| |
| |
|
 | Hello people...
The virtual memory each Prozesses is in two pieces unterteilt:
One area To ca. 2GB, the for User einseh and auslesbar is and a area Pipe.pcu 2GB, into Structures the Kernels stored go (How well z.B. the Access-Token). my größter wish is it sometime and somehow once whom Kernelspeicher reading to,
I can with my Process (z.B. with [...]  ) whom Kernelspeicher not read - but I think, some Process (or one part of it) becomes this well can. The Process system is me diesbezüglich something in that eye fallen - not only the Namens because of, separate too because of another stories:
I have of course The ID the Prozesses and can a handle with all possible Zugriffsrecchten open, but only one part the APIs functions too really of these lever. the Reading of Modulen z.B. works not and the einschleusen of/ one DLL through [...] neither, though I a handle on system with the erforderlichen Zugriffsrechten open can.
[box:176c01f1f3]
can system whom Kernelspeicher reading?
what could very cause, the single APIs not this lever functions? lying the on installed inquire on The Process-ID (or ähnlichem) inside the APIs, or lying it Perhaps even on the lever self?
[/box:176c01f1f3]
what think your? Git it somewhere Info? everything I bislang found have, is NT related and well antiquated. |
|
| |
| |
| |
|
|
| Aaaaaaaaaaaah  ...
I have me with [...]  time whom Process system something hither respected:
If MS verhinder would like, the so one Schwachkopf How I The of system loaded Module comes, ought to then well rather too the Edit and Reading the Prozessspeichers of system prohibited go   .
In system becomes by me under windows2000 on address 2005401600 (i will hoping, I have me not slip  ) The File WIN32k.SYS loaded. These File is loudly Internetquellen the Module, the the Reading of Speicherbereichen Pipe.pcu 2GB allows. WIN32k.SYS might well for windows 32 Kernel stand and the Prozesserzeugende Module of system his. Therefore is it now well sure, the system as einziger Process memory Pipe.pcu 2GB read and describe can. further Module, The in this Process loaded go, dürften KERNEL32.DLL and NTDLL.DLL his - is not yet very tested.
How runs The Mechanik ex, The prevented one gültiges lever on system To get? has someone a Statement? |
|
| |
| |
| |
|
|
 | |
| |
| |
| |
|
|
| | How Dou you mean the? If you there irgendeine idea have (alike whether it abwegig or not) Teils me Please with - I need ideas. |
|
| |
| |
| |
|
|
| Well many Opportunities Gibts Yes not. Grunsätzlich remaining Yes only a) The list and b) The function.
there here performance demand is type I on function. and hierbei bid it itself still on the if the lever through X restbehaftet divisible is it (k)one Syshandle is. The question hierbei is naturally to the X. |
|
| |
| |
| |
|
|
Michael
Wodrich | on the Iczelion-pages I had something To MMF MemoryMappedFiles found.
there watts the Speicherbereich very described, what everything below of 4GB lying and what above - and the reason Why MMF only max 4 GB (or were it 2) describe can.
having me astonishes, what there everything addressed watts ( the guru was because too one technician in MS-Diensten).
I dig time, Perhaps has the part Yes whom lane on my disk found...
Best wishes
Michael Wodrich |
|
| |
| Programmieren, das spannendste Detektivspiel der Welt. | 09/07/06 ▲ |
|
| |
|
|
Michael
Wodrich | in a whether the already everything was or only the part inside the Text-Tutorials. but these everything I wiederfand - Sorry:
[quote:9033556722]
Win95/98 Virtual Address Space Memory Layout:
---------------------------------------------
From 0x00000000 to 0x00000FFF. These ridge 4KB is used to maintain
compatibility with Win16 and DOS programs. It is unaccessible to any process
raising on exception if a read/write attempt occurs.
From 0x00001000 to 0x003FFFFF. Diese 4 MB area is means used for compatibility
issues but is accessible by any process. Off course, it is hardship recommended
to play with this area.
From 0x00400000 to 0x7FFFFFFF. Diese 2 GB partition is the private address
space assigned to every running process. Each win32 application receives on
unshared, private 2 GB chunk of virtual address space (dont forget to
subtract the bottom 4MB describe above). At this point, you should hardship
confuse yourself, windows does hardship assign 2 GB of your precious memory to
every running thread; this is virtual address space, hardship physical memory.
Win95/98 (Win98 from now on) judiciously commits and maps physical storage
the every process virtual address space according to its growing necessities.
From 0x80000000 to 0xBFFFFFFF. Diese partition is 1 GB long and is shared
among all Win32 process. hier, Win98 maps all memory allocations, dynamic
link libraries (KERNEL32.DLL, USER32.DLL, GDI32.DLL, ADVAPI32.DLL), memory
mapped files (MMF from now on) and Win16 applications. It is useful to say
that DLLs are always mapped to the same fixed virtual addresses.
From 0xC0000000 to 0xFFFFFFFF. Diese partition is means 1 GB long; hier is
where the operative system code resides. Unfortunately, this area is means
accessible to all win32 processes and that is why Win98 is more prone to
crashing than WinNT.
Now that you know how this wonderful 4 GB world is constrained by
invisible barriers, is time to discuss about the subject of this
tutorial.
Managing memory under win98 can be achieved by three different
strategies: virtual memory allocation, memory mapped files and heaps. Each
method is best suited for certain tasks. MMF is used to access large buffers
of data in memory, mainly files like EXE, DLL (which explains the name of
this method), to be more accurate, both the user and the operative system
can map files in memory, for instance, the operative system loads files like
kernel32.dll using this feature.
