
x86 Kernel Memory Space Visualization (KernelMAP v0.0.1)

{ 11 } Comments

  1. genuine | 05-Jan-10 at 05:20:23

    This is very nice work j00ru, I'll take a look at it when I get home, on my Win7 :) another quality blog post

  2. Dmitry Vostokov | 27-Apr-10 at 03:27:43

    > every virtual page is represented by a single pixel on the board.

    Looks good and interesting idea :-) Please have a look about static memory visualization (bit-byte-dword-qword representation):

    http://www.dumpanalysis.org/blog/index.php/2007/08/04/visualizing-memory-dumps/

    and realtime dynamic memory visualization:

    http://seductivelogic.blogspot.com/

    I’ll introduce your approach on my blog later today

    Thanks,
    Dmitry

  3. j00ru | 28-Apr-10 at 08:53:39

    Hi Dmitry! ;>

    Wow, so you’re apparently a memory visualisation specialist ;)

    Impressive, colorful graphics – KernelMAP was however designed to be as informative as possible in terms of kernel memory layout – might not be a perfect material for a book cover ;D

    Cheers,
    j00ru//vx

  4. Dmitry Vostokov | 29-Apr-10 at 06:31:30

    Isn't memory exciting?! :-)
    I summarized some tools initially:

    http://www.dumpanalysis.org/blog/index.php/2010/04/29/memory-map-visualization-tools-revised/

  5. j00ru | 29-Apr-10 at 07:48:35

    @Dmitry: You're perfectly right, thanks for mentioning KernelMAP ;>

  6. AD | 09-Oct-10 at 12:55:14

    Hello,

    I wrote a tool (MemMAP) that was inspired by KernelMAP. You can see screenshots and download it here:
    http://www.kernelmode.info/forum/viewtopic.php?f=11&p=2986#p2986

    Thanks,
    –AD

  7. j00ru | 09-Oct-10 at 13:15:06

    @AD: Wow, nice project ;> it’s always nice to become the inspiration for something bigger. Good job!

  8. Ashutosh Mehra | 20-Aug-11 at 06:30:26

    One other useful address info leakage is in Win32k/User32. There, user32!gSharedInfo contains the address of a shared memory region (mapped in user mode) that contains the entire _HANDLEENTRY table for the session; plus there's the ulSharedDelta to help map user/kernel addresses. On Win7, gSharedInfo is exported by User32, so coding is even easier.

    Alex Ionescu’s Recon 2011 presentation and Tarjei Mandt’s BH 2001 paper describe this in detail.
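
The gSharedInfo walk described in the comment above, written out as an added example (this is not code from the original post, nor from KernelMAP or AD's MemMAP). It assumes the Windows 7 x86 layouts of SHAREDINFO, SERVERINFO and HANDLEENTRY as published in Mandt's paper and only declares the leading fields it needs; on Windows it resolves the exported gSharedInfo through GetProcAddress, and anywhere else it falls back to a small constructed table so the table-walking logic can still be run and checked.

```c
#include <inttypes.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Leading fields of the win32k shared-section structures. ASSUMPTION: the
 * Windows 7 x86 layouts as published in Tarjei Mandt's BH USA 2011 paper and
 * ReactOS; only the fields used below are declared. */
typedef struct _HANDLEENTRY {
    uintptr_t phead;     /* kernel VA of the object (tagWND, tagMENU, ...) */
    uintptr_t pOwner;    /* kernel VA of the owning thread/process info */
    uint8_t   bType;     /* TYPE_FREE == 0, TYPE_WINDOW == 1, TYPE_MENU == 2, ... */
    uint8_t   bFlags;
    uint16_t  wUniq;     /* uniqueness counter, becomes the high word of the handle */
} HANDLEENTRY;

typedef struct _SERVERINFO {
    uint32_t dwSRVIFlags;
    uint32_t cHandleEntries;   /* number of entries in aheList */
} SERVERINFO;

typedef struct _SHAREDINFO {
    SERVERINFO  *psi;
    HANDLEENTRY *aheList;       /* user-mode view of the session handle table */
    uint32_t     HeEntrySize;
    void        *pDispInfo;
    uintptr_t    ulSharedDelta; /* kernel VA minus user VA of the shared section */
} SHAREDINFO;

enum { TYPE_FREE = 0, TYPE_WINDOW = 1, TYPE_MENU = 2 };

typedef struct { uint32_t handle; uintptr_t kernel_addr; uint8_t type; } LeakedObject;

/* USER handle values are (wUniq << 16) | table index. */
static uint32_t handle_from_entry(const HANDLEENTRY *e, uint32_t index) {
    return ((uint32_t)e->wUniq << 16) | (index & 0xffffu);
}

/* Map a user-mode pointer into the shared section to its kernel-mode VA. */
static uintptr_t shared_user_to_kernel(uintptr_t user_va, uintptr_t delta) {
    return user_va + delta;
}

/* Collect the kernel address of every live object in a handle table. */
static size_t collect_objects(const HANDLEENTRY *table, uint32_t count,
                              LeakedObject *out, size_t max) {
    size_t n = 0;
    for (uint32_t i = 0; i < count && n < max; i++) {
        if (table[i].bType == TYPE_FREE || table[i].phead == 0) continue;
        out[n].handle      = handle_from_entry(&table[i], i);
        out[n].kernel_addr = table[i].phead;
        out[n].type        = table[i].bType;
        n++;
    }
    return n;
}

/* Constructed stand-in for a real table (sample data, not taken from any system). */
static HANDLEENTRY g_sample_table[4] = {
    { 0,          0,          TYPE_FREE,   0, 0x0000 }, /* index 0 is never a live handle */
    { 0xfea12000, 0xfe9c0100, TYPE_WINDOW, 0, 0x0001 },
    { 0,          0,          TYPE_FREE,   0, 0x0002 },
    { 0xfea12500, 0xfe9c0100, TYPE_MENU,   0, 0x0003 },
};
static SERVERINFO g_sample_si = { 0, 4 };
static SHAREDINFO g_sample_shared = { &g_sample_si, g_sample_table, sizeof(HANDLEENTRY), NULL, 0x7f000000 };
static LeakedObject g_found[16];

/* Walk the constructed table into g_found; returns the number of live objects. */
static size_t sample_collect(void) {
    return collect_objects(g_sample_shared.aheList, g_sample_shared.psi->cHandleEntries, g_found, 16);
}

#ifdef _WIN32
#include <windows.h>
/* On Windows 7 user32.dll exports gSharedInfo, so no signature scan is needed. */
static const SHAREDINFO *locate_shared_info(void) {
    HMODULE u = LoadLibraryA("user32.dll");
    return u ? (const SHAREDINFO *)GetProcAddress(u, "gSharedInfo") : NULL;
}
#endif

int main(void) {
    const SHAREDINFO *si = NULL;
#ifdef _WIN32
    si = locate_shared_info();
#endif
    if (!si) { puts("gSharedInfo not reachable here, using the constructed sample"); si = &g_sample_shared; }
    printf("aheList user VA %#" PRIxPTR " -> kernel VA %#" PRIxPTR "\n", (uintptr_t)si->aheList,
           shared_user_to_kernel((uintptr_t)si->aheList, si->ulSharedDelta));
    size_t n = collect_objects(si->aheList, si->psi->cHandleEntries, g_found, 16);
    for (size_t i = 0; i < n; i++)
        printf("handle %08" PRIx32 " type %u at %#" PRIxPTR "\n",
               g_found[i].handle, (unsigned)g_found[i].type, g_found[i].kernel_addr);
    return 0;
}
```

The two leaks are separate: each live HANDLEENTRY carries phead, the kernel address of the object itself, while ulSharedDelta only translates pointers into the shared section (the handle table's own kernel address, for instance). Neither requires any privilege beyond loading user32.dll, which is why the comment counts it as an address-information leak.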

  9. j00ru | 20-Aug-11 at 08:26:51

    @Ashutosh Mehra: Yeah, that’s right. In his utility called MemMAP, AD (who also commented in this post) included the win32k.sys shared section information you mentioned.

  10. Ashutosh Mehra | 20-Aug-11 at 08:51:05

    Thanks. AD’s tool clearly shows GDI kernel objects in cyan color.

  11. j00ru | 20-Aug-11 at 09:06:34

    @Ashutosh Mehra: You’re most welcome!

{ 2 } Trackbacks

  1. [...] the program is that it was originally inspired by what I released in January this year: the tiny KernelMAP. AD's application greatly enhances my idea of memory visualization, by including additional kernel [...]

  2. IDELIT | 2010-01-04 at 14:54:54

    x86 Kernel Memory Space Visualization – KernelMAP v0.0.1…

    What I would like to write about today is a subject I have been playing with for quite some time – Windows kernel vulnerability exploitation techniques. While digging through various articles and ot……
