Hi
Is there another way than hooking to detect systemwide memory read and write?
Regards
Joe
You cannot do it period, what would you hook?
–
Don Burn (MVP, Windows DDK)
Windows Filesystem and Driver Consulting
Website: http://www.windrvr.com
Blog: http://msmvps.com/blogs/WinDrvr
wrote in message news:xxxxx@ntdev…
> Hi
>
> Is there another way than hooking to detect systemwide memory read and
> write?
>
> Regards
>
> Joe
>
>
> Information from ESET NOD32 Antivirus, version of virus
> signature database 4049 (20090501)
>
> The message was checked by ESET NOD32 Antivirus.
>
> http://www.eset.com
>
>
>
Information from ESET NOD32 Antivirus, version of virus signature database 4049 (20090501)
The message was checked by ESET NOD32 Antivirus.
http://www.eset.com
Hi Don
I would hook ZwReadVirtualMemory and ZwWriteVirtualMemory. Further ZwAllocVirtualAlloc to or the allocation parameter with MEM_WRITE_WATCH and MEM_COMMIT (periodically call GetWriteWatch).
I totally hate hooking because it is very unstable, but MS does provide very few callbacks for system activities which is a pain in the ass.
Regards
Joe
Umm - what exactly do you mean by ‘log memory reads and writes’?
Mark Roddy
On Sat, May 2, 2009 at 11:24 AM, wrote:
> Hi Don
>
> I would hook ZwReadVirtualMemory and ZwWriteVirtualMemory. Further ZwAllocVirtualAlloc to or the allocation parameter with MEM_WRITE_WATCH and MEM_COMMIT (periodically call GetWriteWatch).
>
> I totally hate hooking because it is very unstable, but MS does provide very few callbacks for system activities which is a pain in the ass.
>
> Regards
>
> Joe
>
> —
> NTDEV is sponsored by OSR
>
> For our schedule of WDF, WDM, debugging and other seminars visit:
> http://www.osr.com/seminars
>
> To unsubscribe, visit the List Server section of OSR Online at http://www.osronline.com/page.cfm?name=ListServer
>
Get called if the processor has read memory (eip, address) or has written memory (eip, address). Like single stepping and looking for mov and other memory operands.
Regards
Joe
Perhaps you should invest in an ICE.
-p
-----Original Message-----
From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of xxxxx@gmx.net
Sent: Saturday, May 02, 2009 8:39 AM
To: Windows System Software Devs Interest List
Subject: RE:[ntdev] How to log memory reads and writes?
Get called if the processor has read memory (eip, address) or has written memory (eip, address). Like single stepping and looking for mov and other memory operands.
Regards
Joe
NTDEV is sponsored by OSR
For our schedule of WDF, WDM, debugging and other seminars visit:
http://www.osr.com/seminars
To unsubscribe, visit the List Server section of OSR Online at http://www.osronline.com/page.cfm?name=ListServer
Hm ok you do not know other good techniques to do it without using ICE?
Regards
Joe
And this will do what for you how? These calls allow a process X to read
the virtual memory of another process Y, so what you will be catching is
debugger type actions, not general accesses. I’ve looked for solutions to
this problem on Windows for 15 years, all you can do is get an ICE or build
your own hardware.
–
Don Burn (MVP, Windows DDK)
Windows Filesystem and Driver Consulting
Website: http://www.windrvr.com
Blog: http://msmvps.com/blogs/WinDrvr
wrote in message news:xxxxx@ntdev…
> Hi Don
>
> I would hook ZwReadVirtualMemory and ZwWriteVirtualMemory. Further
> ZwAllocVirtualAlloc to or the allocation parameter with MEM_WRITE_WATCH
> and MEM_COMMIT (periodically call GetWriteWatch).
>
> I totally hate hooking because it is very unstable, but MS does provide
> very few callbacks for system activities which is a pain in the ass.
>
> Regards
>
> Joe
>
>
> Information from ESET NOD32 Antivirus, version of virus
> signature database 4049 (20090501)
>
> The message was checked by ESET NOD32 Antivirus.
>
> http://www.eset.com
>
>
>
Information from ESET NOD32 Antivirus, version of virus signature database 4049 (20090501)
The message was checked by ESET NOD32 Antivirus.
http://www.eset.com
> Get called if the processor has read memory (eip, address) or has written memory (eip, address).
Debug breakpoints using processor’s debug registers are your only chance.
–
Maxim S. Shatskih
Windows DDK MVP
xxxxx@storagecraft.com
http://www.storagecraft.com
You would need a full ice; a jtag emulator like an Arium won’t help you.
If you could narrow down the range of memory your interested in, you might be able do this by unmapping page tables and replacing the page fault hander as softice used to do, but it’s hard to imagine this working as an arbitrary technique.
Good luck,
mm
FSB analyzer would do.
