How to access memory using the physical address

NTDEV
21

Gary,

rereading my yesterdays answer to the question
“What do you gain by having credentials entered before the GINA has
control”
I now see that it was misleading - I tend to skip things that are clear to
me.

=> restart:

IF “having credentials entered before the GINA has controI” WOULD BE part
of a
sector-based encryption product (either by fabulous firmware or by an ugly
disk filter
driver - I know of no product doing this thru the file system)
THEN you cannot boot (an encrypted boot volume) with wrong credentials
(because
the disk encryption key will not be retrieved).
If you can (boot, because your preboot credentials are ok),
the SSO is just a “side-effect” then.

I did never intend to discuss disk encryption and the various problems that
arise.
It’s just the only useful application in combination with preboot
authentication and sso
I personally know of.

Now please don’t make me doubt my English if it’s still unclear.

Regards
Else

|---------±-------------------------------->
| | xxxxx@seagate.|
| | com |
| | Sent by: |
| | bounce-235132-16691@li|
| | sts.osr.com |
| | |
| | |
| | 01/17/2006 06:59 PM |
| | Please respond to |
| | “Windows System |
| | Software Devs Interest|
| | List” |
|---------±-------------------------------->
>-----------------------------------------------------------------------------------------------------------|
| |
| To: “Windows System Software Devs Interest List” |
| cc: |
| Subject: RE: [ntdev] How to access memory using the physical address (Unsigned Mail) |
>-----------------------------------------------------------------------------------------------------------|

I cannot boot? I dare say a few minutes with minimal tools, possibly only
an XP install disc, booting to the repair console will resolve that
problem and allow me access to that “un-bootable” disc. Sector based Disc
Encryption from a file system driver, while possible, is difficult. Do you
encrypt the MBR? Many solutions swap the MBR around and some of those have
ended in unreadable systems or security failures. How do you handle the
page file, dump_atapi.sys?

This is easier solved by using a disc with Full Disc Encryption firmware
following the new ATA spec coming out of the T13 committee. Failing the
password on that disc will not even permit you to read the MBR, preventing
ANY access to the disc or system, if it is the boot disc.

The personal opinion of
Gary G. Little

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of
xxxxx@utimaco.de
Sent: Tuesday, January 17, 2006 11:24 AM
To: Windows System Software Devs Interest List
Subject: Re:[ntdev] How to access memory using the physical address

“What do you gain by having credentials entered before the GINA
has control”

You cannot boot - a desired effect of sector based Disk Encryption.
If you can (because your preboot credentials are ok), the SSO is
just a “side-effect” then.

Else

22

Hello guy, you are doing what I am doing :slight_smile:

