Question

I would like to be able to plug in a physical address, and read the data stored at that address.

Under Linux, I would use /dev/mem to acquire this data. Under Windows 8, I'm not sure what mechanism is available to do this.

My use case is inspecting a PCI Express device. The PCI Express device creates a ring buffer at a known address that I can determine from the PCIe BAR. Once this address has been set, it won't change until the computer restarts.

Currently, I can use applications like RW Everything to see the data there, but I would like to be able to do this without user interaction (without the GUI) so that I have fewer issues with the ring buffers wrapping before I can access the data.

Does anyone know if there is a privileged Windows system call I can make from userspace (to mmap a region for example) or do I need to use a custom kernel module to do this? I imagine that there is some way to do it without a custom kernel module, because I don't believe I installed one when I installed RW Everything.
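The question relies on working out the ring buffer's physical address from the device's BAR. The following is an added example, not part of the original question, showing how raw Base Address Register values from a type-0 PCI configuration header are decoded into physical ranges (32-bit vs 64-bit, memory vs I/O, prefetchable, and the size obtained by the standard all-ones probe). The six BAR values and their probed counterparts are constructed sample data, not readings from any real device; on a real system they would come from config space reads, which on Windows themselves require kernel-mode access.

```python
"""Decode PCI/PCIe BARs into physical address ranges (added example).

Inputs are the six 32-bit BAR dwords as read from config space offsets
0x10..0x24, plus the six values read back after writing 0xFFFFFFFF to each
BAR.  Writing all-ones makes the device expose its address decode mask, from
which the region size follows; the original values are restored afterwards.
"""
from dataclasses import dataclass
from typing import List, Optional

MASK32 = 0xFFFFFFFF
MASK64 = (1 << 64) - 1


@dataclass
class Bar:
    index: int          # BAR number (0..5); a 64-bit BAR also consumes index+1
    kind: str           # "mem" or "io"
    base: int           # physical base address (or I/O port base)
    size: int           # region size in bytes (or ports)
    width: int          # 32 or 64
    prefetchable: bool


def _size_from_mask(mask: int, width_mask: int) -> int:
    """Size = two's complement of the decode mask within the register width."""
    return ((~mask) & width_mask) + 1


def decode_bars(values: List[int], probed: List[int]) -> List[Bar]:
    """Return the implemented BARs; unimplemented BARs read back as all zero."""
    if len(values) != 6 or len(probed) != 6:
        raise ValueError("a type-0 header has exactly six BARs")
    bars: List[Bar] = []
    i = 0
    while i < 6:
        v, p = values[i], probed[i]
        if v & 0x1:
            # I/O space BAR: bit 0 set, bit 1 reserved, address in bits 31:2.
            mask = p & ~0x3
            if mask:
                bars.append(Bar(i, "io", v & ~0x3, _size_from_mask(mask, MASK32), 32, False))
            i += 1
            continue
        bar_type = (v >> 1) & 0x3          # 00 = 32-bit, 10 = 64-bit, 01 reserved
        prefetch = bool(v & 0x8)
        if bar_type == 2:
            # 64-bit memory BAR: the next dword holds the upper address bits.
            if i + 1 >= 6:
                raise ValueError(f"64-bit BAR at index {i} has no upper half")
            base = (values[i + 1] << 32) | (v & ~0xF)
            mask = (probed[i + 1] << 32) | (p & ~0xF)
            if mask:
                bars.append(Bar(i, "mem", base, _size_from_mask(mask, MASK64), 64, prefetch))
            i += 2
        else:
            mask = p & ~0xF
            if mask:
                bars.append(Bar(i, "mem", v & ~0xF, _size_from_mask(mask, MASK32), 32, prefetch))
            i += 1
    return bars


def find_bar(bars: List[Bar], phys_addr: int) -> Optional[Bar]:
    """Return the memory BAR whose range covers phys_addr, or None."""
    for b in bars:
        if b.kind == "mem" and b.base <= phys_addr < b.base + b.size:
            return b
    return None


# Constructed sample: BAR0 = 64-bit non-prefetchable 64 KiB at 0xF7D00000,
# BAR2 = 64-bit prefetchable 2 MiB at 0xF7A00000, BAR4 = 32-port I/O at 0xE000.
SAMPLE_VALUES = [0xF7D00004, 0x00000000, 0xF7A0000C, 0x00000000, 0x0000E001, 0x00000000]
SAMPLE_PROBED = [0xFFFF0004, 0xFFFFFFFF, 0xFFE0000C, 0xFFFFFFFF, 0xFFFFFFE1, 0x00000000]

if __name__ == "__main__":
    decoded = decode_bars(SAMPLE_VALUES, SAMPLE_PROBED)
    for b in decoded:
        print(f"BAR{b.index}: {b.kind} {b.width}-bit base=0x{b.base:X} size=0x{b.size:X} "
              f"prefetchable={b.prefetchable}")
    hit = find_bar(decoded, 0xF7B10000)
    print("0xF7B10000 lies in", f"BAR{hit.index}" if hit else "no BAR")
```

A ring buffer address obtained from a BAR is only meaningful while it falls inside a decoded region, so checking a candidate address against the decoded ranges (as `find_bar` does) is a cheap sanity check before any physical read is attempted.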


Solution

Since Windows Server 2003 SP1, user-mode access to physical memory has not been possible. You will have to develop a driver to do it (or find a third-party tool that includes one).

From Technet:

In Windows Server 2003 SP1, user-mode access to the \Device\PhysicalMemory object is not permitted. All forms of access (read, write) are refused when the \Device\PhysicalMemory object is accessed from a user-mode application. Access to the \Device\PhysicalMemory object is refused regardless of the user context (Administrators, Users, Local System, etc.) the application is running in.

Other tips

There is a lot of Windows software for accessing physical memory; however, much of it cannot access physical memory on Windows Vista or 7 because of the physical memory protection feature in those OSes.

There are many Windows tools similar to Unix's /dev/mem, such as:

  • Belkasoft Live RAM Capturer
  • WindowsSCOPE Pro and Ultimate, available at http://www.windowsscope.com
  • WindowsSCOPE Live
  • winen.exe (Guidance Software - included with Encase 6.11 and higher)
  • Mdd (Memory DD) (ManTech)
  • MANDIANT Memoryze
  • Kntdd
  • Moonsols
  • HBGary
  • FTK Imager
  • OSForensics
  • WinPmem; and
  • Windows Memory Reader

Check this wiki for more info: http://www.forensicswiki.org/wiki/Tools:Memory_Imaging

License: CC-BY-SA with attribution
Not affiliated with StackOverflow