How to dump memory using kernel mode driver?

  • Question

  • I am trying to create a tool for dumping physical memory with the help of a device driver. The memory manager routines can be called from the driver to get access to RAM.

    I am working on a Windows 7 32-bit machine with VS 2015 and WDK 10.

    Please help me to create such a driver.

    Monday, February 1, 2016 7:05 AM

Answers

  • You need to read HKEY_LOCAL_MACHINE\HARDWARE\RESOURCEMAP\System Resources; this will get you the memory regions.  If you search the web you can find some data.  Once you have the regions, MmMapIoSpace should allow you to map things in chunks, then you can use the mapped memory to write a file.

    Of course this will still have all the problems of not being consistent etc.; perhaps a simpler solution is to call KeBugCheck to crash the system with dump files enabled.


    Don Burn Windows Driver Consulting Website: http://www.windrvr.com

    Tuesday, February 2, 2016 4:12 PM
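As an added example (not the poster's code and not from any Microsoft sample), a user-mode C parser for the REG_RESOURCE_LIST blob held in the `Physical Memory\.Translated` value under that key: it assumes the CM_RESOURCE_LIST layout from wdm.h, with 16-byte partial descriptors on 32-bit Windows and 20-byte ones on 64-bit (the KAFFINITY width differs), and goes a little beyond the reply by also decoding the CmResourceTypeMemoryLarge entries a machine with more than 4 GB reports. The sample blob is constructed, not captured from a real machine.

```c
#include <stdint.h>
#include <stddef.h>

struct mem_range { uint64_t start; uint64_t length; };   /* one decoded RAM range */

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | ((uint32_t)rd16(p + 2) << 16); }
static uint64_t rd64(const uint8_t *p) { return rd32(p) | ((uint64_t)rd32(p + 4) << 32); }

/* Decode a REG_RESOURCE_LIST blob (CM_RESOURCE_LIST -> CM_FULL_RESOURCE_DESCRIPTOR[] ->
 * CM_PARTIAL_RESOURCE_DESCRIPTOR[]) into physical-memory ranges. desc_size is 16 on
 * 32-bit Windows and 20 on 64-bit. Returns the count, or -1 if the blob is truncated or
 * out[] is too small: every offset is bounds-checked, a corrupt blob must not be trusted. */
int parse_physical_memory_ranges(const uint8_t *blob, size_t len, size_t desc_size,
                                 struct mem_range *out, int max_out)
{
    if (len < 4 || desc_size < 16) return -1;
    uint32_t full_count = rd32(blob); size_t off = 4; int n = 0;
    for (uint32_t i = 0; i < full_count; i++) {
        if (off + 16 > len) return -1;  /* InterfaceType, BusNumber, Version, Revision, Count */
        uint32_t part_count = rd32(blob + off + 12);
        off += 16;
        for (uint32_t j = 0; j < part_count; j++, off += desc_size) {
            if (off + desc_size > len) return -1;
            uint8_t type = blob[off];              uint16_t flags = rd16(blob + off + 2);
            uint64_t start = rd64(blob + off + 4); uint64_t length = rd32(blob + off + 12);
            if (type == 7) {                       /* CmResourceTypeMemoryLarge: Length is scaled */
                if (flags & 0x0200) length <<= 8;        /* CM_RESOURCE_MEMORY_LARGE_40 */
                else if (flags & 0x0400) length <<= 16;  /* CM_RESOURCE_MEMORY_LARGE_48 */
                else if (flags & 0x0800) length <<= 32;  /* CM_RESOURCE_MEMORY_LARGE_64 */
            } else if (type != 3) {                /* not CmResourceTypeMemory: port, IRQ, DMA... */
                continue;
            }
            if (n >= max_out) return -1;
            out[n].start = start; out[n].length = length; n++;
        }
    }
    return n;
}

/* Constructed sample blob (32-bit layout, not captured from a real machine): one full descriptor
 * holding 0x1000+0x9E000, 0x100000+0x7FEF0000 and a LARGE_40 entry of 2 GiB starting at 4 GiB. */
const uint8_t kSampleBlob[] = {
    0x01,0,0,0,  0,0,0,0,  0,0,0,0,  0x01,0x00,0x01,0x00,  0x03,0,0,0,
    0x03,0x01,0x00,0x00,  0x00,0x10,0,0,0,0,0,0,      0x00,0xE0,0x09,0x00,
    0x03,0x01,0x00,0x00,  0x00,0x00,0x10,0,0,0,0,0,   0x00,0x00,0xEF,0x7F,
    0x07,0x01,0x00,0x02,  0,0,0,0,0x01,0,0,0,         0x00,0x00,0x80,0x00,
};
const size_t kSampleBlobLen = sizeof kSampleBlob;
```

A driver that then maps these ranges with MmMapIoSpace should map only what this list reports and check the blob against the length returned by ZwQueryValueKey, since passing the wrong descriptor size or a short buffer is what the -1 return is there to catch.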

All replies

  • What problem are you really trying to solve?  Getting a consistent dump of physical memory is a very challenging problem.

    Understand that unless you do something to coordinate all the processors you will not have a snapshot of the memory at a given moment, but instead may have pages that reflect different points in time, i.e. a kernel table might be captured without a pointer being updated to memory that was updated after the pointer was.

    You also need to understand that physical memory is in a number of regions, and that with some machines memory can be hot-plugged into the system adding to the physical memory on the fly.  The calls to get the memory regions are undocumented.

    Finally, you should think about security since this tool would allow someone to get at the memory of a number of processes; Microsoft used to have a memory device to read physical memory from user space and removed it because of security.

    So please tell us what you really need to do; the current problem is a challenge and hopefully understanding the actual goal will make it easier.


    Don Burn Windows Driver Consulting Website: http://www.windrvr.com

    Monday, February 1, 2016 12:16 PM
  • I had to do this once, and as Don wrote, it is very difficult. Basically, if you have to ask how, then you do not have the necessary skills - and this is definitely not something that can be taught in the forum.

     -Brian


    Azius Developer Training www.azius.com Windows device driver, internals, security, & forensics training and consulting. Blog at www.azius.com/blog

    Monday, February 1, 2016 12:27 PM
    Moderator
  • Actually I am doing it for my project. My aim is only to dump contents from RAM and not to perform any malicious activity. The dump is for forensic analysis. I know there are tools available for dumping physical memory. I am also looking to make such a tool. But I barely know about Windows kernel structure and memory manager routines.
    Tuesday, February 2, 2016 4:54 AM
  • That's true.
    Tuesday, February 2, 2016 4:54 AM