Regards,
ZG [@ Sydney]
Windows Driver Developer

“GrepAll” wrote in message news:xxxxx@ntdev…
>
> Yes, I do want to implement a sector based encrption.
>
> 1. “First, not all ppl just use Windows. Multi-OS on one computer is
> very
> common.”
> It supports only one Windows system. This can be mentioned in the User
> Manual.
>
> 2. " I dare say a few minutes with minimal tools, possibly only an XP
> install disc, booting to the repair console will resolve that problem and
> allow me access to that “un-bootable” disc. "
> Since the whole disk is encrypted, except the MBR which is stored in the
> sector other than 0, and the encrypt-key is protected by the SmartCard. I
> don’t think it is easy to read any data from the disk.
>
> 3. “What happens if user A logs in, then logs out, and user B wants to log
> in?
> Does the machine need to be rebooted?”
> I’m thinking on it.
>
> 4. “Also, please spell out “you” and “are”.”
> OK. Advice accepted!
>
> 5. “There is no guarantee that your memory address will not be
> overwritten.”
> I think it’s safe if I keep the data in the lowest 1MB of physical memory.
> http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/Booko
> fSP1/e0f862a3-cf16-4a48-bea5-f2004d12ce35.mspx
>
> GrepAll
>
> -----Original Message-----
> From: xxxxx@lists.osr.com
> [mailto:xxxxx@lists.osr.com] On Behalf Of Peter Scott
> Sent: Wednesday, January 18, 2006 1:53 AM
> To: Windows System Software Devs Interest List
> Subject: RE: [ntdev] How to access memory using the physical address
>
>
>
> Right, the poster did not mention sector based encryption, this is a
> completely different animal, so to speak.
>
> Pete
>
> Kernel Drivers
> Windows Filesystem and Device Driver Consulting www.KernelDrivers.com
> (303)546-0300
>
>
> -----Original Message-----
> From: xxxxx@lists.osr.com
> [mailto:xxxxx@lists.osr.com] On Behalf Of Else Kluger
> Sent: Tuesday, January 17, 2006 10:24 AM
> To: Windows System Software Devs Interest List
> Subject: Re:[ntdev] How to access memory using the physical address
>
> “What do you gain by having credentials entered before the GINA has
> control”
>
> You cannot boot - a desired effect of sector based Disk Encryption.
> If you can (because your preboot credentials are ok), the SSO is just a
> “side-effect” then.
>
> Else
>
>
> |---------±-------------------------------->
> | | “Bill McKenzie” |
> | | > | | net> |
> | | Sent by: |
> | | bounce-235093-16691@li|
> | | sts.osr.com |
> | | |
> | | |
> | | 01/17/2006 03:25 PM |
> | | Please respond to |
> | | “Windows System |
> | | Software Devs Interest|
> | | List” |
> |---------±-------------------------------->
>
>>-----------------------------------------------------------------------
>>----
> --------------------------------|
> |
> |
> | To: “Windows System Software Devs Interest List”
> |
> | cc:
> |
> | Subject: Re:[ntdev] How to access memory using the physical
> address (Unsigned Mail) |
>
>>-----------------------------------------------------------------------
>>----
> --------------------------------|
>
>
>
>
> To what end? What do you gain by having credentials entered before the
> GINA
> has control? Through a custom GINA it is possible to establish secure
> network connections before Windows login, there is support for dealing
> with
>
> Smart cards and such, and you can even customize the Windows login UI if
> more info is needed at login. Essentially, Winlogon is up and running
> about
> as early in the OS load process as you could ever want a network
> connection,
> so I am curious as to the need for any pre-OS handoff.
>
> Bill M.
>
> “ZG” wrote in message news:xxxxx@ntdev…
>> As I know, SafeBoot and SecureDoc have done this. I think there are
>> some people who want this feature otherwise these companies will not
> survive.
>>
>> –
>>
>> Regards,
>> ZG [@ Sydney]
>> Windows Driver Developer
>>
>>
>> “Bill McKenzie” wrote in message
>> news:xxxxx@ntdev…
>> This is not the way to implement single sign-on. You need to read up
>> on the Microsoft Gina DLL and Gina-stub DLLs. The user does have to
>> successfully login to the WIndows platform 1 time, but that is the
>> only requirement. From that point on, the user’s credentials can be
>> cached for
>
>> pre-Windows login network verification. If you have more restrictive
>> requirements, it might be interesting to explain those further.
>> However,
>
>> the GINA method has worked for the biggest names in PC platform
>> production, so I can’t imagine the customer for whom this is not
>> sufficient. Playing hand-off from a boot loader or some such to the
>> OS, is not a great idea.
>>
>> Bill M.
>> “GrepAll” wrote in message news:xxxxx@ntdev…
>> Hi,
>>
>> It’s not a platform, either a device.
>>
>> I want implement pre-boot verification function. That is, user should
>> enter his password before Windows starts, and by sharing the buffer,
>> the driver could get the password to implement single-sign-on (in fact
>> it’s useless for password verification, but it’s useful for other
> verification,
>> SmartCard verification for example.).
>>
>> In my research, there is about 32kb size space which Windows won’t
>> rewrite, and it’s enough as my buffer. Or we just forget the “won’t be
>> rewritten” suppose, I’m interested in how to access memory by physical
>> address.
>>
>> I check the DDK document, u r right, MmMapIoSpace is not obsolete. But
> the
>> HalTranslateBusAddress is obsolete. Could you please tell me how to
>> initialize the PHYSICAL_ADDRESS with a linear physical address? I’m
>> not
> so
>> familar with driver development. Thanks!
>>
>> GrepAll
>>
>>
>>
>>
>>
>> From: xxxxx@lists.osr.com
>> [mailto:xxxxx@lists.osr.com] On Behalf Of Mark Roddy
>> Sent: Tuesday, January 17, 2006 12:02 PM
>> To: Windows System Software Devs Interest List
>> Subject: RE: [ntdev] How to access memory using the physical address
>>
>>
>> Massively small font there.
>>
>> MmMapIoSpace is not obsolete, but that is the least of your problems.
> That
>> “suppose the buffer won’t be rewritten” part, for physical memory
>> owned
> by
>> the OS, is a huge problem. How do you suppose that is going to happen?
> You
>> initialize the PHYSICAL_ADDRESS with the linear physical address of
>> the buffer that you suppose won’t be rewritten. What exactly are you
>> bootstrapping? A platform? A device?
>> =====================
>> Mark Roddy DDK MVP
>> Windows 2003/XP/2000 Consulting
>> Hollis Technology Solutions 603-321-1032 www.hollistech.com
>>
>>
>>
>>
>>
>> From: xxxxx@lists.osr.com
>> [mailto:xxxxx@lists.osr.com] On Behalf Of GrepAll
>> Sent: Monday, January 16, 2006 8:56 PM
>> To: Windows System Software Devs Interest List
>> Subject: [ntdev] How to access memory using the physical address
>>
>>
>> Hi, all
>>
>> I’m trying to access memory by the physical address in my driver. The
>> reason why I do this is I need to get data from my bootstrap code. In
>> the
>
>> bootstrap code, I first enter the 386 Protected Mode and then write
>> some important data to a buffer (identified by the physical address),
>> at last jump back to the original bootstrap code. Suppose the buffer
>> won’t be re-written, how can I read the content of the buffer in my
>> WinXP driver module?
>>
>> I’ve read about MmMapIoSpace function, but I don’t know how to
>> initialize
>
>> the PHYSICAL_ADDRESS parameter, and it seems this function is obsolete.
>>
>> Any suggestion is welcome. Thanks,
>> GrepAll
>>
>> —
>> Questions? First check the Kernel Driver FAQ at
>> http://www.osronline.com/article.cfm?id=256
>>
>> You are currently subscribed to ntdev as: unknown lmsubst tag argument:
> ‘’
>> To unsubscribe send a blank email to xxxxx@lists.osr.com
>>
>> —
>> Questions? First check the Kernel Driver FAQ at
>> http://www.osronline.com/article.cfm?id=256
>>
>> You are currently subscribed to ntdev as: unknown lmsubst tag argument:
> ‘’
>> To unsubscribe send a blank email to xxxxx@lists.osr.com
>>
>>
>
>
>
> —
> Questions? First check the Kernel Driver FAQ at
> http://www.osronline.com/article.cfm?id=256
>
> You are currently subscribed to ntdev as: xxxxx@utimaco.de To
> unsubscribe send a blank email to xxxxx@lists.osr.com
>
>
>
> —
> Questions? First check the Kernel Driver FAQ at
> http://www.osronline.com/article.cfm?id=256
>
> You are currently subscribed to ntdev as: xxxxx@kerneldrivers.com To
> unsubscribe send a blank email to xxxxx@lists.osr.com
>
>
>
>
> —
> Questions? First check the Kernel Driver FAQ at
> http://www.osronline.com/article.cfm?id=256
>
> You are currently subscribed to ntdev as: JungleKnight@163.com To
> unsubscribe send a blank email to xxxxx@lists.osr.com
>
>
>
>
>
>

