How to monitor a memory address (read/write)?

  • Question

  • Hello,

    I need to monitor a physical memory address for writing and reading.  It should be a sort of filter driver.

    Which example from the DDK is the best to start with?

    Thanks

    Eli

    Wednesday, January 29, 2014 10:29 AM

Answers

  • There is no support in Windows for this capability.   There is debugger support for memory breakpoints, but no ability to catch this on a normally running system.  What bigger problem are you trying to solve?


    Don Burn Windows Filesystem and Driver Consulting Website: http://www.windrvr.com Blog: http://msmvps.com/blogs/WinDrvr

    Wednesday, January 29, 2014 12:23 PM

All replies

  • Hello Don and thanks for your reply,

    I'm trying to monitor device drivers that write to a certain address (to a certain hardware) without going via a standard driver.

    This problem was observed more than once and I want to write a filter driver to monitor it.

    Thanks again,

    Eli

    Wednesday, January 29, 2014 12:47 PM
  • Memory breakpoints could potentially do this, but it will slow things down a lot. This sort of thing can be a pain; I have had to debug situations like this where people accessed the PCI configuration space registers.


    Don Burn Windows Filesystem and Driver Consulting Website: http://www.windrvr.com Blog: http://msmvps.com/blogs/WinDrvr

    Wednesday, January 29, 2014 1:43 PM
  • Don,

    I can skip the breakpoints.  It is enough to write to debug port /DbgPrint. 

    The only thing is that I need a starting point of which driver to filter in order to monitor this physical memory area.

    Thanks

    Eli

    Wednesday, January 29, 2014 1:49 PM
  • That is a problem; there is no good way to identify which driver is non-compliant. This is why I suggested breakpoints: you can set a processor breakpoint (ba command) with a command string that continues if the memory reference is coming from the driver you expect to access this memory.

    As I say it will be slow.  The only other possibility is to disable drivers (start with the ones that are non-Microsoft) and see if the problem goes away.  This is not guaranteed to find the problem, since removing a driver may just cause the offending driver to write to a different location.


    Don Burn Windows Filesystem and Driver Consulting Website: http://www.windrvr.com Blog: http://msmvps.com/blogs/WinDrvr

    Wednesday, January 29, 2014 1:57 PM
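
An added example, not part of Don Burn's reply: a WinDbg kernel-debugger session showing the conditional `ba` breakpoint described above. The addresses and the module name `expecteddrv` are constructed placeholders, and it assumes the watched location is reachable at a known kernel virtual address, since `ba` takes virtual addresses.

```windbg
* Constructed placeholders, replace with values from your own session:
*   fffff880`04a01000  kernel virtual address of the watched location (assumption)
*   fffff880`03c00000 .. fffff880`03c2f000  image range of the expected driver
* Show the start and end addresses of the driver that is allowed to write.
lm m expecteddrv
* Break on 4-byte writes. Continue silently (gc) when the writer is inside the
* expected driver; otherwise print a marker, the instruction pointer and the stack.
ba w4 fffff880`04a01000 ".if (@rip >= fffff880`03c00000 and @rip < fffff880`03c2f000) {gc} .else {.echo unexpected writer; r rip; kb}"
g
```

A data breakpoint fires after the access completes, so `rip` points at the instruction following the write; the stack from `kb` identifies the calling module.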
  • Is there a central place to monitor all READ_PORT_UCHAR, WRITE_PORT_UCHAR commands? I assume there is no "memory.sys" driver to filter. Or is there one?

    Thanks

    Eli

    Wednesday, January 29, 2014 2:30 PM
  • Unfortunately there is no place for this.  You can put a breakpoint on the exported functions, but these can also be inline.  Search for the functions in WDK include files and you can see the problem.


    Don Burn Windows Filesystem and Driver Consulting Website: http://www.windrvr.com Blog: http://msmvps.com/blogs/WinDrvr

    Wednesday, January 29, 2014 2:42 PM
  • OK.

    I'll have to think about a creative way to bypass it.

    Thanks,

    Eli

    Wednesday, January 29, 2014 2:45 PM