Hello people...
The virtual memory of each process is divided into two parts: one area up to about 2 GB that is visible to and readable by the user, and one area above 2 GB in which structures of the kernel are stored (such as the access token). My greatest wish is to somehow, some day, read the kernel memory.
With my own process I cannot read the kernel memory (e.g. with [...]) - but I think some process (or a part of it) must be able to. In this regard the process 'system' caught my eye - not only because of the name, but also because of another story: I do have the ID of the process and can open a handle with all possible access rights, but only some of the API functions actually accept this handle. Reading the modules, for example, does not work, and injecting a DLL via [...] does not either, even though I can open a handle on 'system' with the required access rights.
[box]
Can 'system' read the kernel memory?
What could be the reason that individual API functions do not accept this handle? Is it due to built-in checks of the process ID (or something similar) inside the APIs, or might it even be due to the handle itself?
[/box]
What do you think? Is there info anywhere? Everything I have found so far is NT-related and rather outdated.
Michael Wodrich | I do not know whether this was already everything or only the part inside the text tutorial, but this is all I could find again - sorry:
[quote]
Win95/98 Virtual Address Space Memory Layout:
---------------------------------------------
From 0x00000000 to 0x00000FFF. This first 4 KB is used to maintain compatibility with Win16 and DOS programs. It is inaccessible to any process, raising an exception if a read/write attempt occurs.
From 0x00001000 to 0x003FFFFF. This 4 MB area is also used for compatibility issues but is accessible by any process. Of course, it is not recommended to play with this area.
From 0x00400000 to 0x7FFFFFFF. This 2 GB partition is the private address space assigned to every running process. Each Win32 application receives an unshared, private 2 GB chunk of virtual address space (don't forget to subtract the bottom 4 MB described above). At this point, you should not confuse yourself: Windows does not assign 2 GB of your precious memory to every running thread; this is virtual address space, not physical memory. Win95/98 (Win98 from now on) judiciously commits and maps physical storage to every process's virtual address space according to its growing necessities.
From 0x80000000 to 0xBFFFFFFF. This partition is 1 GB long and is shared among all Win32 processes. Here, Win98 maps all memory allocations, dynamic link libraries (KERNEL32.DLL, USER32.DLL, GDI32.DLL, ADVAPI32.DLL), memory mapped files (MMF from now on) and Win16 applications. It is useful to say that DLLs are always mapped to the same fixed virtual addresses.
From 0xC0000000 to 0xFFFFFFFF. This partition is also 1 GB long; here is where the operating system code resides. Unfortunately, this area is also accessible to all Win32 processes, and that is why Win98 is more prone to crashing than WinNT.
Now that you know how this wonderful 4 GB world is constrained by invisible barriers, it is time to discuss the subject of this tutorial.
Managing memory under Win98 can be achieved by three different strategies: virtual memory allocation, memory mapped files and heaps. Each method is best suited for certain tasks. MMF is used to access large buffers of data in memory, mainly files like EXE, DLL (which explains the name of this method); to be more accurate, both the user and the operating system can map files in memory, for instance, the operating system loads files like kernel32.dll using this feature.
[/quote]
Source: mmf.txt (somewhere from the Iczelion universe)
Best wishes, Michael Wodrich
Programming, the most exciting detective game in the world. | 09/07/06
Hello Michael...
Only skimmed it briefly: the article is about Windows 95/98 => on NT this works somewhat differently. Under Windows 95/98, 3 GB can be addressed, under NT only 2 GB. Under NT the DLLs are mapped into the memory area of about 1 GB to 2 GB. That the addresses from 0xC0000000 to 0xFFFFFFFF can likewise be accessed by all processes, I consider a rumour for now (see TNT). Read through the info about the address -16 under Windows 98 sometime. That the addresses point to the same real memory areas, however, I had already suspected. Under Windows 95/98 no memory has to be provided for access rights, security descriptions or the token - only NT knows such things - so the inaccessible memory area here is correspondingly small as well.
Def @OpenProcess(3) !"KERNEL32","OpenProcess"
Def @CloseHandle(1) !"KERNEL32","CloseHandle"
Def @GetCurrentProcessID(0) !"KERNEL32","GetCurrentProcessId"
Declare Prozess_SYSTEM&,Prozess&,ID$,ID2$,Prozess2&
Windowstyle 31
Windowtitle "Handletest"
Window 0,0-640,440
' Ask for two process IDs; the default offered is the ID of this process
LET ID$=@INPUT$("ID eines Prozesses eingeben:","Prozess-ID",@STR$(@INT(@GetCurrentProcessID())))
LET ID2$=@INPUT$("ID eines Prozesses eingeben:","Prozess-ID",@STR$(@INT(@GetCurrentProcessID())))
' $400 = PROCESS_QUERY_INFORMATION, second argument 0 = handle not inheritable
LET Prozess&=@OpenProcess($400,0,@VAL(ID$))
LET Prozess2&=@OpenProcess($400,0,@VAL(ID2$))
' Process ID 8 is the 'system' process (see the text below)
LET Prozess_SYSTEM&=@OpenProcess($400,0,8)
' Close the handles again; the numeric values remain in the variables for display
@CloseHandle(Prozess_SYSTEM&)
@CloseHandle(Prozess2&)
@CloseHandle(Prozess&)
PRINT "Handle des ersten Prozesses: "+@STR$(Prozess&)
PRINT "Handle des zweiten Prozesses: "+@STR$(Prozess2&)
PRINT "Handle von System: "+@STR$(Prozess_SYSTEM&)
While 0=0
Waitinput
wend
The value of the handles depends on when the handle was opened. Between the individual handles there is a distance of 4 - so it seems that, as with memory, addresses are hidden behind them. Unfortunately you cannot do anything with dividing, because the value of the handles says nothing about whether they are valid or not. The only thing that could perhaps be seen from the value of the handles would be the type of the handle.
It is different with the ID of the process: the ID of the process 'system' is always 8. The next process then starts again at over 100. While disassembling the functions that fail with the 'system' handle, however, I could not find an 8 anywhere. Perhaps there is a less-than comparison with a jump included with regard to the ID?
PS: You only get the handle of the process 'system' if you launch the source code as a service with system rights.
...I have taken another look at the modules loaded by 'system' with TNT: 'system' loads WIN32k.SYS and NTDLL.DLL, but not KERNEL32.DLL. That can really only mean that WIN32k.SYS reads out the kernel memory itself - or, which seems more likely to me at first, uses undocumented functions from NTDLL.DLL for it.
Jac de Lad | I once heard that Windows 98 can only manage 512 MB of main memory, but this information is now evidently superfluous...
Profan² 2.6 to XProfan 11.1+XPSE+XPIA+XPRR (and at some point XIDE) Core2Duo E8500/T2250, 8192/1024 MB, Radeon HD4850/Radeon XPress 1250, Vista64/XP | 09/08/06
Hello Jacob...
It is about the virtual process memory, not about the real memory. Each process manages a 'virtual process memory' of about 4 GB. You have to picture this virtual process memory as a kind of map, in which each address can be assigned a real address in RAM or in the page file. Can be - not every address must necessarily be assigned RAM; addresses can also be unoccupied. The lower 2 GB of this memory can be managed and written by the user (on non-NT-based systems the lower 3 GB), the rest is reserved for use by the operating system. I hope I have brought some clarity into the matter.
My consideration: if one succeeded, by patching the operating system DLLs in the memory of one's own process, in obtaining a valid handle on the 'system' process in order to inject DLLs there, one could possibly also gain access to memory areas that really only the OS can use, and one could practically take Windows' underwear off in order to get a look at the naked facts...
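As an added example (not code from this thread), the address split the posts above describe, written out in Python: the Win98 layout from the quoted tutorial and the user/kernel boundary for the 2 GB (NT) and 3 GB (non-NT) cases mentioned in the replies. The second half shows the defensive side of that boundary, namely why a driver that validates a user-supplied buffer with 32-bit arithmetic lets a wrapped range through; the region labels are my own.

```python
# Win98 layout as quoted above: (first address, last address, label)
WIN98_REGIONS = [
    (0x00000000, 0x00000FFF, "win16/dos compat, inaccessible"),
    (0x00001000, 0x003FFFFF, "compat, accessible but reserved"),
    (0x00400000, 0x7FFFFFFF, "private process space"),
    (0x80000000, 0xBFFFFFFF, "shared: DLLs, MMFs, Win16"),
    (0xC0000000, 0xFFFFFFFF, "operating system"),
]

# Highest user-mode address: 2 GB split (NT) or 3 GB split (non-NT systems)
USER_LIMIT_2GB = 0x7FFFFFFF
USER_LIMIT_3GB = 0xBFFFFFFF
MASK32 = 0xFFFFFFFF


def win98_region(addr):
    """Return the label of the Win98 region containing a 32-bit address."""
    for first, last, label in WIN98_REGIONS:
        if first <= addr <= last:
            return label
    raise ValueError("not a 32-bit address: %#x" % addr)


def user_range_ok_naive(addr, length, user_limit=USER_LIMIT_2GB):
    """Boundary check done the way a careless C driver would: the end address
    is computed in 32-bit arithmetic, so a huge length wraps past 0xFFFFFFFF
    and lands back in user space, and the check passes."""
    end = (addr + length) & MASK32
    return addr <= user_limit and end <= user_limit


def user_range_ok(addr, length, user_limit=USER_LIMIT_2GB):
    """True only if every byte of [addr, addr+length) lies below the user/kernel
    boundary. The end is computed without truncation, so a range that wraps
    around the 32-bit address space is rejected instead of slipping through."""
    if length < 0 or not 0 <= addr <= MASK32:
        return False
    if length == 0:
        return addr <= user_limit
    return addr + length - 1 <= user_limit


if __name__ == "__main__":
    # constructed sample: a buffer starting just below 2 GB with a wrapping length
    print(win98_region(0x80000000))
    print(user_range_ok_naive(0x7FFFF000, 0x80001100))  # wrongly passes
    print(user_range_ok(0x7FFFF000, 0x80001100))        # correctly rejected
```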
Jac de Lad | Hello Andreas,
thanks for the explanation. Yes yes, I know what virtual memory is, but I thought it was about physical memory here. Apart from that I have nothing to say.
Jac
09/08/06
To set some things straight: I have talked some nonsense in this thread because I did not know better so far:
In the process 'system' under Windows 2000 the modules WIN32k.SYS, HAL.DLL, NTOS and Ntoskrnl.exe are found, but not NTDLL.DLL. Ntoskrnl.exe corresponds in many parts to NTDLL.DLL, and apparently identifies itself as such in its header.
The virtual address of loaded system modules still points to the same real memory address in all processes. If one writes into a loaded module, however, these changed bytes (more precisely, the entire memory page surrounding these bytes) are written to another real memory address, and the virtual address in the process then points to this location (mapping). For this there are also the access rights copy-on-write and copy-on-read.
One prefix that particularly stands out to me with regard to reading the kernel memory is Zw. Let's see whether I get further this way (without writing a driver directly).
Greetings
Andreas
Mmh...
As I see it at the moment, I have to get into ring 0. I can only do that if I write a service, a kernel driver. Mmmh.... Installing a service via the API is still quite simple - but if I have understood correctly, afterwards a callback function must be registered which continuously delivers a status report. Does anyone have a clue about services and what this callback has to look like? How to install a service, I know. Is anyone interested in tinkering with me?
Greetings
Andreas
There must be MASM somewhere; I have it locally, that does not work with Profan. Next time I will first deal with the service.
And then, last but not least, there is the problem of how to make contact with the desktop in order to show results or to control the scanner - difficult, difficult...
Tried it with a driver and ZwQueryVirtualMemory => total failure. In a driver I do have access to memory areas above 2 GB, that much is certain (tested). I have to go a completely different way - I already have an idea of how it could work.
A couple more questions: what does the memory area above 2 GB look like in a process? Does it look the same in all processes? So do the virtual addresses in this area always point to the same real memory addresses, or are there differences?
Does anyone have a clue or ideas??
Greetings
Andreas
My theses: 1.) Drivers are mapped into all processes, and these mapped addresses generally point (see Windows 98) to the same real memory addresses. 2.) Process-specific structures are only found in the respective process memory.
Why do I think that? There is a special function in the native API for loading drivers, whose existence I cannot explain otherwise.
Breakthrough! Today I found a way to determine readable addresses in the kernel!