23

Lots of trouble. Wish you good luck. :slight_smile:

GrepAll

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of ZG
Sent: Thursday, January 19, 2006 4:00 PM
To: Windows System Software Devs Interest List
Subject: Re:[ntdev] How to access memory using the physical address

Hello guy, you are doing what I am doing :slight_smile:

Regards,
ZG [@ Sydney]
Windows Driver Developer

“GrepAll” wrote in message news:xxxxx@ntdev…
>
> Yes, I do want to implement a sector based encrption.
>
> 1. “First, not all ppl just use Windows. Multi-OS on one computer is
> very common.”
> It supports only one Windows system. This can be mentioned in the User
> Manual.
>
> 2. " I dare say a few minutes with minimal tools, possibly only an XP
> install disc, booting to the repair console will resolve that problem
> and allow me access to that “un-bootable” disc. "
> Since the whole disk is encrypted, except the MBR which is stored in
> the sector other than 0, and the encrypt-key is protected by the
> SmartCard. I don’t think it is easy to read any data from the disk.
>
> 3. “What happens if user A logs in, then logs out, and user B wants to
> log in?
> Does the machine need to be rebooted?”
> I’m thinking on it.
>
> 4. “Also, please spell out “you” and “are”.”
> OK. Advice accepted!
>
> 5. “There is no guarantee that your memory address will not be
> overwritten.”
> I think it’s safe if I keep the data in the lowest 1MB of physical memory.
> http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library
> /Booko fSP1/e0f862a3-cf16-4a48-bea5-f2004d12ce35.mspx
>
> GrepAll
>
> -----Original Message-----
> From: xxxxx@lists.osr.com
> [mailto:xxxxx@lists.osr.com] On Behalf Of Peter Scott
> Sent: Wednesday, January 18, 2006 1:53 AM
> To: Windows System Software Devs Interest List
> Subject: RE: [ntdev] How to access memory using the physical address
>
>
>
> Right, the poster did not mention sector based encryption, this is a
> completely different animal, so to speak.
>
> Pete
>
> Kernel Drivers
> Windows Filesystem and Device Driver Consulting www.KernelDrivers.com
> (303)546-0300
>
>
> -----Original Message-----
> From: xxxxx@lists.osr.com
> [mailto:xxxxx@lists.osr.com] On Behalf Of Else Kluger
> Sent: Tuesday, January 17, 2006 10:24 AM
> To: Windows System Software Devs Interest List
> Subject: Re:[ntdev] How to access memory using the physical address
>
> “What do you gain by having credentials entered before the GINA has
> control”
>
> You cannot boot - a desired effect of sector based Disk Encryption.
> If you can (because your preboot credentials are ok), the SSO is just
> a “side-effect” then.
>
> Else
>
>
> |---------±-------------------------------->
> | | “Bill McKenzie” |
> | | > | | net> |
> | | Sent by: |
> | | bounce-235093-16691@li|
> | | sts.osr.com |
> | | |
> | | |
> | | 01/17/2006 03:25 PM |
> | | Please respond to |
> | | “Windows System |
> | | Software Devs Interest|
> | | List” |
> |---------±-------------------------------->
>
>>----------------------------------------------------------------------
>>-
>>----
> --------------------------------|
> |
> |
> | To: “Windows System Software Devs Interest List”
> |
> | cc:
> |
> | Subject: Re:[ntdev] How to access memory using the physical
> address (Unsigned Mail) |
>
>>----------------------------------------------------------------------
>>-
>>----
> --------------------------------|
>
>
>
>
> To what end? What do you gain by having credentials entered before
> the GINA has control? Through a custom GINA it is possible to
> establish secure network connections before Windows login, there is
> support for dealing with
>
> Smart cards and such, and you can even customize the Windows login UI
> if more info is needed at login. Essentially, Winlogon is up and
> running about as early in the OS load process as you could ever want a
> network connection, so I am curious as to the need for any pre-OS
> handoff.
>
> Bill M.
>
> “ZG” wrote in message news:xxxxx@ntdev…
>> As I know, SafeBoot and SecureDoc have done this. I think there are
>> some people who want this feature otherwise these companies will not
> survive.
>>
>> –
>>
>> Regards,
>> ZG [@ Sydney]
>> Windows Driver Developer
>>
>>
>> “Bill McKenzie” wrote in message
>> news:xxxxx@ntdev…
>> This is not the way to implement single sign-on. You need to read up
>> on the Microsoft Gina DLL and Gina-stub DLLs. The user does have to
>> successfully login to the WIndows platform 1 time, but that is the
