Savely scanning windows kernel memory (0xffff0800`00000000 - 0xffffffff`ffffffff)

0

I'm searching for a fast and (crash) reliable way to scan the whole allocated system kernel memory (in the range 0xffff080000000000 - 0xffffffffffffffff) from a windows kernel driver. I tried to list the VAD tree entires (like the "!vad" from windbg) and scan the associated sections but it seems like not all sections are listed in the tree. Is there any way to list the whole allocated system memory address ranges so i can scan those with the code below?

inline BOOLEAN CompareByteArray(const BYTE* pData, const BYTE* bMask, const char* szMask)
{
    for (; *szMask; ++szMask, ++pData, ++bMask)
        if (*szMask == 'x' && *pData != *bMask)
            return 0;

    return (*szMask) == 0;
}

UINT64 FindPattern(const UINT64 dwAddress, const UINT64 dwLen, const BYTE* bMask, const char* szMask)
{
    for (UINT64 i = 0; i < dwLen; i++)
        if (CompareByteArray((BYTE*)(dwAddress + i), bMask, szMask))
            return (UINT64)(dwAddress + i);

    return 0;
}

Edit #1: I have to do a realtime scan (less than one minute per scan) of the memory and im only searching static values like strings/codesignatures in the kernel memory space.

c
windows
kernel
driver
asked on Stack Overflow Oct 3, 2020 by user11219928 • edited Oct 4, 2020 by user11219928

0 Answers

Nobody has answered this question yet.


User contributions licensed under CC BY-SA 3.0