English
Forum

Speicherbereiche Pipe.pcu 2GB read?

 
- Page 1 -


Hello people...

The virtual memory each Prozesses is in two pieces unterteilt:
One area To ca. 2GB, the for User einseh and auslesbar is and a area Pipe.pcu 2GB, into Structures the Kernels stored go (How well z.B. the Access-Token). my größter wish is it sometime and somehow once whom Kernelspeicher reading to,

I can with my Process (z.B. with [...] ) whom Kernelspeicher not read - but I think, some Process (or one part of it) becomes this well can. The Process system is me diesbezüglich something in that eye fallen - not only the Namens because of, separate too because of another stories:
I have of course The ID the Prozesses and can a handle with all possible Zugriffsrecchten open, but only one part the APIs functions too really of these lever. the Reading of Modulen z.B. works not and the einschleusen of/ one DLL through [...]  neither, though I a handle on system with the erforderlichen Zugriffsrechten open can.

[box:176c01f1f3]
can system whom Kernelspeicher reading?

what could very cause, the single APIs not this lever functions? lying the on installed inquire on The Process-ID (or ähnlichem) inside the APIs, or lying it Perhaps even on the lever self?
[/box:176c01f1f3]
what think your? Git it somewhere Info? everything I bislang found have, is NT related and well antiquated.
 
09/07/06  
 



 
- Page 1 -



Michael
Wodrich
in a whether the already everything was or only the part inside the Text-Tutorials. but these everything I wiederfand - Sorry:

[quote:9033556722]
Win95/98 Virtual Address Space Memory Layout:
---------------------------------------------
From 0x00000000 to 0x00000FFF. These ridge 4KB is used to maintain
compatibility with Win16 and DOS programs. It is unaccessible to any process
raising on exception if a read/write attempt occurs.

From 0x00001000 to 0x003FFFFF. Diese 4 MB area is means used for compatibility
issues but is accessible by any process. Off course, it is hardship recommended
to play with this area.

From 0x00400000 to 0x7FFFFFFF. Diese 2 GB partition is the private address
space assigned to every running process. Each win32 application receives on
unshared, private 2 GB chunk of virtual address space (dont forget to
subtract the bottom 4MB describe above). At this point, you should hardship
confuse yourself, windows does hardship assign 2 GB of your precious memory to
every running thread; this is virtual address space, hardship physical memory.
Win95/98 (Win98 from now on) judiciously commits and maps physical storage
the every process virtual address space according to its growing necessities.

From 0x80000000 to 0xBFFFFFFF. Diese partition is 1 GB long and is shared
among all Win32 process. hier, Win98 maps all memory allocations, dynamic
link libraries (KERNEL32.DLL, USER32.DLL, GDI32.DLL, ADVAPI32.DLL), memory
mapped files (MMF from now on) and Win16 applications. It is useful to say
that DLLs are always mapped to the same fixed virtual addresses.

From 0xC0000000 to 0xFFFFFFFF. Diese partition is means 1 GB long; hier is
where the operative system code resides. Unfortunately, this area is means
accessible to all win32 processes and that is why Win98 is more prone to
crashing than WinNT.

Now that you know how this wonderful 4 GB world is constrained by
invisible barriers, is time to discuss about the subject of this
tutorial.

Managing memory under win98 can be achieved by three different
strategies: virtual memory allocation, memory mapped files and heaps. Each
method is best suited for certain tasks. MMF is used to access large buffers
of data in memory, mainly files like EXE, DLL (which explains the name of
this method), to be more accurate, both the user and the operative system
can map files in memory, for instance, the operative system loads files like
kernel32.dll using this feature.
[/quote:9033556722]
fountain: mmf.txt (somewhere from the Iczelion-universe)

Best wishes
Michael Wodrich
 
Programmieren, das spannendste Detektivspiel der Welt.
09/07/06  
 



Hello Michael...

only short überflogen:
in the item goes it circa windows95/98 => the runs NT something differently. under windows95/98 can 3GB address, NT only 2GB. The DLLs are NT into Speicherbereich of ca 1GB To 2GB gemappt. the on Adressen of 0xC0000000 To 0xFFFFFFFF ditto of all Prozessen from zugegriffen go can, stops I first times for one rumour (see TNT). Lies time there Info over The address -16 under windows98 from . the The Adressen but on The equal real Speicherbereiche verweisen, have myself already vermutet.
under windows95/98 must no memory for Zugriffsrechte Sicherheitsbeschreibungen or whom Token provided go - such things knows only NT - therefore is here the not zugängliche Speicherbereich too integral small.