>> only requirement. From that point on, the user’s credentials can be
>> cached for
>
>> pre-Windows login network verification. If you have more restrictive
>> requirements, it might be interesting to explain those further.
>> However,
>
>> the GINA method has worked for the biggest names in PC platform
>> production, so I can’t imagine the customer for whom this is not
>> sufficient. Playing hand-off from a boot loader or some such to the
>> OS, is not a great idea.
>>
>> Bill M.
>> “GrepAll” wrote in message news:xxxxx@ntdev…
>> Hi,
>>
>> It’s not a platform, either a device.
>>
>> I want implement pre-boot verification function. That is, user should
>> enter his password before Windows starts, and by sharing the buffer,
>> the driver could get the password to implement single-sign-on (in
>> fact it’s useless for password verification, but it’s useful for
>> other
> verification,
>> SmartCard verification for example.).
>>
>> In my research, there is about 32kb size space which Windows won’t
>> rewrite, and it’s enough as my buffer. Or we just forget the “won’t
>> be rewritten” suppose, I’m interested in how to access memory by
>> physical address.
>>
>> I check the DDK document, u r right, MmMapIoSpace is not obsolete.
>> But
> the
>> HalTranslateBusAddress is obsolete. Could you please tell me how to
>> initialize the PHYSICAL_ADDRESS with a linear physical address? I’m
>> not
> so
>> familar with driver development. Thanks!
>>
>> GrepAll
>>
>>
>>
>>
>>
>> From: xxxxx@lists.osr.com
>> [mailto:xxxxx@lists.osr.com] On Behalf Of Mark Roddy
>> Sent: Tuesday, January 17, 2006 12:02 PM
>> To: Windows System Software Devs Interest List
>> Subject: RE: [ntdev] How to access memory using the physical address
>>
>>
>> Massively small font there.
>>
>> MmMapIoSpace is not obsolete, but that is the least of your problems.
> That
>> “suppose the buffer won’t be rewritten” part, for physical memory
>> owned
> by
>> the OS, is a huge problem. How do you suppose that is going to happen?
> You
>> initialize the PHYSICAL_ADDRESS with the linear physical address of
>> the buffer that you suppose won’t be rewritten. What exactly are you
>> bootstrapping? A platform? A device?
>> =====================
>> Mark Roddy DDK MVP
>> Windows 2003/XP/2000 Consulting
>> Hollis Technology Solutions 603-321-1032 www.hollistech.com
>>
>>
>>
>>
>>
>> From: xxxxx@lists.osr.com
>> [mailto:xxxxx@lists.osr.com] On Behalf Of GrepAll
>> Sent: Monday, January 16, 2006 8:56 PM
>> To: Windows System Software Devs Interest List
>> Subject: [ntdev] How to access memory using the physical address
>>
>>
>> Hi, all
>>
>> I’m trying to access memory by the physical address in my driver. The
>> reason why I do this is I need to get data from my bootstrap code. In
>> the
>
>> bootstrap code, I first enter the 386 Protected Mode and then write
>> some important data to a buffer (identified by the physical address),
>> at last jump back to the original bootstrap code. Suppose the buffer
>> won’t be re-written, how can I read the content of the buffer in my
>> WinXP driver module?
>>
>> I’ve read about MmMapIoSpace function, but I don’t know how to
>> initialize
>
>> the PHYSICAL_ADDRESS parameter, and it seems this function is obsolete.
>>
>> Any suggestion is welcome. Thanks,
>> GrepAll
>>
>> —
>> Questions? First check the Kernel Driver FAQ at
>> http://www.osronline.com/article.cfm?id=256
>>
>> You are currently subscribed to ntdev as: unknown lmsubst tag argument:
> ‘’
>> To unsubscribe send a blank email to xxxxx@lists.osr.com
>>
>> —
>> Questions? First check the Kernel Driver FAQ at
>> http://www.osronline.com/article.cfm?id=256
>>
>> You are currently subscribed to ntdev as: unknown lmsubst tag argument:
> ‘’
>> To unsubscribe send a blank email to
>> xxxxx@lists.osr.com
>>
>>
>
>
>
> —
> Questions? First check the Kernel Driver FAQ at
> http://www.osronline.com/article.cfm?id=256
>
> You are currently subscribed to ntdev as: xxxxx@utimaco.de To
> unsubscribe send a blank email to xxxxx@lists.osr.com
>
>
>
> —
> Questions? First check the Kernel Driver FAQ at
> http://www.osronline.com/article.cfm?id=256
>
> You are currently subscribed to ntdev as: xxxxx@kerneldrivers.com To
> unsubscribe send a blank email to xxxxx@lists.osr.com
>
>
>
>
> —
> Questions? First check the Kernel Driver FAQ at
> http://www.osronline.com/article.cfm?id=256
>
> You are currently subscribed to ntdev as: JungleKnight@163.com To
> unsubscribe send a blank email to xxxxx@lists.osr.com
>
>
>
>
>
>


