Hello,
I’m developing a driver which will hook the Page Fault Handler, wait for a specific page to be requested to be loaded, and point his Page Entry’s page frame to my own allocated page.
**It might seem like malware :), but it is not.
The code is pretty much logical, the page frame is indeed replaced.
BUT, as soon as i try to IRET back to user-mode, I get a ‘memory corruption’ BSOD telling me that the PTE is corrupt.
MEMORY_MANAGEMENT (1a)
# Any other values for parameter 1 must be individually examined.
Arguments:
Arg1: 00041284, A PTE or the working set list is corrupt.
Arg2: 00401001
Arg3: 00000000
Arg4: c0883000
My question is, what could be wrong with the Page Entry?
Could it be the type of memory which is assigned to the entry is incorrect?
are some fields of the entry incorrect?
This is not going to work, Windows has additional structures about
paging that are not documented or easily locatable and which if not
updated will cause a crash. So even though you claim to not be doing
malware all you are doing is corrupting the system. This will never
work.
> Hello, > I’m developing a driver which will hook the Page Fault Handler, wait for a specific page to be requested to be loaded, and point his Page Entry’s page frame to my own allocated page. > **It might seem like malware :), but it is not. > > The code is pretty much logical, the page frame is indeed replaced. > BUT, as soon as i try to IRET back to user-mode, I get a ‘memory corruption’ BSOD telling me that the PTE is corrupt. > <br>> MEMORY_MANAGEMENT (1a)<br>> # Any other values for parameter 1 must be individually examined.<br>> Arguments:<br>> Arg1: 00041284, A PTE or the working set list is corrupt.<br>> Arg2: 00401001<br>> Arg3: 00000000<br>> Arg4: c0883000<br>> > > My code can be viewed here: > http://codepad.org/ZJgaamFa > > My question is, what could be wrong with the Page Entry? > Could it be the type of memory which is assigned to the entry is incorrect? > are some fields of the entry incorrect? > > Thanks in advance.
I will be glad to hear about those nondocumented structures.
P.s, i’ve managed to get the page replaced and the program to work properly.
Although, as soon as the i exit the program - i get a “PFN list Corrupt” BSOD.
What part of undocumented don’t you understand? There are things like
the page frame database that you need to update, but which are
undocumented and not particularly locatable. Microsoft has been
aggressive improving the memory manager for better performance, and this
work is not documented anywhere, so even if you get something working on
one version of Windows, you are likely to break the others.
> I will be glad to hear about those nondocumented structures. > > P.s, i’ve managed to get the page replaced and the program to work properly. > Although, as soon as the i exit the program - i get a “PFN list Corrupt” BSOD.
-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of xxxxx@gmail.com
Sent: Saturday, February 19, 2011 10:52 AM
To: Windows System Software Devs Interest List
Subject: RE:[ntdev] Page Entry replacement.
I will be glad to hear about those nondocumented structures.
P.s, i’ve managed to get the page replaced and the program to work properly.
Although, as soon as the i exit the program - i get a “PFN list Corrupt”
BSOD.