@IF:
CompileMarkSeparation
Def @OpenProcess(3) !"KERNEL32","OpenProcess"
Def @CloseHandle(1) !"KERNEL32","CloseHandle"
Def @GetCurrentProcessID(0) !"KERNEL32","GetCurrentProcessId"
Declare Prozess_SYSTEM&,Prozess&,ID$,ID2$,Prozess2&
Windowstyle 31
Windowtitle "Handletest"
Window 0,0-640,440
LET ID$=@INPUT$("ID eines Prozesses eingeben:","Prozess-ID",@STR$(@INT(@GetCurrentProcessID())))
LET ID2$=@INPUT$("ID eines Prozesses eingeben:","Prozess-ID",@STR$(@INT(@GetCurrentProcessID())))
LET Prozess&=@OpenProcess($400,0,@GetCurrentProcessID())
LET Prozess2&=@OpenProcess($400,0,@GetCurrentProcessID())
LET Prozess_SYSTEM&=@OpenProcess($400,0,8)
@CloseHandle(Prozess_SYSTEM&)
@CloseHandle(Prozess2&)
@CloseHandle(Prozess&)
PRINT "Handle des ersten Prozesses: "+@STR$(Prozess&)
PRINT "Handle des zweiten Prozesses: "+@STR$(Prozess2&)
PRINT "Handle von System: "+@STR$(Prozess_SYSTEM&)

While 0=0

    Waitinput

wend


The number the Handles is tributary of it, when to the lever opens. between whom individual Handles exists one stood off of 4 - shine itself means, like at memory, Adressen behind it To hide. with sharing can itself there unfortunately nothing to charge, because The number the Handles says nothing above from, whether it validly or not. the only, what Perhaps from the number the Handles ersehen could, would The manner the lever.

differently sees with the the ID the Prozesses from:
The ID the Prozesses system lying always with 8. The next Process places then again with over 100 go.
at that Disassemblen the functions, The with the system-lever fehl hit, could I but nirgendwo a 8 discover . Perhaps is there in reference on The ID a small-as-request with a plunge include?

PS: the lever the Prozesses system get You first, if You whom View source as service with Systemrechten launch.
 
09/08/06  
 



...I Have me The of system loaded Module over again with TNT respected:
system läd WIN32k.SYS and the NTDLL.DLL, but not The KERNEL32.DLL.
the can really only mean, the WIN32k.SYS whom Kernelspeicher self ausliest - or, take off me first once wahrscheinlicher is, undokumentierte functions from the NTDLL.DLL for uses.
 
09/08/06  
 




Jac
de
Lad
I had time heard, that windows 98 ur 512 MB Hauptspeicher manage can, but these information is now evident superfluously...
 
Profan² 2.6 bis XProfan 11.1+XPSE+XPIA+XPRR (und irgendwann XIDE)
Core2Duo E8500/T2250, 8192/1024 MB, Radeon HD4850/Radeon XPress 1250, Vista64/XP
09/08/06  
 



Hello Jacob...

it's about whom virtual Prozessspeicher, not around the real memory. eachone Process manages a ´virtuellen Prozessspeicher of ca.4GB. Diesen virtual Prozesspeicher must You you as an manner Landkarte present, with the each address of/ one real address in the RAM or in the Auslagerungsdatei zugeordnet go can. can is, not each address must absolutely RAM zugeordnet his, separate Adressen can also unbelegt his. The downstairs 2GB this Speichers can the User manage and describe /with not NT based Systemen The downstairs 3GB), the Rest is for Use the Betriebsystems reserved. I hope, I have something Klarheit into thing brought.

my Überlegung: If it gelänge, through Patching of Betriebsystem DLLs in memory of their own processes one gültiges lever on the system Process To obtain circa DLLs there To injizieren, could one evtl. too Access to Speicherbereiche receive, The really only the OS benefit can and man could quasi windows The underwear take off circa a look on naked lowdown To obtain...

 
09/08/06  
 




Jac
de
Lad
Hello Andreas,

thanks for process. Jaja, I know what virtueller memory is, but I thought It's all right here circa physikalischen memory. moreover have I but nothing To say.

