ufrisk/pcileech

How to find information about a shared memory section

ReeceXW opened this issue · 2 comments

I'm looking in sys/objects/objects.txt and have information about sections of shared memory in the format

09d9 ffffe48d292c5a50 Section       \\Sessions\1\BaseNamedObjects\GenericBuffer
0cfa ffffe48d2ee10ed0 Section       \\Sessions\1\BaseNamedObjects\GenericBufferInfo
0ebb ffffb685366e3260 Mutant        \\Sessions\1\BaseNamedObjects\GenericBufferMutex

I can't read anything at these addresses, the reads fail. How do I get information, like the physical address of this memory buffer? For reference I want to read and write to this generic buffer through DMA.
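As an added example (not code from the pcileech/MemProcFS project or from anyone in this thread), the following Python parses object listing lines in the layout quoted above and sorts out which entries are Sections at kernel-half addresses. It assumes the four-column layout shown (object index in hex, 64-bit virtual address in hex, object type, object name); the sample text is constructed from the three lines quoted in the question.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample: the three lines quoted in the issue, in objects.txt layout.
SAMPLE_OBJECTS_TXT = r"""
09d9 ffffe48d292c5a50 Section       \\Sessions\1\BaseNamedObjects\GenericBuffer
0cfa ffffe48d2ee10ed0 Section       \\Sessions\1\BaseNamedObjects\GenericBufferInfo
0ebb ffffb685366e3260 Mutant        \\Sessions\1\BaseNamedObjects\GenericBufferMutex
"""

# Assumed layout: <index hex> <address hex, 16 digits> <type> <name, may contain spaces>
_LINE_RE = re.compile(r"^\s*([0-9a-fA-F]+)\s+([0-9a-fA-F]{16})\s+(\S+)\s+(.*?)\s*$")

# Lowest canonical upper-half address on x64; kernel objects live at or above it.
_KERNEL_HALF_START = 0xFFFF800000000000


@dataclass(frozen=True)
class ObjectEntry:
    index: int       # object index as listed (hex in the file)
    address: int     # kernel virtual address of the object header
    obj_type: str    # e.g. "Section", "Mutant"
    name: str        # full object manager path


def parse_objects_txt(text: str) -> List[ObjectEntry]:
    """Parse listing lines into ObjectEntry records; unmatched lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = _LINE_RE.match(line)
        if not m:
            continue
        index_hex, addr_hex, obj_type, name = m.groups()
        entries.append(ObjectEntry(int(index_hex, 16), int(addr_hex, 16), obj_type, name))
    return entries


def is_kernel_address(addr: int) -> bool:
    """True if addr lies in the x64 kernel (upper canonical) half of the address space."""
    return addr >= _KERNEL_HALF_START


def sections_named(entries: List[ObjectEntry], needle: str) -> List[ObjectEntry]:
    """Return Section objects whose path contains `needle` (case-insensitive)."""
    needle = needle.lower()
    return [e for e in entries if e.obj_type == "Section" and needle in e.name.lower()]


def describe_read_context(entry: ObjectEntry) -> str:
    """Explain which address-space context a read of this object header needs."""
    if is_kernel_address(entry.address):
        return "kernel virtual address: read it in the kernel context (PID 4), not a user process"
    return "user-mode virtual address: read it in the owning process context"


if __name__ == "__main__":
    for e in sections_named(parse_objects_txt(SAMPLE_OBJECTS_TXT), "GenericBuffer"):
        print(f"{e.address:016x} {e.name} -> {describe_read_context(e)}")
```

The point the parser makes explicit is the one in the reply below: every address in the listing is in the upper canonical half, so a read attempted through a user process context will fail before any question about the section's backing pages even arises.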

Read at that address from PID 4 (system / kernel). Shared memory is quite complex though so it may be that it's not as simple as reading that object at the kernel address.

Also, for random questions about how to read things it might be better (and faster) to use the Discord for that: https://discord.gg/BCmfBhDPXX

The GitHub issues are more for reporting of bugs and things like that. Even if I haven't been very strict with regards to keeping it only to that.

I'm closing this issue. Some shared memory sections have always been in-memory. A while ago I added naming info about those already-in-memory sections to the VAD map though.