Code: |
unit PhysMemWorks;
interface
uses windows;
type
  // Status code type used as the result of every ntdll import declared in this unit.
  NTSTATUS = LongInt;
  PLARGE_INTEGER = ^LARGE_INTEGER;

  // Inheritance disposition argument of NtMapViewOfSection.
  // Ordinals follow declaration order: ViewNone = 0, ViewShare = 1, ViewUnmap = 2.
  TSectionInherit = (ViewNone, ViewShare, ViewUnmap);
  SECTION_INHERIT = TSectionInherit;

  // Physical address split into two 32-bit halves.
  PHYSICAL_ADDRESS = record
    LowPart  : DWORD;
    HighPart : DWORD;
  end;

  // Counted ANSI string handed to RtlInitAnsiString / RtlAnsiStringToUnicodeString.
  // NOTE(review): "packed" places Buffer directly after the two Word fields.
  // That presumably matches the native layout only where pointers are 4 bytes;
  // confirm the unit is built for 32-bit targets only.
  TNtAnsiString = packed record
    Length        : Word;
    MaximumLength : Word;
    Buffer        : PChar;
  end;
  PNtAnsiString = ^TNtAnsiString;
  ANSI_STRING = TNtAnsiString;

  // Counted wide-character string; same field order as TNtAnsiString.
  TNtUnicodeString = packed record
    Length        : Word;
    MaximumLength : Word;
    Buffer        : PWideChar;
  end;
  UNICODE_STRING = TNtUnicodeString;
  PNtUnicodeString = ^TNtUnicodeString;

  // Object attributes block passed by pointer to NtOpenSection.
  // It is filled in by InitializeObjectAttributes in the implementation section.
  TNtObjectAttributes = packed record
    Length                   : ULONG;
    RootDirectory            : THandle;
    ObjectName               : PNtUnicodeString;
    Attributes               : ULONG;
    SecurityDescriptor       : Pointer;
    SecurityQualityOfService : Pointer;
  end;
  OBJECT_ATTRIBUTES = TNtObjectAttributes;
  PNtObjectAttributes = ^TNtObjectAttributes;
// Public entry points of the unit (bodies are in the implementation section).
function OpenPhysicalMemory:dword;
function MapPhysicalMemory (hPhysMem:tHANDLE;
                            pdwAddress:DWORD;
                            pdwLength:DWORD;
                            pdwBaseAddress:pDWORD):dword;

// ---- native imports; every routine below is bound to ntdll.dll ----
const DLL = 'ntdll.dll';

// Converts a counted ANSI string to a counted Unicode string.
// OpenPhysicalMemory calls it with AllocateDestinationString = true.
function RtlAnsiStringToUnicodeString(
  DestinationString : PNtUnicodeString;
  SourceString : PNtAnsiString;
  AllocateDestinationString : Boolean ) : NTSTATUS;
  stdcall; external DLL name 'RtlAnsiStringToUnicodeString';

// Initialises a counted ANSI string from a zero-terminated source.
procedure RtlInitAnsiString(
  DestinationString : PNtAnsiString;
  SourceString : PChar );
  stdcall; external DLL name 'RtlInitAnsiString';

// Maps a view of a section object into a process.
// NOTE(review): ViewSize is declared here as a DWORD passed by value, whereas the
// documented native prototype takes a pointer to the size (PSIZE_T).
// A caller that passes 0 therefore passes a nil pointer. Confirm and correct the
// declaration together with its caller, MapPhysicalMemory.
function NtMapViewOfSection(
  SectionHandle : THandle;
  ProcessHandle : THandle;
  var BaseAddress : PDWORD;
  ZeroBits : ULONG;
  CommitSize : ULONG;
  SectionOffset : PLARGE_INTEGER;
  ViewSize : DWORD;
  InheritDisposition : SECTION_INHERIT;
  AllocationType : ULONG;
  Protect : ULONG) : NTSTATUS;
  stdcall; external DLL name 'NtMapViewOfSection';

// Removes a previously mapped view, identified by its base address, from a process.
function NtUnmapViewOfSection(
  const ProcessHandle : THandle;
  const BaseAddress : Pointer) : NTSTATUS;
  stdcall; external DLL name 'NtUnmapViewOfSection';

// Opens an existing section object named through ObjectAttributes.
function NtOpenSection(
  out SectionHandle : THandle;
  const DesiredAccess : ACCESS_MASK;
  ObjectAttributes : PNtObjectAttributes) : NTSTATUS;
  stdcall; external DLL name 'NtOpenSection';
implementation
// Attribute flag that OpenPhysicalMemory passes to InitializeObjectAttributes.
// NOTE(review): OBJ_KERNEL_HANDLE is documented for kernel-mode callers; confirm it
// is the intended attribute for this user-mode open.
const OBJ_KERNEL_HANDLE = $0000200;
// Unit-private scratch variable; OpenPhysicalMemory stores the result of its native
// calls here. NOTE(review): it is declared dword while the imports return NTSTATUS
// (LongInt), so failure codes are stored as large unsigned values.
var status: dword;
// Fills the object-attributes block that InitializedAttributes points to.
//   pObjectName         - stored in ObjectName
//   uAttributes         - stored in Attributes
//   hRootDirectory      - stored in RootDirectory
//   pSecurityDescriptor - stored in SecurityDescriptor
// Length is set to the record size and SecurityQualityOfService is always nil.
// The pointer is dereferenced without a nil check, so the caller must pass a valid block.
procedure InitializeObjectAttributes(InitializedAttributes : PNtObjectAttributes;
                                     pObjectName : PNtUnicodeString;
                                     const uAttributes : ULONG;
                                     const hRootDirectory : THandle;
                                     pSecurityDescriptor : PSECURITY_DESCRIPTOR);
begin
  InitializedAttributes^.Length := SizeOf(TNtObjectAttributes);
  InitializedAttributes^.ObjectName := pObjectName;
  InitializedAttributes^.Attributes := uAttributes;
  InitializedAttributes^.RootDirectory := hRootDirectory;
  InitializedAttributes^.SecurityDescriptor := pSecurityDescriptor;
  InitializedAttributes^.SecurityQualityOfService := nil;
end;
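// Private import: frees the buffer that RtlAnsiStringToUnicodeString allocates when
// it is called with AllocateDestinationString = true.
procedure RtlFreeUnicodeString(UnicodeString : PNtUnicodeString);
  stdcall; external DLL name 'RtlFreeUnicodeString';

// Opens the \Device\PhysicalMemory section object for read-only mapping.
//
// Returns the section handle on success and 0 on failure. The status of the last
// native call is left in the unit variable "status".
// The caller owns the returned handle and should release it with CloseHandle.
//
// The section is requested with SECTION_MAP_READ only, so views cannot be made
// writable through this handle.
// Windows Server 2003 SP1 and later refuse user-mode opens of \Device\PhysicalMemory,
// so on those systems this function returns 0.
function OpenPhysicalMemory:dword;
var
  hPhysMem : dword;
  UniPhysicalMemory : TNtUnicodeString;
  AnsiPhysicalMemory : TNtAnsiString;
  oa : TNtObjectAttributes;
begin
  result := 0;
  hPhysMem := 0;

  RtlInitAnsiString(@AnsiPhysicalMemory, '\Device\PhysicalMemory');
  status := RtlAnsiStringToUnicodeString(@UniPhysicalMemory, @AnsiPhysicalMemory, true);
  // If the conversion failed, UniPhysicalMemory was never filled in, so it must not
  // be handed to NtOpenSection.
  if status <> 0 then
    exit;

  // NOTE(review): OBJ_KERNEL_HANDLE is documented for kernel-mode callers; confirm
  // it is the intended attribute here.
  InitializeObjectAttributes(@oa, @UniPhysicalMemory, OBJ_KERNEL_HANDLE, 0, nil);
  status := NtOpenSection(hPhysMem, SECTION_MAP_READ, @oa);

  // The name buffer is only needed for the open; free it on success and on failure.
  RtlFreeUnicodeString(@UniPhysicalMemory);

  if status = 0 then
    result := hPhysMem;
end;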
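// Requests a read-only (PAGE_READONLY) view of the section hPhysMem, starting at
// physical offset pdwAddress, in the current process.
//
// Returns 1 when NtMapViewOfSection reports success (status 0), otherwise 0.
//
// Fixed here:
//  * SectionOffset is now a local record. It used to be an uninitialised pointer
//    that was written through before the call.
//  * The filled-in offset is passed to the call; previously nil was passed, so
//    pdwAddress had no effect.
//  * The view is requested in the current process instead of process handle 0.
//  * The native status decides the result; previously the function always returned 1.
//
// NOTE(review), not fixable inside this function alone:
//  * The import declares ViewSize as a DWORD by value, while the native prototype
//    takes a pointer to the size. The 0 passed below is therefore a nil pointer,
//    and pdwLength stays unused until the import declaration is corrected.
//  * BaseAddress is a var parameter bound to this function's own copy of
//    pdwBaseAddress, so the mapped address is not written to the location the
//    caller supplied. Confirm the intended contract.
//  * ViewNone (0) is passed as the inherit disposition; the documented values are
//    ViewShare and ViewUnmap. Confirm.
function MapPhysicalMemory (hPhysMem:tHANDLE; pdwAddress:DWORD; pdwLength:DWORD; pdwBaseAddress:pDWORD):dword;
var
  SectionOffset : LARGE_INTEGER;
  ntStatus : NTSTATUS;
begin
  SectionOffset.HighPart := 0;
  SectionOffset.LowPart := pdwAddress;

  ntStatus := NtMapViewOfSection(hPhysMem, GetCurrentProcess, pdwBaseAddress,
                                 0, 0, @SectionOffset, 0, ViewNone, 0, PAGE_READONLY);

  if ntStatus = 0 then
    result := 1
  else
    result := 0;
end;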
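// Unmaps the view whose base address is dwBaseAddress from the current process.
//
// Returns 1 when NtUnmapViewOfSection reports success (status 0), otherwise 0.
//
// Fixed here:
//  * The value of dwBaseAddress is passed as the view address. The previous code
//    passed @dwBaseAddress, the stack address of the parameter itself.
//  * The current process is named instead of process handle 0.
//  * The native status decides the result; previously the function always returned 1.
function UnmapPhysicalMemory (dwBaseAddress:DWORD):dword;
var
  ntStatus : NTSTATUS;
begin
  ntStatus := NtUnmapViewOfSection(GetCurrentProcess, Pointer(dwBaseAddress));
  if ntStatus = 0 then
    result := 1
  else
    result := 0;
end;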
end. |