I just had some time to go back and fix a lingering bug in program. Program is still not complete but can be fun to use veiwing all of memory in Win2k and XP. The program should now determine the size of your memory automatically. Appreciate your input and hit me up if you have any questions. Thanks
Posted on 2004-02-16 13:10:15 by mrgone
Where's the source? And why use a .SYS when you can open \device\physicalmemory ? (asking out of ignorance, there might be some good reason I don't know of)
Posted on 2004-02-16 13:32:12 by f0dder
Never heard of it. What does it do? The source isn't done yet and has junk all in it tha't not even being used....lol.
Posted on 2004-02-16 14:18:31 by mrgone
http://www.sysinternals.com/ntw2k/info/tips.shtml - it's still NT-only, but as far as I've understood, it allows access to the physical memory range from ring3, if you have the sufficient privileges. Just thought there might be some reason you used a KMD instead :)

As for the source, heh okay, I know what it's like ;) - I'm just a bit paranoid about running ring0 code :)
Posted on 2004-02-16 14:36:23 by f0dder
I never knew that program existed. I searched and searched for something like that until I finally decided to write my own. Oh well, I should be done with editor soon and that program is veiwing only. Come to think of it, Sheroc did tell me about DevicePhysMemory but he told me in the context of forcing pages to memory from the pagefile.
Posted on 2004-02-16 15:00:01 by mrgone
Take a look at KmdKit\tools\PhysMemBrowser (a part of KmdKit).
Posted on 2004-02-17 04:05:23 by Four-F
Does it edit?
Posted on 2004-02-17 10:10:52 by mrgone
I down loaded the "New" file which was 1.5 I beleive. I actually already had a copy of it. Now I don't see any specific physical memory veiwer. There are alot of awesome files in that package no doubt. The ones I saw were specific to various memory locations such as the IDT and GDT etc. Great information displays by the way. Am I missing something though? Is there a user interface for veiwing specific memory locations? And does it edit? If it does I'm gonna abandon my memory editor because my stuff is crude and clumsy. My user mode skills leave much to be desired. What would be the name of that file? I mean the IDT and GDT and various system parameter tables are all veiwable by logical addresses.
Posted on 2004-02-17 12:52:08 by mrgone
Opsss... Sorry. While packing KmdKit v1.5 I've added PhysMemBrowser also. But later I thought that there is too much new staff in the package and it's better to leave something for next release. So I've removed PhysMemBrowser, but completely forgot about it. ;-)

Currently it does not allow to edit. But it is the question of getting SECTION_MAP_WRITE access right to \Device\PhysicalMemory object. I'm not quite sure it's able form user mode. You can play with object's access rights using WinObj (sysinternals.com). For w2k+ it uses standard Access Control Editor features. You can change some access rights for \Device\PhysicalMemory object but it refuse to assign write access even for system account. So I'm not sure it will be as simple as calling GetKernelObjectSecurity / SetKernelObjectSecurity.

Here http://www.phrack.org/archives/ you can find phrack59.tar.gz package and inside there is the article "Playing with Windows /dev/(k)mem" by crazylord. There some manipulations with \Device\PhysicalMemory are discussed.

Unfortunately, for the time being I don't have time to play with all that stuff. Anyway if it's even impossible to get write acces to this object from user mode it can be easily done directly manipulating with the ACL of \Device\PhysicalMemory from the driver.

My PhysMemBrowser is attached. Basically it dose the same as physmem (sysinternals.com) but with GUI.
Posted on 2004-02-18 04:52:03 by Four-F