{"id":26241653,"url":"https://github.com/life45/pmm","last_synced_at":"2025-04-23T06:18:51.694Z","repository":{"id":280192205,"uuid":"894769720","full_name":"Life45/PMM","owner":"Life45","description":"Arbitrary physical memory access from any process by page table manipulation","archived":false,"fork":false,"pushed_at":"2024-11-27T01:02:08.000Z","size":180,"stargazers_count":4,"open_issues_count":0,"forks_count":0,"subscribers_count":1,"default_branch":"main","last_synced_at":"2025-04-23T06:18:44.242Z","etag":null,"topics":["arbitrary","driver","kernel","memory","paging","physical","windows"],"latest_commit_sha":null,"homepage":"","language":"C++","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/Life45.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2024-11-27T00:37:38.000Z","updated_at":"2025-03-03T12:08:56.000Z","dependencies_parsed_at":"2025-03-01T21:29:33.742Z","dependency_job_id":"e5330493-859f-40cd-85e2-0e285c287126","html_url":"https://github.com/Life45/PMM","commit_stats":null,"previous_names":["life45/pmm"],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Life45%2FPMM","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Life45%2FPMM/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Life45%2FPMM/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Life45%2FPMM/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/Life45","download_url":"http
s://codeload.github.com/Life45/PMM/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":250379809,"owners_count":21420841,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["arbitrary","driver","kernel","memory","paging","physical","windows"],"created_at":"2025-03-13T08:32:41.900Z","updated_at":"2025-04-23T06:18:51.676Z","avatar_url":"https://github.com/Life45.png","language":"C++","funding_links":[],"categories":[],"sub_categories":[],"readme":"# PMM\nPhysical Memory Map (PMM)\n\nThis repository provides a PoC demonstrating direct physical memory access from usermode through virtual address mapping.\nThe technique works by manipulating a specific PML4 entry to create a 1:1 mapping of physical memory.\n\nIn IA-32e (x64) paging, virtual addresses are translated using a 4-level paging structure:\n- Bits 0-11: Page Offset\n- Bits 12-20: PT Index\n- Bits 21-29: PD Index\n- Bits 30-38: PDPT Index\n- Bits 39-47: PML4 Index\n\nThe PoC works by:\n1. Allocating kernel memory for new paging structures (PML4E, PDPT, and PDs)\n2. Setting up these structures to create 2MB large pages that directly map to physical memory\n3. Replacing a specific PML4 entry (256 in this PoC) to point to our new paging structures\n4. 
Using a canonical virtual address that references this PML4 entry to access physical memory\n\nFor example, using PML4 index 256:\n- Raw virtual address: 0x0000800000000000 (non-canonical)\n- Sign-extended address: 0xFFFF800000000000 (canonical; its low 48 bits, and therefore its paging indices, are the same as in the non-canonical address)\n\nTo access physical address 0x1000, we add it to our base address:\n0xFFFF800000000000 + 0x1000 -\u003e Accesses physical memory at 0x1000\n\nThe usermode code demonstrates this on a non-paged pool allocation.\n\nThe current implementation maps 64GB of physical memory using 2MB large pages for efficiency.\n\nNote: This PoC is for educational purposes only, demonstrating x64 paging mechanisms. It is not meant to be used in production or for any malicious purposes. This will most likely cause lots of problems in production code.\n\nI was mostly inspired by [jonomango's hypervisor](https://github.com/jonomango/hv). If you are interested in hypervisors, it's a great source.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Flife45%2Fpmm","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Flife45%2Fpmm","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Flife45%2Fpmm/lists"}