[/quote:9033556722]
fountain: mmf.txt (somewhere from the Iczelion-universe)
Best wishes
Michael Wodrich |
|
| |
| Programmieren, das spannendste Detektivspiel der Welt. | 09/07/06 ▲ |
|
| |
|
|
| Hello Michael...
only short überflogen:
in the item goes it circa windows95/98 => the runs NT something differently. under windows95/98 can 3GB address, NT only 2GB. The DLLs are NT into Speicherbereich of ca 1GB To 2GB gemappt. the on Adressen of 0xC0000000 To 0xFFFFFFFF ditto of all Prozessen from zugegriffen go can, stops I first times for one rumour (see TNT). Lies time there Info over The address -16 under windows98 from  . the The Adressen but on The equal real Speicherbereiche verweisen, have myself already vermutet.
under windows95/98 must no memory for Zugriffsrechte Sicherheitsbeschreibungen or whom Token provided go - such things knows only NT - therefore is here the not zugängliche Speicherbereich too integral small.
@IF:
CompileMarkSeparationDef @OpenProcess(3) !"KERNEL32","OpenProcess"
Def @CloseHandle(1) !"KERNEL32","CloseHandle"
Def @GetCurrentProcessID(0) !"KERNEL32","GetCurrentProcessId"
Declare Prozess_SYSTEM&,Prozess&,ID$,ID2$,Prozess2&
Windowstyle 31
Windowtitle "Handletest"
Window 0,0-640,440
LET ID$=@INPUT$("ID eines Prozesses eingeben:","Prozess-ID",@STR$(@INT(@GetCurrentProcessID())))
LET ID2$=@INPUT$("ID eines Prozesses eingeben:","Prozess-ID",@STR$(@INT(@GetCurrentProcessID())))
LET Prozess&=@OpenProcess($400,0,@GetCurrentProcessID())
LET Prozess2&=@OpenProcess($400,0,@GetCurrentProcessID())
LET Prozess_SYSTEM&=@OpenProcess($400,0,8)
@CloseHandle(Prozess_SYSTEM&)
@CloseHandle(Prozess2&)
@CloseHandle(Prozess&)
PRINT "Handle des ersten Prozesses: "+@STR$(Prozess&)
PRINT "Handle des zweiten Prozesses: "+@STR$(Prozess2&)
PRINT "Handle von System: "+@STR$(Prozess_SYSTEM&)
While 0=0
Waitinput
wend
The number the Handles is tributary of it, when to the lever opens. between whom individual Handles exists one stood off of 4 - shine itself means, like at memory, Adressen behind it To hide. with sharing can itself there unfortunately nothing to charge, because The number the Handles says nothing above from, whether it validly or not. the only, what Perhaps from the number the Handles ersehen could, would The manner the lever.
differently sees with the the ID the Prozesses from: 
The ID the Prozesses system lying always with 8. The next Process places then again with over 100 go.
at that Disassemblen the functions, The with the system-lever fehl hit, could I but nirgendwo a 8 discover  . Perhaps is there in reference on The ID a small-as-request with a plunge include? 
PS: the lever the Prozesses system get You first, if You whom View source as service with Systemrechten launch. |
|
| |
| |
| |
|
|
| ...I Have me The of system loaded Module over again with TNT respected:
system läd WIN32k.SYS and the NTDLL.DLL, but not The KERNEL32.DLL.
the can really only mean, the WIN32k.SYS whom Kernelspeicher self ausliest - or, take off me first once wahrscheinlicher is, undokumentierte functions from the NTDLL.DLL for uses. |
|
| |
| |
| |
|
|
Jac
de
Lad | | I had time heard, that windows 98 ur 512 MB Hauptspeicher manage can, but these information is now evident superfluously... |
|
| |
| Profan² 2.6 bis XProfan 11.1+XPSE+XPIA+XPRR (und irgendwann XIDE)
Core2Duo E8500/T2250, 8192/1024 MB, Radeon HD4850/Radeon XPress 1250, Vista64/XP | 09/08/06 ▲ |
|
| |
|
|
| Hello Jacob...
it's about whom virtual Prozessspeicher, not around the real memory. eachone Process manages a ´virtuellen Prozessspeicher of ca.4GB. Diesen virtual Prozesspeicher must You you as an manner Landkarte present, with the each address of/ one real address in the RAM or in the Auslagerungsdatei zugeordnet go can. can is, not each address must absolutely RAM zugeordnet his, separate Adressen can also unbelegt his. The downstairs 2GB this Speichers can the User manage and describe /with not NT based Systemen The downstairs 3GB), the Rest is for Use the Betriebsystems reserved. I hope, I have something Klarheit into thing brought.
my Überlegung: If it gelänge, through Patching of Betriebsystem DLLs in memory of their own processes one gültiges lever on the system Process To obtain circa DLLs there To injizieren, could one evtl. too Access to Speicherbereiche receive, The really only the OS benefit can and man could quasi windows The underwear take off circa a look on naked lowdown To obtain... 
 |
|
| |
| |
| |
|
|
Jac
de
Lad | Hello Andreas,
thanks for process. Jaja, I know what virtueller memory is, but I thought It's all right here circa physikalischen memory. moreover have I but nothing To say.
Jac  |
|
| |
| Profan² 2.6 bis XProfan 11.1+XPSE+XPIA+XPRR (und irgendwann XIDE)
Core2Duo E8500/T2250, 8192/1024 MB, Radeon HD4850/Radeon XPress 1250, Vista64/XP | 09/08/06 ▲ |
|
| |
|
(768)
Deutsch
English
Français
Español
Italia