[sdf90090]

Hello,

Quick question: I'm analyzing a piece of code that is using a signed driver to read PhysicalMemory.

A IOCTL makes the driver map physical memory:

Code: Select all

	RtlInitUnicodeString(&DestinationString, L"\\Device\\PhysicalMemory");
	ZwOpenSection(&hPhysicalMemory, 0xF001Fu, &ObjectAttributes);
	ObReferenceObjectByHandle(hPhysicalMemory, 0xF001Fu, 0i64, 0, &Object, 0i64);
	ZwMapViewOfSection( hPhysicalMemory, 0xFFFFFFFFFFFFFFFFi64, pVirtualAddress, 0, dwSize, &paPhysAddr, &dwSize2, ViewShare, 0, 0x204u);

But then there is a call right after to immediately unmap it. Is there a way to detect mappings of this type? Possibly through the VAD tree?

Thanks,
sdf

[gandolf]

VADs are only used to track usermode memory allocations. This code seems to be in kernel mode, if you are also somehow in kernel you could use MDL to request a copy of the physical pages backing the virtual address returned by the ZwMapViewOfSection call.