Monthly Archives: September 2008

Retrieving MmPhysicalMemoryBlock regardless of the NT version.


Warning: preg_replace(): The /e modifier is no longer supported, use preg_replace_callback instead in /homepages/15/d187295720/htdocs/home/wp-content/plugins/deans_code_highlighter/geshi.php on line 2147

Warning: preg_replace(): The /e modifier is no longer supported, use preg_replace_callback instead in /homepages/15/d187295720/htdocs/home/wp-content/plugins/deans_code_highlighter/geshi.php on line 2147

Warning: preg_replace(): The /e modifier is no longer supported, use preg_replace_callback instead in /homepages/15/d187295720/htdocs/home/wp-content/plugins/deans_code_highlighter/geshi.php on line 2147

Warning: preg_replace(): The /e modifier is no longer supported, use preg_replace_callback instead in /homepages/15/d187295720/htdocs/home/wp-content/plugins/deans_code_highlighter/geshi.php on line 2147

Warning: preg_replace(): The /e modifier is no longer supported, use preg_replace_callback instead in /homepages/15/d187295720/htdocs/home/wp-content/plugins/deans_code_highlighter/geshi.php on line 2147

Warning: preg_replace(): The /e modifier is no longer supported, use preg_replace_callback instead in /homepages/15/d187295720/htdocs/home/wp-content/plugins/deans_code_highlighter/geshi.php on line 2147

Warning: preg_replace(): The /e modifier is no longer supported, use preg_replace_callback instead in /homepages/15/d187295720/htdocs/home/wp-content/plugins/deans_code_highlighter/geshi.php on line 2147

Warning: preg_replace(): The /e modifier is no longer supported, use preg_replace_callback instead in /homepages/15/d187295720/htdocs/home/wp-content/plugins/deans_code_highlighter/geshi.php on line 2147

Warning: preg_replace(): The /e modifier is no longer supported, use preg_replace_callback instead in /homepages/15/d187295720/htdocs/home/wp-content/plugins/deans_code_highlighter/geshi.php on line 2147

Warning: preg_replace(): The /e modifier is no longer supported, use preg_replace_callback instead in /homepages/15/d187295720/htdocs/home/wp-content/plugins/deans_code_highlighter/geshi.php on line 2147

Warning: preg_replace(): The /e modifier is no longer supported, use preg_replace_callback instead in /homepages/15/d187295720/htdocs/home/wp-content/plugins/deans_code_highlighter/geshi.php on line 2147

Warning: preg_replace(): The /e modifier is no longer supported, use preg_replace_callback instead in /homepages/15/d187295720/htdocs/home/wp-content/plugins/deans_code_highlighter/geshi.php on line 2147

Warning: preg_replace(): The /e modifier is no longer supported, use preg_replace_callback instead in /homepages/15/d187295720/htdocs/home/wp-content/plugins/deans_code_highlighter/geshi.php on line 2147

Warning: preg_replace(): The /e modifier is no longer supported, use preg_replace_callback instead in /homepages/15/d187295720/htdocs/home/wp-content/plugins/deans_code_highlighter/geshi.php on line 2147

Warning: preg_replace(): The /e modifier is no longer supported, use preg_replace_callback instead in /homepages/15/d187295720/htdocs/home/wp-content/plugins/deans_code_highlighter/geshi.php on line 2147

Warning: preg_replace(): The /e modifier is no longer supported, use preg_replace_callback instead in /homepages/15/d187295720/htdocs/home/wp-content/plugins/deans_code_highlighter/geshi.php on line 2147

Warning: preg_replace(): The /e modifier is no longer supported, use preg_replace_callback instead in /homepages/15/d187295720/htdocs/home/wp-content/plugins/deans_code_highlighter/geshi.php on line 2147

Warning: preg_replace(): The /e modifier is no longer supported, use preg_replace_callback instead in /homepages/15/d187295720/htdocs/home/wp-content/plugins/deans_code_highlighter/geshi.php on line 2147

Warning: preg_replace(): The /e modifier is no longer supported, use preg_replace_callback instead in /homepages/15/d187295720/htdocs/home/wp-content/plugins/deans_code_highlighter/geshi.php on line 2147

Here is a method I’m using in the next version of Win32DD (1.2), to retrieve MmPhysicalMemoryBlock regardless of the NT Version. The main problem with KDDEBUGGER_DATA64 structure is the version dependency. Then, we have to rebuild this field by ourselves.

To retrieve physical memory runs, I’m using MmGetPhysicalMemoryRanges() *undocumented* function. This function usage had been documented by Mark Russinovich in 1999, in the Volume 1 Number 5 edition of the Sysinternals Newsletter.

Actually, this function is defined in DDK. Even if, MSDN says “The following routines are reserved for system use. Do not use them in your driver.”

  1. #if (NTDDI_VERSION >= NTDDI_WIN2K)
  2. #endif

MmPhysicalMemoryBlock is a structure that provides information regarding the physical memory ranges used by the system and also total physical memory size. These uses motivated me to write MmGetPhysicalMemoryBlock().

  1. []
  2.     // NT 5.1 Addition

As we can read in the KDDEBUGGER_DATA64 definition, MmPhysicalMemoryBlock field is an NT 5.1 Addition.

definition.

  1. span class=”co1″>// NumberOfPages * PAGE_SIZE is physical memory size.
  2.     PHYSICAL_MEMORY_RUN Run[1]; // NumberOfRuns is the total entries.

code.

  1. /*++
  2. Function Name: MmGetPhysicalMemoryBlock
  3.  
  4. Overview:
  5.         – This function aims at retrieving MmPhysicalMemoryBlock, regardless
  6.         of the host version.
  7.  
  8.         The caller has to free the memory block.
  9.  
  10. Parameters:
  11.         –
  12.  
  13. Environment:
  14.         – Kernel Mode. PASSIVE_LEVEL.
  15.  
  16. Return Values:
  17.         – PPHYSICAL_MEMORY_DESCRIPTOR
  18. –*///
  19.     // PHYSICAL_MEMORY_DESCRIPTOR isn’t exported into KDDEBUGGER_DATA64
  20.     // NT 5.0 and below. But MmGetPhysicalMemoryRanges() computes
  21.     // PHYSICAL_MEMORY_RANGE with PHYSICAL_MEMORY_DESCRIPTOR. Then,
  22.     // We can easily rewrite PHYSICAL_MEMORY_DESCRIPTOR.
  23.     //
  24.     MmPhysicalMemoryRange = MmGetPhysicalMemoryRanges();
  25.  
  26.     //
  27.     // Invalid ?
  28.     //
  29. //
  30.     // Compute the number of runs and the number of pages
  31.     //
  32. //
  33.     // Invalid ?
  34.     //
  35. //
  36.     // Compute the size of the pool to allocate and then allocate
  37.     //
  38. ‘  mM’);
  39.  
  40.     //
  41.     // Define PHYSICAL_MEMORY_DESCRIPTOR Header.=
  42.     //
  43. //
  44.         // BasePage
  45.         //
  46.         MmPhysicalMemoryBlock->Run[Run].BasePage =
  47.             (PFN_NUMBER)MI_CONVERT_PHYSICAL_TO_PFN(
  48.             MmPhysicalMemoryRange[NumberOfRuns].BaseAddress.QuadPart
  49.  
  50.             );
  51.  
  52.         //
  53.         // PageCount
  54.         //