MmProtectMdlSystemAddress Question

Hello all,

I am trying to patch a kernel32 function from kernel mode in a specific
process context. For that I have to change the page protection first.
Unfortunately in kernel mode there is no exported equivalent of
ZwProtectVirtualMemory.

Hence I created a SystemAddress MDL out of the virtual address with Write
access and wrote to it.

But unfortunately the code changed across the system. Copy-on-write was not
honoured.

Does anybody know how to change the protection of a page from kernel mode and
honour Copy-on-write?

Thanks
Ahmad

Are you saying that after you changed the kernel32 code, the change was not propagated to new processes?

mm

Well it propagated to all processes :) not selectively the process I
desired as we expect in Copy-on-write

On Wed, May 5, 2010 at 4:40 PM, wrote:

> Are you saying that after you changed the kernel32 code, the change was not
> propagated to new processes?
>
>
> mm
>
> —
> NTDEV is sponsored by OSR
>
> For our schedule of WDF, WDM, debugging and other seminars visit:
> http://www.osr.com/seminars
>
> To unsubscribe, visit the List Server section of OSR Online at
> http://www.osronline.com/page.cfm?name=ListServer
>


Ahmad

You’re undercutting the memory manager by doing this.

mm

As far as I know, by using Copy-On-Write, different references to the same file (in this case DLLs) whose data was not changed make several processes refer to the same memory pages until someone makes a write to it. When someone makes a change, this one gains a new page with its private change, not affecting the ones with previous references. That’s how Copy-On-Write works.

Disabling this will make all the previous references see the change you’ll do. So you can’t select which process will see the change by disabling Copy-On-Write. One alternative to make the selective process happen is to change the data on each new reference a DLL will gain (keeping Copy-On-Write); this way only the process whose data you change will see the change.

Regards,

Fernando Roberto da Silva
DriverEntry Kernel Development
http://www.driverentry.com.br

Yes, precisely, I wanna change the protection of a particular virtual page of
a particular process from kernel mode, something like a ProtectVirtualMemory()
call in kernel mode.

So does anyone know this?

On Wed, May 5, 2010 at 6:38 PM, wrote:

> As far as I know, by using Copy-On-Write, different references to the same
> file (in this case DLLs) whose data was not changed make several
> processes refer to the same memory pages until someone makes a write to it.
> When someone makes a change, this one gains a new page with its private
> change, not affecting the ones with previous references. That’s how
> Copy-On-Write works.
>
> Disabling this will make all the previous references see the change
> you’ll do. So you can’t select which process will see the change by
> disabling Copy-On-Write. One alternative to make the selective process
> happen is to change the data on each new reference a DLL will gain (keeping
> Copy-On-Write); this way only the process whose data you change will see
> the change.
>
> Regards,
> –
> Fernando Roberto da Silva
> DriverEntry Kernel Development
> http://www.driverentry.com.br
>


Ahmad

> But unfortunately the code changed across the system. Copy-on-write was not honoured

Impossible, Windows MM does not support such things.

Since the file of kernel32.dll is read-only, the mapping cannot be mapped with Write access, only Read or COW.

And, COW will allocate a private page for this process and copy there. Other processes will not see the update.

Why are you using hooking? Maybe there are better ways of doing such things?


Maxim S. Shatskih
Windows DDK MVP
xxxxx@storagecraft.com
http://www.storagecraft.com

> > But unfortunately the code changed across the system. Copy-on-write
> > was not honoured
>
> Impossible, Windows MM does not support such things.
>
> Since the file of kernel32.dll is read-only, the mapping cannot be
> mapped with Write access, only Read or COW.
>
> And, COW will allocate a private page for this process and copy
> there. Other processes will not see the update.

If you modify a page through an MDL mapping, COW will not be
triggered so the modification will be visible in all processes (kind of
like setting a user mode breakpoint from kd).

Executable images are in fact supposed to be read-only, so if the
modified page is trimmed it will not be written back to the image.
It will instead become backed by the pagefile (but still shared, like
a pagefile-backed section page).


Pavel Lebedinsky/Windows Fundamentals Test
This posting is provided “AS IS” with no warranties, and confers no rights.
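
A user-mode analogue of the behaviour described in the replies above, added here as an example and not code from any poster: two `mmap.ACCESS_COPY` views (FILE_MAP_COPY on Windows, MAP_PRIVATE on POSIX) stand in for two processes mapping the same file, and an `ACCESS_WRITE` view stands in, as an assumption, for a write that reaches the shared page without going through a COW view. The temporary file and the byte values are constructed.

```python
import mmap
import os
import tempfile

PAGE = mmap.PAGESIZE
ORIG, PATCH = 0x90, 0xCC  # constructed byte values, not real kernel32 code


def cow_visibility():
    """Return what each view reads after a COW write and a shared-page write."""
    fd, path = tempfile.mkstemp()  # constructed stand-in for a mapped DLL page
    views = []
    try:
        os.write(fd, bytes([ORIG]) * PAGE)
        # Two copy-on-write views play the role of two processes mapping the file.
        proc_a = mmap.mmap(fd, PAGE, access=mmap.ACCESS_COPY)
        proc_b = mmap.mmap(fd, PAGE, access=mmap.ACCESS_COPY)
        # A writable shared view plays the role of a write that reaches the
        # shared page directly instead of going through a COW view.
        direct = mmap.mmap(fd, PAGE, access=mmap.ACCESS_WRITE)
        views = [proc_a, proc_b, direct]

        # Case 1: write through A's COW view. A gets a private copy of the page.
        proc_a[0] = PATCH
        after_cow = {"a": proc_a[0], "b": proc_b[0], "shared": direct[0]}

        # Case 2: write to the shared page itself. B never took a private copy,
        # so it sees the change; A already owns a private copy and does not.
        direct[1] = PATCH
        after_direct = {"a": proc_a[1], "b": proc_b[1], "shared": direct[1]}
        return after_cow, after_direct
    finally:
        for v in views:
            v.close()
        os.close(fd)
        os.unlink(path)


if __name__ == "__main__":
    for label, result in zip(("COW write", "shared-page write"), cow_visibility()):
        print(label, {k: hex(v) for k, v in result.items()})
```

Case 2 depends on private views sharing unmodified pages with the shared view of the same file; POSIX leaves this unspecified, and Linux behaves as shown.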