
[WINDOWS]Page Entry replacement

Posted: Sat Feb 19, 2011 5:38 am
by Zerith
Hello, I'm developing a driver which will hook the Page Fault Handler, wait for a specific page to be requested to be loaded,
and point its Page Entry's page frame to my own allocated page.
It might seem like malware :), but it is not.
The code is pretty much logical; the page frame is indeed replaced.
BUT, as soon as I try to IRET back to user mode, I get a 'memory corruption' BSOD telling me that the PTE is corrupt.


 MEMORY_MANAGEMENT (1a) 
# Any other values for parameter 1 must be individually examined.
 Arguments: 
Arg1: 00041284, A PTE or the working set list is corrupt. 
Arg2: 00401001 
Arg3: 00000000 
Arg4: c0883000 

My code can be viewed here: http://codepad.org/ZJgaamFa
The header file included with the file above can be viewed here: http://codepad.org/8Un7E3Kg
My question is, what could be wrong with the Page Entry?
Could it be that the type of memory which is assigned to the entry is incorrect? Are some fields of the entry incorrect?

Thanks in advance.

Re: [WINDOWS]Page Entry replacement

Posted: Sat Feb 19, 2011 5:41 am
by thepowersgang
Ok, first, this is not a Windows forum, it's about hobby OS development.

Second, Windows probably tries to protect itself from exactly what you are trying to do.

And thirdly, why are you doing an IRET? Isn't that the job of the code that called you?

Re: [WINDOWS]Page Entry replacement

Posted: Sat Feb 19, 2011 6:20 am
by Zerith
Thank you very much! Your comment allowed me to investigate the stack once the IRET is being executed, and it seems I forgot to
add esp, 4 :)

Now my only problem is that it loads an entirely different memory area than I was expecting lol.

Re: [WINDOWS]Page Entry replacement

Posted: Sat Feb 19, 2011 7:27 am
by Chandra
Hmm... so you write drivers for WINDOWS? Interesting....
Can I hire you to write drivers for my OS?

Re: [WINDOWS]Page Entry replacement

Posted: Thu Feb 24, 2011 3:09 pm
by a5498828
Hmm, when you go the straightforward approach and hook the IDT entry, and then return control to the original code, there is no way you get a BSOD.
If pages are writeable or that thing (WP) in one of the CRs is disabled (ring 0 ignores non-writable pages).

Don't wait in the page fault handler for page access because it might never happen. What to do is:
- You don't want any interruptions on any CPU that has access to the victim process address space. You have to find a spinlock which is used to modify the cr3 table.
- Hook page fault, replace the entry in the PTE/PDE with something that has the present bit clear and flush the TLB
- Wait in the page fault handler until cr4 points to your page (execute access only)
- Replace the PTE entry with your own, flush it, and revert back. On context switch the original value will be flushed, so you get another page fault when the process gets its time
- Do all modifications under the spinlock (I don't know where it is)