Reading entire userspace process memory from kernel space

Hello everyone, newbie here.
I already wrote a user space application which allows me to read the entire address space of another process.
Now I need to port it to kernel space but I have some confused ideas so I’d like to have some little insight. I’ll do a recap of what I have in mind.

Preface:
I always have the process ID of the application I need to scan.

First, I need to get a handle of the process so I can use ZwOpenProcess or PsLookupProcessByProcessId. Which one suits best?
After that I need to have the virtual base address of the process which should be given by the EPROCESS handle itself, if I recall correctly.
From now on I’ll need to check which pages are committed by my process but sincerely I do not know how. I used VirtualQueryEx to get the pages’ addresses and sizes and then checked whether they belonged to my process.
I know, though, I need to map user mode addresses to kernel-space ones but I need to know which ones are right.

Thank you for your help.

xxxxx@gmail.com wrote:

> I already wrote a user space application which allows me to read the entire address space of another process.
> Now I need to port it to kernel space…

Why? Don’t ever do in the kernel tasks that can be adequately handled
in user mode.

> First, I need to get a handle of the process so I can use ZwOpenProcess or PsLookupProcessByProcessId. Which one suits best?
> After that I need to have the virtual base address of the process…

The virtual base address of the process is 0, just as it is with all
processes. To read another process’s memory, you need to force a
context switch so that process is current. I hope it is obvious that,
when process 6 is current, none of process 5 is visible in virtual
memory (except for shared regions).

> From now on I’ll need to check which pages are committed by my process but sincerely I do not know how. I used VirtualQueryEx to get the pages’ addresses and sizes and then checked whether they belonged to my process.

If your process is not current, then NONE of the virtual pages belong to
your process. If your process is current, then ALL of the virtual pages
belong to your process.

> I know, though, I need to map user mode addresses to kernel-space ones but I need to know which ones are right.

As long as you are in that process’s context, you don’t have to map the
addresses. You can read the user-mode addresses, as long as you realize
they might be changing under your nose. As long as you are at
PASSIVE_LEVEL, you can even read pages that are paged-out.


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

Thank you for your explanation.
Could you please tell me, how do I accomplish the context switch and which function would I need to read the process memory?
Thanks again.

KeStackAttachProcess
RtlCopyMemory

There are plenty of bad examples you can google that do what you want to do
but like Tim says, stick to user mode.

On Thu, Jan 7, 2016 at 2:32 PM, wrote:

> Thank you for your explanation.
> Could you please tell me, how do I accomplish the context switch and which
> function would I need to read the process memory?
> Thanks again.
>
> --
> NTDEV is sponsored by OSR
>
> Visit the list online at: http://www.osronline.com/showlists.cfm?list=ntdev
>
> MONTHLY seminars on crash dump analysis, WDF, Windows internals and software drivers!
>
> To unsubscribe, visit the List Server section of OSR Online at http://www.osronline.com/page.cfm?name=ListServer

Great.
Is there a way to have every memory region allocated by the process with their respective size? How do I effectively retrieve the memory addresses of the target process?
Thanks again.
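The question above (every region the process has, with its size) is answered in user mode by walking VirtualQueryEx, which is also the route the replies recommend over a driver. The script below is an added example, not code posted in this thread; it assumes 64-bit Windows and PowerShell 5 or later, and only enumerates committed regions.

```powershell
# Added example: list the committed regions of a process, with their sizes,
# from user mode via VirtualQueryEx (the documented route; no driver needed).
# Assumes 64-bit Windows, PowerShell 5+. Usage: .\regions.ps1 -ProcessId 1234
param([Parameter(Mandatory = $true)][int]$ProcessId)
Add-Type -TypeDefinition @"
using System;
using System.Runtime.InteropServices;
public static class Mem {
    // Field order and sizes match MEMORY_BASIC_INFORMATION on x64 (PartitionId
    // falls into the padding after AllocationProtect).
    [StructLayout(LayoutKind.Sequential)]
    public struct MBI {
        public IntPtr BaseAddress; public IntPtr AllocationBase;
        public uint AllocationProtect; public IntPtr RegionSize;
        public uint State; public uint Protect; public uint Type;
    }
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern IntPtr OpenProcess(uint access, bool inherit, int pid);
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern UIntPtr VirtualQueryEx(IntPtr h, IntPtr addr, out MBI mbi, UIntPtr len);
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool CloseHandle(IntPtr h);
}
"@
$PROCESS_QUERY_INFORMATION = 0x0400   # access right VirtualQueryEx needs
$MEM_COMMIT = 0x1000
$h = [Mem]::OpenProcess($PROCESS_QUERY_INFORMATION, $false, $ProcessId)
if ($h -eq [IntPtr]::Zero) {
    throw "OpenProcess($ProcessId) failed, Win32 error $([Runtime.InteropServices.Marshal]::GetLastWin32Error())"
}
$mbi = New-Object Mem+MBI
$len = [UIntPtr]::new([uint32][Runtime.InteropServices.Marshal]::SizeOf([type][Mem+MBI]))
$addr = [IntPtr]::Zero; $total = [int64]0
try {
    # Walk the address space region by region: each query returns the region
    # containing $addr, and the next query starts at BaseAddress + RegionSize.
    # VirtualQueryEx returns 0 once $addr passes the highest user-mode address.
    while ([Mem]::VirtualQueryEx($h, $addr, [ref]$mbi, $len).ToUInt64() -ne 0) {
        if ($mbi.State -eq $MEM_COMMIT) {
            '{0:X16} {1,14:N0} protect=0x{2:X}' -f $mbi.BaseAddress.ToInt64(), $mbi.RegionSize.ToInt64(), $mbi.Protect
            $total += $mbi.RegionSize.ToInt64()
        }
        $addr = [IntPtr]($mbi.BaseAddress.ToInt64() + $mbi.RegionSize.ToInt64())
    }
} finally {
    [void][Mem]::CloseHandle($h)
}
"Committed bytes: {0:N0}" -f $total
```

Regions of a protected process will fail at OpenProcess unless the caller holds the required privileges; the script reports the Win32 error rather than guessing.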

Does a user process have an MDL? (https://msdn.microsoft.com/en-us/library/windows/hardware/ff554414(v=vs.85).aspx)

I think that I could use that structure to directly get all the committed addresses of the target process… maybe.

Is there another way?

xxxxx@gmail.com wrote:

> Does a user process have an MDL? (https://msdn.microsoft.com/en-us/library/windows/hardware/ff554414(v=vs.85).aspx)

> I think that I could use that structure to directly get all the committed addresses of the target process… maybe.

No. MDLs are created to describe buffers in memory when a driver might
need to know the physical addresses. They get created and destroyed all
the time. There is certainly no long-lived MDL that describes the
entire address space of a process. Such a thing would not be possible,
because an MDL describes continuous virtual space, and a process’
address space is discontiguous.


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

Hmmm, I see.
How do I find all (cycle through) the valid addresses of a user space process once I switched to its context through KeStackAttachProcess then?

Thank you very much, again.

First, there is no supported way to do what you want. I suggest you pick
up a book on Windows internals to first understand how memory is managed
because it’s apparent that you don’t have a solid foundation.

Second, if after a couple of days no one answers your question it means no
one probably will. Most understand that this is not something you need to
do from the kernel and no one wants bad code in whatever product you are
developing. Like I wrote a few days back, you can use the Google to find
examples but I wouldn’t expect anyone here to tell you how to do what you
want.

On Mon, Jan 11, 2016 at 3:45 PM, wrote:

> Hmmm, I see.
> How do I find all (cycle through) the valid addresses of a user space
> process once I switched to its context through KeStackAttachProcess then?
>
> Thank you very much, again.

In addition, an MDL describes a physically locked (called “pinned” by some)
buffer: Its pages cannot become invalid as long as the MDL exists. This is
decidedly not the case for most of process address space!

Jamie Hanrahan
Azius Developer Training, http://www.azius.com

-----Original Message-----
From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of Tim Roberts
Sent: Tuesday, January 12, 2016 02:07
To: Windows System Software Devs Interest List
Subject: Re: [ntdev] Reading entire userspace process memory from kernel space