term "software". Otherwise, there may be, indeed, some situations when one would want the memory to be inaccessible to the software, at least on an x86-based system. For example, consider the memory that is meant to be accessed by the CPU only in the system-management mode, i.e. by the SMI handler.....

    Anton Bassov

  • joetoe Member Posts: 12

    You answered my question very well. Thank you so much. That was what I wanted to know. I was wondering if the Windows kernel or some sort of rootkit malware can load into a protected area of the physical memory to protect themselves against reversing etc.

    @Peter_Viscarola_(OSR) said:
    Memory that no (taking "no" as its strict definition) program or software can read is not useful. I mean... If no software can read it, what would the purpose of it being there? Decoration?

    I'm afraid you're going to have to be a bit more clear. What is it you really want to know?

    Peter

  • anton_bassov Member Posts: 5,036

    I was wondering if the Windows kernel or some sort of rootkit malware can load into a protected area of the physical memory to protect themselves against reversing etc.

    Theoretically, yes. You may want to check the following links for more details

    https://www.blackhat.com/docs/us-15/materials/us-15-Domas-The-Memory-Sinkhole-Unleashing-An-x86-Design-Flaw-Allowing-Universal-Privilege-Escalation-wp.pdf

    http://www.eecs.ucf.edu/~czou/research/SMM-Rootkits-Securecom08.pdf

    Anton Bassov

  • Peter_Viscarola_(OSR) Administrator Posts: 7,378

    As Mr. Pavel_A said... you may want to explore enclaves.

    Those are, of course, accessible to modules within the enclave, not memory "no software can read."

    Peter

    Peter Viscarola
    OSR
    @OSRDrivers

  • anton_bassov Member Posts: 5,036

    As Mr. Pavel_A said... you may want to explore enclaves.

    Well, I would say that the enclaves, as well as any other VT-based approach, would be more appropriate if the OP wanted to place his highly sensitive code/data in some memory area that is inaccessible to unauthorised components. However, this is not what the OP is asking about. He made it clear that he is asking whether a rootkit can place itself in some protected memory area in order to avoid detection. Therefore, his question is obviously related to SMM, rather than to hardware-assisted virtualisation.

    In any case, we are not helping him to write a rootkit, are we.....

    Anton Bassov

  • anton_bassov Member Posts: 5,036

    ......hardware-assisted virtualisation.

    Duh!!!! I meant Software Guard Extensions (SGX), rather than VT....

    Anton Bassov

  • Peter_Viscarola_(OSR) Administrator Posts: 7,378

    /sound of crickets chirping

    (that's the sound of me... not taking Anton's bait)

    Peter Viscarola
    OSR
    @OSRDrivers