Questions? First check the Kernel Driver FAQ at
http://www.osronline.com/article.cfm?id=256

You are currently subscribed to ntdev as: JungleKnight@163.com To
unsubscribe send a blank email to xxxxx@lists.osr.com

24

Another method use Native Api ,like He4 rootkit :slight_smile:

In the 32bit translate function:
ULONG LinearAddressToPhysicalAddress(ULONG lAddress)
{
unsigned int *pAddr;
unsigned int *PageDirectoryEntry = (unsigned int *) 0xC0300000;
unsigned int *PageTableEntry = (unsigned int *) 0xC0000000;

if((!(PageDirectoryEntry[lAddress >> 22] & 0xFFFFF000))
&& (!(PageDirectoryEntry[lAddress >> 22] & 0x00000001)))
{
return 0;
}

pAddr = (unsigned int *) ((int)PageTableEntry + ((lAddress & 0xFFFFF000) >>
10));
if((*pAddr) & 1)
{
return ((*pAddr) & 0xFFFFF000) | (lAddress & 0x00000FFF);
}

return 0;
}

void PhysicalAddressToLinearAddress(ULONG pAddress)
{
int i,j;
unsigned int *pAddr;
unsigned int *PageDirectoryEntry = (unsigned int *) 0xC0300000;
unsigned int *PageTableEntry = (unsigned int *) 0xC0000000;

for(i = 0;i < 1024;i++)
{
if((PageDirectoryEntry[i] & 0xFFFFF000) && (PageDirectoryEntry[i] &
0x00000001))
{
for(j = 0;j < 1024;j++)
{
pAddr = (unsigned int *)((int)PageTableEntry + i*4096 + j*4);

if((*pAddr) & 0x00000001)
{
if(((*pAddr) & 0xFFFFF000) == (pAddress & 0xFFFFF000))
{
DbgPrint(“%08X\n”,((i*4*1024*1024 + j*4*1024) & 0xFFFFF000) |
(pAddress & 0x00000FFF));
}
}
}
}
}
}

