[WINDOWS]Page Entry replacement

Programming, for all ages and all languages.
Zerith
Posts: 14
Joined: Sun Jul 05, 2009 4:01 pm

[WINDOWS]Page Entry replacement

Post by Zerith »

Hello, I'm developing a driver which will hook the Page Fault Handler, wait for a specific page to be requested to be loaded,
and point its Page Entry's page frame to my own allocated page.
It might seem like malware :), but it is not.
The code is pretty much logical, the page frame is indeed replaced.
BUT, as soon as I try to IRET back to user-mode, I get a 'memory corruption' BSOD telling me that the PTE is corrupt.

Code:

 MEMORY_MANAGEMENT (1a) 
# Any other values for parameter 1 must be individually examined.
 Arguments: 
Arg1: 00041284, A PTE or the working set list is corrupt. 
Arg2: 00401001 
Arg3: 00000000 
Arg4: c0883000 

My code can be viewed here: http://codepad.org/ZJgaamFa
The header file included with the file above can be viewed here: http://codepad.org/8Un7E3Kg
My question is, what could be wrong with the Page Entry?
Could it be that the type of memory assigned to the entry is incorrect? Are some fields of the entry incorrect?

Thanks in advance.
thepowersgang
Member
Posts: 734
Joined: Tue Dec 25, 2007 6:03 am
Libera.chat IRC: thePowersGang
Location: Perth, Western Australia

Re: [WINDOWS]Page Entry replacement

Post by thepowersgang »

Ok, first, this is not a Windows forum, it's about hobby OS development.

Second, Windows probably tries to protect itself from exactly what you are trying to do.

And thirdly, why are you doing an IRET? Isn't that the job of the code that called you?
Kernel Development, It's the brain surgery of programming.
Acess2 OS (c) | Tifflin OS (rust) | mrustc - Rust compiler
Currently Working on: mrustc
Zerith
Posts: 14
Joined: Sun Jul 05, 2009 4:01 pm

Re: [WINDOWS]Page Entry replacement

Post by Zerith »

Thank you very much! Your comment allowed me to investigate the stack once the IRET is being executed, and it seems I forgot to
add esp, 4 :)

Now my only problem is that it loads an entirely different memory area than I was expecting, lol.
Chandra
Member
Posts: 487
Joined: Sat Jul 17, 2010 12:45 am

Re: [WINDOWS]Page Entry replacement

Post by Chandra »

Hmm... so you write drivers for WINDOWS? Interesting....
Can I hire you to write a driver for my OS?
Programming is not about using a language to solve a problem, it's about using logic to find a solution !
a5498828
Member
Posts: 99
Joined: Thu Aug 12, 2010 7:25 am

Re: [WINDOWS]Page Entry replacement

Post by a5498828 »

Hmm, when you take the straightforward approach and hook the IDT entry, and then return control to the original code, there is no way you get a BSOD.
If the pages are writable, or that thing (WP) in one of the CRs is disabled (ring 0 ignores non-writable pages).

Don't wait on the page fault handler for page access, because it might never happen. What to do is:
- You don't want any interruptions on any CPU that has access to the victim process address space. You have to find a spinlock which is used to modify the cr3 table.
- Hook page fault, replace the entry in the PTE/PDE with something that has the present bit clear, and flush the TLB.
- Wait in the page fault handler until cr4 points to your page (execute access only).
- Replace the PTE entry with your own, flush it, and revert back. On context switch the original value will be flushed, so you get another page fault when the process gets its time.
- Do all modifications under the spinlock (I don't know where it is).
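Zerith's original question asks which fields of the entry could be wrong, and a5498828's reply turns on the present bit; the following C example, added here and not code from the thread, decodes the architectural bits of a 32-bit x86 (non-PAE) PTE, sanity-checks an entry meant to map a user page, and reports which flag bits differ between the OS's entry and a replacement. The bit positions are the architectural ones; the sample PTE values and the max_pfn argument are constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>
/* Architectural bits of a 32-bit x86 (non-PAE) page-table entry for a 4 KiB page. */
#define PTE_P     (1u << 0)   /* present (the bit Windows calls Valid) */
#define PTE_RW    (1u << 1)   /* writable */
#define PTE_US    (1u << 2)   /* user-mode accessible */
#define PTE_PWT   (1u << 3)   /* write-through */
#define PTE_PCD   (1u << 4)   /* cache disabled */
#define PTE_A     (1u << 5)   /* accessed */
#define PTE_D     (1u << 6)   /* dirty */
#define PTE_PAT   (1u << 7)   /* PAT index */
#define PTE_G     (1u << 8)   /* global: survives CR3 reloads */
#define PTE_SW    (7u << 9)   /* bits 9-11: ignored by the MMU, read by the OS */
#define PTE_FLAGS 0xFFFu
#define PTE_PFN(e) ((e) >> 12)

/* Problems found by pte_check_user(), combined as a bitmask. */
#define PTE_OK               0u
#define PTE_NOT_PRESENT      1u
#define PTE_NOT_USER         2u
#define PTE_GLOBAL_ON_USER   4u
#define PTE_PFN_OUT_OF_RANGE 8u

/* Sanity-check an entry that is supposed to map a user-mode 4 KiB page.
 * max_pfn is the highest physical frame number that exists (constructed here). */
uint32_t pte_check_user(uint32_t pte, uint32_t max_pfn) {
    uint32_t problems = PTE_OK;
    /* With P clear the OS interprets the rest of the entry in its own software
     * format (paged out, transition, prototype), not as frame-plus-flags. */
    if (!(pte & PTE_P))         problems |= PTE_NOT_PRESENT;
    if (!(pte & PTE_US))        problems |= PTE_NOT_USER;
    if (pte & PTE_G)            problems |= PTE_GLOBAL_ON_USER;   /* would outlive the process */
    if (PTE_PFN(pte) > max_pfn) problems |= PTE_PFN_OUT_OF_RANGE;
    return problems;
}

/* Flag bits that differ between the entry the OS installed and what replaced it.
 * Non-zero means more than the frame changed, including the OS-owned bits 9-11. */
uint32_t pte_flags_changed(uint32_t original, uint32_t replaced) {
    return (original ^ replaced) & PTE_FLAGS;
}

int main(void) {
    /* Constructed sample values, not taken from the thread's bug-check dump. */
    uint32_t os_pte = 0x00401067u;   /* frame 0x401, P|RW|US|A|D */
    uint32_t my_pte = 0x12345005u;   /* frame 0x12345, P|US only */
    printf("problems=0x%x, changed flags=0x%03x\n",
           pte_check_user(my_pte, 0xFFFFFu), pte_flags_changed(os_pte, my_pte));
    return 0;
}
```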