Hi ppl,
I would like to achieve ring0 so that my program has direct access to the physical memory. Is making a Kernel Mode Driver the ONLY way to achieve this on WinNT? Can someone please guide me on this because I have no idea where to start in writing a driver. Even just a quick summary would be nice but detail will be MUCH appreciated! I have heard that you have to create a service using your driver then call this service from your prog? Is this true and how do I do this?
Thanx in advance :)
Hi,
No, writing a kernel mode driver is not the only way to look at physical memory - you must open "\Device\PhysicalMemory" via the NT API Nt/ZwOpenSection (NT only, see the example in Mark Russinovich's physmem.zip at SysInternals.com); or, more generally, with the Win32 API OpenFileMapping as in EliCZ's DumpXDT (http://www.anticracking.sk/EliCZ/export/DumpXDT.zip).
Thanx! That PhysMem prog was a great help. However I would still like to learn how to make a Kernel Mode Driver. Anyone know how?
Yes, I have done some KMD but in simple C, not yet in ASM, but I guess it's not so hard as IMO they are just a DLL with special import/export and entry routines.
Again, sysinternals.com examples can help, I guess.
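The "create a service using your driver" step the original question asks about, as an added example that is not code from anyone in this thread: it registers an already built driver image as a kernel-mode service with sc.exe, starts it, confirms the load, and removes it again. The service name, the driver path and the checks are assumptions for illustration; run it from an elevated PowerShell prompt.

```powershell
# Added example, not from the thread. $ServiceName and $DriverPath are placeholders.
param(
    [string]$ServiceName = 'ExampleDrv',                  # placeholder name
    [string]$DriverPath  = 'C:\Drivers\ExampleDrv.sys'    # placeholder path to a built .sys
)

function Install-KernelDriver {
    param([string]$Name, [string]$Path)
    if (-not (Test-Path -Path $Path)) { throw "Driver image not found: $Path" }

    # Current 64-bit Windows refuses unsigned kernel code, so check before loading;
    # an unsigned image will be rejected by the loader rather than run.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -ne 'Valid') {
        Write-Warning "Signature status is '$($sig.Status)'; driver signature enforcement will block the load."
    }

    # type= kernel registers a kernel-mode driver service, start= demand loads it only
    # when started. sc.exe requires the space after each 'key=' token.
    sc.exe create $Name type= kernel start= demand binPath= $Path | Out-Null
    sc.exe start $Name | Out-Null

    # Get-Service only lists Win32 services; drivers are visible through WMI/CIM.
    Get-CimInstance -ClassName Win32_SystemDriver -Filter "Name='$Name'" |
        Select-Object Name, State, StartMode, PathName
}

function Remove-KernelDriver {
    param([string]$Name)
    # Unload, then delete the registration so nothing is left behind under HKLM\SYSTEM\...\Services.
    sc.exe stop $Name | Out-Null
    sc.exe delete $Name | Out-Null
}

Install-KernelDriver -Name $ServiceName -Path $DriverPath
# ... the user-mode program talks to the loaded driver here ...
Remove-KernelDriver -Name $ServiceName
```

Once the driver is loaded, the user-mode side opens the device object the driver created (CreateFile on `\\.\<DeviceName>`) and talks to it with DeviceIoControl; the service registration above is what makes that device exist.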
BogdanOntanu: can u please send me some source on how u did this. It would be much appreciated. Thx :)
roaknog: Thx, that looks useful :)
roaknog: I tried your code. Am I correct in assuming that it should be running in ring0? If so, then why does it crash when I try to access physical memory directly: xor eax, eax mov ebx, . I thought it was OK to do this sort of thing in a ring0 Kernel Mode Driver. Anyone have any ideas?