Windows kernel: is there something like ExGetPoolsForTag(pool_tag)?

This is about Windows kernel drivers and memory management.

I am really curious whether there is a function (or even any inconvenient approach) to get (or iterate) all memory allocations for a specific pool tag. These are allocated using ExAllocatePoolWithTag(type, size, tag)...

There are kernel functions using a specific pool tag; now I need to find all allocations made using that tag.

I am relatively sure that this is not possible (for security reasons), but I still need confirmation of that.

Regards, Will


Update: (about the WinDbg comment below)

kd> !poolfind ObFl

Scanning large pool allocation table for Tag: ObFl (fffffa8002290000 : fffffa8002350000)

Searching NonPaged pool (fffffa8001772000 : ffffffe000000000) for Tag: ObFl

... So this means we have to find a generic way to find the "pool allocation table" or the bounds of the non-paged pool (if required). Sounds promising.


Update 2: There are some ntoskrnl exports, nt!PoolBigPageTable, nt!PoolBigPageTableSize and nt!PoolBigPageTableHash, that I need to check...

asked Feb 1 '12 at 22:02

It can't really be due to security reasons, since kernel mode code already has full privileges. Probably more about encapsulation.

I believe those tags are solely for debugging purposes. Almost sure there's no "effective" way to enumerate all the allocations for a specific tag. Anyway, why do you need this (apart from debugging)?

2 Answers

There's no documented way that I am aware of that allows for this from code; however, the Windows Kernel Debugger (WinDbg) will allow you to get at this.

See the docs for the !pool, !poolused and !poolfind commands.

answered Feb 2 '12 at 04:02

So you mean there has to be a programmatic way... we will see. :> - mschmoock

No documented way means that an application shouldn't use it, since it might change in later versions of Windows, breaking your application. - CodesInChaos

Kernel allocations can be allocated and freed at any time. If you are iterating over the internal data structures, they may suddenly disappear out from under you and you will bugcheck.

The debugger can walk these structures since it freezes the system first.

answered May 6 '12 at 21:05
