
  1. Reading Virtual Memory

    During a project I did lately I had to deal with the detection of hidden device drivers... While researching I stumbled upon a problem I had come across several years ago but never had the patience to deal with; this time I had to. Well, what happened?! See for yourself:

    I used pseudocode like this to scan for the DRIVER_OBJECTs:
    Code:
    /* 0x80000000 is where kernel space starts on 32-bit Windows (default 2 GB split) */
    unsigned char *pKernel = (unsigned char *)0x80000000;
    size_t i;
    for (i = 0; i < KernelSpaceSize; i++)      /* KernelSpaceSize: number of bytes to walk */
    {
        if (pKernel[i] == x)                   /* x: first byte of the DRIVER_OBJECT pattern */
        {
            ...                                /* compare the rest of the pattern here */
        }
    }
    At one point the machine simply froze (no bugcheck) and I couldn't make any sense of it; this effect was 100% reproducible.

    I tried pretty much everything to get rid of the problem, like using SEH, probing the page, accessing it physically, etc., you name it.

    (Try it for yourself: in WinDbg do a "s 0 L -1 0xff", at some point it will most likely freeze your machine.)

    After further research on this I saw that others had faced this problem too, like Joanna Rutkowska, who couldn't solve it either.
    Her solution was to reduce the range of memory that she scans [a] (which is absolutely bullshit if you ask me).

    To shorten the whole story: the problem arose because some memory areas are mapped to physical devices (memory-mapped I/O), like your graphics card; once you touch those areas your machine goes into an undefined state.
    The reason for all this is the north bridge of your motherboard, which is the router for those requests: it decides whether a request is forwarded to your memory chips or whether it is an attempt to access a device. [b]

    So how does Windows handle it?! That's pretty much the first question that came to my mind, because seriously, I have never ever seen a bugcheck freeze while creating a memory dump.

    The answer is again simple if you know how it works; basically the BIOS is the key to all of it: the devices "register" their areas, and ntldr queries the BIOS for the accessible memory areas during boot.

    This is all done via INT 15h; the keyword, if you are interested, is "System Address Map" [c]. Luckily Windows needs to keep track of those areas, and it does so in a structure called PHYSICAL_MEMORY_RUN, which is nothing else than an array of elements that tell you which areas can be touched and which can't.

    And there you go... as long as you are aware of the limits described in the runs, it's all good...
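    To show what "staying inside the runs" looks like in code, here is an added user-mode example (not the author's code) that models the run array described above and clips a scan window to RAM-backed ranges only. The run layout is constructed, and a real driver would still have to translate its virtual scan address to a physical one (e.g. with MmGetPhysicalAddress) before checking it against the runs.

```c
#include <stdint.h>
#include <stdio.h>

#define PAGE_SHIFT 12

/* Same shape as the kernel's PHYSICAL_MEMORY_RUN: a run is a contiguous
 * range of RAM pages. Anything between runs (VGA/BIOS window, PCI and
 * APIC MMIO, reserved ACPI areas) is a hole that must never be read. */
typedef struct { uint64_t BasePage; uint64_t PageCount; } PHYSICAL_MEMORY_RUN;
typedef struct { uint32_t NumberOfRuns; const PHYSICAL_MEMORY_RUN *Run; } PHYSICAL_MEMORY_DESCRIPTOR;

/* Constructed layout (hypothetical, not read from a real machine):
 * run 0 = 0x00000000..0x0009F000 (conventional memory)
 * run 1 = 0x00100000..0x7FF00000 (main RAM); 0xA0000..0xFFFFF and
 * everything above 0x7FF00000 are device windows. */
static const PHYSICAL_MEMORY_RUN sample_runs[] = { { 0x0, 0x9F }, { 0x100, 0x7FE00 } };
static const PHYSICAL_MEMORY_DESCRIPTOR sample_desc = { 2, sample_runs };

/* Is the page containing physical address pa backed by RAM? */
int pm_is_ram(const PHYSICAL_MEMORY_DESCRIPTOR *d, uint64_t pa)
{
    uint64_t pfn = pa >> PAGE_SHIFT;
    for (uint32_t i = 0; i < d->NumberOfRuns; i++)
        if (pfn >= d->Run[i].BasePage && pfn < d->Run[i].BasePage + d->Run[i].PageCount)
            return 1;
    return 0;
}

typedef void (*scan_chunk_fn)(uint64_t pa_start, uint64_t pa_end, void *ctx);

/* Walk the window [start, end) but hand only the RAM-backed pieces to fn
 * (in a driver fn would map the piece and run the byte compare).
 * Returns the number of bytes that are actually safe to touch. */
uint64_t pm_scan_ram_only(const PHYSICAL_MEMORY_DESCRIPTOR *d, uint64_t start,
                          uint64_t end, scan_chunk_fn fn, void *ctx)
{
    uint64_t scanned = 0;
    for (uint32_t i = 0; i < d->NumberOfRuns; i++) {
        uint64_t rs = d->Run[i].BasePage << PAGE_SHIFT;
        uint64_t re = rs + (d->Run[i].PageCount << PAGE_SHIFT);
        uint64_t cs = rs > start ? rs : start;   /* clip the run to the window */
        uint64_t ce = re < end ? re : end;
        if (cs >= ce) continue;                  /* run lies outside the window */
        if (fn) fn(cs, ce, ctx);
        scanned += ce - cs;
    }
    return scanned;
}

static void print_chunk(uint64_t s, uint64_t e, void *ctx)
{ (void)ctx; printf("scan %#llx-%#llx\n", (unsigned long long)s, (unsigned long long)e); }

int main(void)
{
    uint64_t n = pm_scan_ram_only(&sample_desc, 0, 0x80000000ULL, print_chunk, NULL);
    printf("%llu bytes of the 2 GiB window are RAM; 0xFEE00000 is RAM? %d\n",
           (unsigned long long)n, pm_is_ram(&sample_desc, 0xFEE00000ULL));
    return 0;
}
```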

    ^DAEMON^



    References:

    [a] http://invisiblethings.org/tools/modGREPER/changelog.txt

    [b] http://duartes.org/gustavo/blog/post/motherboard-chipsets-memory-map

    [c] http://www.uruk.org/orig-grub/mem64mb.html

    Updated March 30th, 2011 at 06:48 by ^DAEMON^
