Programming forum. Post 302241841 by anonymoose on Tuesday 30th of September 2008, 12:12:52 PM
Access process memory from kernel space

Hi,

I'm currently working on a project to help the analysis of malware from inside the kernel to avoid any kind of detection.

So I need to be able to read the process memory from my kernel module.

As of now, I'm stuck at converting a virtual memory address (for example 0x080483e8 found with gdb) to a kernel readable address.

I have found a way to track this address down to a page and then find the physical address of this page, but I get kernel oops every time I try to access it.

I have been reading and googling for days and I can't find the answer.

Thanks for your help!
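
An added worked example, not code from the original post: a user-space C simulation of the page-table walk a Linux kernel module on 32-bit x86 performs to get from a user virtual address such as 0x080483e8 to the frame behind it, and of why the physical address that falls out of that walk cannot itself be dereferenced. It assumes x86-32 non-PAE paging with 4 KiB pages and the default 3G/1G split (PAGE_OFFSET at 0xC0000000); the page directory, page tables, frame numbers and the word planted at 0x080483e8 are all constructed for the illustration. The comments name the in-kernel equivalents of each step (pgd_offset(), pte_offset_map(), pte_present(), pte_pfn(), pfn_to_page(), kmap()); in a real module the same job, with the mm locking this toy leaves out, is done for you by access_process_vm() or get_user_pages() on the target task's mm.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed geometry: x86-32 non-PAE, 4 KiB pages, default 3G/1G split. */
#define PAGE_SHIFT   12
#define PAGE_SIZE    (1u << PAGE_SHIFT)
#define PTRS_PER_PT  1024u
#define PAGE_OFFSET  0xC0000000u                     /* start of the kernel's linear map */
#define LOWMEM_BYTES (0x100000000ull - PAGE_OFFSET)  /* 1 GiB reachable through __va() */

/* x86 page-table entry layout: flags in the low 12 bits, frame number above. */
#define PTE_PRESENT  0x001u
#define PTE_RW       0x002u
#define PTE_USER     0x004u
#define PTE_PFN(e)   ((e) >> PAGE_SHIFT)
#define MK_PTE(pfn, flags) (((uint32_t)(pfn) << PAGE_SHIFT) | (flags))

typedef enum { WALK_OK = 0, WALK_NO_PDE, WALK_NO_PTE, WALK_NO_FRAME } walk_status;

/* Constructed stand-in for RAM: a few 4 KiB frames, each tagged with its PFN. */
typedef struct { uint32_t pfn; uint32_t words[PTRS_PER_PT]; } frame_t;
#define NFRAMES 5
static frame_t ram[NFRAMES];

/* Stands in for pfn_to_page(): the frame a PFN names, or NULL if there is none. */
static frame_t *frame_for_pfn(uint32_t pfn) {
    for (int i = 0; i < NFRAMES; i++)
        if (ram[i].pfn == pfn) return &ram[i];
    return NULL;
}

/* The two-level walk a module does with pgd_offset(mm, va) and pte_offset_map():
 * PDE from the top 10 bits, PTE from the next 10, and the present bit checked
 * (pte_present()) before the frame number (pte_pfn()) is trusted.
 * cr3_pfn plays the role of mm->pgd for the target task. */
static walk_status walk_page_table(uint32_t cr3_pfn, uint32_t va, uint32_t *pa_out) {
    frame_t *pgd = frame_for_pfn(cr3_pfn);
    if (!pgd) return WALK_NO_FRAME;
    uint32_t pde = pgd->words[va >> 22];                              /* pgd_index(va) */
    if (!(pde & PTE_PRESENT)) return WALK_NO_PDE;                     /* pgd_none() */
    frame_t *pt = frame_for_pfn(PTE_PFN(pde));
    if (!pt) return WALK_NO_FRAME;
    uint32_t pte = pt->words[(va >> PAGE_SHIFT) & (PTRS_PER_PT - 1)]; /* pte_index(va) */
    if (!(pte & PTE_PRESENT)) return WALK_NO_PTE;                     /* never faulted in, or swapped */
    *pa_out = (PTE_PFN(pte) << PAGE_SHIFT) | (va & (PAGE_SIZE - 1));
    return WALK_OK;
}

/* A physical address is a number, not a pointer. Frames below the lowmem limit are
 * permanently mapped at pa + PAGE_OFFSET (__va()); anything above is highmem and
 * has to be kmap()ped first, so this returns false for it. */
static bool phys_to_kernel_va(uint32_t pa, uint32_t *kva_out) {
    if ((uint64_t)pa >= LOWMEM_BYTES) return false;
    *kva_out = pa + PAGE_OFFSET;
    return true;
}

/* Read a 32-bit word at a user VA through the frame itself (what a module does after
 * pfn_to_page() plus kmap()/page_address()), never through the raw physical number. */
static walk_status read_user_u32(uint32_t cr3_pfn, uint32_t va, uint32_t *val_out) {
    uint32_t pa;
    walk_status st = walk_page_table(cr3_pfn, va, &pa);
    if (st != WALK_OK) return st;
    frame_t *f = frame_for_pfn(pa >> PAGE_SHIFT);
    if (!f) return WALK_NO_FRAME;
    memcpy(val_out, (const uint8_t *)f->words + (pa & (PAGE_SIZE - 1)), sizeof *val_out);
    return WALK_OK;
}

/* Constructed address space: page directory at PFN 0x100, page tables at 0x101
 * (0x08000000-0x083FFFFF) and 0x103 (0xBFC00000-0xBFFFFFFF), the text page behind
 * 0x08048000 at PFN 0x102 (lowmem) and a stack page behind 0xBFFFF000 at PFN
 * 0x7F000 (physical 0x7F000000, above the lowmem window). Returns the directory
 * PFN, i.e. what cr3 / mm->pgd would carry. */
static uint32_t build_address_space(void) {
    memset(ram, 0, sizeof ram);
    ram[0].pfn = 0x100; ram[1].pfn = 0x101; ram[2].pfn = 0x102;
    ram[3].pfn = 0x103; ram[4].pfn = 0x7F000;
    ram[0].words[0x08048000u >> 22] = MK_PTE(0x101, PTE_PRESENT | PTE_RW | PTE_USER);
    ram[0].words[0xBFFFF000u >> 22] = MK_PTE(0x103, PTE_PRESENT | PTE_RW | PTE_USER);
    ram[1].words[(0x08048000u >> PAGE_SHIFT) & 0x3FF] = MK_PTE(0x102, PTE_PRESENT | PTE_USER);
    ram[3].words[(0xBFFFF000u >> PAGE_SHIFT) & 0x3FF] = MK_PTE(0x7F000, PTE_PRESENT | PTE_RW | PTE_USER);
    /* Constructed contents at offset 0x3e8 of the text page, i.e. at 0x080483e8:
     * bytes 55 89 e5 83 in memory, a typical i386 function prologue. */
    ram[2].words[0x3e8 / 4] = 0x83E58955u;
    return 0x100;
}

int main(void) {
    uint32_t cr3 = build_address_space();
    const uint32_t targets[] = { 0x080483e8u, 0xBFFFF010u, 0x08049000u };
    for (size_t i = 0; i < sizeof targets / sizeof targets[0]; i++) {
        uint32_t va = targets[i], pa, kva, val;
        walk_status st = walk_page_table(cr3, va, &pa);
        if (st != WALK_OK) {
            printf("%#010x: no present mapping (status %d); a blind dereference here oopses\n", va, (int)st);
            continue;
        }
        if (phys_to_kernel_va(pa, &kva))
            printf("%#010x -> phys %#010x -> kernel va %#010x via the linear map\n", va, pa, kva);
        else
            printf("%#010x -> phys %#010x is highmem: kmap() the page before reading\n", va, pa);
        if (read_user_u32(cr3, va, &val) == WALK_OK)
            printf("  word at %#010x = %#010x\n", va, val);
    }
    return 0;
}
```

The third target in main() has a page directory entry but no present PTE: in a real module that is the address that was never faulted in or has since been swapped out, and dereferencing it, or the raw physical number from the walk, is exactly the kind of oops described above. The second target shows the other trap: a frame that exists but sits above the linear map, which must be kmap()ped rather than offset by PAGE_OFFSET. Compile with cc -std=c99 -Wall.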
hat_getkpfnum(9F)            Kernel Functions for Drivers            hat_getkpfnum(9F)

NAME
       hat_getkpfnum - get page frame number for kernel address

SYNOPSIS
       #include <sys/types.h>
       #include <sys/ddi.h>
       #include <sys/sunddi.h>

       pfn_t hat_getkpfnum(caddr_t addr);

INTERFACE LEVEL
       This interface is obsolete. A driver devmap(9E) entry point should be
       provided instead.

PARAMETERS
       addr    The kernel virtual address for which the page frame number is
               to be returned.

DESCRIPTION
       hat_getkpfnum() returns the page frame number corresponding to the
       kernel virtual address, addr. addr must be a kernel virtual address
       which maps to device memory. ddi_map_regs(9F) can be used to obtain
       this address. For example, ddi_map_regs(9F) can be called in the
       driver's attach(9E) routine. The resulting kernel virtual address can
       be saved by the driver (see ddi_soft_state(9F)) and used in mmap(9E).
       The corresponding ddi_unmap_regs(9F) call can be made in the driver's
       detach(9E) routine. Refer to mmap(9E) for more information.

RETURN VALUES
       The page frame number corresponding to the valid, device-mapped
       virtual address addr. Otherwise the return value is undefined.

CONTEXT
       hat_getkpfnum() can be called only from user or kernel context.

ATTRIBUTES
       See attributes(5) for descriptions of the following attributes:

       +-----------------------------+-----------------------------+
       |       ATTRIBUTE TYPE        |       ATTRIBUTE VALUE       |
       +-----------------------------+-----------------------------+
       | Interface stability         | Obsolete                    |
       +-----------------------------+-----------------------------+

SEE ALSO
       attach(9E), detach(9E), devmap(9E), mmap(9E), ddi_map_regs(9F),
       ddi_soft_state(9F), ddi_unmap_regs(9F)

       Writing Device Drivers

NOTES
       For some devices, mapping device memory in the driver's attach(9E)
       routine and unmapping device memory in the driver's detach(9E) routine
       is a sizeable drain on system resources. This is especially true for
       devices with a large amount of physical address space. Refer to
       mmap(9E) for alternative methods.

SunOS 5.10                         13 June 2004                    hat_getkpfnum(9F)
Unix & Linux Forums Content Copyright 1993-2022. All Rights Reserved.