Retrieving MmPhysicalMemoryBlock regardless of the NT version.

Here is a method I’m using in the next version of Win32DD (1.2), to retrieve MmPhysicalMemoryBlock regardless of the NT Version. The main problem with KDDEBUGGER_DATA64 structure is the version dependency. Then, we have to rebuild this field by ourselves.

To retrieve physical memory runs, I’m using MmGetPhysicalMemoryRanges() *undocumented* function. This function usage had been documented by Mark Russinovich in 1999, in the Volume 1 Number 5 edition of the Sysinternals Newsletter.

Actually, this function is defined in DDK. Even if, MSDN says “The following routines are reserved for system use. Do not use them in your driver.”

#if (NTDDI_VERSION >= NTDDI_WIN2K)

NTKERNELAPI

PPHYSICAL_MEMORY_RANGE

MmGetPhysicalMemoryRanges (

VOID

);

#endif

MmPhysicalMemoryBlock is a structure that provides information regarding the physical memory ranges used by the system and also total physical memory size. These uses motivated me to write MmGetPhysicalMemoryBlock().

[…]

// NT 5.1 Addition

ULONG64 MmPhysicalMemoryBlock;

[..]

As we can read in the KDDEBUGGER_DATA64 definition, MmPhysicalMemoryBlock field is an NT 5.1 Addition.

definition.

typedef struct _PHYSICAL_MEMORY_RUN {

PFN_NUMBER BasePage;

PFN_NUMBER PageCount;

} PHYSICAL_MEMORY_RUN, *PPHYSICAL_MEMORY_RUN;



typedef struct _PHYSICAL_MEMORY_DESCRIPTOR {

ULONG NumberOfRuns;

PFN_NUMBER NumberOfPages; // NumberOfPages * PAGE_SIZE is physical memory size.

PHYSICAL_MEMORY_RUN Run[1]; // NumberOfRuns is the total entries.

} PHYSICAL_MEMORY_DESCRIPTOR, *PPHYSICAL_MEMORY_DESCRIPTOR;



PPHYSICAL_MEMORY_DESCRIPTOR

MmGetPhysicalMemoryBlock(

VOID

);

code.

/*++

Function Name: MmGetPhysicalMemoryBlock



Overview:

- This function aims at retrieving MmPhysicalMemoryBlock, regardless

of the host version.



The caller has to free the memory block.



Parameters:

-



Environment:

- Kernel Mode. PASSIVE_LEVEL.



Return Values:

- PPHYSICAL_MEMORY_DESCRIPTOR

–*/

PPHYSICAL_MEMORY_DESCRIPTOR

MmGetPhysicalMemoryBlock(VOID

)

{

PPHYSICAL_MEMORY_DESCRIPTOR MmPhysicalMemoryBlock;

PPHYSICAL_MEMORY_RANGE MmPhysicalMemoryRange;

ULONG MemoryBlockSize;

PFN_NUMBER NumberOfPages;

ULONG NumberOfRuns;

ULONG Run;



//

// PHYSICAL_MEMORY_DESCRIPTOR isn’t exported into KDDEBUGGER_DATA64

// NT 5.0 and below. But MmGetPhysicalMemoryRanges() computes

// PHYSICAL_MEMORY_RANGE with PHYSICAL_MEMORY_DESCRIPTOR. Then,

// We can easily rewrite PHYSICAL_MEMORY_DESCRIPTOR.

//

MmPhysicalMemoryRange = MmGetPhysicalMemoryRanges();



//

// Invalid ?

//

if (MmPhysicalMemoryRange == NULL) return NULL;



//

// Compute the number of runs and the number of pages

//

NumberOfRuns = 0;

NumberOfPages = 0;

while ((MmPhysicalMemoryRange[NumberOfRuns].BaseAddress.QuadPart != 0) &&

(MmPhysicalMemoryRange[NumberOfRuns].NumberOfBytes.QuadPart != 0))

{

NumberOfRuns++;

NumberOfPages += (PFN_NUMBER)BYTES_TO_PAGES(

MmPhysicalMemoryRange[NumberOfRuns].NumberOfBytes.QuadPart);

}



//

// Invalid ?

//

if (NumberOfRuns == 0) return NULL;



//

// Compute the size of the pool to allocate and then allocate

//

MemoryBlockSize = sizeof(ULONG) +

sizeof(PFN_NUMBER) +

sizeof(PHYSICAL_MEMORY_RUN) * NumberOfRuns;



MmPhysicalMemoryBlock = ExAllocatePoolWithTag(NonPagedPool,

MemoryBlockSize,

‘ mM’);



//

// Define PHYSICAL_MEMORY_DESCRIPTOR Header.=

//

MmPhysicalMemoryBlock->NumberOfRuns = NumberOfRuns;

MmPhysicalMemoryBlock->NumberOfPages = NumberOfPages;



for (Run = 0; Run < NumberOfRuns; Run++)

{

//

// BasePage

//

MmPhysicalMemoryBlock->Run[Run].BasePage =

(PFN_NUMBER)MI_CONVERT_PHYSICAL_TO_PFN(

MmPhysicalMemoryRange[NumberOfRuns].BaseAddress.QuadPart



);



//

// PageCount

//

MmPhysicalMemoryBlock->Run[Run].PageCount =

(PFN_NUMBER)BYTES_TO_PAGES(

MmPhysicalMemoryRange[Run].NumberOfBytes.QuadPart

);

}



return MmPhysicalMemoryBlock;

}