'Equivalent to ZwQueryVirtualMemory that works on system memory?

ZwQueryVirtualMemory reports on virtual memory in the address space of a process. I would like to do the same thing, but for paged memory in system space. Is there an equivalent function that deals with system space instead of process space?

windowskernel


Solution 1:[1]

You could use ZwQuerySystemInformation with SystemModuleInformation to get all running drivers. Then you can find the entry you want and get the base and size of the driver. You could if you want to do it properly only get the base of a driver with using the same method of above or using the PsLoadedModuleList to get the base of the targeted driver and then just walk the sections manually with the headers.

Also a tip, if you are going to copy it to dump it, use MmCopyMemory.

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution Source
Solution 1 Zpes

Related Questions

Using TensorFlow in IDE on Windows

Using TensorFlow in IDE on Windows

Using TensorFlow in IDE on Windows

Using TensorFlow in IDE on Windows

What does "Beta: Use Unicode UTF-8 for worldwide language support" actually do?

What does "Beta: Use Unicode UTF-8 for worldwide language support" actually do?

PowerShell Cannot dot-source this command because it was defined in a different language mode

I am making a calculator and I get TypeError: can only concatenate str (not "int") to str [closed]

libtorch throws c10::error after build on Windows 10 (VS2019)

SQLite3.exe shell not successfully creating database?

Is it possible to use output redirections from a cmd file using start?

Unable to create '/git/index.lock': File exists - but it doesn't

Set up Python simpleHTTPserver on Windows [duplicate]

Powershell - windows hard-disk health status is giving inconsistent results

TOX can't find the browser binary