https://github.com/life45/pmm

Arbitrary physical memory access from any process by page table manipulation
https://github.com/life45/pmm

arbitrary driver kernel memory paging physical windows

Last synced: about 1 year ago
JSON representation

Arbitrary physical memory access from any process by page table manipulation

• Host: GitHub
• URL: https://github.com/life45/pmm
• Owner: Life45
• Created: 2024-11-27T00:37:38.000Z (over 1 year ago)
• Default Branch: main
• Last Pushed: 2024-11-27T01:02:08.000Z (over 1 year ago)
• Last Synced: 2025-04-23T06:18:44.242Z (about 1 year ago)
• Topics: arbitrary, driver, kernel, memory, paging, physical, windows
• Language: C++
• Homepage:
• Size: 176 KB
• Stars: 4
• Watchers: 1
• Forks: 0
• Open Issues: 0
• Metadata Files:
  • Readme: README.md

Awesome Lists containing this project

README

          
# PMM

Physical Memory Map (PMM)

This repository provides a PoC demonstrating direct physical memory access from usermode through virtual address mapping.

The technique works by manipulating a specific PML4 entry to create a 1:1 mapping of physical memory.

In IA-32e (x64) paging, virtual addresses are translated using a 4-level paging structure:

- Bits 0-11: Page Offset

- Bits 12-20: PT Index

- Bits 21-29: PD Index

- Bits 30-38: PDPT Index

- Bits 39-47: PML4 Index

The PoC works by:

1. Allocating kernel memory for new paging structures (PML4E, PDPT, and PDs)

2. Setting up these structures to create 2MB large pages that directly map to physical memory

3. Replacing a specific PML4 entry (256 in this PoC) to point to our new paging structures

4. Using a canonical virtual address that references this PML4 entry to access physical memory

For example, using PML4 index 256:

- Raw virtual address: 0x0000800000000000 (non-canonical)

- Sign-extended address: 0xFFFF800000000000 (canonical, anatomically the same as the non-canonical address)

To access physical address 0x1000, we add it to our base address:

0xFFFF800000000000 + 0x1000 -> Accesses physical memory at 0x1000

The usermode code demonstrates this on an allocated non paged pool.

The current implementation maps 64GB of physical memory using 2MB large pages for efficiency.

Note: This PoC is for educational purposes only, demonstrating x64 paging mechanisms. It is not meant to be used in production or for any malicious purposes. This will most likely cause lots of problems in production code.

I was mostly inspired by [jonomango's hypervisor](https://github.com/jonomango/hv). If you are interested in hypervisors, it's a great source.