Shouldn't memory manager bring back paged out memory in PASSIVE_LEVEL IRQL?

I am directly calling some functions in other drivers (calling the DriverEntry of that driver)

The problem is that the page that contains that function seems to be paged out, because MmIsAddressValid returns false and also WinDbg says this when I try to go to that address:

Memory access error in 'u 0xF72BA57F'

But the address is correct (the symbol gets resolved and I can see that this is in fact the DriverEntry for that driver).

So my question is: how can I bring the paged-out code back to memory so I can call it? I don't mess with IRQL in my code and it's running at the default IRQL. I thought that when I am running at the default IRQL the memory manager would take care of the paged-out stuff and bring it back to memory when I try to jump to it, but it seems not to do it, since I get a BSOD.

By default IRQL I mean PASSIVE_LEVEL; based on my understanding, this is the default in drivers if we don't mess with it.

I think using MmProbeAndLock might help, but I'm not sure how I can convert the address of the driver's EntryPoint to an MDL, because it seems to need an IRP to construct an MDL. But I am not sending an IRP, I am just jumping there?

I also heard that this might be because of the target driver using

#pragma alloc_text(INIT, DriverEntry)

Is this true? If so, how do I bring it back to memory?

Hmmmm… it’s hard to know where to start.

Why in the world would you call the DriverEntry entrypoint of another driver. Just don’t do that. Don’t. Do. It.

And, yes… if the target driver has placed DriverEntry into the INIT segment, the memory is discarded. So, it can’t be brought back into memory.

And, finally… why are you guessing at what IRQL you’re running at? What does KeGetCurrentIrql tell you? Note that many driver entry points are called (or can be called) at IRQL DISPATCH_LEVEL.

Bottom line: What you want to do (call DriverEntry of another driver) is unsupported, dangerous, and very silly.

What is it that you are trying to accomplish? What’s the big picture here that you think you’re solving by calling another driver’s DriverEntry?

Peter

If you have access to the source code of the target driver:

/SECTION:INIT,!D

Otherwise, you simply can't. (I mean you sort of can if you read the file on disk and re-allocate the INIT section's memory, but I won't give you any example or code because you're stupid for trying to do this.)
Looking at OP's post history, 'kernelboi' is most likely writing some bad-bad Russian/Chinese anti-cheat and tries to manually map and execute some of their kernel components/drivers. Please don't.

most likely writing some bad-bad Russian/Chinese anti-cheat

As long as we believe he’s not writing malware, per se, I’ll let him keep his account here (all things being equal).

If the general consensus becomes that he’s writing malware, I’ll ban him.

Peter


At the moment it just appears to be idiot-ware. But as we have learned, beware the idiots on the march.

Mark Roddy

Now why in the world MmProbeAndLock would help to ‘bring back’ a function in a discarded section I cannot comprehend, but it has made me laugh.

i thought when i am running at default IRQL the memory manager will take care of the paged out stuff and bring it back to memory when i try to jump to it,

Yes, it will. You don’t have “paged out stuff”. You have discarded stuff. That isn’t backed by the page file, and will never come back. Fortunately, you don’t need it to. If the driver has been loaded, so that DriverEntry is discarded, then DriverEntry has already been called.

Is this a device driver or an import driver?
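The two replies above make the same point from two sides: the `/SECTION:INIT,!D` linker option flips a flag in the driver's section table, and the reason the code is "gone" rather than "paged out" is that flag. The script below is an added example, not code from anyone in this thread. It parses a PE section table with nothing but `struct`, classifies each section the way the kernel loader treats driver sections (discardable flag set: freed after initialization; name beginning with PAGE: pageable; anything else: resident), and shows what clearing the D bit does. The sample image is constructed in the script with the section flag values typical of a WDK-built driver; the offsets and bit values are the standard PE ones from winnt.h.

```python
# Added example (not from the thread): inspect a driver image's section table and say,
# for each section, what the memory manager will do with it after load. A constructed
# sample image is built below; run it against a real .sys with
# parse_sections(open(path, "rb").read()).
import struct

# IMAGE_SECTION_HEADER.Characteristics bits (winnt.h)
IMAGE_SCN_CNT_CODE        = 0x00000020
IMAGE_SCN_MEM_DISCARDABLE = 0x02000000  # the "D" in /SECTION:INIT,!D
IMAGE_SCN_MEM_NOT_PAGED   = 0x08000000
IMAGE_SCN_MEM_EXECUTE     = 0x20000000
IMAGE_SCN_MEM_READ        = 0x40000000
IMAGE_SCN_MEM_WRITE       = 0x80000000

SECTION_HEADER_FMT = "<8sIIIIIIHHI"               # 40-byte IMAGE_SECTION_HEADER
SECTION_HEADER_SIZE = struct.calcsize(SECTION_HEADER_FMT)


def parse_sections(image: bytes):
    """Walk DOS header -> PE signature -> COFF header -> section table.
    Returns [(name, characteristics), ...]."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ image")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    (num_sections,) = struct.unpack_from("<H", image, coff + 2)   # NumberOfSections
    (opt_size,) = struct.unpack_from("<H", image, coff + 16)      # SizeOfOptionalHeader
    table = coff + 20 + opt_size
    out = []
    for i in range(num_sections):
        hdr = struct.unpack_from(SECTION_HEADER_FMT, image, table + i * SECTION_HEADER_SIZE)
        name = hdr[0].rstrip(b"\0").decode("ascii", "replace")
        out.append((name, hdr[9]))
    return out


def classify(name: str, characteristics: int) -> str:
    """How the kernel loader treats a driver section once DriverEntry has returned."""
    if characteristics & IMAGE_SCN_MEM_DISCARDABLE:
        # Freed when initialization completes. Not backed by the page file, so no
        # page fault will ever bring it back; MmIsAddressValid reports it invalid.
        return "discarded"
    if name.upper().startswith("PAGE"):
        # Driver sections named PAGE* are the ones the memory manager pages out and
        # faults back in on access (which requires IRQL below DISPATCH_LEVEL).
        return "pageable"
    return "resident"


def clear_discardable(characteristics: int) -> int:
    """Effect of the linker option /SECTION:INIT,!D on the section flags: the D bit is
    cleared, so the loader no longer frees the section after initialization."""
    return characteristics & ~IMAGE_SCN_MEM_DISCARDABLE


def report(image: bytes) -> dict:
    return {name: classify(name, chars) for name, chars in parse_sections(image)}


def build_test_image(sections):
    """Constructed, minimal PE-shaped bytes: only the fields parse_sections reads are
    meaningful. This is test data, not a real driver."""
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    opt_size = 0xF0                                 # PE32+ optional header size
    coff = struct.pack("<HHIIIHH", 0x8664, len(sections), 0, 0, 0, opt_size, 0x2022)
    body = bytearray(b"PE\0\0" + coff + bytes(opt_size))
    for name, chars in sections:
        body += struct.pack(SECTION_HEADER_FMT, name.encode().ljust(8, b"\0"),
                            0x1000, 0x1000, 0x1000, 0x400, 0, 0, 0, 0, chars)
    return bytes(dos + body)


# Section flag values typical of a WDM driver built with the WDK (constructed sample).
SAMPLE_DRIVER_IMAGE = build_test_image([
    (".text", IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_NOT_PAGED),
    ("PAGE",  IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ),
    ("INIT",  IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ
              | IMAGE_SCN_MEM_WRITE | IMAGE_SCN_MEM_DISCARDABLE),
])

if __name__ == "__main__":
    for name, chars in parse_sections(SAMPLE_DRIVER_IMAGE):
        print(f"{name:8s} 0x{chars:08X} {classify(name, chars)}")
```

Running it on the constructed image reports `.text` as resident, `PAGE` as pageable and `INIT` as discarded; the same INIT flags with the D bit cleared come back as resident, which is exactly why `/SECTION:INIT,!D` only helps if you can rebuild the target driver.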

It's funny how y'all are comparing writing cheats to writing malware and acting like it's some disgraceful thing to do…

Guess what: me writing some cheat so some kid can bypass an anti-cheat and cheat in his favorite video game DOESN'T HURT ANYONE, and it's not illegal to do… Matter of fact, we are doing anti-cheat companies favors too, because without us they are out of a job… But go ahead and ban me for doing honest work to earn money for myself.

It's funny how y'all are comparing writing cheats to writing malware

Well… We question the motives of anyone who clearly doesn’t know how to write Windows kernel mode software, and wants to do exceptionally unusual and unsupported things in kernel mode that do not “fit” with the things one does when writing ordinary Windows drivers. We have learned, over the many years we’ve been here, that this is often the pattern of semi-amateur malware developers. And we try not to help malware developers here.

That’s all. I don’t care if you want to build a game cheat or game anti-cheat. But knowing what you’re doing helps me decide how hard I’m willing to work to answer your questions… and if I want to help at all.

Peter


On a side note, I am of the opinion that no one should be banned for asking for help in writing exploits, or discussing exploits.

As ridiculous as it may seem to some, public discussion, and even helping, will open a lot more developers to the type of thinking, and make them think about securing their code.

Of course, it should not be allowed to overflow all other discussions, but just a thread or so around.

we are doing anti-cheat companies favors too, because without us they are out of a job
yeah~ criminal sounds~

Sounds of idiots who don’t know what’s more important and more valuable.

me writing some cheat so some kid can bypass an anti-cheat and cheat in his favorite video game DOESN'T HURT ANYONE, and it's not illegal to do.

Of course it hurts someone. It hurts the other competitors who do not have the advantage of your “cheat”. Many of these games have monetary or non-monetary prizes, which brings you into conspiracy to commit fraud. And, of course, you are violating the license agreement, and that certainly has the force of law.

Morals are important.

I second the idea that security by obscurity is no security at all and that open and frank discussion of security holes that exist should be actively encouraged. This may not be the proper forum, but I'll leave that up to the discretion of he who runs it (sometimes known as the hanging judge).

In my mind that extends into the detailed discussion of technical flaws, especially from the point of view of why mistakes get made in general, and by extension what mistakes I am likely to make and how to be aware of them and avoid them; but not into the realm of helping people to exploit flaws that exist.

I have not really cared about computer games since the decision not to port the NTVDM to x64. Since then, I haven't been able to play any of the 16-bit games I knew so well.

… which brings you into conspiracy to commit fraud. And, of course, you are violating the license agreement, and that certainly has the force of law.

As a general rule, whenever someone who does not happen to be a lawyer starts speaking about legal issues, they normally have a pretty good chance of starting to sound like a dimwit who perpetuates the various "suburban myths" that, despite all their apparent popularity with the not-so-bright "average Joe" (as well as with his wife Jane), may sound really funny to anyone "in the know".

For not-so-obvious (at least to me) reasons, I've got a weird feeling that this may very well be the case in this particular situation. Whenever I recall that the laws may (and actually do) vary across jurisdictions, this feeling intensifies greatly…

Morals are important.

When it comes to morals, this is, indeed, the area of the above-mentioned couple's expertise. Therefore, I would rather recommend you stick to this particular domain. After all, you seem to be really good at moralizing…

Anton Bassov

Blablabla, he is writing a cheat (which is similar to malware/a rootkit nowadays), so no one is going to help him.
It's unethical, immoral, and usually against the game's ToS. I don't know what's hard to understand.

There are enough other obscure forums full of children for that kind of stuff.

we are doing anti-cheat companies favors too, because without us they are out of a job

Sounds of idiots who don’t know what’s more important and more valuable.

Actually, the OP presents quite an interesting argument. After all, if you stretch your imagination a bit, you can extend this logic not only to the malware writers who can be claimed "to do a favour to the AV companies", but to burglars as well. Imagine a lawyer claiming that his client who stands trial on burglary charges had actually "tried to do a favour to the security firm, because it would be out of business otherwise". I just wonder what the judge's reaction would be like…

Anton Bassov
