5

I would like to be able to plug in a physical address, and read the data stored at that address.

Under Linux, I would use /dev/mem to acquire this data. Under Windows 8, I'm not sure what mechanism is available to do this.

My use case is inspecting a PCI Express device. The PCI Express device creates a ring buffer at a known address that I can determine from the PCIe BAR. Once this address has been set, it won't change until the computer restarts.

Currently, I can use applications like RW Everything to see the data there, but I would like to be able to do this without user interaction (without the GUI) so that I have fewer issues with the ring buffers wrapping before I can access the data.

Does anyone know if there is a privileged Windows system call I can make from userspace (to mmap a region for example) or do I need to use a custom kernel module to do this? I imagine that there is some way to do it without a custom kernel module, because I don't believe I installed one when I installed RW Everything.

Bill Lynch
  • @AndrewMedico: Except for one thing. That user's actual goal is to read a process's memory. So he has to deal with Virtual Memory and everything that entails. I have no need for that. The memory I want to access is locked in place. – Bill Lynch May 19 '14 at 21:28
  • You would need a kernel driver (and admin rights to install it), such as WinIO, found here: http://www.internals.com/ (with source). If you only need to read SMBIOS data (in your PCI case), it is mapped in the registry here: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mssmbios\Data and maybe that's good enough, or you can also use WMI or Windows API: http://msdn.microsoft.com/en-us/library/windows/desktop/ms724259(v=vs.85).aspx – Simon Mourier May 20 '14 at 12:10
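The question depends on taking the ring buffer's physical address from the device's PCIe BAR. As an added example (not from the question or either answer), here is a small C decoder for the six BARs of a type-0 configuration header. It applies the PCI BAR flag layout (bit 0 selects I/O vs. memory space, bits 2:1 give the 32-bit/64-bit type, bit 3 marks a memory BAR prefetchable), joins a 64-bit BAR's two dwords, and masks the flag bits off to recover the base. The configuration bytes are a constructed sample for a hypothetical device, not read from real hardware, and `build_sample_header`/`decode_sample` are helpers invented for this illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <inttypes.h>

#define PCI_BAR0_OFFSET     0x10   /* BAR0 starts at byte 0x10 of the header */
#define PCI_TYPE0_NUM_BARS  6      /* type-0 (endpoint) headers carry six BARs */
#define PCI_HEADER_LEN      0x40

enum bar_kind { BAR_NONE = 0, BAR_IO, BAR_MEM32, BAR_MEM64 };

struct bar_info {
    enum bar_kind kind;
    int index;          /* BAR slot 0..5; a 64-bit BAR also consumes slot index+1 */
    int prefetchable;   /* memory BARs only */
    uint64_t base;      /* physical (or I/O port) base with the flag bits masked off */
};

static uint32_t rd32(const uint8_t *cfg, size_t off)
{
    /* configuration space is little-endian */
    return (uint32_t)cfg[off] | ((uint32_t)cfg[off + 1] << 8) |
           ((uint32_t)cfg[off + 2] << 16) | ((uint32_t)cfg[off + 3] << 24);
}

static void wr32(uint8_t *cfg, size_t off, uint32_t v)
{
    cfg[off] = (uint8_t)v;             cfg[off + 1] = (uint8_t)(v >> 8);
    cfg[off + 2] = (uint8_t)(v >> 16); cfg[off + 3] = (uint8_t)(v >> 24);
}

/* Decode the BARs of a type-0 header. Returns the number of BARs written to out.
 * A BAR that reads as zero is treated as unimplemented; a 32-bit memory BAR that
 * was really assigned base 0 would look identical, and telling the two apart needs
 * the write-all-ones sizing probe, which this offline decoder deliberately skips. */
size_t decode_bars(const uint8_t *cfg, size_t cfg_len, struct bar_info *out, size_t max)
{
    size_t n = 0;
    if (cfg_len < PCI_BAR0_OFFSET + 4u * PCI_TYPE0_NUM_BARS)
        return 0;
    for (int i = 0; i < PCI_TYPE0_NUM_BARS && n < max; i++) {
        uint32_t v = rd32(cfg, PCI_BAR0_OFFSET + 4u * (size_t)i);
        if (v == 0)
            continue;
        struct bar_info b = { BAR_NONE, i, 0, 0 };
        if (v & 1u) {                          /* bit 0 = 1: I/O space (bit 1 reserved) */
            b.kind = BAR_IO;
            b.base = v & ~0x3u;
        } else {
            unsigned type = (v >> 1) & 0x3u;   /* bits 2:1: 00 = 32-bit, 10 = 64-bit */
            b.prefetchable = (int)((v >> 3) & 1u);
            if (type == 0x2) {
                if (i + 1 >= PCI_TYPE0_NUM_BARS)
                    break;                     /* malformed: upper half would be past BAR5 */
                uint32_t hi = rd32(cfg, PCI_BAR0_OFFSET + 4u * (size_t)(i + 1));
                b.kind = BAR_MEM64;
                b.base = ((uint64_t)hi << 32) | (v & ~0xFu);
                i++;                           /* the next slot held the upper 32 bits */
            } else if (type == 0x0) {
                b.kind = BAR_MEM32;
                b.base = v & ~0xFu;
            } else {
                continue;                      /* reserved type encodings 01 and 11 */
            }
        }
        out[n++] = b;
    }
    return n;
}

/* Constructed sample header (hypothetical device, not captured from hardware):
 * BAR0:      32-bit non-prefetchable memory at 0xFE000000
 * BAR1:      I/O ports at 0xE000
 * BAR2+BAR3: 64-bit prefetchable memory at 0x10_0000_0000
 * BAR4/BAR5: unimplemented */
void build_sample_header(uint8_t cfg[PCI_HEADER_LEN])
{
    for (size_t i = 0; i < PCI_HEADER_LEN; i++) cfg[i] = 0;
    wr32(cfg, PCI_BAR0_OFFSET + 0x0, 0xFE000000u);
    wr32(cfg, PCI_BAR0_OFFSET + 0x4, 0x0000E001u);
    wr32(cfg, PCI_BAR0_OFFSET + 0x8, 0x0000000Cu);   /* type 10b + prefetchable, low dword */
    wr32(cfg, PCI_BAR0_OFFSET + 0xC, 0x00000010u);   /* high dword */
}

size_t decode_sample(struct bar_info *out, size_t max)
{
    uint8_t cfg[PCI_HEADER_LEN];
    build_sample_header(cfg);
    return decode_bars(cfg, sizeof cfg, out, max);
}

int main(void)
{
    struct bar_info bars[PCI_TYPE0_NUM_BARS];
    size_t n = decode_sample(bars, PCI_TYPE0_NUM_BARS);
    static const char *names[] = { "none", "io", "mem32", "mem64" };
    for (size_t k = 0; k < n; k++)
        printf("BAR%d: %-5s base=0x%" PRIx64 "%s\n", bars[k].index, names[bars[k].kind],
               bars[k].base, bars[k].prefetchable ? " prefetchable" : "");
    return 0;
}
```

On a real machine the 64 header bytes would come from whatever configuration-space reader the platform exposes; the decoder itself only depends on the byte layout, which is why the sample runs offline. The base it yields is still a physical address, so actually reading the ring buffer behind it is subject to the restriction the accepted answer describes.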

2 Answers

8

Since Windows Server 2003 SP1, user-mode access to physical memory has not been possible. You will have to develop a driver to do it (or find a third-party tool that includes one).

From Technet:

In Windows Server 2003 SP1, user-mode access to the \Device\PhysicalMemory object is not permitted. All forms of access (read, write) are refused when the \Device\PhysicalMemory object is accessed from a user-mode application. Access to the \Device\PhysicalMemory object is refused regardless of the user context (Administrators, Users, Local System, etc.) the application is running in.

nobody
  • Thank you for the depressing, yet correct, answer. I've started using WinIO (as suggested by Simon Mourier) to provide the kernel driver to do this work. – Bill Lynch May 21 '14 at 20:53
2

There is a lot of Windows software for accessing physical memory; however, much of it cannot access physical memory on Windows Vista or 7 because of the physical memory protection feature in these OSs.

There are many Windows tools similar to Unix's /dev/mem, such as:

  • Belkasoft Live RAM Capturer
  • WindowsSCOPE Pro and Ultimate, available at http://www.windowsscope.com
  • WindowsSCOPE Live
  • winen.exe (Guidance Software - included with Encase 6.11 and higher)
  • Mdd (Memory DD) (ManTech)
  • MANDIANT Memoryze
  • Kntdd
  • Moonsols
  • HBGary
  • FTK Imager
  • OSForensics
  • WinPmem; and
  • Windows Memory Reader

Check this wiki for more info: http://www.forensicswiki.org/wiki/Tools:Memory_Imaging

Shadi Alnamrouti