Banton Assov, rides again, *toot*ing his horn or heraldry for the one true king, Anton!
I’m back with curiosity again (don’t hate me because I’m curious; last time people got helpful eventually and I learned a lot). Today I want to know how kernel page tables work on PAE systems. The way I think things work on PAE != the way they must work != the way they work on non-PAE. Specifically I’m trying to understand how a tool like Mandiant Memoryze (http://www.mandiant.com/products/free_software/memoryze/) can load a kernel module which reconstructs user processes from the kernel. So first I describe non-PAE, which makes sense (and maybe my description will leave something useful for some future googler).
First I pick an unused VA.
kd> lm
fa239000 fa239d00 dxgthk (deferred)
kd> dd fa239000 L1
fa239000  00905a4d            (mapped)
kd> dd fa23A000 L1
fa23a000  ???                 (unmapped)
My first unused VA where I will map page directory is fa23A000. So I need to find PTE for it to hack in windbag.
kd> !pte fa239000
               VA fa239000
PDE at   C0300FA0       PTE at   C03E88E4
contains 01773963       contains 00EDF963
pfn 1773 -G-DA--KWEV    pfn edf  -G-DA--KWEV
yay, PTEs after fa239000 for fa23A000, fa23B000, fa23C000 are all unused. I will map userspace process PD to fa23A000, PT to fa23B000, and page to fa23C000
So as everyone says, DirBase == CR3 == physical address. So I will hack PTE by just copying bottom 12 flag bits from existing entry and adding to physical address of DirBase.
kd> dd fa23A000 L1
fa23a000  0823e867            (mapped page dir to previously unused memory)
OK, so where do I want to go? Well, PE headers say the base VA for wscript.exe is 0x01000000. Break that up: upper 10 bits PD index, next 10 bits page table index, and you get PDI = 4, PTI = 0. PDI * sizeof(PDE) = 4 * 4 = 0x10, so the pointer to physical memory for the page table should be at fa23a000 + 0x10.
kd> dd fa23A000+0x10 L1
fa23a010  085c0867
so physical address = 0x085C0000, let’s hack another PTE to map that physical to virtual
kd> db fa23c000 L2
fa23c000  4d 5a               MZ
All is great! We found the first page of wscript.exe! Do I know that it could have been paged out? Yes. Do I know that to do it fully like Mandiant does, I would have to read the page file? Yes. Do I know anything about the page file? No. Do I want to? Yes. Did I google it? No. Do you want to tell me the best link for learning about page files? Yes.
ANYWAY, everything is happy in non-PAE land. let’s see evil PAE land.
(reboot) (followed by wishing I hadn’t rebooted before I showed you that the DirBase was different for each process)
What?! How can everyone have the same upper 20 bits?! They would all be in the same memory space, which shouldn’t be true in userspace. OK, well google says DirBase == KPROCESS.DirectoryTableBase, and KPROCESS is at the beginning of EPROCESS, so?
OK, doesn’t mean anything to me. If I display it as a qword, it’s too big to be a PAE physical address, which can still only be 36 bits I think (the intel manual implies it can go bigger but I don’t think anyone does go bigger). So my options are maybe treat the physical address as 0x2700000 or maybe 0x280000 or maybe 0xd73a000? This is obviously where I go back to hacking PTEs, but no guess for how to interpret the DirBase has successfully led me to the image base of a userspace process (and actually if I try the 0xd73a000 it locked up my debug session!).
So I know someone here knows: how do I interpret a PAE DirBase as a physical address/PFN?
BA
p.s. yes I searched google and the old OSR list posts, no one has described the PAE DirBase.
p.p.s. remember: it’s anton’s world, we’re just living in it
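The page-table walk that the first post does by hand in WinDbg, and the PAE layout it asks about, as an added example that is not from the thread, from Memoryze, or from any Windows source. It uses the Intel definition of PAE paging: CR3 holds, in bits 31:5, the physical address of a 32-byte-aligned page-directory-pointer table of four 8-byte entries, after which the address splits 2/9/9/12 with 8-byte entries, whereas non-PAE splits 10/10/12 with 4-byte entries. Because a PDPT is only 32 bytes, many of them can sit in one physical frame, so DirBase values that share their upper bits and differ only in the low ones are what that layout produces. Every address, frame number and entry value in the image is constructed for the example; the walker returns None when an entry is not present, which is the point at which a memory-forensics tool has to go to the page file.

```python
"""Translate an x86 virtual address to a physical one by walking the page
tables in a physical-memory image, for both non-PAE and PAE layouts.
All addresses and entry values below are constructed for this example."""
import struct

PAGE = 0x1000
PRESENT = 1          # bit 0 of a PDPTE/PDE/PTE
LARGE = 1 << 7       # PS bit of a PDE: 4 MiB page (non-PAE) or 2 MiB page (PAE)
PAE_ADDR = 0x000FFFFFFFFFF000  # address field of an 8-byte PAE entry (bits 12..51)


class PhysMem:
    """Sparse physical memory: page-frame number -> 4 KiB bytearray.
    Reading a frame that is not in the image raises, which is what a
    forensic tool sees when a page was never captured."""
    def __init__(self):
        self.frames = {}

    def read(self, paddr, size):
        frame = self.frames.get(paddr >> 12)
        if frame is None:
            raise ValueError("frame %#x not in image" % (paddr >> 12))
        return bytes(frame[paddr & 0xFFF:(paddr & 0xFFF) + size])

    def write(self, paddr, data):
        frame = self.frames.setdefault(paddr >> 12, bytearray(PAGE))
        frame[paddr & 0xFFF:(paddr & 0xFFF) + len(data)] = data


def split_nonpae(va):
    """10-bit PD index, 10-bit PT index, 12-bit page offset."""
    return (va >> 22) & 0x3FF, (va >> 12) & 0x3FF, va & 0xFFF


def split_pae(va):
    """2-bit PDPT index, 9-bit PD index, 9-bit PT index, 12-bit page offset."""
    return (va >> 30) & 0x3, (va >> 21) & 0x1FF, (va >> 12) & 0x1FF, va & 0xFFF


def walk_nonpae(mem, cr3, va):
    """CR3 bits 31:12 locate a 4 KiB page directory of 1024 4-byte entries.
    Returns the physical address, or None if a level is not present."""
    pdi, pti, off = split_nonpae(va)
    pde, = struct.unpack("<I", mem.read((cr3 & 0xFFFFF000) + pdi * 4, 4))
    if not pde & PRESENT:
        return None
    if pde & LARGE:                      # 4 MiB page: frame in PDE bits 31:22
        return (pde & 0xFFC00000) | (va & 0x3FFFFF)
    pte, = struct.unpack("<I", mem.read((pde & 0xFFFFF000) + pti * 4, 4))
    if not pte & PRESENT:
        return None
    return (pte & 0xFFFFF000) | off


def walk_pae(mem, cr3, va):
    """CR3 bits 31:5 locate a 32-byte page-directory-pointer table (4 entries
    of 8 bytes); the low 5 bits are not part of the address. Every later
    entry is 8 bytes wide, and each table holds 512 of them."""
    pdpti, pdi, pti, off = split_pae(va)
    pdpte, = struct.unpack("<Q", mem.read((cr3 & 0xFFFFFFE0) + pdpti * 8, 8))
    if not pdpte & PRESENT:
        return None
    pde, = struct.unpack("<Q", mem.read((pdpte & PAE_ADDR) + pdi * 8, 8))
    if not pde & PRESENT:
        return None
    if pde & LARGE:                      # 2 MiB page: frame in PDE bits 51:21
        return (pde & 0x000FFFFFFFE00000) | (va & 0x1FFFFF)
    pte, = struct.unpack("<Q", mem.read((pde & PAE_ADDR) + pti * 8, 8))
    if not pte & PRESENT:
        return None
    return (pte & PAE_ADDR) | off


# Constructed image: both layouts map VA 0x01000000 to one page starting "MZ".
IMAGE_BASE = 0x01000000
MZ_PAGE = 0x0ABCD000          # constructed frame holding the PE header
CR3_NONPAE = 0x0823E000       # constructed non-PAE page directory
CR3_PAE = 0x00A0C020          # constructed: PDPT at offset 0x20 inside frame 0xA0C
FLAGS = 0x067                 # P | RW | US | A | D
MEM = PhysMem()
MEM.write(MZ_PAGE, b"MZ\x90\x00")

# non-PAE: PD[4] -> page table at 0x085C0000, PT[0] -> MZ_PAGE; PD[8] left absent
MEM.write(CR3_NONPAE + 4 * 4, struct.pack("<I", 0x085C0000 | FLAGS))
MEM.write(0x085C0000 + 0 * 4, struct.pack("<I", MZ_PAGE | FLAGS))

# PAE: PDPT[0] -> PD at 0x0D73A000, PD[8] -> PT at 0x0C100000, PT[0] -> MZ_PAGE
MEM.write(CR3_PAE + 0 * 8, struct.pack("<Q", 0x0D73A000 | PRESENT))  # PDPTE carries P only
MEM.write(0x0D73A000 + 8 * 8, struct.pack("<Q", 0x0C100000 | FLAGS))
MEM.write(0x0C100000 + 0 * 8, struct.pack("<Q", MZ_PAGE | FLAGS))

if __name__ == "__main__":
    for name, walk, cr3 in (("non-PAE", walk_nonpae, CR3_NONPAE), ("PAE", walk_pae, CR3_PAE)):
        pa = walk(MEM, cr3, IMAGE_BASE)
        print("%s: VA %#x -> PA %#x, bytes %r" % (name, IMAGE_BASE, pa, MEM.read(pa, 2)))
    print("unmapped VA:", walk_nonpae(MEM, CR3_NONPAE, 0x02000000))
```

Pointing the same walker at a real raw memory dump only needs `PhysMem.read` replaced by a file read at the physical offset; the index arithmetic and entry widths are what differ between the two modes, and the `cr3 & 0xFFFFFFE0` mask is the PAE interpretation of DirBase.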
So you’re telling me the name Scott No One is real? I always assumed that was an alias to protect your privacy.
As I said (or at least implied) before, I’m *not* a professional, I am just a student trying to understand real OSes vs what’s taught in school. If you don’t like my playful attitude, I’m sure I can find another alias to post under, but I have no particular desire to see my name in lights in google searches.
As I can understand, you are also trying to take care of your privacy. Well, from what I’ve noticed you post only in European time, which gives me hints that most likely you live somewhere between GMT and GMT + 1 (maybe +2) in Europe. Now, you say that you don’t want your name to be shown in google, which already gives a hint that you are a person who has something behind his shoulders, and you are definitely not a student.
It will be interesting if group moderators would reveal your IP address here so that we can work further on your privacy issues.
Did it occur to you, Banton, that the name Noone might be genuine, and might be pronounced just like the hour at the middle of the day?
This community has been very accommodating of students who do their homework before asking questions here. It’s not so helpful to those who show up and post disrespectfully. This list mostly comports itself as if it was a face-to-face community. Act that way.
If you don’t want to show up in Google searches, don’t post here.
Phil
Philip D Barila
Phil: It did occur to me, that’s why I just wanted to get a confirmation. Because it really looked like an alias to me.
Also, are you really claiming based on my post that I didn’t do my homework? Do you want me to post the windbg output where I map the 0x2700000 address and don’t find memory that corresponds to memory seen by windbg within the VM, despite the present bit being set? I don’t see how I could have done more homework than this…
Volodymyr: Are you kidding me? Not wanting my real name on the internet is somehow suspicious??? Tell that to the Skape’s and Skywings who posted to this list before ever revealing their real names, once they eventually became smart enough to be respected. I didn’t want to take it in this direction, but I’m not like you professionals in that I am trying to gain status points with my peers, or contracts for my business. I just want to understand how things work, and I come to you reluctantly after days of failed googling. (man…with all the talk of kids being stupid and posting stuff on facebook that will come back to bite them later, is it really that impossible to believe that some kids are smart enough to *not* want their entire life archived on the internet?)
I know the list is under no obligation whatsoever to help me. But I think the people who actually bother to spend their free time answering questions (vs. those who I think are paid to) in this list know that their influence goes beyond just helping one person. Your responses are archived and often top hits on google, which helps other kernel devs who never need to post thanks to past answers. So I’m appealing to you for the future people and past people out there who’ve asked and not gotten answers.
It occurs to me that you do not care at all how much of a flaming asshole you are.
Mark Roddy
On Fri, Nov 19, 2010 at 11:53 AM, wrote:
> So you’re telling me the name Scott No One is real? I always assumed that was an alias to protect your privacy.
>
> As I said (or at least implied) before, I’m not a professional, I am just a student trying to understand real OSes vs what’s taught in school. If you don’t like my playful attitude, I’m sure I can find another alias to post under, but I have no particular desire to see my name in lights in google searches.
>
> BA
> So you’re telling me the name Scott No One is real? I always assumed that was an alias to protect your privacy.
I see you’ve never heard of Herman’s Hermits (unfortunately the only famous Noone that I know of).
> I’m sure I can find another alias to post under, but I have no particular desire to see my name in lights in google searches.
Then post under Fred Flintstone or Andy Pandy instead of taking jabs at another community member. I suspect that until you do every post that you make is going to be met with the same attitude as this one.
To avoid this spiralling out of control I’m locking the thread.