Retrieving MmPhysicalMemoryBlock regardless of the NT version.

 

Here is a method I’m using in the next version of Win32DD (1.2), to retrieve MmPhysicalMemoryBlock regardless of the NT Version. The main problem with KDDEBUGGER_DATA64 structure is the version dependency. Then, we have to rebuild this field by ourselves.

To retrieve physical memory runs, I’m using MmGetPhysicalMemoryRanges() *undocumented* function. This function usage had been documented by Mark Russinovich in 1999, in the Volume 1 Number 5 edition of the Sysinternals Newsletter.

Actually, this function is defined in DDK. Even if, MSDN says “The following routines are reserved for system use. Do not use them in your driver.”

1. #if (NTDDI_VERSION >= NTDDI_WIN2K)
2. NTKERNELAPI
3. PPHYSICAL_MEMORY_RANGE
4. MmGetPhysicalMemoryRanges (
5.     VOID
6.     );
7. #endif

MmPhysicalMemoryBlock is a structure that provides information regarding the physical memory ranges used by the system and also total physical memory size. These uses motivated me to write MmGetPhysicalMemoryBlock().

1. [… ]
2.     // NT 5.1 Addition
3.     ULONG64   MmPhysicalMemoryBlock;
4. [.. ]

As we can read in the KDDEBUGGER_DATA64 definition, MmPhysicalMemoryBlock field is an NT 5.1 Addition.

definition.

1. typedef struct _PHYSICAL_MEMORY_RUN {
2.     PFN_NUMBER BasePage;
3.     PFN_NUMBER PageCount;
4. } PHYSICAL_MEMORY_RUN, *PPHYSICAL_MEMORY_RUN;
5.  
6. typedef struct _PHYSICAL_MEMORY_DESCRIPTOR {
7.     ULONG NumberOfRuns;
8.     PFN_NUMBER NumberOfPages; // NumberOfPages * PAGE_SIZE is physical memory size.
9.     PHYSICAL_MEMORY_RUN Run [ 1 ]; // NumberOfRuns is the total entries.
10. } PHYSICAL_MEMORY_DESCRIPTOR, *PPHYSICAL_MEMORY_DESCRIPTOR;
11.  
12. PPHYSICAL_MEMORY_DESCRIPTOR
13. MmGetPhysicalMemoryBlock (
14.         VOID
15. );

code.

1. /*++
2. Function Name: MmGetPhysicalMemoryBlock
3.  
4. Overview:
5.         - This function aims at retrieving MmPhysicalMemoryBlock, regardless
6.         of the host version.
7.  
8.         The caller has to free the memory block.
9.  
10. Parameters:
11.         -
12.  
13. Environment:
14.         - Kernel Mode. PASSIVE_LEVEL.
15.  
16. Return Values:
17.         - PPHYSICAL_MEMORY_DESCRIPTOR
18. –*/
19. PPHYSICAL_MEMORY_DESCRIPTOR
20. MmGetPhysicalMemoryBlock ( VOID
21.                           )
22. {
23. PPHYSICAL_MEMORY_DESCRIPTOR MmPhysicalMemoryBlock;
24. PPHYSICAL_MEMORY_RANGE MmPhysicalMemoryRange;
25. ULONG MemoryBlockSize;
26. PFN_NUMBER NumberOfPages;
27. ULONG NumberOfRuns;
28. ULONG Run;
29.  
30.     //
31.     // PHYSICAL_MEMORY_DESCRIPTOR isn’t exported into KDDEBUGGER_DATA64
32.     // NT 5.0 and below. But MmGetPhysicalMemoryRanges() computes
33.     // PHYSICAL_MEMORY_RANGE with PHYSICAL_MEMORY_DESCRIPTOR. Then,
34.     // We can easily rewrite PHYSICAL_MEMORY_DESCRIPTOR.
35.     //
36.     MmPhysicalMemoryRange = MmGetPhysicalMemoryRanges ( );
37.  
38.     //
39.     // Invalid ?
40.     //
41.     if (MmPhysicalMemoryRange == NULL ) return NULL;
42.  
43.     //
44.     // Compute the number of runs and the number of pages
45.     //
46.     NumberOfRuns = 0;
47.     NumberOfPages = 0;
48.     while ( (MmPhysicalMemoryRange [NumberOfRuns ]. BaseAddress. QuadPart != 0 ) &&
49.             (MmPhysicalMemoryRange [NumberOfRuns ]. NumberOfBytes. QuadPart != 0 ) )
50.     {
51.         NumberOfRuns++;
52.         NumberOfPages += (PFN_NUMBER )BYTES_TO_PAGES (
53.             MmPhysicalMemoryRange [NumberOfRuns ]. NumberOfBytes. QuadPart );
54.     }
55.  
56.     //
57.     // Invalid ?
58.     //
59.     if (NumberOfRuns == 0 ) return NULL;
60.  
61.     //
62.     // Compute the size of the pool to allocate and then allocate
63.     //
64.     MemoryBlockSize = sizeof (ULONG ) +
65.         sizeof (PFN_NUMBER ) +
66.         sizeof (PHYSICAL_MEMORY_RUN ) * NumberOfRuns;
67.  
68.     MmPhysicalMemoryBlock = ExAllocatePoolWithTag (NonPagedPool,
69.                                                   MemoryBlockSize,
70.                                                   ‘  mM’ );
71.  
72.     //
73.     // Define PHYSICAL_MEMORY_DESCRIPTOR Header.=
74.     //
75.     MmPhysicalMemoryBlock->NumberOfRuns = NumberOfRuns;
76.     MmPhysicalMemoryBlock->NumberOfPages = NumberOfPages;
77.  
78.     for (Run = 0; Run < NumberOfRuns; Run++ )
79.     {
80.         //
81.         // BasePage
82.         //
83.         MmPhysicalMemoryBlock->Run [Run ]. BasePage =
84.             (PFN_NUMBER )MI_CONVERT_PHYSICAL_TO_PFN (
85.             MmPhysicalMemoryRange [NumberOfRuns ]. BaseAddress. QuadPart
86.  
87.             );
88.  
89.         //
90.         // PageCount
91.         //
92.         MmPhysicalMemoryBlock->Run [Run ]. PageCount =
93.             (PFN_NUMBER )BYTES_TO_PAGES (
94.             MmPhysicalMemoryRange [Run ]. NumberOfBytes. QuadPart
95.             );
96.     }
97.  
98.     return MmPhysicalMemoryBlock;
99. }