“Else Kluger” ??? news:xxxxx@ntdev…
> “What do you gain by having credentials entered before the GINA
> has control”
>
> You cannot boot - a desired effect of sector based Disk Encryption.
> If you can (because your preboot credentials are ok), the SSO is
> just a “side-effect” then.
>
> Else
>
>
> |---------±-------------------------------->
> | | “Bill McKenzie” |
> | | > | | net> |
> | | Sent by: |
> | | bounce-235093-16691@li|
> | | sts.osr.com |
> | | |
> | | |
> | | 01/17/2006 03:25 PM |
> | | Please respond to |
> | | “Windows System |
> | | Software Devs Interest|
> | | List” |
> |---------±-------------------------------->
>
>---------------------------------------------------------------------------
--------------------------------|
> |
|
> | To: “Windows System Software Devs Interest List”
|
> | cc:
|
> | Subject: Re:[ntdev] How to access memory using the physical
address (Unsigned Mail) |
>
>---------------------------------------------------------------------------
--------------------------------|
>
>
>
>
> To what end? What do you gain by having credentials entered before the
> GINA
> has control? Through a custom GINA it is possible to establish secure
> network connections before Windows login, there is support for dealing
with
>
> Smart cards and such, and you can even customize the Windows login UI if
> more info is needed at login. Essentially, Winlogon is up and running
> about
> as early in the OS load process as you could ever want a network
> connection,
> so I am curious as to the need for any pre-OS handoff.
>
> Bill M.
>
> “ZG” wrote in message news:xxxxx@ntdev…
> > As I know, SafeBoot and SecureDoc have done this. I think there are some
> > people who want this feature otherwise these companies will not survive.
> >
> > –
> >
> > Regards,
> > ZG [@ Sydney]
> > Windows Driver Developer
> >
> >
> > “Bill McKenzie” wrote in message
> > news:xxxxx@ntdev…
> > This is not the way to implement single sign-on. You need to read up on
> > the Microsoft Gina DLL and Gina-stub DLLs. The user does have to
> > successfully login to the WIndows platform 1 time, but that is the only
> > requirement. From that point on, the user’s credentials can be cached
for
>
> > pre-Windows login network verification. If you have more restrictive
> > requirements, it might be interesting to explain those further.
However,
>
> > the GINA method has worked for the biggest names in PC platform
> > production, so I can’t imagine the customer for whom this is not
> > sufficient. Playing hand-off from a boot loader or some such to the OS,
> > is not a great idea.
> >
> > Bill M.
> > “GrepAll” wrote in message news:xxxxx@ntdev…
> > Hi,
> >
> > It’s not a platform, either a device.
> >
> > I want implement pre-boot verification function. That is, user should
> > enter his password before Windows starts, and by sharing the buffer, the
> > driver could get the password to implement single-sign-on (in fact it’s
> > useless for password verification, but it’s useful for other
> verification,
> > SmartCard verification for example.).
> >
> > In my research, there is about 32kb size space which Windows won’t
> > rewrite, and it’s enough as my buffer. Or we just forget the “won’t be
> > rewritten” suppose, I’m interested in how to access memory by physical
> > address.
> >
> > I check the DDK document, u r right, MmMapIoSpace is not obsolete. But
> the
> > HalTranslateBusAddress is obsolete. Could you please tell me how to
> > initialize the PHYSICAL_ADDRESS with a linear physical address? I’m not
> so
> > familar with driver development. Thanks!
> >
> > GrepAll
> >
> >
> >
> >
> >
> > From: xxxxx@lists.osr.com
> > [mailto:xxxxx@lists.osr.com] On Behalf Of Mark Roddy
> > Sent: Tuesday, January 17, 2006 12:02 PM
> > To: Windows System Software Devs Interest List
> > Subject: RE: [ntdev] How to access memory using the physical address
> >
> >
> > Massively small font there.
> >
> > MmMapIoSpace is not obsolete, but that is the least of your problems.
> That
> > “suppose the buffer won’t be rewritten” part, for physical memory owned
> by
> > the OS, is a huge problem. How do you suppose that is going to happen?
> You
> > initialize the PHYSICAL_ADDRESS with the linear physical address of the
> > buffer that you suppose won’t be rewritten. What exactly are you
> > bootstrapping? A platform? A device?
> > =====================
> > Mark Roddy DDK MVP
> > Windows 2003/XP/2000 Consulting
> > Hollis Technology Solutions 603-321-1032
> > www.hollistech.com
> >
> >
> >
> >
> >
> > From: xxxxx@lists.osr.com
> > [mailto:xxxxx@lists.osr.com] On Behalf Of GrepAll
> > Sent: Monday, January 16, 2006 8:56 PM
> > To: Windows System Software Devs Interest List
> > Subject: [ntdev] How to access memory using the physical address
> >
> >
> > Hi, all
> >
> > I’m trying to access memory by the physical address in my driver. The
> > reason why I do this is I need to get data from my bootstrap code. In
the
>
> > bootstrap code, I first enter the 386 Protected Mode and then write some
> > important data to a buffer (identified by the physical address), at last
> > jump back to the original bootstrap code. Suppose the buffer won’t be
> > re-written, how can I read the content of the buffer in my WinXP driver
> > module?
> >
> > I’ve read about MmMapIoSpace function, but I don’t know how to
initialize
>
> > the PHYSICAL_ADDRESS parameter, and it seems this function is obsolete.
> >
> > Any suggestion is welcome. Thanks,
> > GrepAll
> >
> > —
> > Questions? First check the Kernel Driver FAQ at
> > http://www.osronline.com/article.cfm?id=256
> >
> > You are currently subscribed to ntdev as: unknown lmsubst tag argument:
> ‘’
> > To unsubscribe send a blank email to xxxxx@lists.osr.com
> >
> > —
> > Questions? First check the Kernel Driver FAQ at
> > http://www.osronline.com/article.cfm?id=256
> >
> > You are currently subscribed to ntdev as: unknown lmsubst tag argument:
> ‘’
> > To unsubscribe send a blank email to xxxxx@lists.osr.com
> >
> >
>
>
>
> —
> Questions? First check the Kernel Driver FAQ at
> http://www.osronline.com/article.cfm?id=256
>
> You are currently subscribed to ntdev as: xxxxx@utimaco.de
> To unsubscribe send a blank email to xxxxx@lists.osr.com
>
>
>

25

Boot with /3GB and enjoy the crash.

