A forum for reverse engineering, OS internals and malware analysis 

Forum for discussion about kernel-mode development.
 #23233  by KeBugCheck
 Sat Jun 28, 2014 3:29 am
Hi everyone,

I was wondering what the safest way (no bugcheck) for accessing arbitrary kernel mode addresses from a ring0 driver is?

MmIsAddressValid is not a safe routine to use since memory can be paged out even after it returns TRUE.
Likewise, MmProbeAndLockPages using AccessMode KernelMode does not cause an exception on invalid kernel memory accesses (like it does for UserMode).

My question is similar to https://www.osronline.com/ShowThread.cfm?link=196332 , however, I found no answer.

What is a safe way of reading kernel mode virtual memory from ring0? And if the VM is valid, but paged out, how can I force it to be paged in?
 #23236  by Vrtule
 Sat Jun 28, 2014 1:33 pm
I doubt there is something universal and 100 % secure. The address may be part of a block assigned to a memory-mapped device, which means that reads and writes directed to that block may have different semantics than in the standard memory case.

If you do not search for a 100 % safe solution, you might try (as the OSR post may suggest) to look at how WinDbg does this. In Windows XP, there is the NtSystemDebugControl API that would probably help you. But AFAIK this API does not work any more on Vista and later versions.
 #23250  by feryno
 Mon Jun 30, 2014 11:44 am
Hi, perform the access inside try/except block.
If the access hits exception handler then the address is invalid.
Vrtule wrote about another possible problem; to solve that, use MmGetSystemRoutineAddress to find and use the procedure named MmGetPhysicalMemoryRanges.
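As an added example (not code from anyone in this thread), here is the RAM-range check that the last two replies point at, written as portable C over a constructed table of the same shape that MmGetPhysicalMemoryRanges returns; the PhysRange type name and the sample table are assumptions made for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>

/* Mirrors the PHYSICAL_MEMORY_RANGE entries returned by
 * MmGetPhysicalMemoryRanges(): an array of {BaseAddress, NumberOfBytes},
 * terminated by an entry whose fields are both zero. Declared here
 * (assumed name) so the check compiles outside a driver build. */
typedef struct {
    uint64_t BaseAddress;
    uint64_t NumberOfBytes;
} PhysRange;

/* Returns true only if [pa, pa+len) lies entirely inside ONE reported
 * RAM range. Anything touching a hole or device (MMIO) memory is
 * rejected, which is the conservative choice for a read probe. */
bool phys_range_is_ram(const PhysRange *ranges, uint64_t pa, uint64_t len)
{
    if (len == 0 || pa + len < pa)        /* empty or wrapping request */
        return false;
    for (const PhysRange *r = ranges;
         r->BaseAddress != 0 || r->NumberOfBytes != 0; r++) {
        uint64_t end = r->BaseAddress + r->NumberOfBytes;
        if (pa >= r->BaseAddress && pa + len <= end)
            return true;
    }
    return false;
}

/* Constructed sample table: 640 KiB of low RAM, the classic hole below
 * 1 MiB (legacy ROM/MMIO), then RAM from 1 MiB up to 3 GiB. In a driver
 * this array comes from MmGetPhysicalMemoryRanges() and is released
 * with ExFreePool(). */
static const PhysRange sample_ranges[] = {
    { 0x00000000ULL, 0x000A0000ULL },
    { 0x00100000ULL, 0xBFF00000ULL },
    { 0ULL, 0ULL }
};

bool sample_is_ram(uint64_t pa, uint64_t len)
{
    return phys_range_is_ram(sample_ranges, pa, len);
}
```

In a driver the physical address to test comes from MmGetPhysicalAddress() on the candidate pointer, and a region mapped with MmMapIoSpace() fails this check by design.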