If all you need is decode the memory access, you can build something tapping into the fsb, capture the mutiplexed A/D bus and a couple of control signals. No horribly difficult to build as a home project if you are a degreed and handy EE. You would need to figure out the virt to phy mapping b/c only physical address are seen on fsb.
Calvin Guan
Broadcom Corp.
Connecting Everything(r)
From: xxxxx@lists.osr.com [xxxxx@lists.osr.com] On Behalf Of xxxxx@gmx.net [xxxxx@gmx.net]
Sent: Saturday, May 02, 2009 9:20 AM
To: Windows System Software Devs Interest List
Subject: RE:[ntdev] How to log memory reads and writes?
Hm ok you do not know other good techniques to do it without using ICE?
Regards
Joe
NTDEV is sponsored by OSR
For our schedule of WDF, WDM, debugging and other seminars visit:
http://www.osr.com/seminars
To unsubscribe, visit the List Server section of OSR Online at http://www.osronline.com/page.cfm?name=ListServer
Won’t cache effects restrict the usefulness of correlating FSB traffic to granular memory accesses on modern platforms?
- S
-----Original Message-----
From: Calvin Guan (Business Guest)
Sent: Saturday, May 02, 2009 14:29
To: Windows System Software Devs Interest List
Subject: RE: RE:[ntdev] How to log memory reads and writes?
FSB analyzer would do.
If all you need is decode the memory access, you can build something tapping into the fsb, capture the mutiplexed A/D bus and a couple of control signals. No horribly difficult to build as a home project if you are a degreed and handy EE. You would need to figure out the virt to phy mapping b/c only physical address are seen on fsb.
Calvin Guan
Broadcom Corp.
Connecting Everything(r)
________________________________________
From: xxxxx@lists.osr.com [xxxxx@lists.osr.com] On Behalf Of xxxxx@gmx.net [xxxxx@gmx.net]
Sent: Saturday, May 02, 2009 9:20 AM
To: Windows System Software Devs Interest List
Subject: RE:[ntdev] How to log memory reads and writes?
Hm ok you do not know other good techniques to do it without using ICE?
Regards
Joe
—
NTDEV is sponsored by OSR
For our schedule of WDF, WDM, debugging and other seminars visit:
http://www.osr.com/seminars
To unsubscribe, visit the List Server section of OSR Online at http://www.osronline.com/page.cfm?name=ListServer
—
NTDEV is sponsored by OSR
For our schedule of WDF, WDM, debugging and other seminars visit:
http://www.osr.com/seminars
To unsubscribe, visit the List Server section of OSR Online at http://www.osronline.com/page.cfm?name=ListServer
Yeah, I realized that after I click the send button.
From: xxxxx@lists.osr.com [xxxxx@lists.osr.com] On Behalf Of Skywing [xxxxx@valhallalegends.com]
Sent: Saturday, May 02, 2009 4:20 PM
To: Windows System Software Devs Interest List
Subject: RE: RE:[ntdev] How to log memory reads and writes?
Won’t cache effects restrict the usefulness of correlating FSB traffic to granular memory accesses on modern platforms?
- S
-----Original Message-----
From: Calvin Guan (Business Guest)
Sent: Saturday, May 02, 2009 14:29
To: Windows System Software Devs Interest List
Subject: RE: RE:[ntdev] How to log memory reads and writes?
FSB analyzer would do.
If all you need is decode the memory access, you can build something tapping into the fsb, capture the mutiplexed A/D bus and a couple of control signals. No horribly difficult to build as a home project if you are a degreed and handy EE. You would need to figure out the virt to phy mapping b/c only physical address are seen on fsb.
Calvin Guan
Broadcom Corp.
Connecting Everything(r)
________________________________________
From: xxxxx@lists.osr.com [xxxxx@lists.osr.com] On Behalf Of xxxxx@gmx.net [xxxxx@gmx.net]
Sent: Saturday, May 02, 2009 9:20 AM
To: Windows System Software Devs Interest List
Subject: RE:[ntdev] How to log memory reads and writes?
Hm ok you do not know other good techniques to do it without using ICE?
Regards
Joe
—
NTDEV is sponsored by OSR
For our schedule of WDF, WDM, debugging and other seminars visit:
http://www.osr.com/seminars
To unsubscribe, visit the List Server section of OSR Online at http://www.osronline.com/page.cfm?name=ListServer
—
NTDEV is sponsored by OSR
For our schedule of WDF, WDM, debugging and other seminars visit:
http://www.osr.com/seminars
To unsubscribe, visit the List Server section of OSR Online at http://www.osronline.com/page.cfm?name=ListServer
—
NTDEV is sponsored by OSR
For our schedule of WDF, WDM, debugging and other seminars visit:
http://www.osr.com/seminars
To unsubscribe, visit the List Server section of OSR Online at http://www.osronline.com/page.cfm?name=ListServer
> Get called if the processor has read memory (eip, address) or has written memory (eip, address).
