Exetools

Exetools (https://forum.exetools.com/index.php)
-   General Discussion (https://forum.exetools.com/forumdisplay.php?f=2)
-   -   Access to \device\physicalmemory (https://forum.exetools.com/showthread.php?t=6718)

souz 02-08-2005 17:49

Access to \device\physicalmemory
 
Hi!
I have a question:
How can I store some bytes at a physical memory address like
00c0000 (video BIOS information)? Is it possible?
Note: Running on NT2000, Admin access. Platform: Delphi/Asm.
If so, can this data be accessed by other programs using
ntmapxxxxxxxxxx () functions to read \device\physicalMemory??
Thank you!

JuneMouse 02-08-2005 18:01

Get KmdKit by Four-F and go through it; he also has sample code for
PhysMemViewer, ObjectManager etc., and also some basic drivers and their source code.
Look through them; you may probably get an answer to your query.
Also visit FasmBoard; there are some interesting threads that deal with PhysMem
and such.

Edit:
I actually didn't have the link at the time I posted, so I edit here.
Take a look at
http://www.security.org.sg/code/sdtrestore.html

This tool supposedly writes to devphysmem (get the PDF and the tool and reverse it to find how it is coded :)

BTW, take a look at the credits and find posts by the people :)

theimeto 02-09-2005 14:43

Snippet from the famous Gary Nebbett:

h??p://groups.google.com/groups?selm=01bdc5f2%24e2ec33d0%241eadf6a8%40caopi2&oe=utf-8

Cobi 02-09-2005 20:13

Here you can find a great Phrack article about it:
-> http://www.phrack.org/phrack/59/p59-0x10.txt
The code is written in C, but it's well commented, so you should understand it too.

souz 02-09-2005 23:41

Thanks.
I've read this, but at this address $c0000 is the video card firmware and I can't write to it...
Is it possible to intercept read attempts to such an address and return data bytes other than the original???

JuneMouse 02-10-2005 00:52

You have read what, the Phrack article or the link I posted?
Anyway, here is a dump from my old little comp using physmembrowser

Code:

000C0000:  55 AA 40 EB 3D 37 34 30-30 30 30 30 30 30 30 30  Uª@ë=74000000000
000C0010:  30 30 30 30 30 30 30 A2-34 01 9E 2A A2 2A 49 42  0000000¢4.ž*¢*IB
000C0020:  4D 20 56 47 41 20 43 6F-6D 70 61 74 69 62 6C 65  M VGA Compatible
000C0030:  20 42 49 4F 53 2E 20 05-00 00 4E 01 5E 01 6C 01  BIOS. ...N.^.l.
000C0040:  00 C0 E9 55 7B 47 65 6E-65 72 69 63 20 49 6E 74  .ÀéU{Generic Int
000C0050:  65 6C 20 47 72 61 70 68-69 63 73 20 43 68 69 70  el Graphics Chip
000C0060:  20 41 63 63 65 6C 65 72-61 74 65 64 20 56 47 41  Accelerated VGA
000C0070:  20 42 49 4F 53 0D 0A 56-65 72 73 69 6F 6E 20 30  BIOS..Version 0

So I can read it, it seems :) and dump it, and sdtrestore can restore my Symantec AV hooking of ZwClose and 7 other hooks back to original.
So it must be possible in your case too, I would assume :) Anyway, good luck

omega_red 02-10-2005 02:29

Example of reading descriptor tables using PhysicalMemory:
http://ry.pl/~omega/asm/sdt.zip

Example of writing to PhysicalMemory:
http://ry.pl/~omega/asm/ring0nt.zip

evaluator 02-12-2005 18:54

heh, thanks to omega_red.
Enjoyed with BSOD.. no prob..

Suggestion to all Ring0-jumperz:
Don't use call gates, they are incompatible with the Win Ring0 stack
architecture.. (designed for INTs only)

Simply use INTs

sixama 02-12-2005 19:16

I've tried something similar, but the only thing I managed was to destroy my BIOS, and it recognized only the HDD and not the CD-R and floppy.

Cobi 02-12-2005 20:42

But you can't insert a new INT from user mode, or how do you mean that?
(Even in kernel mode you must edit CR0 to play with the IDT.)
Argh,... sure,... we have \device\physicalmemory ^^,... but no sidt!?

evaluator 02-13-2005 06:26

Of course, using the same tool you can set up one IDT entry (instead of GDT)
& go to Ring0. In XP, INTs from 42h to FFh are reserved, so enjoy them.

Huh, why do you need CR0 to write into the IDT?? nop

[edit]:
Forgot: when you are in Ring0, perform the same actions which the other system INTs do..
save the registers in the same order, then load 30h into the FS reg..only then can you STI..
(the stack should be lowered by 68h or more from the entered position)

souz 02-17-2005 16:55

So, I get into ring0 by a driver (TVICHHW for Delphi) and try to write into \\device\physicalmemory.... but an Access violation exception pops up....
Trying to change bytes at physical address $c0000 with SoftICE - if changed, after a second they will be the same as the original....
Maybe I need to intercept some native API???

Dmit 02-17-2005 17:47

Quote:

Originally Posted by souz
So, I get into ring0 by a driver (TVICHHW for Delphi) and try to write into \\device\physicalmemory.... but an Access violation exception pops up....
Trying to change bytes at physical address $c0000 with SoftICE - if changed, after a second they will be the same as the original....
Maybe I need to intercept some native API???

Video BIOS (like any other BIOS) usually resides in ROM (Read-Only Memory). So, you can't write to it.

In DOS times there was a trick used by chipsets to speed up BIOS access (EEPROM was much slower than RAM). The BIOS was copied into RAM, and that RAM region was marked as read-only and mapped into the address space instead of the BIOS. And for some chipsets there was a known way to unlock the mapped region of RAM, modify its content (e.g. replace the font character bitmaps) and lock the region back. But the mapping of RAM instead of BIOS ROM was supported by the chipset, not by the CPU itself...

souz 02-18-2005 19:47

But is it possible to emulate read attempts to those addresses???
Which tools can be useful to determine which API is used to read this memory area?
API SPY does not show it... in the code there is a call to ntMapOfView...

Dmit 02-18-2005 20:26

Quote:

Originally Posted by souz
But is it possible to emulate read attempts to those addresses???
Which tools can be useful to determine which API is used to read this memory area?
API SPY does not show it... in the code there is a call to ntMapOfView...

I'm not too good at kernel stuff, but here are two theoretical ideas (may be wrong):
- use a hardware breakpoint to catch the read attempt at some address and handle it
- if you know exactly how (by means of which function) the video BIOS is mapped into the address space of the calling process, intercept that function and return a pointer to some other region containing any data.

souz 02-19-2005 22:21

Thanks!
My asm is not so good; can it be done using Delphi? C++?
Please, some basic concepts, only a skeleton of possible routines...

JuneMouse 02-20-2005 01:01

Well, I still don't understand you, but I hope
you looked at Four-F's physmembrowser and those links
that are posted.
As far as I know the video BIOS is also viewable by
using plain old debug.com.
I did a quick googling around to snoop about the specific address,
viz. c0000; I landed in some BIOS forums which gave me this info:

you can use a COM file and use interrupts to create a file and copy it
to some file;
there are utilities that do that automatically too.

Now this memory is in read-only memory called ROM;
you need some flash utility to write to read-only memory.
There are flashers available around,

and there are exhaustive documents floating around (I can't recommend any specific one because I don't have any idea about what you are intending to achieve by writing there).

For example, if you want to change the logo that is shown when you are booting,
like the green blah for Award BIOS,
there was mention of bmptocpa,
there was some talk about modbin.exe,
etc. etc.

I would suggest you to look at bioscentral, wimsbios or plain Google with
bios c***** h***** (your favourite word here) :)

Quote:

C:\>debug
-d c000:0000 100
C000:0000 55 AA 40 E9 C0 2D 00 00-00 00 00 00 00 00 00 00 U.@..-..........
C000:0010 00 00 00 00 00 00 00 00-B0 01 00 E9 7E 32 49 42 ............~2IB
C000:0020 4D 20 56 47 41 20 43 6F-6D 70 61 74 69 62 6C 65 M VGA Compatible
C000:0030 F7 C8 30 DF 9D 32 20 00-80 43 4C 2D 47 44 35 34 ..0..2 ..CL-GD54
C000:0040 34 30 20 56 47 41 20 42-49 4F 53 20 56 65 72 73 40 VGA BIOS Vers
C000:0050 69 6F 6E 20 31 2E 30 37-20 20 20 20 0D 0A 43 6F ion 1.07 ..Co
C000:0060 70 79 72 69 67 68 74 20-31 39 39 32 2D 31 39 39 pyright 1992-199
C000:0070 35 20 43 69 72 72 75 73-20 49 6E 63 2E 20 41 6C 5 Cirrus Inc. Al
C000:0080 6C 20 52 69 67 68 74 73-20 52 65 73 65 72 76 65 l Rights Reserve
C000:0090 64 2E 00 20 20 20 20 20-20 0D 0A 43 6F 70 79 72 d.. ..Copyr
C000:00A0 69 67 68 74 20 31 39 38-37 2D 31 39 39 30 20 51 ight 1987-1990 Q
C000:00B0 75 61 64 74 65 6C 20 43-6F 72 70 2E 20 41 6C 6C uadtel Corp. All
C000:00C0 20 52 69 67 68 74 73 20-52 65 73 65 72 76 65 64 Rights Reserved
C000:00D0 2E 0D 0A 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
C000:00E0 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
C000:00F0 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
C000:0100 00 .
-
You can disassemble that using u address with debug;
also IDA Free could load the bin and do a good disassembly,
provided you specified the entry point.

Now it all depends on your intent, that is, what you are trying to
do, which seems unclear at the moment, to me at least.
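An added example (my own code, not from any poster or tool in this thread) that parses both dump layouts shown above, the physmembrowser dump from JuneMouse's earlier post and the debug.com dump here, checks the legacy expansion ROM header at C000:0000 (55 AA signature, then the image size in 512-byte units) and pulls out the printable strings. The sample lines are constructed from the first three rows of each dump, with the ASCII column simplified to plain ASCII.

```python
import re

# Constructed samples: first three rows of each dump quoted in the thread
# (physmembrowser layout on top, DOS debug.com "-d c000:0000" layout below).
PHYSMEM_DUMP = """\
000C0000:  55 AA 40 EB 3D 37 34 30-30 30 30 30 30 30 30 30  U.@.=74000000000
000C0010:  30 30 30 30 30 30 30 A2-34 01 9E 2A A2 2A 49 42  0000000.4..*.*IB
000C0020:  4D 20 56 47 41 20 43 6F-6D 70 61 74 69 62 6C 65  M VGA Compatible
"""
DEBUG_DUMP = """\
C000:0000 55 AA 40 E9 C0 2D 00 00-00 00 00 00 00 00 00 00 U.@..-..........
C000:0010 00 00 00 00 00 00 00 00-B0 01 00 E9 7E 32 49 42 ............~2IB
C000:0020 4D 20 56 47 41 20 43 6F-6D 70 61 74 69 62 6C 65 M VGA Compatible
"""

LINEAR_RE = re.compile(r'^\s*([0-9A-Fa-f]{8}):\s+(.*)$')                 # 000C0000:  ...
SEGOFF_RE = re.compile(r'^\s*([0-9A-Fa-f]{4}):([0-9A-Fa-f]{4})\s+(.*)$')  # C000:0000 ...
# At most 16 byte tokens (space- or dash-separated). The ASCII column that follows
# can itself look like hex ("40 VGA BIOS"), so the token cap is what stops us.
HEX_RE = re.compile(r'((?:[0-9A-Fa-f]{2}[ -]){0,15}[0-9A-Fa-f]{2})(?=\s|$)')

def parse_dump(text):
    """Return (physical base address, bytes) for a dump in either layout.
    Rows must be contiguous; a gap or overlap raises ValueError."""
    base, data = None, bytearray()
    for line in text.splitlines():
        m = LINEAR_RE.match(line)
        if m:
            addr, rest = int(m.group(1), 16), m.group(2)
        else:
            m = SEGOFF_RE.match(line)
            if not m:
                continue                      # prompt, blank or unparsable row
            addr = int(m.group(1), 16) * 16 + int(m.group(2), 16)  # real-mode seg:off
            rest = m.group(3)
        h = HEX_RE.match(rest)
        if not h:
            continue
        if base is None:
            base = addr
        elif addr != base + len(data):
            raise ValueError("non-contiguous dump at %#x" % addr)
        data += bytes.fromhex(re.sub(r'[ -]', '', h.group(1)))
    return base, bytes(data)

def option_rom_size(blob):
    """Legacy expansion ROM header: 55 AA signature, byte 2 = size in 512-byte units.
    Returns the declared image size, or None when the signature is absent."""
    if len(blob) < 3 or blob[:2] != b'\x55\xAA':
        return None
    return blob[2] * 512

def find_strings(blob, minlen=4):
    """Printable ASCII runs of at least minlen bytes, like strings(1)."""
    return [s.decode('ascii') for s in re.findall(rb'[\x20-\x7e]{%d,}' % minlen, blob)]
```

Both dumps decode to the same physical base (0xC0000) and the same 32 KB option ROM header, which is what makes the two views comparable.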

souz 02-21-2005 18:09

OK, thanks, but I don't want to change the ROM (FLASH) of the video BIOS.
Because it's a read-only memory range, I need a solution to emulate this memory address range by software. Can it be done by hooking some native API???

Regards, souz

