ufrisk / pcileech

Direct Memory Access (DMA) Attack Software
GNU Affero General Public License v3.0
4.72k stars 706 forks

DMA fails to read few kernel memories on newer generation of Intel CPU. #209

Closed 0xGabriella closed 1 year ago

0xGabriella commented 1 year ago

Hi Ulf, always wishing you good luck! Previously, with my old PC setup, I could get most pages read successfully with a low amount of failures (1%~2%). Now I'm using the newer-generation Intel i5-12400F CPU, and some parts of memory, like an allocated pool I'm trying to read that resides in kernel space, can't be read (failed). Then I did a probe and dump, even with a memmap provided by SysInternals RamMap, and I'm having 14% of pages failed (which I believe include some of the kernel memories I'm trying to read). Also, to make sure the memory I'm trying to read is not empty, I used a kernel driver, which is working fine (the same VA of the allocated pool I'm trying to read). Can you try to assume what's probably going on? Thank you so much.

```
C:\Users\dmaexperiment\Desktop\dmaexperiment\pcileech>pcileech probe -memmap physmemmap.txt -vv

LcMemMap_AddRange: 0000000000001000-000000000009dfff -> 0000000000001000
LcMemMap_AddRange: 000000000009f000-000000000009ffff -> 000000000009f000
LcMemMap_AddRange: 0000000000100000-00000000471dcfff -> 0000000000100000
LcMemMap_AddRange: 0000000049bff000-0000000049bfffff -> 0000000049bff000
LcMemMap_AddRange: 0000000100000000-00000004afffffff -> 0000000100000000
Memory Map:
 START              END              #PAGES
 0000000000000000 - 000000000009ffff 000000a0
 00000000000c0000 - 0000000049ffffff 00049f40
 000000004c010000 - 000000004e5fffff 000025f0
 000000004e800000 - 000000004effffff 00000800
 0000000100000000 - 00000004afffffff 003b0000

Current Action: Probing
Access Mode: Normal
Progress: 19200 / 19200 (100%)
Speed: 282 MB/s
Address: 0x00000004B0000000
Pages read: 4181456 / 4915200 (85%)
Pages failed: 733744 (14%)
Memory Probe: Completed.

C:\Users\dmaexperiment\Desktop\dmaexperiment\pcileech>pcileech dump -memmap physmemmap.txt

Memory Dump: Initializing ... Done.
Current Action: Dumping
Access Mode: Normal
Progress: 19200 / 19200 (100%)
Speed: 121 MB/s
Address: 0x0000000100000000
Pages read: 4157820 / 4915200 (84%)
Pages failed: 757380 (15%)
Memory Dump: Successful.
```

ufrisk commented 1 year ago

Not all memory in the memory address space is readable. Some parts of the address space will belong to memory-mapped IO (PCIe devices and such). Other parts will be off limits for things like System Management Mode (SMM).

Also, if you have VT-d and Hyper-V enabled, the Hyper-V hypervisor memory and some additional memory will be mapped away.

The probe command does not really care about the memory map so you'll see failed pages running it.

Hope this explains at least a bit about what's going on.
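A way to check this explanation against the numbers in the probe output above, as an added example that is not part of the issue and not pcileech or LeechCore code: parse the `Memory Map:` table and the `Pages read / failed` counters in the format pcileech printed, count the 4 KiB pages the map actually covers, and list the holes between mapped ranges. If the failed-page count equals the pages in those holes, every failure is an address the map says is not RAM (MMIO windows, reserved or SMM regions, hypervisor-hidden memory), not a read error on real memory. The sample text is constructed from the values quoted in the issue, re-laid out one entry per line; the regexes and the `top = total * PAGE` assumption (the probe walks every page from 0 up to the last address it reported) are mine.

```python
"""Cross-check a pcileech probe summary against the memory map it printed.

Added example, not pcileech or LeechCore code. Parses the 'Memory Map:'
table and the 'Pages read / failed' counters, counts the 4 KiB pages the
map covers, lists the unmapped holes, and reports how many failures those
holes explain versus failures inside ranges that should have been readable.
"""
import re

PAGE = 0x1000  # pcileech counts 4 KiB pages

# Constructed sample: map rows and probe counters are the values quoted in
# the issue's probe run, one entry per line.
SAMPLE_OUTPUT = """\
Memory Map:
  START              END              #PAGES
  0000000000000000 - 000000000009ffff 000000a0
  00000000000c0000 - 0000000049ffffff 00049f40
  000000004c010000 - 000000004e5fffff 000025f0
  000000004e800000 - 000000004effffff 00000800
  0000000100000000 - 00000004afffffff 003b0000
Current Action: Probing
Pages read: 4181456 / 4915200 (85%)
Pages failed: 733744 (14%)
Memory Probe: Completed.
"""

# Assumed line shapes, taken from the output quoted in the issue.
RANGE_RE = re.compile(
    r"^\s*([0-9a-fA-F]{16})\s*-\s*([0-9a-fA-F]{16})\s+([0-9a-fA-F]+)\s*$", re.M)
READ_RE = re.compile(r"Pages read:\s*(\d+)\s*/\s*(\d+)")
FAILED_RE = re.compile(r"Pages failed:\s*(\d+)")


def parse_memory_map(text):
    """Return sorted [(start, end_inclusive, pages)] from the 'Memory Map:'
    table, verifying the printed #PAGES column against the address span."""
    ranges = []
    for m in RANGE_RE.finditer(text):
        start, end, pages = (int(x, 16) for x in m.groups())
        span_pages = (end + 1 - start) // PAGE
        if span_pages != pages:
            raise ValueError(
                f"#PAGES mismatch for {start:#x}-{end:#x}: {pages} != {span_pages}")
        ranges.append((start, end, pages))
    return sorted(ranges)


def in_map(ranges, pa):
    """True if physical address pa lies inside a mapped (RAM-backed) range."""
    return any(s <= pa <= e for s, e, _ in ranges)


def map_gaps(ranges, top):
    """Return [(start, end_inclusive)] for every address window below `top`
    that no map range covers; DMA reads there are expected to fail."""
    gaps, cursor = [], 0
    for s, e, _ in sorted(ranges):
        if s > cursor:
            gaps.append((cursor, s - 1))
        cursor = max(cursor, e + 1)
    if cursor < top:
        gaps.append((cursor, top - 1))
    return gaps


def analyze(text):
    """Account for the probe's failed pages using the map's holes."""
    ranges = parse_memory_map(text)
    read, total = (int(x) for x in READ_RE.search(text).groups())
    failed = int(FAILED_RE.search(text).group(1))
    top = total * PAGE  # assumption: the probe walked pages 0 .. top-1
    mapped = sum(p for _, _, p in ranges)
    gaps = map_gaps(ranges, top)
    hole_pages = sum((e + 1 - s) // PAGE for s, e in gaps)
    return {
        "total_pages": total,
        "mapped_pages": mapped,
        "hole_pages": hole_pages,
        "pages_read": read,
        "pages_failed": failed,
        # > 0 means RAM-backed pages also failed, which the map cannot explain
        "unexplained_failures": failed - hole_pages,
        "gaps": gaps,
    }


if __name__ == "__main__":
    result = analyze(SAMPLE_OUTPUT)
    for key, value in result.items():
        if key != "gaps":
            print(f"{key:>22}: {value}")
    for s, e in result["gaps"]:
        print(f"  hole {s:#018x}-{e:#018x}: {(e + 1 - s) // PAGE} pages")
```

Run against the probe output quoted in the issue, the map covers exactly the 4,181,456 pages the probe read, and the 733,744 failed pages are exactly the four holes between the mapped ranges. The largest hole, 0x4f000000 to 0xffffffff (724,992 pages), is the space below 4 GiB that the firmware left for device MMIO rather than RAM, so a "failed" page there never was DRAM. The dump run is different: it reports 757,380 failed pages, 23,636 more than the holes account for, so that run did hit real read failures inside ranges the RamMap-derived map calls RAM-backed. Translating the pool's virtual address to its physical address and calling `in_map` on it tells you which of the two cases applies.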

0xGabriella commented 1 year ago

I hope I get it right: the virtual address I'm trying to read is probably mapped away?