Is it possible to access the EFI System Table from the OS? I would like to know where the Runtime Services are mapped. The reason for this is that the Windows API only exposes the variable services to user mode (Get/SetFirmwareEnvironmentVariable), but I was wondering if it would be possible to use the rest of the services by accessing them directly in a custom driver. I know that the Windows loader is mapping the table containing the virtual addresses of the services into the kernel memory, but I have not found a way to locate and read it. Can somebody provide suggestions or directions on how to accomplish this goal?
A year old question but I will answer it and maybe it would help somebody else.
Long story short: no, it's not possible. It's entirely Windows internals, and if Microsoft doesn't expose it there is no way to access UEFI Run-time Services. As for the UEFI variables, they are stored in non-volatile RAM, and only the UEFI firmware (BIOS) knows where all the variables are stored and how. So there are 2 possibilities: either the BIOS provides a way for Windows to get a pointer to the UEFI Run-time Services, or Microsoft has an agreement with BIOS vendors, like: "OK guys, if you want your systems to be compatible with Windows, here is the memory location where you must store the pointer to your UEFI Run-time Services, period."
I saw programs writing to NVRAM using SetFirmwareEnvironmentVariable.
Related
I would like to be able to plug in a physical address, and read the data stored at that address.
Under Linux, I would use /dev/mem to acquire this data. Under Windows 8, I'm not sure what mechanism is available to do this.
My use case is inspecting a PCI Express device. The PCI Express device creates a ring buffer at a known address, that I can determine from the PCIe BAR. Once this address has been set, it won't change until the computer restarts.
Currently, I can use applications like RW Everything to see the data there, but I would like to be able to do this without user interaction (Without the GUI) so that I have fewer issues with the ring buffers wrapping before I can access the data.
Does anyone know if there is a privileged Windows system call I can make from userspace (to mmap a region for example) or do I need to use a custom kernel module to do this? I imagine that there is some way to do it without a custom kernel module, because I don't believe I installed one when I installed RW Everything.
Since Windows Server 2003 SP1, user-mode access to physical memory has not been possible. You will have to develop a driver to do it (or find a third-party tool that includes one).
From Technet:
In Windows Server 2003 SP1, user-mode access to the \Device\PhysicalMemory object is not permitted. All forms of access (read, write) are refused when the \Device\PhysicalMemory object is accessed from a user-mode application. Access to the \Device\PhysicalMemory object is refused regardless of the user context (Administrators, Users, Local System, etc.) the application is running in.
There is a lot of Windows software for accessing physical memory; however, much of it cannot access physical memory in Windows Vista or 7 because of the physical memory protection feature in these OSes.
There are many Windows tools similar to Unix's /dev/mem, such as:
Belkasoft Live RAM Capturer
WindowsSCOPE Pro and Ultimate, available at http://www.windowsscope.com
WindowsSCOPE Live
winen.exe (Guidance Software - included with Encase 6.11 and higher)
Mdd (Memory DD) (ManTech)
MANDIANT Memoryze
Kntdd
Moonsols
HBGary
FTK Imager
OSForensics
WinPmem; and
Windows Memory Reader
Check this wiki for more info:
http://www.forensicswiki.org/wiki/Tools:Memory_Imaging
I need to read the HBA memory registers of the AHCI controller sitting on the PCI bus of the system. I have a driver with which I can read the config space of all the PCI devices in the system (using ReadConfig and WriteConfig). Through this I'm able to get the ABAR content, which is the last BAR in the AHCI device's config space. Now, I need to read the values of these memory registers. Does anybody have any idea how to do this? PCITree is able to do this, so I know that this is possible.
I'm new to driver development, so any help would be greatly appreciated... :)
AFAIK you can use winio to access memory under Windows NT/2000/XP/2003/Vista/7 and 2008. Please reference the link and click "winio" to download and use. There are samples and sources within it and you can easily transfer to your application.
I want to write an ACPI method for the Windows operating system as part of my college project, and I am new to this assembly-level programming.
I want to know whether the ACPI method will be in the BIOS, or whether it can be present in the OS with the ACPI driver able to execute it?
Also, how exactly are the current ACPI methods exposed to the OS from the BIOS?
Honestly, it sounds like you haven't done ANY research at all. The first result in Google returned a Wikipedia page that answers your first question:
"...the standard brings power management into operating system control (OSPM), as opposed to the previous BIOS central system, which relied on platform-specific firmware to determine power management and configuration policy..."
"The OSPM implementation must expose an ACPI-compatible environment to device drivers, which exposes certain system, device and processor states."
http://en.wikipedia.org/wiki/Advanced_Configuration_and_Power_Interface
The APIs for the OSPM in Windows are not documented as well as the rest of the Windows API, but at least there's something...: http://msdn.microsoft.com/en-us/library/ff536161%28v=vs.85%29.aspx
good luck! :)
Does the Windows version of Midnight Commander (MC) work independently from Windows libraries? I mean, does it have its own way of reading data off the disk, or is it using the OS's abilities?
If it's not independent do you know of any file manager that is? (Is it possible?)
Any help is greatly appreciated.
Only the Windows kernel, and device drivers, can access the disks directly; all user-mode programs must use the Windows API (e.g. FindFirstFile).
Do you want MC to access the HDD controller directly? If no, you'll deal with Windows file system driver stack no matter what file manager you use.
Is there any way to get the boot order programmatically on Windows?
On Windows 98 it was possible to read CMOS data (BIOS settings) by using the CPU ports.
If I'm not mistaken, Windows XP doesn't allow that anymore.
Motherboard manufacturers usually provide a utility for storing BIOS settings in a file.
Even with that information you'll probably need the specifications of the BIOS version so you can locate the right offset of "BOOT order" byte (assuming that it is stored in a single byte).
Update: I haven't tested it but check out SMBIOS Support in Windows.
And more specifically the GetSystemFirmwareTable Function.
If I understood correctly, with the above function you'll be able to get the BIOS data stored in the lowest 1MB of physical memory. Still, you must know where the boot order information is stored.
Yes, use Kernel Booting APIs (internal, ordinal dynamic call)
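Added example, not part of any post above: on UEFI systems the boot order asked about in the last question is kept in the global `BootOrder` variable and its `Boot####` load options, which is the kind of data the variable services named in the first question (GetFirmwareEnvironmentVariable) return. This portable C code decodes both layouts from constructed sample bytes; the function names and the sample values are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define LOAD_OPTION_ACTIVE 0x00000001u   /* attribute bit from the UEFI spec */

/* Constructed sample data, not captured from a real machine. */
static const uint8_t sample_boot_order[] = { 0x03,0x00, 0x00,0x00, 0x01,0x00 };
static const uint8_t sample_boot0003[] = {
    0x01,0x00,0x00,0x00,         /* Attributes = LOAD_OPTION_ACTIVE        */
    0x04,0x00,                   /* FilePathListLength = 4                 */
    'U',0,'S',0,'B',0,0,0,       /* Description "USB", UTF-16LE, NUL ended */
    0x7f,0xff,0x04,0x00          /* end-of-device-path node                */
};

static uint16_t le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t le32(const uint8_t *p) { return le16(p) | ((uint32_t)le16(p + 2) << 16); }

/* BootOrder is an array of little-endian UINT16. Returns count, or -1 if odd-sized or too long. */
int parse_boot_order(const uint8_t *buf, size_t len, uint16_t *out, size_t max)
{
    if (len % 2 != 0 || len / 2 > max) return -1;
    for (size_t i = 0; i < len / 2; i++) out[i] = le16(buf + 2 * i);
    return (int)(len / 2);
}

/* Decode attributes and description of an EFI_LOAD_OPTION. Returns 0, or -1 if truncated. */
int parse_load_option(const uint8_t *buf, size_t len, uint32_t *attrs, char *desc, size_t desc_max)
{
    if (len < 6 || desc_max == 0) return -1;
    *attrs = le32(buf);
    size_t path_len = le16(buf + 4), off = 6, n = 0;
    for (;; off += 2) {
        if (off + 2 > len) return -1;              /* description never terminated */
        uint16_t ch = le16(buf + off);
        if (ch == 0) { off += 2; break; }
        if (n + 1 < desc_max) desc[n++] = ch < 0x80 ? (char)ch : '?';
    }
    desc[n] = '\0';
    return (off + path_len <= len) ? 0 : -1;       /* device path must fit in the buffer */
}

int main(void)
{
    uint16_t order[8]; uint32_t attrs; char desc[32];
    int n = parse_boot_order(sample_boot_order, sizeof sample_boot_order, order, 8);
    if (n > 0 && parse_load_option(sample_boot0003, sizeof sample_boot0003, &attrs, desc, sizeof desc) == 0)
        printf("first: Boot%04X \"%s\" active=%d\n", (unsigned)order[0], desc, (attrs & LOAD_OPTION_ACTIVE) != 0);
    return 0;
}
```

Comparing the decoded order and active flags against a recorded baseline is one way to notice an unexpected change to the boot configuration.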