Question

I would like to be able to plug in a physical address, and read the data stored at that address.

Under Linux, I would use /dev/mem to acquire this data. Under Windows 8, I'm not sure what mechanism is available to do this.

My use case is inspecting a PCI Express device. The PCI Express device creates a ring buffer at a known address that I can determine from the PCIe BAR. Once this address has been set, it won't change until the computer restarts.

Currently, I can use applications like RW Everything to see the data there, but I would like to be able to do this without user interaction (without the GUI) so that I have fewer issues with the ring buffers wrapping before I can access the data.

Does anyone know if there is a privileged Windows system call I can make from userspace (to mmap a region for example) or do I need to use a custom kernel module to do this? I imagine that there is some way to do it without a custom kernel module, because I don't believe I installed one when I installed RW Everything.

Solution

Since Windows Server 2003 SP1, user-mode access to physical memory has not been possible. You will have to develop a driver to do it (or find a third-party tool that includes one).

From Technet:

In Windows Server 2003 SP1, user-mode access to the \Device\PhysicalMemory object is not permitted. All forms of access (read, write) are refused when the \Device\PhysicalMemory object is accessed from a user-mode application. Access to the \Device\PhysicalMemory object is refused regardless of the user context (Administrators, Users, Local System, etc.) the application is running in.
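The TechNet statement above can be confirmed on a given machine from user mode. The following PowerShell script is an added example, not part of the original answer: it P/Invokes the documented ntdll exports NtOpenSection, RtlInitUnicodeString and NtClose to attempt a read-only open of the \Device\PhysicalMemory section and reports the NTSTATUS. The struct layouts and the SECTION_MAP_READ and OBJ_CASE_INSENSITIVE constants are the standard Win32/NT definitions; the class name PhysMemProbe and the function TryOpen are assumptions made for this example. It assumes Windows PowerShell 5 or later with the .NET runtime available to Add-Type.

```powershell
# Added example (not from the original Q&A): probe whether user mode can open
# \Device\PhysicalMemory, which TechNet says is refused since Server 2003 SP1.
$src = @'
using System;
using System.Runtime.InteropServices;

public static class PhysMemProbe   // hypothetical helper name for this example
{
    [StructLayout(LayoutKind.Sequential)]
    public struct UNICODE_STRING
    {
        public ushort Length;
        public ushort MaximumLength;
        public IntPtr Buffer;
    }

    [StructLayout(LayoutKind.Sequential)]
    public struct OBJECT_ATTRIBUTES
    {
        public int Length;
        public IntPtr RootDirectory;
        public IntPtr ObjectName;
        public uint Attributes;
        public IntPtr SecurityDescriptor;
        public IntPtr SecurityQualityOfService;
    }

    [DllImport("ntdll.dll")]
    public static extern uint NtOpenSection(out IntPtr SectionHandle, uint DesiredAccess,
                                            ref OBJECT_ATTRIBUTES ObjectAttributes);

    [DllImport("ntdll.dll")]
    public static extern void RtlInitUnicodeString(ref UNICODE_STRING DestinationString,
                                                   [MarshalAs(UnmanagedType.LPWStr)] string SourceString);

    [DllImport("ntdll.dll")]
    public static extern uint NtClose(IntPtr Handle);

    public const uint SECTION_MAP_READ     = 0x0004;
    public const uint OBJ_CASE_INSENSITIVE = 0x00000040;

    // Returns the NTSTATUS of the open attempt; 0 means the section was opened.
    public static uint TryOpen(string name, uint access)
    {
        UNICODE_STRING us = new UNICODE_STRING();
        RtlInitUnicodeString(ref us, name);
        IntPtr usPtr = Marshal.AllocHGlobal(Marshal.SizeOf(us));
        try
        {
            Marshal.StructureToPtr(us, usPtr, false);
            OBJECT_ATTRIBUTES oa = new OBJECT_ATTRIBUTES();
            oa.Length     = Marshal.SizeOf(oa);
            oa.ObjectName = usPtr;
            oa.Attributes = OBJ_CASE_INSENSITIVE;
            IntPtr h;
            uint status = NtOpenSection(out h, access, ref oa);
            if (status == 0) { NtClose(h); }   // never keep a handle we did not expect to get
            return status;
        }
        finally
        {
            Marshal.FreeHGlobal(usPtr);
        }
    }
}
'@
Add-Type -TypeDefinition $src

$status = [PhysMemProbe]::TryOpen('\Device\PhysicalMemory', [PhysMemProbe]::SECTION_MAP_READ)

# STATUS_ACCESS_DENIED (0xC0000022) is the expected result on any current build,
# even when run from an elevated Administrator prompt.
switch ($status) {
    0          { 'Opened \Device\PhysicalMemory from user mode (pre-2003 SP1 behaviour)' }
    0xC0000022 { 'STATUS_ACCESS_DENIED: user-mode access refused, as the TechNet note states' }
    default    { 'NtOpenSection returned NTSTATUS 0x{0:X8}' -f $status }
}
```

Because the open is refused regardless of token privileges, any tool that does show physical memory on a current Windows build (RW Everything and the imaging tools listed in the other answer included) is loading a kernel driver to do it; from a monitoring standpoint, the event to watch for is therefore the driver load, not a user-mode handle to \Device\PhysicalMemory.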

OTHER TIPS

There is a lot of Windows software for accessing physical memory; however, much of it cannot access physical memory on Windows Vista or 7 because of the physical memory protection feature in these OSes.

There are many Windows tools similar to Unix's /dev/mem, such as:

  • Belkasoft Live RAM Capturer
  • WindowsSCOPE Pro and Ultimate, available at http://www.windowsscope.com
  • WindowsSCOPE Live
  • winen.exe (Guidance Software - included with Encase 6.11 and higher)
  • Mdd (Memory DD) (ManTech)
  • MANDIANT Memoryze
  • Kntdd
  • Moonsols
  • HBGary
  • FTK Imager
  • OSForensics
  • WinPmem; and
  • Windows Memory Reader

Check this wiki for more info: http://www.forensicswiki.org/wiki/Tools:Memory_Imaging

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow