PAEne in the ass

Banton Assov, rides again, *toot*ing his horn or heraldry for the one true king, Anton!

I’m back with curiosity again (don’t hate me because I’m curious? Last time people got helpful eventually and I learned a lot). Today I want to know how kernel page tables are for PAE systems. The way I am thinking things work on PAE != the way they must work != the way they work on non-PAE. Specifically I’m trying to understand how a tool like Mandiant Memoryze (http://www.mandiant.com/products/free_software/memoryze/) can load a kernel module which reconstructs user processes from the kernel. So first I describe non-PAE, which makes sense (and maybe my description will leave something useful for some future googler :)

First I pick unused VA.

kd> lm

fa239000 fa239d00 dxgthk (deferred)

kd> dd fa239000 L1
fa239000 00905a4d
(mapped)

kd> dd fa23A000 L1
fa23a000 ???
(unmapped)

My first unused VA where I will map page directory is fa23A000. So I need to find PTE for it to hack in windbag.

kd> !pte fa239000
VA fa239000
PDE at C0300FA0 PTE at C03E88E4
contains 01773963 contains 00EDF963
pfn 1773 -G-DA--KWEV pfn edf -G-DA--KWEV

kd> dd C03E88E4 L4
c03e88e4 00edf963 00000000 00000000 00000000

yay, PTEs after fa239000 for fa23A000, fa23B000, fa23C000 are all unused. I will map userspace process PD to fa23A000, PT to fa23B000, and page to fa23C000

So how to get page?

!process 0 0

PROCESS 822d0928 SessionId: 0 Cid: 06c8 Peb: 7ffda000 ParentCid: 0734
DirBase: 08307000 ObjectTable: e23bb9c0 HandleCount: 176.
Image: wscript.exe

ok, wscript is last, so use that.

So as everyone says, DirBase == CR3 == physical address. So I will hack PTE by just copying bottom 12 flag bits from existing entry and adding to physical address of DirBase.

kd> dd C03E88E4 L4
c03e88e4 00edf963 08307963 00000000 00000000

Now if I let debugger update

kd> dd fa23A000 L1
fa23a000 0823e867
(mapped page dir to previously unused memory)

OK, so where do I want to go? Well, PE headers say base VA for wscript.exe is 0x01000000. Break that up upper 10 bits PD index , next 10 bits page table index and you get PDI = 4, PTI = 0. PDI * sizeof(PDE) = 4 * 4 = 0x10, so pointer to physical memory for page table should be at fa23a000 + 0x10.

kd> dd fa23A000+0x10 L1
fa23a010 085c0867

so physical address = 0x085C0000, let’s hack another PTE to map that physical to virtual

kd> dd C03E88E4 L4
c03e88e4 00edf963 08307963 085c0963 00000000

(let debugger update)

kd> dd fa23B000 L1
fa23b000 0afb7005
(mapped page table to previously unused memory)

now we said that PTI = 0, so AFB7000 is the physical for page! hack PTE again:

kd> dd C03E88E4 L4
c03e88e4 00edf963 08307963 085c0963 0afb7963

kd> db fa23c000 L2
fa23c000 4d 5a MZ
:smiley: all is great! we found the first page of wscript.exe! do I know that could have been paged out? yes. do I know that to do fully like mandiant does, I would have to read page file? yes. do I know anything about page file? no. do I want to? yes. did I google it? no. do you want to tell me the best link for learning about page files? yes. :slight_smile:

ANYWAY, everything is happy in non-PAE land. let’s see evil PAE land.

(reboot)
(followed by wish I wouldn’t have rebooted before I showed you that the DirBase was different for each process)

!process 0 0

PROCESS 821bdca8 SessionId: 0 Cid: 073c Peb: 7ffd4000 ParentCid: 02b8
DirBase: 027002e0 ObjectTable: e23af508 HandleCount: 94.
Image: VMUpgradeHelper.exe

PROCESS 82030858 SessionId: 0 Cid: 079c Peb: 7ffd5000 ParentCid: 0424
DirBase: 02700300 ObjectTable: e23c3ee8 HandleCount: 144.
Image: wuauclt.exe

PROCESS 821d35a8 SessionId: 0 Cid: 01d8 Peb: 7ffde000 ParentCid: 02b8
DirBase: 02700280 ObjectTable: e2421100 HandleCount: 101.
Image: alg.exe

what?! How can everyone have the same upper 20 bits?! They would all be in the same memory space, which shouldn’t be true in userspace. OK, well, Google says DirBase == KPROCESS.DirectoryTableBase, and KPROCESS is at the beginning of EPROCESS, so?

kd> dt _KPROCESS 821d35a8
ntdll!_KPROCESS
+0x000 Header : _DISPATCHER_HEADER
+0x010 ProfileListHead : _LIST_ENTRY [0x821d35b8 - 0x821d35b8]
+0x018 DirectoryTableBase : [2] 0x2700280

ok, it’s an array, so let’s see what’s in other DWORD.

kd> dd 821d35a8+0x18 L2
821d35c0 02700280 0000d73a

ok, doesn’t mean anything to me. If I display it as a qword, it’s too big to be a PAE physical address, which can still only be 36 bits I think (the Intel manual implies it can go bigger but I don’t think anyone does go bigger). So my options are maybe treat the physical address as 0x2700000 or maybe 0x280000 or maybe 0xd73a000? This is obviously where I go back to hacking PTEs, but no guess for how to interpret the DirBase has successfully led me to the image base of a userspace process :( (and actually if I try 0xd73a000 it locks up my debug session!)

So I know someone here knows: how do I interpret a PAE DirBase as a physical address/PFN?

BA

p.s. yes I searched google and the old OSR list posts, no one has described PAE DirBase

p.p.s. remember: it’s anton’s world, we’re just living in it
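A compact model of the translation the post walks through by hand, added here as an example (not code from the original post, and not Memoryze’s code): the non-PAE 10/10/12 split and the flag-copying PTE hack, driven by the kd values above, plus, as a generalization the post does not reach, the PAE 2/9/9/12 split in which the Intel SDM defines the CR3/DirBase value as a 32-byte aligned pointer to a four-entry page-directory-pointer table rather than a 4 KiB aligned page directory. The PAE table frames and entry flag bits in PAE_MEM are constructed; only the DirBase 0x02700280 comes from the thread.

```python
import struct

PAGE_MASK = 0xFFF

def split_va(va, pae):
    """Index tuple for a 32-bit VA. Non-PAE: 10/10/12 -> (PDI, PTI, offset), as in the post.
    PAE: 2/9/9/12 -> (PDPTI, PDI, PTI, offset), per the Intel SDM."""
    if pae:
        return ((va >> 30) & 0x3, (va >> 21) & 0x1FF, (va >> 12) & 0x1FF, va & PAGE_MASK)
    return ((va >> 22) & 0x3FF, (va >> 12) & 0x3FF, va & PAGE_MASK)

def hack_pte(template, phys_page):
    """The post's trick: keep the low 12 flag bits of an existing PTE, swap in a new frame."""
    return (phys_page & ~PAGE_MASK) | (template & PAGE_MASK)

def pdpt_base(dirbase):
    """PAE CR3/DirBase: bits 31:5 address a 32-byte aligned, 4-entry PDPT (Intel SDM), so
    several processes' PDPTs can sit in one 4 KiB frame and differ only in the low bits."""
    return dirbase & ~0x1F

def walk(mem, dirbase, va, pae):
    """Translate va through the tables in mem (dict: physical address -> little-endian
    bytes). 4 KiB pages only (no PS bit handling); returns None on a non-present entry."""
    if pae:
        table, esize, addr_mask = pdpt_base(dirbase), 8, 0x000FFFFFFFFFF000
    else:
        table, esize, addr_mask = dirbase & ~PAGE_MASK, 4, 0xFFFFF000
    *levels, offset = split_va(va, pae)
    for idx in levels:
        entry = int.from_bytes(mem.get(table + idx * esize, b"\0" * esize), "little")
        if not entry & 1:            # present bit clear: paged out or never mapped
            return None
        table = entry & addr_mask    # frame of the next table, or of the final page
    return table + offset

# Constructed physical memory for the post's non-PAE walk; the entry values are the kd output.
NONPAE_MEM = {
    0x08307000 + 4 * 4: struct.pack("<I", 0x085C0867),  # PDE[4] -> page table at 0x085c0000
    0x085C0000 + 0 * 4: struct.pack("<I", 0x0AFB7005),  # PTE[0] -> page at 0x0afb7000
    0x0AFB7000: b"MZ",                                  # first bytes of wscript.exe
}

# Constructed PAE memory: only DirBase 0x02700280 is from the thread; the frames
# 0x0A000000/0x0A001000/0x0A002000 and the entry flag bits are made up for this example.
PAE_MEM = {
    0x02700280 + 0 * 8: struct.pack("<Q", 0x0A000001),  # PDPTE[0] -> page directory
    0x0A000000 + 8 * 8: struct.pack("<Q", 0x0A001067),  # PDE[8] -> page table
    0x0A001000 + 0 * 8: struct.pack("<Q", 0x0A002025),  # PTE[0] -> page
    0x0A002000: b"MZ",
}
```

Note that the three DirBase values quoted from the PAE boot (0x027002e0, 0x02700300, 0x02700280) all pass pdpt_base unchanged and are three distinct 32-byte tables inside the same 4 KiB frame, which is why their upper 20 bits match.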

> So I know someone here knows: how do I interpret a PAE DirBase as a physical address/PFN?

You know, if you dropped your stupid act I would even give you a hint…

Anton Bassov

:cry:
TT

They say “never meet your heroes”… :frowning:

BA

Oh right…and I thought we went over this last time…English as a third language != stupid act

BA

Stupid act == hiding behind an alias that is an insulting play on the name of a member of this community. And this probably belongs on NTTALK.

> Stupid act == hiding behind an alias that is an insulting play on the name of a member of this community.

EXACTLY. This is a list for professionals, not children. Drop the alias and
maybe you’ll get some help, otherwise take the question elsewhere.

-scott

Scott Noone
Consulting Associate
OSR Open Systems Resources, Inc.
http://www.osronline.com

So you’re telling me the name Scott No One is real? I always assumed that was an alias to protect your privacy.

As I said (or at least implied) before, I’m *not* a professional, I am just a student trying to understand real OSes vs what’s taught in school. If you don’t like my playful attitude, I’m sure I can find another alias to post under, but I have no particular desire to see my name in lights in google searches.

BA

As far as I can understand, you are also trying to take care of your privacy.

Well, from what I’ve noticed you post only in European time, which hints that most likely you live somewhere between GMT and GMT + 1 (maybe +2) in Europe. Now, you say that you don’t want your name to be shown in Google, which already hints that you are a person who has something behind his shoulders, and that you are definitely not a student :)

It would be interesting if the group moderators revealed your IP address here so that we can work further on your privacy issues :)


Did it occur to you, Banton, that the name Noone might be genuine, and might be pronounced just like the hour at the middle of the day?
This community has been very accommodating of students who do their homework before asking questions here. It’s not so helpful to those who show up and post disrespectfully. This list mostly comports itself as if it was a face-to-face community. Act that way.
If you don’t want to show up in Google searches, don’t post here.
Phil
Philip D Barila

Yes, it’s a real name. In fact, it’s the real name of one of the people who
work to provide this list for us.

mm

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of
xxxxx@yahoo.com
Sent: Friday, November 19, 2010 11:54 AM
To: Windows System Software Devs Interest List
Subject: RE:[ntdev] PAEne in the ass



NTDEV is sponsored by OSR

For our schedule of WDF, WDM, debugging and other seminars visit:
http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at
http://www.osronline.com/page.cfm?name=ListServer

Phil: It did occur to me, that’s why I just wanted to get a confirmation. Because it really looked like an alias to me.

Also, are you really claiming based on my post that I didn’t do my homework? Do you want me to post the windbg output where I map the 0x2700000 address and don’t find memory that corresponds to memory seen by windbg within the VM, despite the present bit being set? I don’t see how I could have done more homework than this…

Volodymyr: Are you kidding me? Not wanting my real name on the internet is somehow suspicious??? Tell that to the Skapes and Skywings who posted to this list before ever revealing their real names, once they eventually became smart enough to be respected. I didn’t want to take it in this direction, but I’m not like you professionals in that I am not trying to gain status points with my peers, or contracts for my business. I just want to understand how things work, and I come to you reluctantly after days of failed googling. (man…with all the talk of kids being stupid and posting stuff on Facebook that will come back to bite them later, is it really that impossible to believe that some kids are smart enough to *not* want their entire life archived on the internet?)

I know the list is under no obligations whatsoever to help me. But I think the people who actually bother to spend their free time answering questions (vs. those who I think are paid to) in this list know that their influence goes beyond just helping one person. Your responses are archived and often top hits on google, which help other kernel devs who never need to post thanks to past answers. So I’m appealing to you for the future people and past people out there who’ve asked and not got answers :slight_smile:

BA

It occurs to me that you do not care at all how much of a flaming
asshole you are.

Mark Roddy

On Fri, Nov 19, 2010 at 11:53 AM, wrote:

Mark: Just like Anton! :smiley:

BA

Completely OT now…

> So you’re telling me the name Scott No One is real? I always assumed that was an alias to protect your privacy.

I see you’ve never heard of Herman’s Hermits (unfortunately the only famous Noone that I know of).

> I’m sure I can find another alias to post under, but I have no particular desire to see my name in lights in google searches.

Then post under Fred Flintstone or Andy Pandy instead of taking jabs at another community member. I suspect that until you do every post that you make is going to be met with the same attitude as this one.

To avoid this spiralling out of control I’m locking the thread.

-scott