How to Read Directly from Physical Memory on Windows

Read physical memory under Windows 8

Since Windows Server 2003 SP1, user-mode access to physical memory has not been possible. You will have to develop a driver to do it (or find a third-party tool that includes one).

From TechNet:

In Windows Server 2003 SP1, user-mode access to the \Device\PhysicalMemory object is not permitted. All forms of access (read, write) are refused when the \Device\PhysicalMemory object is accessed from a user-mode application. Access to the \Device\PhysicalMemory object is refused regardless of the user context (Administrators, Users, Local System, etc.) the application is running in.

Map physical memory address to a user space application in Windows

Device drivers can map physical memory into the address space of a user-mode process using MmMapLockedPagesSpecifyCache and the related functions. To the best of my knowledge, there is no way to do this without a device driver.

Is it possible to read virtual memory on Unix/Linux? And on Windows?

For Windows, if you need to read memory from a process, you'll need to request PROCESS_VM_READ when you get your handle to the process (ReadProcessMemory is the appropriate call). In order to get that handle, it's usually easier to start the process yourself with OpenProcess.
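
The read described in the answer above, as an added example that is not part of the original answers: it opens a handle limited to PROCESS_VM_READ, copies a buffer with ReadProcessMemory, and reports failure for an unmapped range. The names read_process_bytes and SELF_PID are hypothetical, and the non-Windows branch goes beyond the answer by assuming Linux's /proc/<pid>/mem, where the file offset is the virtual address.

```c
#include <stdint.h>
#include <stdio.h>
#ifdef _WIN32
#include <windows.h>
#define SELF_PID() ((unsigned long)GetCurrentProcessId())
#else
#include <fcntl.h>
#include <sys/types.h>
#include <unistd.h>
#define SELF_PID() ((unsigned long)getpid())
#endif

/* Hypothetical helper: copy len bytes at addr in process pid; returns bytes read or -1. */
static long read_process_bytes(unsigned long pid, const void *addr,
                               void *out, size_t len)
{
#ifdef _WIN32
    /* Request only PROCESS_VM_READ so the handle cannot write or terminate. */
    HANDLE h = OpenProcess(PROCESS_VM_READ, FALSE, (DWORD)pid);
    SIZE_T got = 0;
    BOOL ok;
    if (h == NULL)
        return -1;                       /* denied, or no such process */
    ok = ReadProcessMemory(h, addr, out, len, &got);
    CloseHandle(h);
    return ok ? (long)got : -1;          /* fails if the range is unmapped */
#else
    /* Linux counterpart: offsets in /proc/<pid>/mem are virtual addresses. */
    char path[32];
    long got = -1;
    int fd;
    snprintf(path, sizeof path, "/proc/%lu/mem", pid);
    fd = open(path, O_RDONLY);           /* subject to ptrace access checks */
    if (fd < 0)
        return -1;
    if (lseek(fd, (off_t)(uintptr_t)addr, SEEK_SET) != (off_t)-1)
        got = (long)read(fd, out, len);  /* -1 if the range is unmapped */
    close(fd);
    return got;
#endif
}

int main(void)
{
    static const char sample[] = "constructed sample bytes";
    char copy[sizeof sample] = {0};
    long n = read_process_bytes(SELF_PID(), sample, copy, sizeof sample);
    printf("read %ld bytes: %s\n", n, n > 0 ? copy : "(failed)");
    return n == (long)sizeof sample ? 0 : 1;
}
```

Both branches address virtual memory of a process; neither reaches physical memory, which still requires a driver as the earlier answers state.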


