can't access some kernel modules

Discussion in 'Windows Vista Drivers' started by Hannes, Apr 27, 2005.

  1. Hannes

    Hannes Guest

    Is there a "protected" (i.e. inaccessible) memory region starting at 0xbf... ?

    In my driver, I need to enumerate all loaded kernel modules (to obtain
    information such as checksum & timestamp).

    I can successfully access about ~100 loaded modules, but when trying to
    access the modules listed below, I get a bugcheck. Notice how their memory
    ranges all start at 0xbf...

    (this is part of the kd> lm output)
    start end module name
    bf800000 bf99e000 win32k (deferred)
    bf800000 bf9de000 win32k (deferred)
    bff80000 bff91000 dxg (deferred)
    bf9de000 bf9f4000 dxg (deferred)
    bf99e000 bf9ac000 ialmrnt5 (deferred)
    bf9ac000 bf9cb000 ialmdnt5 (deferred)
    bf9cb000 bf9ea000 ialmdev5 (deferred)
    bf9ea000 bfaa5000 ialmdd5 (deferred)
    bff60000 bff7e000 RDPDD (deferred)
    bf9f4000 bfaa9000 SiSGRV (deferred)

    None of the ~100 modules I successfully access are in this memory range at
    all, they're mostly around 0xf7..., 0xb9..., 0xba..., or 0xee...

    Is there some kind of protected memory block at 0xbf... that I can always
    assume to not be able to access, and hence avoid the bugcheck(s), or is this
    just a random coincidence. The above results seem valid both on XP and 2000.

    / Hannes.
    Hannes, Apr 27, 2005
    1. Advertisements

  2. Hannes

    Pavel A. Guest

    How exactly you "access" these modules?
    do you checksum these memory ranges??
    Pavel A., Apr 27, 2005
    1. Advertisements

  3. Hannes

    Hannes Guest

    After determining each module's base address (using ZwQuerySystemInformation
    etc), I try to access the (checksum & timestamp) information stored in the PE
    header, which appears a little bit further inside the module.

    The core problem is that the memory at some base addresses is not readable
    by my driver, I get a crash when I try. All the "inaccessible" ones seem to
    start with 0xbf...

    / Hannes.
    Hannes, Apr 28, 2005
  4. Hannes

    Tim Roberts Guest

    "Need" is hardly the right word here.
    It's possible they are simply paged out. Is this early in boot? Are you
    running at an elevated IRQL?
    Tim Roberts, Apr 29, 2005
  5. or maybe these modules are in session space (notice they are all video
    related) and you are not in the right session.

    Doron Holan [MS], Apr 29, 2005
  6. Hannes

    Hannes Guest

    That's a great clue! Thanks for noticing that!

    Is there any way my driver can find out the memory range for this
    "inaccessible" video memory? Or is it always at 0xbf... - ?

    / Hannes.
    Hannes, Apr 29, 2005
  7. I don't know. I would never assume a memory range is used for a particular
    type of memory.


    Please do not send e-mail directly to this alias. this alias is for
    newsgroup purposes only.
    This posting is provided "AS IS" with no warranties, and confers no rights.
    Doron Holan [MS], Apr 30, 2005
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.