The only “blessed” need for a physical address is for DMA, and for DMA we
have its own facilities.

Other ways:

  • MmGetPhysicalAddress
  • lock the pages to the MDL and dig into the array in the MDL tail, multiply
    each entry to 4096 (NOTE! unportable to 64bit, to PAE and to machines with
    discontiguous memory).

Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com

----- Original Message -----
From: “lake_swan” <lake_swan>
Newsgroups: ntdev
To: “Windows System Software Devs Interest List”
Sent: Saturday, December 31, 2005 5:06 PM
Subject: Re:[ntdev] Re:How to access memory using the physical address

> Another method use Native Api ,like He4 rootkit :slight_smile:
>
> In the 32bit translate function:
> ULONG LinearAddressToPhysicalAddress(ULONG lAddress)
> {
> unsigned int *pAddr;
> unsigned int *PageDirectoryEntry = (unsigned int *) 0xC0300000;
> unsigned int *PageTableEntry = (unsigned int *) 0xC0000000;
>
> if((!(PageDirectoryEntry[lAddress >> 22] & 0xFFFFF000))
> && (!(PageDirectoryEntry[lAddress >> 22] & 0x00000001)))
> {
> return 0;
> }
>
> pAddr = (unsigned int *) ((int)PageTableEntry + ((lAddress & 0xFFFFF000) >>
> 10));
> if((*pAddr) & 1)
> {
> return ((*pAddr) & 0xFFFFF000) | (lAddress & 0x00000FFF);
> }
>
> return 0;
> }
>
> void PhysicalAddressToLinearAddress(ULONG pAddress)
> {
> int i,j;
> unsigned int *pAddr;
> unsigned int PageDirectoryEntry = (unsigned int ) 0xC0300000;
> unsigned int PageTableEntry = (unsigned int ) 0xC0000000;
>
> for(i = 0;i < 1024;i++)
> {
> if((PageDirectoryEntry[i] & 0xFFFFF000) && (PageDirectoryEntry[i] &
> 0x00000001))
> {
> for(j = 0;j < 1024;j++)
> {
> pAddr = (unsigned int )((int)PageTableEntry + i4096 + j4);
>
> if((pAddr) & 0x00000001)
> {
> if(((pAddr) & 0xFFFFF000) == (pAddress & 0xFFFFF000))
> {
> DbgPrint(“%08X\n”,((i410241024 + j41024) & 0xFFFFF000) |
> (pAddress & 0x00000FFF));
> }
> }
> }
> }
> }
> }
>
> “Else Kluger” ??? news:xxxxx@ntdev…
> > “What do you gain by having credentials entered before the GINA
> > has control”
> >
> > You cannot boot - a desired effect of sector based Disk Encryption.
> > If you can (because your preboot credentials are ok), the SSO is
> > just a “side-effect” then.
> >
> > Else
> >
> >
> > |---------±-------------------------------->
> > | | “Bill McKenzie” |
> > | | > > | | net> |
> > | | Sent by: |
> > | | bounce-235093-16691@li|
> > | | sts.osr.com |
> > | | |
> > | | |
> > | | 01/17/2006 03:25 PM |
> > | | Please respond to |
> > | | “Windows System |
> > | | Software Devs Interest|
> > | | List” |
> > |---------±-------------------------------->
> >
> >---------------------------------------------------------------------------
> --------------------------------|
> > |
> |
> > | To: “Windows System Software Devs Interest List”
> |
> > | cc:
> |
> > | Subject: Re:[ntdev] How to access memory using the physical
> address (Unsigned Mail) |
> >
> >---------------------------------------------------------------------------
> --------------------------------|
> >
> >
> >
> >
> > To what end? What do you gain by having credentials entered before the
> > GINA
> > has control? Through a custom GINA it is possible to establish secure
> > network connections before Windows login, there is support for dealing
> with
> >
> > Smart cards and such, and you can even customize the Windows login UI if
> > more info is needed at login. Essentially, Winlogon is up and running
> > about
> > as early in the OS load process as you could ever want a network
> > connection,
> > so I am curious as to the need for any pre-OS handoff.
> >
> > Bill M.
> >
> > “ZG” wrote in message news:xxxxx@ntdev…
> > > As I know, SafeBoot and SecureDoc have done this. I think there are some
> > > people who want this feature otherwise these companies will not survive.
> > >
> > > –
> > >
> > > Regards,
> > > ZG [@ Sydney]
> > > Windows Driver Developer
> > >
> > >
> > > “Bill McKenzie” wrote in message
> > > news:xxxxx@ntdev…
> > > This is not the way to implement single sign-on. You need to read up on
> > > the Microsoft Gina DLL and Gina-stub DLLs. The user does have to
> > > successfully login to the WIndows platform 1 time, but that is the only
> > > requirement. From that point on, the user’s credentials can be cached
> for
> >
> > > pre-Windows login network verification. If you have more restrictive
> > > requirements, it might be interesting to explain those further.
