Supervisor Mode Access Prevention (SMAP) is a newer mitigation that has been introduced to complement SMEP and further restrict access from the kernel to user-mode pages – it disallows both reads and writes. Just as with SMEP, its status is stored as a bit in the CR4 register.
So, does this mean that we should never access a user-mode address directly? But I have already written many drivers that accessed user-mode addresses (for example, in the process creation callback to access the PEB of the process, and obviously properly checking that the addresses are correct and putting the access in a try/catch), and have never got a BSOD from a customer regarding this access?
My questions are:
How common is it for new hardware to have this SMAP feature? Has anyone experienced any issues with it?
If this feature is on, what will happen when I, for example, try to read a user-mode address from my driver? Will there be an exception that can be caught, or...?
If this feature means that we can no longer read a user-mode address, then how can I, for example, read a user-mode address of a specific process, for example the PEB of a target process?
Considering that ntoskrnl itself reads/writes to user-mode addresses as well (duh), then how can it do that with SMAP?! I am even confused about SMEP as well, because I am pretty sure win32k.sys calls user-mode functions directly too, so how the hell can win32k call a user-mode function directly?!
Comments
AFAIK there's no SMAP on Windows because of backwards compatibility. There's a brief but interesting paper here:
https://github.com/microsoft/MSRC-Security-Research/blob/master/papers/2020/Evaluating the feasibility of enabling SMAP for the Windows kernel.pdf
It would be nice if the OS started introducing user mode buffer accessor functions (e.g. like copy_to/from_user on Linux). That would pave the way for eventually turning SMAP on.
-scott
OSR
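An added example, not code from this thread or from Windows: a small C model of the copy_from_user-style accessor the reply above wishes Windows had, applying the same range checks ProbeForRead performs before the copy (alignment, base+length wrap-around, and the range crossing the user/kernel boundary). The boundary is a parameter instead of MmUserProbeAddress, the "user" buffer is constructed, and there is no __try/__except, so it runs in user mode.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
/* Constructed model of a copy_from_user-style accessor for a Windows driver.
 * Not kernel code: the user/kernel boundary is passed in instead of reading
 * MmUserProbeAddress, and there is no __try/__except around the copy. */
enum copy_status { COPY_OK = 0, COPY_BAD_RANGE, COPY_MISALIGNED };

/* The checks ProbeForRead applies to [src, src+len): base alignment,
 * base+len wrapping around zero, and the range reaching past the user limit. */
static enum copy_status probe_user_range(const void *src, size_t len,
                                         size_t align, uintptr_t user_limit)
{
    uintptr_t base = (uintptr_t)src;
    if (len == 0)
        return COPY_OK;                 /* zero-length probes are accepted */
    if (align > 1 && (base & (align - 1)) != 0)
        return COPY_MISALIGNED;
    if (len > UINTPTR_MAX - base)
        return COPY_BAD_RANGE;          /* base + len would wrap */
    if (base + len > user_limit)
        return COPY_BAD_RANGE;          /* range reaches kernel space */
    return COPY_OK;
}

/* Validate, then copy into a kernel-owned buffer. Later code must use the
 * copy, not the user pointer, so user mode cannot change the bytes after the
 * check (TOCTOU). dst is left untouched on failure. */
static enum copy_status copy_from_user_model(void *dst, const void *src,
                                             size_t len, uintptr_t user_limit)
{
    enum copy_status st = probe_user_range(src, len, 1, user_limit);
    if (st != COPY_OK)
        return st;
    memcpy(dst, src, len);              /* in a driver: inside __try/__except */
    return COPY_OK;
}

/* Constructed 16-byte "user" buffer; the limit is set just past its end. */
static unsigned char user_buf[16] = { 0x78, 0x56, 0x34, 0x12 };
/* Reads a little-endian u32 at offset via the accessor; 0 if rejected. */
static uint32_t read_user_u32(size_t offset)
{
    unsigned char kbuf[4];
    uintptr_t limit = (uintptr_t)user_buf + sizeof user_buf;
    if (copy_from_user_model(kbuf, user_buf + offset, sizeof kbuf, limit) != COPY_OK)
        return 0;
    return (uint32_t)kbuf[0] | (uint32_t)kbuf[1] << 8 |
           (uint32_t)kbuf[2] << 16 | (uint32_t)kbuf[3] << 24;
}
```

A read at offset 0 succeeds, while a 4-byte read at offset 13 is refused because it would run past the limit, which is the case a raw pointer dereference would silently get wrong.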