3

I would like to read from Physical Memory in Windows 7 64 bit in Delphi, Assembly. How can I read from Physical memory?

1 Answer

2

Because of virtual memory protection on Windows, you cannot read from physical memory from user space. In order to read from physical memory you need to be executing code in kernel space.

David Heffernan
  • How can I execute my code in kernel space? – Mandy Taylor Apr 17 '13 at 08:44
  • 3
    You need to write a device driver. And that pretty much rules out Delphi. Device drivers are invariably written in C and/or assembler. Nowadays, mostly C. – David Heffernan Apr 17 '13 at 08:45
  • 2
    One way is to write a device driver. Perhaps someone already wrote a Windows driver which replicates the functionality of Linux/Unix `/dev/mem`. Load it, then write the program to open the driver interface and read. – wallyk Apr 17 '13 at 08:47
  • @wallyk That's certainly a plausible option. – David Heffernan Apr 17 '13 at 08:49
  • My program has to run in kernel mode. Should I write a device driver? It is very hard. But how can I run my program in kernel mode in RING0? Will it be good? – Mandy Taylor Apr 17 '13 at 08:52
  • 4
    We cannot teach you kernel mode programming in comments. What's more, your program is never going to run in kernel mode. You would need to learn C and then understand kernel mode programming, which is quite different from user space. I think I answered the question that you asked. – David Heffernan Apr 17 '13 at 09:01
  • @MandyTaylor Delphi may not be up to the task of creating a device driver, but it seems FreePascal is: http://wiki.freepascal.org/Target_NativeNT –  Apr 17 '13 at 10:51
  • 2
    What about \Device\PhysicalMemory? I have used this object to read from physical memory years ago, not sure that it still exists. – Roman Yankovsky Apr 17 '13 at 13:26
  • 1
    @RomanYankovsky It would appear to be available only in kernel mode – David Heffernan Apr 17 '13 at 13:31
  • 1
    No, opening anything under `\Device` is just tricky but possible from the user-mode. @Roman Yankovsky, great idea, actually. – OnTheFly Apr 17 '13 at 13:55
  • @user539484 How do you do it? – David Heffernan Apr 17 '13 at 14:05
  • Well, you can access things from user/application space if you have something at the kernel level remove the restrictions and map the physical space to your user space. Real easy to do in Linux, was real easy to do with older Windows using a giveio approach (for I/O mapped items), have not needed to do it since (in Windows). – old_timer Apr 17 '13 at 18:27
  • @dwelch Do you think my answer is incorrect? Do you think that a user mode process can read physical memory? I note that the downvote arrived with your comment, so I'm assuming that you think my answer is not correct. I always like to learn, so if I'm not correct tell me. – David Heffernan Apr 17 '13 at 18:33
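
The user/kernel boundary described in the answer can be checked from Delphi on the asker's platform. The console program below is an added example, not code from the answer or from any commenter: it asks the native API for the `\Device\PhysicalMemory` section mentioned in the comments and reports the resulting NTSTATUS. User-mode opens of that section have been refused since Windows Server 2003 SP1, so an access-denied status confirms the boundary is in force. The `TNt...` record types and the program name are local declarations made for this example.

```delphi
program ProbePhysicalMemory;
{$APPTYPE CONSOLE}
uses
  Windows, SysUtils;

type
  NTSTATUS = LongInt;
  TNtUnicodeString = record          // native UNICODE_STRING
    Length, MaximumLength: Word;     // sizes in bytes, not characters
    Buffer: PWideChar;
  end;
  PNtUnicodeString = ^TNtUnicodeString;
  TNtObjectAttributes = record       // native OBJECT_ATTRIBUTES
    Length: ULONG;
    RootDirectory: THandle;
    ObjectName: PNtUnicodeString;
    Attributes: ULONG;
    SecurityDescriptor, SecurityQualityOfService: Pointer;
  end;

const
  OBJ_CASE_INSENSITIVE = $40;
  STATUS_ACCESS_DENIED = $C0000022;

function NtOpenSection(out SectionHandle: THandle; DesiredAccess: ACCESS_MASK;
  var ObjectAttributes: TNtObjectAttributes): NTSTATUS; stdcall; external 'ntdll.dll';
function NtClose(Handle: THandle): NTSTATUS; stdcall; external 'ntdll.dll';

var
  Name: WideString;
  UName: TNtUnicodeString;
  Attr: TNtObjectAttributes;
  Section: THandle;
  Status: NTSTATUS;
begin
  Name := '\Device\PhysicalMemory';
  UName.Length := Length(Name) * SizeOf(WideChar);
  UName.MaximumLength := UName.Length + SizeOf(WideChar);
  UName.Buffer := PWideChar(Name);
  FillChar(Attr, SizeOf(Attr), 0);
  Attr.Length := SizeOf(Attr);
  Attr.ObjectName := @UName;
  Attr.Attributes := OBJ_CASE_INSENSITIVE;

  // Request read-only mapping rights; only the open itself is tested.
  Status := NtOpenSection(Section, SECTION_MAP_READ, Attr);
  if Status >= 0 then
  begin
    Writeln('Section opened: this system exposes it to user mode.');
    NtClose(Section);
  end
  else if Cardinal(Status) = STATUS_ACCESS_DENIED then
    Writeln('STATUS_ACCESS_DENIED: user-mode access is blocked.')
  else
    Writeln('NtOpenSection failed, NTSTATUS 0x' + IntToHex(Status, 8));
end.
```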