tags:

views:

473

answers:

1
Q: 

Python CreateFile Cannot Find PhysicalMemory

I am trying to access the Physical Memory of a Windows 2000 system (trying to do this without a memory dumping tool). My understanding is that I need to do this using the CreateFile function to create a handle. I have used an older version of win32dd to help me through this. Other documentation on the web points me to using either "\Device\PhysicalMemory" or "\\.\PhysicalMemory". Unfortunately, I get the same error for each.

Traceback (most recent call last):
   File "testHandles.py", line 101, in (module)
   File "testHandles.py", line 72, in createFileHandle
pywintypes.error: (3, 'CreateFile', 'The system cannot find the path specified.')

Actually, the error number returned is different for each run \\.\PhysicalMemory == 3 and \Device\PhysicalMemory == 2. Review of pywin32, win32file, createfile, pyhandle, and pywintypes did not produce information as to the different return values.

Here is my code. I am using py2exe to get this working on Windows 2000 (and yes it compiles successfully). I realize that I might also have a problem with DeviceIoControl but right now I am concentrating on CreateFile.

# testHandles.py

import ctypes
import socket
import struct
import sys
import win32file
import pywintypes

def createFileHandle():

    outLoc = pywintypes.Unicode("C:\\Documents and Settings\\Administrator\\My Documents\\pymemdump_dotPM.dd")
    handleLoc = pywintypes.Unicode("\\\\.\\PhysicalMemory")
    #handleLoc = pywintypes.Unicode("\\Device\\PhysicalMemory")
    placeHolder = 0
    BytesReturned = 0


    # Device =                                              CreateFile(L"\\\\.\\win32dd", GENERIC_ALL, FILE_SHARE_READ | FILE_SHARE_WRITE, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    #                                                           CreateFile(fileName,                        desiredAccess ,          shareMode ,    attributes , creationDisposition ,      flagsAndAttributes ,                    hTemplateFile )
    #hMemHandle = win32file.CreateFile(handleLoc, GENERIC_ALL, SHARE_READ, None, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, None)
    hMemHandle = win32file.CreateFile(handleLoc, win32file.GENERIC_READ, win32file.FILE_SHARE_READ, None, win32file.OPEN_EXISTING, win32file.FILE_ATTRIBUTE_NORMAL, None)
    print "hMemHandle: %s" % hMemHandle
    if (hMemHandle == NO_ERROR):
        print "Could not build hMemHandle"
        sys.exit()

    # We send destination path to the driver.
    #if (!DeviceIoControl(hMemHandle, 0x19880922, outLoc, (ULONG)(wcslen(outLoc) + 1) * sizeof(TCHAR), NULL, 0, &BytesReturned, NULL))
    if (ctypes.windll.Kernel32.DeviceIoControl(hMemHandle, 0x19880922, outLoc, 5, NULL, 0, BytesReturned, NULL)):
        print "Error: DeviceIoControl(), Cannot send IOCTL.\n"
    else:
        print "[win32dd] Physical memory dumped. You can now check %s.\n" % outLoc

# Dump memory
createFileHandle()

Thank you, Cutaway

A: 

I don't believe it's possible to access the physical memory object from user mode land in Windows. As your win32dd link suggests, you will need to do it from kernel mode.

zdan  2009-09-23 22:09:01
The method I use here (once working) should be okay for everything pre-XPSP2 as it allows Physical Memory access from usermode land. You are correct, everything else XPSP2 and greater, will require kernel mode and is most likely not possible using Python.Thank you,Cutawa
Cutaway  2009-09-23 22:16:03
Ah, a little more digging and you appear to be correct. Though I would expect you would at the very least need to be running as an administrator to get this working. Perhaps that is the problem.
zdan  2009-09-24 00:04:15
I don't believe "Administrator" privilege is necessary but I could be wrong. I am running as this user on my test box.
Cutaway  2009-09-24 00:12:59
Well I don't know for certain if it is required, but I do know that it has always been required for \\.\PhysicalDrive access and I would not be surprised if that were the case here as well.
zdan  2009-09-24 01:13:17

related questions

CLR Profiler - Attaching to existing process
What's the maximum amount of RAM I can use in a Windows box?
.Net 2.0 - How efficient are Generic Lists?
Process Memory Size - Different Counters
C++ Memory management
Using MySQLi - which is better for closing queries
How Does A Stack Overflow Occur and How Do You Prevent It?
C Memory Management
How does .net managed memory handle value types inside objects?
FLVPlayback component memory issues
memset() causing data abort
Is Visual C++ memory managed by the Dot Net framework
Preventing Memory Leaks with Attached Behaviours
How to dispose a class in .net?
best way to persist data in .NET Web Service
Reading Other Process' Memory in Mac OS / BSD
Replicating load related crashes in non-production environments
Secure Memory Allocator in C++
Best way to wrap rsync progress in a gui?
Some kind of task manager for JavaScript in Firefox 3?
Of Memory Management, Heap Corruption, and C++
Understanding reference counting with Cocoa / Objective C
Setting Objects to Null/Nothing after use in .NET
Heap corruption under Win32; how to locate?
Anatomy of a "Memory Leak"