How to read physical memory from user mode - sample code

[Gary Nebbett]

Hello,

The following short program demonstrates, using only documented functions,
how to read physical memory from user mode under Windows NT.

Also demonstrated is a technique for including both windows.h and ntddk.h
in one file with the minimum number of name collisions.

The protection on the PhysicalMemory section allows BUILTIN\Administrators
read access and SYSTEM read/write access.

Gary Nebbett

#define WIN32_NO_STATUS
#include <windows.h>

#undef MAKELANGID
#undef PRIMARYLANGID
#undef SUBLANGID
#undef MAKELCID
#undef LANGIDFROMLCID
#undef SORTIDFROMLCID
#undef UInt32x32To64
#undef WIN32_NO_STATUS

namespace NT {

extern "C" {

#include <ntddk.h>

}
}
using NT::NTSTATUS;

#include <assert.h>

int main()
{
HANDLE hSect;

WCHAR s[] = L"\\Device\\PhysicalMemory";

NT::UNICODE_STRING name = {sizeof s - sizeof (WCHAR), sizeof s, s};

NT::OBJECT_ATTRIBUTES oa = {sizeof oa, 0, &name, OBJ_CASE_INSENSITIVE, 0,
0};

NTSTATUS rv = NT::ZwOpenSection(&hSect, SECTION_MAP_READ, &oa);
assert(rv == STATUS_SUCCESS);

PVOID p = MapViewOfFile(hSect, FILE_MAP_READ, 0, 0, 0x400);
assert(p != 0);

return 0;
}

[Roger]

Gary Nebbett <gary.n...@cp.novartis.com> wrote in message
01bdc5f2$e2ec33d0$1eadf6a8@caopi2...

>The following short program demonstrates, using only documented functions,
>how to read physical memory from user mode under Windows NT.
>
>Also demonstrated is a technique for including both windows.h and ntddk.h
>in one file with the minimum number of name collisions.

[snip]

> namespace NT {
> extern "C" {
#include <ntddk.h>
> }
> }

[snip]

Very clever use of namespaces. Why didn't I think of that???

Thanks,
Roger