How do you read directly from physical memory?

2021-12-21 00:00:00 windows memory c c++ readprocessmemory

In C or C++ (Windows), how do you read RAM by giving a physical (not virtual) address? That means without going through the virtual memory system (MMU tables) or being tied to one process.

I already know the API ReadProcessMemory, which reads from RAM (used by most trainers), but it is only for a specific process.

I searched MSDN and found that \Device\PhysicalMemory seems to offer this possibility, but I found no practical example, and this feature seems to have been turned off by Windows service packs (to fix some vulnerability).

I know it is possible because WinHex does it (if you choose "Tools" > "Open RAM" > "Physical Memory"). It will then display the RAM contents from 0x00000000 to your_ram_size just as when you open an ordinary file. It requires administrator rights, but there is no driver to install (which means WinHex does it from user mode).

EDIT: added information about the OS.

Recommended answer

You would have to write a kernel-mode driver and use memory manager functions to map the physical memory range into your kernel driver's system space, then export the functionality to a user-mode API or another driver.

After Windows 98 it is not possible in most cases to access physical memory from user mode. As others have put it, this is so that any old program can't just destroy people's computers. You would have to write a kernel driver, which can only be installed if it is signed and first loaded into the Windows store. This alone is not a simple process like linking a DLL.

In summary, MmAllocateContiguousMemory() is a Windows kernel-mode function which maps contiguous physical memory to system memory and is part of ntoskrnl.exe.

Also, you cannot call these APIs from user-mode applications. Only drivers can use them. User-mode applications CANNOT access physical memory without the help of a driver. The driver can either handle requests from the user API or use IOCTLs and map its resources into the API's virtual memory. Either way you will need the help of a driver, which has to be installed by the Plug and Play manager. PnP has to choose to install the driver on its own, either by hardware activation (i.e. hot plug) or some other method like a bus driver that is always on.

Further, Windows randomly assigns virtual addresses so that it is not easily possible to discern any pattern or work out their physical location.
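
The driver-side mapping the answer describes, as an added example that is not part of the original question or answer. It uses MmMapIoSpace (which maps an existing physical range into system space) inside an IRP_MJ_DEVICE_CONTROL handler, and puts the request validation a driver of this kind must do in a plain C function. The device name, the IOCTL_PHYSMEM_READ control code, the PHYSMEM_READ_REQUEST layout and the PHYSMEM_MAX_READ cap are all assumptions made for this example; the validation part compiles anywhere, the handler only under the WDK with PHYSMEM_DRIVER defined.

```c
/* Added example (not from the original post). Kernel side of a
 * "read physical memory" driver: validate the request, map the physical
 * range with MmMapIoSpace, copy it to the caller, unmap. All names are
 * hypothetical; only the validation helper compiles outside the WDK. */
#ifdef PHYSMEM_DRIVER
#include <ntddk.h>
#endif
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>

#ifndef CTL_CODE   /* same definition as winioctl.h, so this builds without it */
#define CTL_CODE(DeviceType, Function, Method, Access) \
    (((DeviceType) << 16) | ((Access) << 14) | ((Function) << 2) | (Method))
#define FILE_DEVICE_UNKNOWN 0x22
#define METHOD_BUFFERED     0
#define FILE_READ_ACCESS    1
#endif

/* Hypothetical control code: copy bytes at a physical address to the output buffer. */
#define IOCTL_PHYSMEM_READ CTL_CODE(FILE_DEVICE_UNKNOWN, 0x800, METHOD_BUFFERED, FILE_READ_ACCESS)

#define PHYSMEM_MAX_READ (64u * 1024u)   /* per-request cap; an assumed policy */

typedef struct {
    uint64_t phys_addr;   /* physical address to start reading at */
    uint32_t length;      /* number of bytes wanted */
} PHYSMEM_READ_REQUEST;

/* Reject what the driver must never honour: empty or oversized reads, an
 * address range that wraps past the end of the address space, or an output
 * buffer smaller than the requested length (which would overrun the caller).
 * Returns true only when the request is safe to map and copy. */
bool physmem_request_ok(const PHYSMEM_READ_REQUEST *req, size_t out_buf_len)
{
    if (req->length == 0 || req->length > PHYSMEM_MAX_READ) return false;
    if (req->phys_addr > UINT64_MAX - req->length) return false;   /* end wraps */
    if (out_buf_len < req->length) return false;                   /* caller overrun */
    return true;
}

#ifdef PHYSMEM_DRIVER
/* IRP_MJ_DEVICE_CONTROL handler. With METHOD_BUFFERED the I/O manager has
 * already copied the user input into Irp->AssociatedIrp.SystemBuffer, which
 * is also where the output goes, so the request is read once from kernel
 * memory and there is no user pointer to re-check later. */
NTSTATUS PhysmemDeviceControl(PDEVICE_OBJECT DeviceObject, PIRP Irp)
{
    PIO_STACK_LOCATION sp = IoGetCurrentIrpStackLocation(Irp);
    NTSTATUS status = STATUS_INVALID_PARAMETER;
    ULONG_PTR info = 0;
    UNREFERENCED_PARAMETER(DeviceObject);

    if (sp->Parameters.DeviceIoControl.IoControlCode == IOCTL_PHYSMEM_READ &&
        sp->Parameters.DeviceIoControl.InputBufferLength >= sizeof(PHYSMEM_READ_REQUEST)) {
        PHYSMEM_READ_REQUEST req = *(PHYSMEM_READ_REQUEST *)Irp->AssociatedIrp.SystemBuffer;
        if (physmem_request_ok(&req, sp->Parameters.DeviceIoControl.OutputBufferLength)) {
            PHYSICAL_ADDRESS pa;
            pa.QuadPart = (LONGLONG)req.phys_addr;
            /* Map the physical range into system space; MmCached avoids a
             * caching-attribute conflict when the range is ordinary RAM. */
            void *va = MmMapIoSpace(pa, req.length, MmCached);
            if (va != NULL) {
                RtlCopyMemory(Irp->AssociatedIrp.SystemBuffer, va, req.length);
                MmUnmapIoSpace(va, req.length);
                info = req.length;
                status = STATUS_SUCCESS;
            } else {
                status = STATUS_INSUFFICIENT_RESOURCES;
            }
        }
    }
    Irp->IoStatus.Status = status;
    Irp->IoStatus.Information = info;
    IoCompleteRequest(Irp, IO_NO_INCREMENT);
    return status;
}
#endif
```

The user-mode side is then the usual pattern: open the driver's device object with CreateFile and send IOCTL_PHYSMEM_READ with DeviceIoControl, passing a PHYSMEM_READ_REQUEST as input and a buffer of at least req.length bytes as output. A driver like this hands arbitrary physical memory to whoever can open its device, so the device object must be created with an ACL that limits it to administrators (or a narrower group), and the driver should never be left installed on a machine where it is not needed.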
