09-30-2008
Access process memory from kernel space
Hi,
I'm currently working on a project to help the analysis of malware from inside the kernel to avoid any kind of detection.
So I need to be able to read the process memory from my kernel module.
As of now, I'm stuck at converting a virtual memory address (for example 0x080483e8 found with gdb) to a kernel readable address.
I have found a way to track this address down to a page and then find the physical address of this page, but I get a kernel oops every time I try to access it.
I have been reading and googling for days and I can't find the answer.
Thanks for your help!
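A runnable illustration of the two steps the question is about, added here as an example that is not part of the thread or of any reply in it. It is Linux user-space C rather than a kernel module, because a module cannot be built or run stand-alone, but the point carries over to the kernel side: a page frame number or physical address is not something kernel code can dereference, which is what produces the oops. The frame has to be mapped first (kmap()/page_address() on a struct page; phys_to_virt() only works for lowmem), and the supported way for a Linux module to read another task's memory is access_process_vm(), which walks the page tables, faults in swapped or copy-on-write pages and applies the ptrace permission check. In user space the same two steps are exposed as /proc/PID/pagemap (virtual address to frame; the PFN field reads as zero without CAP_SYS_ADMIN on Linux 4.2 and later) and /proc/PID/mem, whose read path is access_process_vm() with the file offset used as the target virtual address. The code reads its own pid so it runs unprivileged; the pageinfo_t struct, the function names and the marker bytes are constructed for this example.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Decoded /proc/PID/pagemap entry for one virtual address (struct made up
 * for this example; bit layout follows the kernel's pagemap documentation:
 * bits 0-54 PFN, bit 62 swapped, bit 63 present). */
typedef struct {
    int present;          /* page is currently backed by a physical frame    */
    int swapped;          /* page is in swap, so the PFN field is not a frame */
    uint64_t pfn;         /* frame number; 0 without CAP_SYS_ADMIN (>= 4.2)   */
    uint64_t page_offset; /* offset of the address inside its page            */
} pageinfo_t;

/* Step 1: virtual address of process pid -> page frame, via pagemap.
 * This is the walk the question describes, done through the kernel's
 * interface instead of by hand. Returns 0 on success, -1 on error. */
int lookup_page(pid_t pid, uintptr_t vaddr, pageinfo_t *out)
{
    char path[64];
    uint64_t entry;
    long page_size = sysconf(_SC_PAGESIZE);
    if (page_size <= 0)
        return -1;

    snprintf(path, sizeof path, "/proc/%d/pagemap", (int)pid);
    int fd = open(path, O_RDONLY);
    if (fd < 0)
        return -1;

    /* one 8-byte entry per virtual page, indexed by virtual page number */
    off_t off = (off_t)(vaddr / (uintptr_t)page_size) * (off_t)sizeof entry;
    ssize_t n = pread(fd, &entry, sizeof entry, off);
    close(fd);
    if (n != (ssize_t)sizeof entry)
        return -1;

    out->present     = (int)((entry >> 63) & 1);
    out->swapped     = (int)((entry >> 62) & 1);
    out->pfn         = entry & ((1ULL << 55) - 1);
    out->page_offset = vaddr % (uintptr_t)page_size;
    return 0;
}

/* Step 2: read len bytes at vaddr in process pid through /proc/PID/mem.
 * The kernel services this read with access_process_vm(): it maps the
 * frame, copies the bytes and enforces the ptrace access check, so no
 * physical address is ever dereferenced directly. Returns bytes read,
 * or -1 with errno set. */
ssize_t read_remote(pid_t pid, uintptr_t vaddr, void *dst, size_t len)
{
    char path[64];
    snprintf(path, sizeof path, "/proc/%d/mem", (int)pid);
    int fd = open(path, O_RDONLY);
    if (fd < 0)
        return -1;
    ssize_t n = pread(fd, dst, len, (off_t)vaddr);
    int saved = errno;
    close(fd);
    errno = saved;
    return n;
}

/* Constructed marker that we read back through the "remote" path using our
 * own pid, so the example needs no second process and no privileges. */
static const char marker[] = "constructed-marker-bytes";

/* Returns 1 if the remote read returned exactly the marker bytes, else 0. */
int self_check(void)
{
    char buf[sizeof marker];
    memset(buf, 0, sizeof buf);
    ssize_t n = read_remote(getpid(), (uintptr_t)marker, buf, sizeof marker);
    if (n != (ssize_t)sizeof marker)
        return 0;
    return memcmp(buf, marker, sizeof marker) == 0;
}

int main(void)
{
    pageinfo_t pi;
    printf("remote read of own marker: %s\n", self_check() ? "ok" : "failed");
    if (lookup_page(getpid(), (uintptr_t)marker, &pi) == 0)
        printf("marker at %p: present=%d swapped=%d pfn=%#llx offset=%#llx\n",
               (const void *)marker, pi.present, pi.swapped,
               (unsigned long long)pi.pfn, (unsigned long long)pi.page_offset);
    else
        perror("pagemap");
    return 0;
}
```

Reading a different pid through either file is subject to the same ptrace_may_access() decision a debugger faces (and to ptrace_scope on systems that set it), which is the check a kernel module gets for free by calling access_process_vm() instead of walking to the frame itself.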
LEARN ABOUT SUNOS
hat_getkpfnum(9F) Kernel Functions for Drivers hat_getkpfnum(9F)
NAME
hat_getkpfnum - get page frame number for kernel address
SYNOPSIS
#include <sys/types.h>
#include <sys/ddi.h>
#include <sys/sunddi.h>
pfn_t hat_getkpfnum(caddr_t addr);
INTERFACE LEVEL
This interface is obsolete. A driver devmap(9E) entry point should be provided instead.
PARAMETERS
addr The kernel virtual address for which the page frame number is to be returned.
DESCRIPTION
hat_getkpfnum() returns the page frame number corresponding to the kernel virtual address, addr.
addr must be a kernel virtual address which maps to device memory. ddi_map_regs(9F) can be used to obtain this address. For example, ddi_map_regs(9F) can be called in the driver's attach(9E) routine. The resulting kernel virtual address can be saved by the driver (see ddi_soft_state(9F)) and used in mmap(9E). The corresponding ddi_unmap_regs(9F) call can be made in the driver's detach(9E) routine. Refer to mmap(9E) for more information.
RETURN VALUES
The page frame number corresponding to the valid, device-mapped virtual address addr. Otherwise the return value is undefined.
CONTEXT
hat_getkpfnum() can be called only from user or kernel context.
ATTRIBUTES
See attributes(5) for descriptions of the following attributes:
+---------------------+-----------------+
| ATTRIBUTE TYPE      | ATTRIBUTE VALUE |
+---------------------+-----------------+
| Interface stability | Obsolete        |
+---------------------+-----------------+
SEE ALSO
attach(9E), detach(9E), devmap(9E), mmap(9E), ddi_map_regs(9F), ddi_soft_state(9F), ddi_unmap_regs(9F)
Writing Device Drivers
NOTES
For some devices, mapping device memory in the driver's attach(9E) routine and unmapping device memory in the driver's detach(9E) routine is a sizeable drain on system resources. This is especially true for devices with a large amount of physical address space. Refer to mmap(9E) for alternative methods.
SunOS 5.10 13 June 2004 hat_getkpfnum(9F)