- Read kernel space problem, system hang
- Posted by uty on April 2nd, 2008
Hi, when I try to read a lot of system nonpaged memory in a driver, there is a
system hang, no crash I think.
The code is mostly like this:
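    // Walk the 256 MB below 0xFFBE0000 one ULONG at a time.
    for (i = 0xFFBE0000 - 0x10000000; i < 0xFFBE0000; i += 4)
    {
        bResult = MmIsAddressValid((PVOID)i);
        if (TRUE == bResult)
        {
            ulTemp = *(PULONG)i;
        }
        else
        {
            // Skip to the next page: undo the loop's +4, then add one page.
            i -= 4;
            i += 0x1000; // 4k
        }
    }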
And I also found this in the WinDbg documentation; it says:
kd> !dc e9000
physical memory read at e9000 failed
If you know the caching attributes used for the memory,
try specifying [c], [uc] or [wc], as in !dd [c] <params>.
WARNING: Incorrect use of these flags will cause unpredictable
processor corruption. This may immediately (or at any time in
the future until reboot) result in a system hang, incorrect data
being displayed or other strange crashes and corruption.
On my machine, I also get this WARNING:
lkd> !dd nt!MmNonPagedPoolEnd
Physical memory read at 80551d80 failed
If you know the caching attributes used for the memory,
try specifying [c], [uc] or [wc], as in !dd [c] <params>.
WARNING: Incorrect use of these flags will cause unpredictable
processor corruption. This may immediately (or at any time in
the future until reboot) result in a system hang, incorrect data
being displayed or other strange crashes and corruption.
lkd> dd 80551d80
80551d80 ffbe0000 e1000000 0007fff0 00003253
80551d90 00000003 0002290d 000371f4 c07fdff8
80551da0 c07fdf00 00000001 00000002 00000004
80551db0 00000008 00000010 02010000 03030302
80551dc0 04040403 04040404 00000004 00000064
80551dd0 00000032 0000001e 00000014 00000014
80551de0 00000007 0a0a0a01 0b0b0b0b 0a0a0a01
80551df0 0b0b0b0b 0a0a0a01 0b0b0b0b 0a0a0a01
Somebody help me: when will the system hang that the WARNING mentions happen,
and why? Is there a secure way to read the kernel space? Please explain the
reasons the system hangs, thank you :>
- Posted by uty on April 2nd, 2008
Sorry, I used the wrong command, !dd.
But using this piece of code, the system hangs.
- Posted by Doron Holan [MSFT] on April 2nd, 2008
why are you touching memory you did not allocate? MmIsAddressValid does not
do what you think it does,
http://blogs.msdn.com/doronh/archive...09/547793.aspx. furthermore,
the answer is only valid for memory that your driver has allocated,
otherwise as soon as it returns the answer could be invalid and you will
touch an invalid pointer. furthermore, the memory you are touching could
very well be memory mapped io and your read could have disastrous state
changing effects on the device on which it is mapped.
d
--
Please do not send e-mail directly to this alias. this alias is for
newsgroup purposes only.
This posting is provided "AS IS" with no warranties, and confers no rights.
- Posted by uty on April 2nd, 2008
Thanks a lot 
- Posted by uty on April 2nd, 2008
I was searching for stuff in the system nonpaged pool. That may help with the
anti-malware work; I still have not found a proper way to do that.
- Posted by Doron Holan [MSFT] on April 2nd, 2008
there is no proper way to walk memory that your driver does not own. you
are guaranteed to cause more harm to the system than anything you think you
will help with
d
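Added example, not part of the thread and not code from any poster: a user-space C model of the two hazards described in the replies above, a validity answer that is stale by the time the read happens, and a read of memory-mapped I/O that changes device state. The page table, the read-to-clear status register and every function name here are constructed for illustration; nothing in it is a kernel API.

```c
/* Constructed user-space model: check-then-read over pages the scanner
 * does not own. Not kernel code; all names are hypothetical. */
#include <stddef.h>
#include <stdint.h>

enum page_kind { PAGE_UNMAPPED, PAGE_RAM, PAGE_MMIO };
struct page { enum page_kind kind; uint32_t value; };

#define NPAGES 4
static struct page space[NPAGES];

/* Stand-in for a validity check: the answer holds for this instant only. */
static int model_is_valid(size_t pfn) { return space[pfn].kind != PAGE_UNMAPPED; }

/* The real owner of a page may free or unmap it at any time. */
static void owner_unmaps(size_t pfn) { space[pfn].kind = PAGE_UNMAPPED; }

/* Returns 0 on success, -1 where real hardware would fault.
 * The modelled device status register is read-to-clear. */
static int model_read(size_t pfn, uint32_t *out) {
    if (space[pfn].kind == PAGE_UNMAPPED) return -1;
    *out = space[pfn].value;
    if (space[pfn].kind == PAGE_MMIO) space[pfn].value = 0; /* side effect */
    return 0;
}

struct scan_result { int reads; int faults; };

/* Same shape as the loop in the first post. The owner unmaps race_pfn in
 * the window between the check and the read. */
struct scan_result scan(size_t race_pfn) {
    struct scan_result r = {0, 0};
    for (size_t pfn = 0; pfn < NPAGES; pfn++) {
        uint32_t tmp;
        if (!model_is_valid(pfn)) continue;       /* check */
        if (pfn == race_pfn) owner_unmaps(pfn);   /* state changes here */
        if (model_read(pfn, &tmp) != 0) r.faults++; else r.reads++; /* use */
    }
    return r;
}

/* Constructed layout: RAM, hole, device register, RAM. */
void setup(void) {
    space[0] = (struct page){PAGE_RAM, 0x11111111u};
    space[1] = (struct page){PAGE_UNMAPPED, 0};
    space[2] = (struct page){PAGE_MMIO, 0x00000001u}; /* pending-event bit */
    space[3] = (struct page){PAGE_RAM, 0x33333333u};
}

uint32_t device_status(void) { return space[2].value; }
```

In the model, `scan(3)` after `setup()` faults on page 3 even though the check passed, and leaves `device_status()` at 0 because the scanner's read consumed the pending-event bit.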