Can the entire physical memory be read by kernel mode programs or drivers?

Is there any part of physical memory which no program or software can read? Do current systems (PCs where you can run Windows 10 etc.) have such a protection mechanism?

Is there any part of physical memory which no program or software can read?

There may be certain “holes” that are reserved by the firmware. As far as the OS software is concerned, these ranges simply don’t exist - they are marked as either reserved or nonexistent ones on the memory map that is provided to the OS by the firmware, so that the OS knows that it should not try to make any use of them. However, if you are just desperate to read such a “non-existent” range anyway, technically there is nothing that can stand in your way - as long as you are in the kernel mode you can always map it into the virtual memory and access it by the CPU.

Certainly, the outcome of this “adventure” is unpredictable and may manifest itself as anything from simply having no effect (like always getting zeroed or 0xFFed results no matter what) to a hung system, but this is already a different story…

Anton Bassov
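The point above, that the firmware memory map is the only thing telling the OS which physical ranges are RAM, reserved, or simply undescribed, can be turned into a concrete check. The following is an added example, not code from the thread or from any of its participants: a user-mode C sketch that classifies a requested physical range against an E820-style map before anyone tries to map it. The map contents are constructed to resemble a typical PC layout (the legacy hole below 1 MiB, an ACPI region, reserved space below 4 GiB); the function and enum names are my own.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Range types as reported by an E820-style firmware memory map.
 * Numeric values follow the E820 convention:
 * 1 = usable RAM, 2 = reserved, 3 = ACPI reclaimable, 4 = ACPI NVS. */
enum mem_type { MEM_USABLE = 1, MEM_RESERVED = 2, MEM_ACPI_RECLAIM = 3, MEM_ACPI_NVS = 4 };

struct mem_entry { uint64_t base; uint64_t len; enum mem_type type; };

/* Verdict for a physical range a driver is thinking about touching. */
enum verdict {
    RANGE_USABLE,    /* entirely inside usable RAM: safe to treat as memory   */
    RANGE_RESERVED,  /* entirely inside firmware-reserved/ACPI ranges: leave it */
    RANGE_UNMAPPED,  /* at least one byte lies in a hole the map never describes */
    RANGE_MIXED      /* spans usable and non-usable regions                     */
};

/* Constructed sample map (not from the thread): low RAM, the legacy hole
 * between 0xA0000 and 0xF0000, main RAM, an ACPI NVS block, an undescribed
 * MMIO gap below 4 GiB, a reserved block, then RAM above 4 GiB.
 * Entries are sorted and non-overlapping, as a sane firmware map should be. */
static const struct mem_entry sample_map[] = {
    { 0x0000000000000000ULL, 0x000000000009F000ULL, MEM_USABLE   },
    { 0x000000000009F000ULL, 0x0000000000001000ULL, MEM_RESERVED },
    { 0x00000000000F0000ULL, 0x0000000000010000ULL, MEM_RESERVED },
    { 0x0000000000100000ULL, 0x000000007FEE0000ULL, MEM_USABLE   },
    { 0x000000007FFE0000ULL, 0x0000000000020000ULL, MEM_ACPI_NVS },
    { 0x00000000FEC00000ULL, 0x0000000001400000ULL, MEM_RESERVED },
    { 0x0000000100000000ULL, 0x0000000080000000ULL, MEM_USABLE   },
};
static const size_t sample_map_len = sizeof sample_map / sizeof sample_map[0];

/* Walk the map and consume [base, base+len) from left to right.
 * A hole anywhere in the request wins (RANGE_UNMAPPED), because that is
 * exactly the case where reads may return 0x00/0xFF or hang the machine. */
enum verdict classify_phys_range(const struct mem_entry *map, size_t n,
                                 uint64_t base, uint64_t len)
{
    uint64_t end, cursor = base;
    int seen_usable = 0, seen_other = 0;

    if (len == 0 || base > UINT64_MAX - len)   /* empty or wrapping request */
        return RANGE_UNMAPPED;
    end = base + len;

    while (cursor < end) {
        const struct mem_entry *hit = NULL;
        for (size_t i = 0; i < n; i++) {
            if (cursor >= map[i].base && cursor < map[i].base + map[i].len) {
                hit = &map[i];
                break;
            }
        }
        if (!hit)
            return RANGE_UNMAPPED;              /* cursor sits in an undescribed hole */
        if (hit->type == MEM_USABLE) seen_usable = 1; else seen_other = 1;
        cursor = hit->base + hit->len;          /* jump past this entry */
    }
    if (seen_usable && seen_other) return RANGE_MIXED;
    return seen_usable ? RANGE_USABLE : RANGE_RESERVED;
}

/* Convenience wrapper over the constructed map. */
enum verdict classify_sample(uint64_t base, uint64_t len)
{
    return classify_phys_range(sample_map, sample_map_len, base, len);
}

static const char *verdict_name(enum verdict v)
{
    switch (v) {
    case RANGE_USABLE:   return "usable RAM";
    case RANGE_RESERVED: return "firmware-reserved";
    case RANGE_UNMAPPED: return "undescribed hole";
    default:             return "mixed";
    }
}

int main(void)
{
    const struct { uint64_t base, len; } probes[] = {
        { 0x00100000ULL, 0x1000 },    /* start of main RAM        */
        { 0x000F0000ULL, 0x10000 },   /* legacy BIOS ROM shadow   */
        { 0x000C0000ULL, 0x1000 },    /* inside the undescribed hole */
        { 0x0009E000ULL, 0x2000 },    /* straddles RAM and EBDA   */
    };
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++)
        printf("0x%llx + 0x%llx -> %s\n",
               (unsigned long long)probes[i].base, (unsigned long long)probes[i].len,
               verdict_name(classify_sample(probes[i].base, probes[i].len)));
    return 0;
}
```

On Windows the driver-side equivalent of the constructed map is the physical-range list the kernel exposes through MmGetPhysicalMemoryRanges, which reflects the OS’s own view of what the firmware reported as RAM; the check above is the reasoning, not a replacement for that call.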

Enclaves :wink:

Memory that no (taking “no” as its strict definition) program or software can read is not useful. I mean… If no software can read it, what would the purpose of it being there? Decoration?

I’m afraid you’re going to have to be a bit more clear. What is it you really want to know?

Peter

If no software can read it, what would the purpose of it being there? Decoration?

The above logic applies only if we decide to lump the software and the firmware together, and refer to them both with the broadly-defined term “software”. Otherwise, there may be, indeed, some situations when one would want the memory to be inaccessible to the software, at least on x86-based systems. For example, consider the memory that is meant to be accessed by the CPU only in the system-management mode, i.e. by the SMI handler…

Anton Bassov

You answered my question very well. Thank you so much. That was what I wanted to know. I was wondering if the Windows kernel or some sort of rootkit malware can load into a protected area of the physical memory to protect themselves against reversing etc.

@“Peter_Viscarola_(OSR)” said:
Memory that no (taking “no” as its strict definition) program or software can read is not useful. I mean… If no software can read it, what would the purpose of it being there? Decoration?

I’m afraid you’re going to have to be a bit more clear. What is it you really want to know?

Peter

I was wondering if the Windows kernel or some sort of rootkit malware can load into a protected area of the physical memory to protect themselves against reversing etc.

Theoretically, yes. You may want to check the following links for more details

https://www.blackhat.com/docs/us-15/materials/us-15-Domas-The-Memory-Sinkhole-Unleashing-An-x86-Design-Flaw-Allowing-Universal-Privilege-Escalation-wp.pdf

http://www.eecs.ucf.edu/~czou/research/SMM-Rootkits-Securecom08.pdf

Anton Bassov

As Mr. Pavel_A said… you may want to explore enclaves.

Those are, of course, accessible to modules within the enclave, not memory “no software can read.”

Peter

As Mr. Pavel_A said… you may want to explore enclaves.

Well, I would say that the enclaves, as well as any other VT-based approach, would be more appropriate if the OP wanted to place his highly sensitive code/data in some memory area that is inaccessible to unauthorised components. However, this is not what the OP is asking about. He made it clear that he is asking whether a rootkit can place itself in some protected memory area in order to avoid detection. Therefore, his question is obviously related to SMM, rather than to hardware-assisted virtualisation.

In any case, we are not helping him to write a rootkit, are we…

Anton Bassov

…hardware-assisted virtualisation.

Duh!!! I meant Software Guard Extensions (SGX), rather than VT…

Anton Bassov

/sound of crickets chirping

(that’s the sound of me… not taking Anton’s bait)