4MB to 1024 x 4KB...
2007-08-13 11:05
183 views
By: c0de90e7
Have you used pagetable tricks ( INT 0Eh hooking + P bit clearing in PTEs ) for execution breakpoints in code pages ?
This is something I wrote some time ago when playing around with pagetable tricks. Now I have added some comments and ASCII art schematics, but it is far from being good enough for general use outside of the PoC field...
Well, back then, I was experimenting with all kinds of page tricks and one thing I thought of was using page tricks for executable code breakpoints ( i.e., not data access ones but code execution access ones; why ? because I wanted to do hooks without touching the code itself - similar to DRx... ).
So I implemented the thing and everything was fine... until I tried the experiments on a machine with far more RAM... the ntoskrnl.exe module was mapped into a 4MB page, so the problems were evident:
- If I wanted to put a breakpoint in, say, ntoskrnl.exe!NtOpenFile and ntoskrnl.exe was mapped in a 4MB page, I would need to mark the whole 4MB page as non-present, making the OS almost unable to run with that many page faults.
- The INT 0Eh handler itself was in that 4MB page, so even if I hooked INT 0Eh by IDT entry manipulation, many problems would arise...
- Other later and more subtle problems which I don't fully remember, but not important, since the first problem already made the thing unviable...
So I thought, ok, I could disable 4MB page use at boot time ( by registry keys and in other ways ) and it would be ok. But that wouldn't do in direct load scenarios; I need to split those 4MB pages on the fly.
That's what led me to write the routine:
http://www.rootkit.com/vault/c0de90e7/SPLIT4M-4K.INC
The theory behind it is pretty simple, as the title says: just change the 4MB PDE into a 1024x4KB PDE and create a PT with 1024 PTEs that map the same physical address space by aliasing those 4MBs.
It was written in NASM ( I use NASM whenever I experiment with stuff or have an idea... ). I might write a driver in C and implement this and PAE supporting routines also, I don't know.
P.S.: Just in case someone wonders... when I try ideas and so on that need ring0, I use a small loader that goes ring0 by editing /Device/PhysicalMemory. It's just a quick & easy template for NASM experiments.