Skip to content
Permalink
Branch: master
Find file Copy path
Fetching contributors…
Cannot retrieve contributors at this time
59 lines (53 sloc) 1.85 KB
name: Windows.Sys.PhysicalMemoryRanges
description: List Windows physical memory ranges.
reference:
- https://docs.microsoft.com/en-us/windows-hardware/drivers/ddi/content/wdm/ns-wdm-_cm_resource_list
parameters:
- name: physicalMemoryKey
default: HKEY_LOCAL_MACHINE\HARDWARE\RESOURCEMAP\System Resources\Physical Memory\.Translated
- name: Profile
default: |
{
"CM_RESOURCE_LIST": [0, {
"Count": [0, ["uint32"]],
"List": [4, ["CM_FULL_RESOURCE_DESCRIPTOR"]]
}],
"CM_FULL_RESOURCE_DESCRIPTOR": [0, {
"PartialResourceList": [8, ["CM_PARTIAL_RESOURCE_LIST"]]
}],
"CM_PARTIAL_RESOURCE_LIST": [0, {
"Version": [0, ["uint16"]],
"Revision": [2, ["uint16"]],
"Count": [4, ["uint32"]],
"PartialDescriptors": [8, ["Array", {
"Target": "CM_PARTIAL_RESOURCE_DESCRIPTOR"
}]]
}],
"CM_PARTIAL_RESOURCE_DESCRIPTOR": [20, {
"Type": [0, ["char"]],
"ShareDisposition": [1, ["char"]],
"Flags": [2, ["uint16"]],
"Start": [4, ["int64"]],
"Length": [12, ["uint32"]]
}]
}
sources:
- precondition:
SELECT OS From info() where OS = 'windows'
queries:
- |
SELECT Type.AsInteger as Type,
format(format="%#0x", args=Start.AsInteger) as Start,
format(format="%#0x", args=Length.AsInteger) as Length
FROM foreach(
row={
SELECT Data
FROM stat(filename=physicalMemoryKey, accessor='reg')
},
query={
SELECT Type, Start, Length, Data FROM binary_parse(
string=Data.value,
profile=Profile,
target="CM_RESOURCE_LIST",
start="List.PartialResourceList.PartialDescriptors")
})
You can’t perform that action at this time.