Index
> Windows > Access to all memory |
| Author |
|
|
CandyMan
How to gain access to the entire memory and to the memory of other programs in windows? Is there some function which enables it?
_________________ smaller is better |
|||
12 Jun 2015, 17:05 |
|
|
Foxxy
You'd need to make a driver: http://stackoverflow.com/questions/23683707/read-physical-memory-under-windows-8
|
|||
|
12 Jun 2015, 19:28 |
|
|
CandyMan
Thanks.
PS. How the anti-virus is looking the memory through? _________________ smaller is better |
|||
|
13 Jun 2015, 15:30 |
|
|
Feryno
from ring3 you may be sometimes allowed to access virtual memory of different process via
ReadProcessMemory https://msdn.microsoft.com/en-us/library/windows/desktop/ms680553%28v=vs.85%29.aspx from ring0 there is KeStackAttachProcess https://msdn.microsoft.com/en-us/library/windows/hardware/ff549659%28v=vs.85%29.aspx after attaching you may use various ring0 procedures beginning at Mm..., you may obtain modules info, you may also parse paging tables from CR3 to last level You may also register some ring0 callbacks which are hit at CreatProcess, loading module and so on. To scan physical memory there are some undocumented things like MmGetPhysicalMemoryRanges https://msdn.microsoft.com/en-us/library/windows/hardware/ff554435%28v=vs.85%29.aspx then you may map physical memory pages via MmMapIoSpace to access them by returned virtual memory |
|||
|
15 Jun 2015, 05:01 |
|
|
l_inc
CandyMan
\Device\PhysicalMemory is still accessible in the kernel (and even was accessible from user mode in the early XP with no SP). No need to manipulate any hardware dependent structures directly or do anything undocumented. On the other hand it's for very specific purposes, and in most cases one would prefer to look in virtual address spaces. _________________ Faith is a superposition of knowledge and fallacy |
|||
|
17 Jun 2015, 21:06 |
|
< Last Thread | Next Thread > |
Forum Rules:
|