How to find information about a shared memory section

ufrisk / pcileech

Direct Memory Access (DMA) Attack Software

GNU Affero General Public License v3.0

4.58k stars 695 forks source link

How to find information about a shared memory section #292

Closed ReeceXW closed 4 months ago

ReeceXW commented 4 months ago

I'm looking in sys/objects/objects.txt and have information about sections of shared memory in the format

09d9 ffffe48d292c5a50 Section       \\Sessions\1\BaseNamedObjects\GenericBuffer
0cfa ffffe48d2ee10ed0 Section       \\Sessions\1\BaseNamedObjects\GenericBufferInfo
0ebb ffffb685366e3260 Mutant        \\Sessions\1\BaseNamedObjects\GenericBufferMutex

I can't read anything at these addresses, the reads fail. How do I get information, like the physical address of this memory buffer? For reference I want to read and write to this generic buffer through DMA

ufrisk commented 4 months ago

Read at that address from PID 4 (system / kernel). Shared memory is quite complex though so it may be that it's not as simple as reading that object at the kernel address.

Also, for random questions about how to read things it might be better (and faster) to use the Discord for that: https://discord.gg/BCmfBhDPXX

The Github issues are more for reporting of bugs and things like that. Even if I haven't been very strict with regards to keeping it only to that.

ufrisk commented 4 months ago

I'm closing this issue. Some shared memory sections have always been in-memory. A while ago I added naming info about those already-in-memory sections to the VAD map though.