mapping physical memory in system address space

[m0rethan3]

in my previous question #25 i described how i have access to kernel functions and system (kernel) address space. is it possible to map all physical memory to system address space? im trying to not leave traces in usermode program such as very big mapped region. my uc thread with code: https://www.unknowncheats.me/forum/general-programming-and-reversing/409449-mapping-physical-memory-system-address-space.html as you can see my code in post on uc is not working as it should is that even possible to do this?

[HoShiMin]

But what about ZwMapViewOfSection?
Anyway you can stuck with incompatible cache attributes: as physical memory regions have different cache attributes (for example, one is WriteBack and another one is Uncacheable) you're unable to map it as one region.

[m0rethan3]

as i know ZwMapViewOfSection maps memory to usermode address space and i tried it but im searching way to map it into system one to not leave traces in usermode

[HoShiMin]

Well, what about MmMapIoSpace? You can map physical memory without \Device\PhysicalMemory section.

[m0rethan3]

MmMapIoSpace cannot map page tables such as PTE/PDE after win 10 1803 build

[HoShiMin]

But if you need them, you can use MmGetVirtualForPhysical. In other cases MmMapIoSpace works perfectly. Is it critical for you to map all physical memory as one contiguous region? For what?

[m0rethan3]

because im using this library https://github.com/can1357/physical_mem_controller and dont want to rewrite code for appoach you described but it sounds good

[HoShiMin]

What exactly are you want? If you need to read memory of another processes or system regions you should use MDL and only it. Can's library is VERY unsafe and unpredictable, so, don't use it. There are documented and valid ways to do you want and you don't need to map physical memory.

[m0rethan3]

ok big thanks for explanation i think i'll try way you described

[HoShiMin]

And, at last, you should remember that any work with physical memory is unsafe at all as pageable memory has a constant virtual base but can move in physical memory and even swap to a hard drive - in this case, even if you have a virtual address, there are no corresponding mapping in physical memory. And ALL usermode memory is pageable. So, you shouldn't work with physical memory directly.