Using Rekall/Winpmem to get VT-d DMAR Tables


jmk...@gmail.com

Aug 24, 2020, 6:53:39 PM
to rekall-discuss
I am trying to read the contents of VT-d tables under Windows 10. I am getting the base address of a Hardware Definition unit from acpidump.exe.

For Example:
[030h 0048   2]                Subtable Type : 0000 [Hardware Unit Definition]
[032h 0050   2]                       Length : 0018

[034h 0052   1]                        Flags : 01
[035h 0053   1]                     Reserved : 00
[036h 0054   2]           PCI Segment Number : 0000
[038h 0056   8]        Register Base Address : 00000000FEC10000

I can read the contents of this address either by using this base address with MmMapIoSpace in a driver, or by reading the physical address using WinDbg (!dd 0000000'0000FEC10000). The data I get back from these methods seems to match the VT-d specifications.

After creating memory dumps with various formats and modes, I can't find this DMAR data by using _fseeki64 with the above address as the offset in C.  I also can't seem to find the data anywhere (searching for known DMAR data using hex editor).

Here is an example memory dump that I've tried with rekall:

rekall live
imagecopy "mem_image.raw"

I've also tried various formats by using winpmem under the aff4 repo, with the same result.

Is this because the memory from the dump isn't ordered in the same way? Is there another decompression step I am missing? Or are these memory dumping tools simply the wrong way to go about this? I'd prefer to be able to get this data without having to use unsigned driver code.

Thanks!
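As an added illustration of the two things being conflated in the question (this is example code, not from the poster or from the Rekall/winpmem projects): the DRHD subtable that acpidump printed lives in RAM and can be parsed from its raw bytes, but the Register Base Address it carries (0xFEC10000) is the MMIO window of the remapping hardware unit, not RAM, so a physical-memory imager that walks the OS's RAM runs has no page there to copy. The RAM run list below is constructed, and the offset helper assumes a packed raw image (runs concatenated without gaps); a padded image would instead keep file offset equal to physical address.

```python
import struct
from dataclasses import dataclass

# DRHD (remapping structure type 0) header layout from the VT-d spec:
# type:u16, length:u16, flags:u8, reserved:u8, segment:u16, register_base:u64,
# followed by device-scope entries (not parsed here).
DRHD_FMT = "<HHBBHQ"
DRHD_SIZE = struct.calcsize(DRHD_FMT)  # 16 bytes

@dataclass
class Drhd:
    length: int
    flags: int
    segment: int
    register_base: int

def parse_drhd(buf: bytes, off: int = 0) -> Drhd:
    """Parse one DRHD subtable at buf[off:]; raise ValueError on a bad type/length."""
    if len(buf) - off < DRHD_SIZE:
        raise ValueError("truncated DRHD subtable")
    stype, length, flags, _res, seg, base = struct.unpack_from(DRHD_FMT, buf, off)
    if stype != 0:
        raise ValueError(f"not a DRHD subtable (type={stype})")
    if length < DRHD_SIZE or off + length > len(buf):
        raise ValueError("DRHD length field inconsistent with buffer")
    return Drhd(length, flags, seg, base)

# Constructed RAM layout (physical memory runs) resembling a small x86-64 box;
# a real run list comes from the dump's own metadata, not from this example.
RAM_RUNS = [(0x1000, 0x9F000), (0x100000, 0xBFF00000), (0x100000000, 0x13F000000)]

def dump_offset_for(phys: int, runs=RAM_RUNS):
    """Return the byte offset of `phys` inside a packed raw image (runs
    concatenated without gaps), or None if the address is not backed by RAM."""
    off = 0
    for start, end in runs:
        if start <= phys < end:
            return off + (phys - start)
        off += end - start
    return None

# Constructed DRHD bytes matching the acpidump listing in the post: type 0,
# length 0x18, flags 1, segment 0, base 0xFEC10000, plus an 8-byte
# device-scope placeholder so the length field is satisfied.
SAMPLE_DRHD = struct.pack(DRHD_FMT, 0, 0x18, 1, 0, 0, 0xFEC10000) + b"\x00" * 8

if __name__ == "__main__":
    d = parse_drhd(SAMPLE_DRHD)
    print(hex(d.register_base), dump_offset_for(d.register_base))
```

Running it prints the register base and `None`, which is the expected answer for an MMIO address: reading those registers needs a mapping of the live device (MmMapIoSpace, or WinDbg's physical read on a live target), not a RAM image.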



