I'm searching for a fast and (crash) reliable way to scan the whole allocated system kernel memory (in the range 0xffff080000000000 - 0xffffffffffffffff) from a Windows kernel driver. I tried to list the VAD tree entries (like the "!vad" from WinDbg) and scan the associated sections but it seems like not all sections are listed in the tree. Is there any way to list the whole allocated system memory address ranges so I can scan those with the code below?
#include <ntddk.h>

/* Compare the bytes at pData against bMask under szMask: 'x' means the byte must
   match, any other mask character is a wildcard. */
inline BOOLEAN CompareByteArray(const BYTE* pData, const BYTE* bMask, const char* szMask)
{
    for (; *szMask; ++szMask, ++pData, ++bMask)
        if (*szMask == 'x' && *pData != *bMask)
            return FALSE;
    return TRUE;
}

/* Scan [dwAddress, dwAddress + dwLen) for the masked pattern and return the address
   of the first hit, or 0. The last candidate is clipped so the comparison never reads
   past the end of the range. */
UINT64 FindPattern(const UINT64 dwAddress, const UINT64 dwLen, const BYTE* bMask, const char* szMask)
{
    const UINT64 patLen = (UINT64)strlen(szMask);
    if (patLen == 0 || patLen > dwLen)
        return 0;
    for (UINT64 i = 0; i <= dwLen - patLen; i++)
        if (CompareByteArray((const BYTE*)(dwAddress + i), bMask, szMask))
            return dwAddress + i;
    return 0;
}
Edit #1: I have to do a real-time scan (less than one minute per scan) of the memory and I'm only searching static values like strings/code signatures in the kernel memory space.
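A page-by-page variant of the scan, added here as an example and not part of the question: a candidate is compared only when every page it touches passes a readability predicate, so a pattern straddling an unreadable page is never dereferenced, which is the crash-reliability point the question raises. The `page_ok_fn` callback, the demo buffer and the sample pattern are assumptions for a user-mode demonstration; a driver would substitute the kernel's own validity check.

```c
#include <stdint.h>
#include <string.h>
#define PAGE_SZ 4096u
#define PAGE_OF(a) ((a) & ~(uintptr_t)(PAGE_SZ - 1))
/* Hypothetical readability predicate; a driver would plug in the kernel's own check here. */
typedef int (*page_ok_fn)(uintptr_t page, void *ctx);

/* Compare pat_len bytes under the mask: 'x' must match, anything else is a wildcard.
   The caller guarantees [p, p + pat_len) is readable. */
static int match_at(const uint8_t *p, const uint8_t *pat, const char *mask, size_t pat_len)
{
    for (size_t i = 0; i < pat_len; i++)
        if (mask[i] == 'x' && p[i] != pat[i]) return 0;
    return 1;
}

/* Walk [base, base + len) one page at a time. A candidate is compared only when every page
   it touches passes page_ok, so a match straddling an unreadable page is never dereferenced.
   Returns the address of the first match, or 0. */
uintptr_t scan_range(uintptr_t base, size_t len, const uint8_t *pat, const char *mask,
                     page_ok_fn page_ok, void *ctx)
{
    size_t pat_len = strlen(mask);
    uintptr_t limit = base + len;
    if (pat_len == 0 || pat_len > len) return 0;
    for (uintptr_t page = PAGE_OF(base); page < limit; page += PAGE_SZ) {
        if (!page_ok(page, ctx)) continue;                  /* skip the whole page */
        uintptr_t a = page > base ? page : base;
        for (; a < page + PAGE_SZ && a + pat_len <= limit; a++) {
            uintptr_t tail = PAGE_OF(a + pat_len - 1);       /* page holding the last byte */
            if (tail != page && !page_ok(tail, ctx)) break;  /* rest of this page spills over */
            if (match_at((const uint8_t *)a, pat, mask, pat_len)) return a;
        }
    }
    return 0;
}

/* Constructed demo: three pages with the middle one declared unreadable. The first copy of
   the pattern straddles pages 0/1 and must be skipped; the copy inside page 2 is found. */
static _Alignas(PAGE_SZ) uint8_t demo_buf[3 * PAGE_SZ];
static int demo_page_ok(uintptr_t page, void *ctx) { (void)ctx; return page != (uintptr_t)demo_buf + PAGE_SZ; }
size_t demo_scan(void)
{
    static const uint8_t pat[] = { 0x48, 0x8B, 0x00, 0xC3 };  /* constructed sample pattern */
    memset(demo_buf, 0, sizeof demo_buf);
    memcpy(demo_buf + PAGE_SZ - 2, pat, sizeof pat);          /* straddles the bad page */
    memcpy(demo_buf + 2 * PAGE_SZ + 100, pat, sizeof pat);    /* fully inside page 2 */
    uintptr_t hit = scan_range((uintptr_t)demo_buf, sizeof demo_buf, pat, "xx?x", demo_page_ok, NULL);
    return hit ? (size_t)(hit - (uintptr_t)demo_buf) : 0;     /* offset of the first safe hit */
}
```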
User contributions licensed under CC BY-SA 3.0