Jac
 
Profan² 2.6 bis XProfan 11.1+XPSE+XPIA+XPRR (und irgendwann XIDE)
Core2Duo E8500/T2250, 8192/1024 MB, Radeon HD4850/Radeon XPress 1250, Vista64/XP
09/08/06  
 



 
- Page 2 -


on some to put have I in this Thread because I it bislang not rather knew something Mist verzapft:

in the Process system find itself under windows2000 The Module WIN32k.SYS, HAL.DLL and NTOS and Ntoskrnl.exe, but not The NTDLL.DLL.
The Ntoskrnl.exe corresponds to in many sharing the NTDLL.DLL, and gives itself in Header apparently as these from.

The virtual address geladener Systemmodule verweist still in all Prozessen on The same reale Speicheradresse. writes one but into geladenes Module, go these changed Bytes (accurate said, The gesammte Speicherseite, The these Bytes surrounding) on another reale Speicheradresse written, and the virtual address in the Process verweist then on these place (mapping). For this are too The Zugriffsrechte copy-on-write and copy-on-read.

One Prefix, the me in reference the Reading the Kernelspeichers particularly auffällt, is Zw. time see, whether I so weiterkomme (without directly a driver To write).

Greeting

Andreas
 
09/11/06  
 



Mmh...

How I the in the moment see, must I in ring 0 come. the can I only, if I a service, a Kernel driver, write.
Mmmh.... a service over The API To install is Yes yet right simply - but if I the right understood have, must thereafter a Callback-function registered go, The ongoing a Statusbericht gives. has someone Idea of Services and How these Callback auszusehen has? How one a service installs, white I. has someone interest, with me To tüfteln?

Greeting

Andreas
 
09/13/06  
 



there must anyhow MASM since, I Have whom local, the is not with Profan. Werd me into next Meet first time around the service concern.

And then Gibts there To guter letzt yet the trouble, How one Contact to the Desktop aufnimmt, circa Results Show To let or whom Scanner To valet - difficult, difficult...
 
09/16/06  
 



Habs time with a driver and ZwQueryVirtualMemory attempts => totaler Fehlschlag. Access to Speicherbereiche Pipe.pcu 2GB have I in a driver, the standing solid (tested). I must the complete others ways go - Have already a idea, How the weg could.

another couple ask:
How very sees the Speicherbereich Pipe.pcu 2GB in a Process from? sees the with all Prozessen same from? Verweisen means The virtual Adressen in this area always on The equal real Speicheradressen, or there there differences?

has someone Idea or imaginations??

Greeting

Andreas
 
11/29/06  
 



my Thesen:
1 driver are alleProzesse gemappt and these gemappten Adressen verweisen in the rule (see windows98) on The equal real Speicheradressen.
2.) Prozessspezifische Structures only in the jeweiligen Prozessspeicher to find.

Why think I the? there's inside the Native API a Special function to that loading of Treibern, its existence I me differently not explain can.
 
11/29/06  
 



Breakthrough! have today a Possibility found, auslesbare Adressen in the Kernel To to determine!
 
12/03/06  
 




Answer


Topictitle, max. 100 characters.
 

Systemprofile:

no Systemprofil laid out. [anlegen]

XProfan:

 Posting  Font  Smilies  ▼ 

Please register circa a Posting To verfassen.
 

Topic-Options

4.682 Views

Untitledvor 0 min.
Christof Neuß09/19/18

Themeninformationen



Admins  |  AGB  |  Applications  |  Authors  |  Chat  |  Privacy Policy  |  Download  |  Entrance  |  Help  |  Merchantportal  |  Imprint  |  Mart  |  Interfaces  |  SDK  |  Services  |  Games  |  Search  |  Support

One proposition all XProfan, The there's!


My XProfan
Private Messages
Own Storage Forum
Topics-Remember-List
Own Posts
Own Topics
Clipboard
Log off
 Deutsch English Français Español Italia
Translations

Privacy Policy


we use Cookies only as Session-Cookies because of the technical necessity and with us there no Cookies of Drittanbietern.

If you here on our Website click or navigate, stimmst You ours registration of Information in our Cookies on XProfan.Net To.

further Information To our Cookies and moreover, How You The control above keep, find You in ours nachfolgenden Datenschutzerklärung.


all rightDatenschutzerklärung
i want none Cookie