Abstract: Data from Windows kernel variables is used frequently in memory analysis, but locating these kernel variables is limited by the operating system. Earlier researchers have proposed several algorithms for locating Windows kernel variables, but in experiments the results were not satisfactory. Improving on these earlier algorithms, an algorithm based on virtual address translation is proposed for accurately locating kernel variables; it improves the accuracy of locating them. In addition, an innovative fast locating algorithm based on Windows XP kernel variables is proposed. Finally, taking the application of the kernel variable MmPhysicalMemoryBlock as an example, a fast memory data export algorithm based on MmPhysicalMemoryBlock is suggested. The experiments showed that the two kernel variable locating algorithms are able to locate kernel variables precisely, and that the fast memory data export algorithm is able to export the wanted memory data with accuracy and integrity.