Like single stepping and looking for mov and other memory operands.
If I got it right you are speaking about analyzing execution path, right?
First of all, you have to define your target (i.e. precise address at which you want to start analyzing execution path) - you just cannot do it like " I want to analyze something I don’t know what", because you need to define a condition that triggers your code…
After you have decided upon you target, you can proceed to the actual job - INT 1 and INT 3 are your friends here, so that you will have to hook them. You can insert a breakpoint either via debug register
(in this case only INT 1 has to be hooked), or as 0xCC opcode (in this case both INT 1 and INT 3 have to be hooked) at the target address . When BPX gets reached, you hooking code that traps breakpoint will set TF in EFLAGS, and return - from now on your code that hooks INT1 will get invoked upon every instruction’s execution until you decide to clear TF in your INT 1 handler…
Anton Bassov
> you will be catching is debugger type actions, not general accesses. I’ve looked for solutions
to this problem on Windows for 15 years
Well, I think you would not find a solution for trapping generic accesses on any OS even if you keep on looking for it for another 50 years -" trapping generic accesses" is just another way of saying " I want to analyze something I don’t know what". You can trace and break even at the kernel level (which implies that the target system has to be modified if you do it from within the system), but these actions are still
“debugger type ones” - even if you use ICE…
Anton Bassov
> Get called if the processor has read memory (eip, address) or has written memory (eip, address).
As usual, it really depends on the OP’s requirements.
There are quite a few options that may be a bit more reasonable than an
ICE. In general, though, I don’t think the OP should expect to find a
solution that allows them to /efficiently/ monitor all reads and writes
system wide. Monitoring reads and writes for a subset of processes &
memory regions is certainly feasible, even without an ICE.
Perhaps the simplest option is to modify an existing emulator, such as
Bochs or QEMU. It should be relatively straight forward to add
instrumentation code that logs reads and writes. In fact, there have
been examples in the past of using Bochs and QEMU to monitor memory
writes[6,7]. Of course, this may not be an option depending on the OP’s
requirements.
You can also use shadow page tables (or their hardware equivalent) in a
virtualized environment to define page protections that are more
restrictive than those specified in the guest page tables[1]. For
example, you could specify page protections that prevent read or write
access to a set of guest physical pages. This would result in page
faults whenever the guest reads from or writes to these pages. These
page faults can then be intercepted by the hypervisor and then emulated
accordingly.
Another option is dynamic binary instrumentation (DBI)[2,3,4,5]. This
would allow you to rewrite the instruction stream and insert
instrumentation code prior to each instruction that could read from or
write to memory.
There are other options too, such as taking advantage of normal paging
and segmentation behavior[5].
[1] http://developer.amd.com/assets/NPT-WP-1%201-final-TM.pdf
[2] http://valgrind.org/docs/phd2004.pdf
[3] http://www.pintool.org/
[4] http://www.cag.lcs.mit.edu/rio/
[5] http://uninformed.org/?v=7&a=1&t=sumry
[6] http://bitblaze.cs.berkeley.edu/papers/renovo.pdf
[7] http://pi1.informatik.uni-mannheim.de/filepool/theses/diplomarbeit-2008-boehne.pdf
Now that’s a post, Matt.
mm
One idea I have is to use the page fault monitor feature of ETW tracing, that would be much simpler than hooking the kernel or page
fault interrupts. You would have to make sure in one way or another that access to your memory locations would always generate a
page fault.
A more complicated idea I have is to use the branch trace store (BTS) that many processors have. This in combination with a debug
store ISR as well as the help of a built-in disassembler could get you a trace of memory access. See the Intel 64 and IA-32
Architectures Software Developer’s Manual for more information.
//Daniel
wrote in message news:xxxxx@ntdev…
> Hi
>
> Is there another way than hooking to detect systemwide memory read and write?
>
> Regards
>
> Joe
>
> that would be much simpler than hooking the kernel or page fault interrupts.
There is nothing complex with hooking page fault handler in itself. The problem lies with the necessity to modify PTE in order to trigger page fault, because at this point you can easily get into a conflict with MM - you don’t have an access to its internal synch constructs, do you. I did INT 1-based analysis of execution path even in commercial products, but I would think twice before playing around with page fault handler…
A more complicated idea I have is to use the branch trace store (BTS) that many processors have.
This in combination with a debug store ISR as well as the help of a built-in disassembler could
get you a trace of memory access.
This approach is much better, compared to messing around with PTEs…
Anton Bassov
xxxxx@gmx.net wrote:
Hm ok you do not know other good techniques to do it without using ICE?
The Bochs x86 simulator (http://bochs.sourceforge.net) is actually able
to boot and run Windows XP. You can trace every instruction.
However, I am quite confident that you don’t understand what you are
asking. EVERY instruction causes a memory read, just to read the
instruction itself (module caching).
What is it, exactly, that you are hoping to learn?
–
Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.