> However,
> >
> > > the GINA method has worked for the biggest names in PC platform
> > > production, so I can’t imagine the customer for whom this is not
> > > sufficient. Playing hand-off from a boot loader or some such to the OS,
> > > is not a great idea.
> > >
> > > Bill M.
> > > “GrepAll” wrote in message news:xxxxx@ntdev…
> > > Hi,
> > >
> > > It’s not a platform, either a device.
> > >
> > > I want implement pre-boot verification function. That is, user should
> > > enter his password before Windows starts, and by sharing the buffer, the
> > > driver could get the password to implement single-sign-on (in fact it’s
> > > useless for password verification, but it’s useful for other
> > verification,
> > > SmartCard verification for example.).
> > >
> > > In my research, there is about 32kb size space which Windows won’t
> > > rewrite, and it’s enough as my buffer. Or we just forget the “won’t be
> > > rewritten” suppose, I’m interested in how to access memory by physical
> > > address.
> > >
> > > I check the DDK document, u r right, MmMapIoSpace is not obsolete. But
> > the
> > > HalTranslateBusAddress is obsolete. Could you please tell me how to
> > > initialize the PHYSICAL_ADDRESS with a linear physical address? I’m not
> > so
> > > familar with driver development. Thanks!
> > >
> > > GrepAll
> > >
> > >
> > >
> > >
> > >
> > > From: xxxxx@lists.osr.com
> > > [mailto:xxxxx@lists.osr.com] On Behalf Of Mark Roddy
> > > Sent: Tuesday, January 17, 2006 12:02 PM
> > > To: Windows System Software Devs Interest List
> > > Subject: RE: [ntdev] How to access memory using the physical address
> > >
> > >
> > > Massively small font there.
> > >
> > > MmMapIoSpace is not obsolete, but that is the least of your problems.
> > That
> > > “suppose the buffer won’t be rewritten” part, for physical memory owned
> > by
> > > the OS, is a huge problem. How do you suppose that is going to happen?
> > You
> > > initialize the PHYSICAL_ADDRESS with the linear physical address of the
> > > buffer that you suppose won’t be rewritten. What exactly are you
> > > bootstrapping? A platform? A device?
> > > =====================
> > > Mark Roddy DDK MVP
> > > Windows 2003/XP/2000 Consulting
> > > Hollis Technology Solutions 603-321-1032
> > > www.hollistech.com
> > >
> > >
> > >
> > >
> > >
> > > From: xxxxx@lists.osr.com
> > > [mailto:xxxxx@lists.osr.com] On Behalf Of GrepAll
> > > Sent: Monday, January 16, 2006 8:56 PM
> > > To: Windows System Software Devs Interest List
> > > Subject: [ntdev] How to access memory using the physical address
> > >
> > >
> > > Hi, all
> > >
> > > I’m trying to access memory by the physical address in my driver. The
> > > reason why I do this is I need to get data from my bootstrap code. In
> the
> >
> > > bootstrap code, I first enter the 386 Protected Mode and then write some
> > > important data to a buffer (identified by the physical address), at last
> > > jump back to the original bootstrap code. Suppose the buffer won’t be
> > > re-written, how can I read the content of the buffer in my WinXP driver
> > > module?
> > >
> > > I’ve read about MmMapIoSpace function, but I don’t know how to
> initialize
> >
> > > the PHYSICAL_ADDRESS parameter, and it seems this function is obsolete.
> > >
> > > Any suggestion is welcome. Thanks,
> > > GrepAll
> > >
> > > —
> > > Questions? First check the Kernel Driver FAQ at
> > > http://www.osronline.com/article.cfm?id=256
> > >
> > > You are currently subscribed to ntdev as: unknown lmsubst tag argument:
> > ‘’
> > > To unsubscribe send a blank email to xxxxx@lists.osr.com
> > >
> > > —
> > > Questions? First check the Kernel Driver FAQ at
> > > http://www.osronline.com/article.cfm?id=256
> > >
> > > You are currently subscribed to ntdev as: unknown lmsubst tag argument:
> > ‘’
> > > To unsubscribe send a blank email to xxxxx@lists.osr.com
> > >
> > >
> >
> >
> >
> > —
> > Questions? First check the Kernel Driver FAQ at
> > http://www.osronline.com/article.cfm?id=256
> >
> > You are currently subscribed to ntdev as: xxxxx@utimaco.de
> > To unsubscribe send a blank email to xxxxx@lists.osr.com
> >
> >
> >
>
>
>
> —
> Questions? First check the Kernel Driver FAQ at
http://www.osronline.com/article.cfm?id=256
>
> You are currently subscribed to ntdev as: xxxxx@storagecraft.com
> To unsubscribe send a blank email to xxxxx@lists.osr.com</lake_swan>