4

I understand that each user process is given a virtual address space, and that can be dumped. But is there a way to dump the physical address space? Suppose I have a 32-bit system with 4GB memory, can I write a program to print each physical memory location?

I understand it violates memory protection etc., but if it's possible, how can I convert this into a kernel process or lower-level process to allow me access to the entire memory?

I'd like to know how to write such code (if possible) on the Windows/Linux platform (or kernel), or, in case I have to use Assembly or something like that, how to shift to that privilege level.

rkhb
shreedhar
  • You probably can (I personally have never tried) but it will require some OS calls at a minimum. User processes do not have access to physical memory. If there isn't a known way to do this in code, you could always crash the OS and get the memory dump that way. – Jeff Mercado Feb 07 '11 at 07:52
  • haha! any idea how to crash the OS? :P – shreedhar Feb 07 '11 at 07:54
  • There are tools that will do that for you, such as Sysinternals Notmyfault. You can also configure a registry key so that the system will crash when presented with a certain keyboard combination. – Sasha Goldshtein Feb 07 '11 at 07:57
  • You can; a program called CheatEngine does it. It's open source, I think, so you can check how it does that. – Daniel Sep 13 '11 at 03:32
  • related link [ntmio](http://ntmio.com/flatpress/) A windows command line to access hardware resources –  Sep 13 '11 at 03:26

5 Answers

2

In Linux, you can open and map the device file /dev/mem (if you have read permission to it). This corresponds to physical memory.

caf
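The `/dev/mem` mapping described in the answer above, as an added C example that is not part of the original answer. `read_phys` and `page_base` are hypothetical helper names and `0xF0000` is a constructed sample address; the program needs root, and kernels built with `CONFIG_STRICT_DEVMEM` restrict access to ordinary system RAM, so both failure paths are reported.

```c
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* mmap offsets must be page-aligned: round a physical address down to its page. */
static uint64_t page_base(uint64_t phys, uint64_t page_size) {
    return phys & ~(page_size - 1);
}

/* Copy len bytes starting at physical address phys out of the memory device dev.
 * Returns 0 on success, -1 if open() fails (no permission, no such device),
 * -2 if mmap() fails (for example, the kernel refuses that range). */
int read_phys(const char *dev, uint64_t phys, void *out, size_t len) {
    uint64_t base = page_base(phys, (uint64_t)sysconf(_SC_PAGESIZE));
    size_t skew = (size_t)(phys - base);   /* offset of phys inside its page */
    size_t span = skew + len;              /* bytes that must be mapped */

    int fd = open(dev, O_RDONLY);
    if (fd < 0)
        return -1;
    void *map = mmap(NULL, span, PROT_READ, MAP_SHARED, fd, (off_t)base);
    close(fd);                             /* the mapping outlives the descriptor */
    if (map == MAP_FAILED)
        return -2;
    memcpy(out, (uint8_t *)map + skew, len);
    munmap(map, span);
    return 0;
}

int main(void) {
    uint8_t buf[16];
    uint64_t phys = 0xF0000;  /* constructed sample: legacy BIOS area on x86 PCs */
    int rc = read_phys("/dev/mem", phys, buf, sizeof buf);
    if (rc != 0) {
        fprintf(stderr, "read_phys failed (%d): %s\n", rc,
                rc == -1 ? "cannot open device" : "mapping refused");
        return 1;
    }
    for (size_t i = 0; i < sizeof buf; i++)
        printf("%02x ", buf[i]);
    putchar('\n');
    return 0;
}
```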
0

Try this NTMIO - A WINDOWS COMMAND LINE TO ACCESS HARDWARE RESOURCES http://siliconkit.com/ocart/index.php?route=product/product&keyword=ntmio&category_id=0&product_id=285

0

> can i write a program to print each physical memory location.

I think no operating system gives the user access to physical memory locations. So, you can't. Whatever you are seeing are virtual addresses produced by the operating system.

Mahesh
0

It is possible, on Windows, to access physical memory directly. Some of the things you can do:

  • Use the Device\PhysicalMemory object -- you can't access all physical memory, and user-mode access to it is restricted starting from Windows Server 2003 SP1.
  • Use Address Windowing Extensions -- you can control your own virtual-to-physical address mappings, so in a sense you are accessing physical memory directly, although still through page tables.
  • Write a kernel-mode driver -- there are kernel-mode APIs to access physical memory directly, to allocate physical memory pages, etc. One reason for that is DMA (Direct Memory Access).

None of these methods will give you easy, unrestricted access to any physical memory location. If I may ask, what are you trying to accomplish?

Sasha Goldshtein
0

I'm thinking you could probably do it with a kernel-mode driver, but the result would be gibberish, as what is in the user section of RAM at the time you grabbed it would be what the OS had paged in; it may be part of one application or a mishmash of a whole bunch. This previous SO question may also be helpful: How does a Windows Kernel mode Driver, access paged memory?

Community
slugster