Re[2]: Converting MDL from NonPagedPool to Locked?

Hello Jerry,

Tuesday, March 22, 2005, 11:01:41 PM, you wrote:
JS> ivona prenosilova wrote:

> allocate mdl, call MmProbeAndLockPages with KernelMode and
> IoModifyAccess and you won’t have to play with mdl flags. now the mdl
> is ready for MmMapLockedPages*.
hum, where in my last paragraph do i speak about
MmBuildMdlForNonPagedPool? forget this function.

#include <ntddk.h>

/* Describe [base, base+length) with an MDL and lock its pages resident.
   MmProbeAndLockPages reports failure by raising an exception, so a caller
   that cannot rule that out should wrap it in __try/__except. */
int create_mdl_lock_pages(MDL **mdl, void *base, ULONG length)
{
    if (!(*mdl = MmCreateMdl(NULL, base, (SIZE_T) length)))
        return FALSE;

    MmProbeAndLockPages(*mdl, KernelMode, IoModifyAccess);
    return TRUE;
}

/* Lock the pages and return a second kernel-mode mapping of them
   (NULL if the MDL could not be created). */
void *create_mdl_map_locked_pages(MDL **mdl, void *base, ULONG length)
{
    return (create_mdl_lock_pages(mdl, base, length)) ?
        MmMapLockedPages(*mdl, KernelMode) : NULL;
}

/* Tear down in reverse order: unmap the alias, unlock the pages, free the MDL. */
void unmap_and_free_mdl(MDL *mdl, void *base_address)
{
    if (base_address && mdl)
    {
        MmUnmapLockedPages(base_address, mdl);
        MmUnlockPages(mdl);
        IoFreeMdl(mdl);
    }
}

usage:

Old_RtlUnicodeStringToAnsiString = (RTLUSTAS) *thunk;
_thunk = create_mdl_map_locked_pages(&mdl, thunk, sizeof(ULONG));
*_thunk = (DWORD) New_RtlUnicodeStringToAnsiString;
unmap_and_free_mdl(mdl, _thunk);

where is the problem?


Best regards,
Ivona Prenosilova

But why are you calling both MmProbeAndLockPages and
MmBuildMdlForNonPagedPool? They’re mutually exclusive.

I believe Ivona is suggesting that you just call MmProbeAndLockPages to
generate the MDL and then map that.

-p

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Jerry Schneider
Sent: Tuesday, March 22, 2005 2:02 PM
To: Windows System Software Devs Interest List
Subject: Re:[ntdev] Converting MDL from NonPagedPool to Locked?

> JS> I tracked down the source of the asserts under Checked WinXPSP2
> JS> during MmMapLockedPages*(). I am creating an MDL for read-only
> JS> kernel code VA using IoAllocateMdl, and then call
> JS> MmBuildMdlForNonPagedPool to add the underlying
> JS> physical pages to the MDL.

ivona prenosilova wrote:
> allocate mdl, call MmProbeAndLockPages with KernelMode and
> IoModifyAccess and you won’t have to play with mdl flags.
> now the mdl
> is ready for MmMapLockedPages*.

Actually, I already tried that. It seems that probe&lock
pages does set the LOCKED flag, but when I call
MmBuildMdlForNonPagedPool, the NonPagedPool MDL flag gets set
as well. (The function says it is gonna create an MDL for
NPP, after all…)

The MmMapLockedPages* call still ASSERTS if the NonPagedPool
flag is set in the MDL. It would seem I need to build the
MDL with something other than MmBuildMdlForNonPagedPool,
since that sets the NPP flag.
Or find a way to map pages like a MmMapNonPagedPool that
doesn’t exist.

I don’t know if it’s riskier to rely on some concoction of
MDL build calls that seems to work, or if it’s just better to
use the DDK symbols to clear the flag…

Thanks

Jerry


Questions? First check the Kernel Driver FAQ at
http://www.osronline.com/article.cfm?id=256

You are currently subscribed to ntdev as:
xxxxx@windows.microsoft.com To unsubscribe send a blank
email to xxxxx@lists.osr.com

Jerry,

You don’t call MmBuildMdlForNonPagedPool.

I managed to find out my experimental code similar to what you are trying to
do. It worked without assertion on chk build OS IIRC.

#include <ntddk.h>

VOID TestModifyPages(PVOID CodeAddress, ULONG size)
{
    NTSTATUS status = STATUS_SUCCESS;
    char* newVA;

    /* Describe the (possibly read-only) kernel range; no pages are locked yet. */
    PMDL mdl = IoAllocateMdl(CodeAddress, size, FALSE, FALSE, NULL);

    if (mdl) {

        /* Lock the pages resident. MmProbeAndLockPages signals failure by
           raising an exception, not through a return value. */
        __try {
            MmProbeAndLockPages(mdl, KernelMode, IoModifyAccess);
        }
        __except(EXCEPTION_EXECUTE_HANDLER)
        {
            status = GetExceptionCode();
            DbgPrint("MmProbeAndLockPages failed: %x!!!\n", status);
            IoFreeMdl(mdl);
        }
        if (STATUS_SUCCESS != status) {
            return;
        }

        /* Second kernel-mode mapping of the same physical pages. */
        newVA = MmMapLockedPagesSpecifyCache(mdl,
                                             KernelMode,
                                             MmCached,
                                             NULL,
                                             FALSE,
                                             NormalPagePriority);

        if (newVA) {

            // save the code
            char saved = *newVA;

            // modify the code
            *newVA = 0x90;

            // restore the code
            *newVA = saved;

            MmUnmapLockedPages(newVA, mdl);
        }
        MmUnlockPages(mdl);
        IoFreeMdl(mdl);
    }
}

Calvin Guan Software Engineer
ATI Technologies Inc. www.ati.com


ivona prenosilova wrote:
>> allocate mdl, call MmProbeAndLockPages with KernelMode and
>> IoModifyAccess and you won’t have to play with mdl flags. now the mdl
>> is ready for MmMapLockedPages*.
>
>hum, where in my last paragraph do i speak about
>MmBuildMdlForNonPagedPool? forget this function.

Peter Wieland wrote:

But why are you calling both MmProbeAndLockPages and
MmBuildMdlForNonPagedPool? They’re mutually exclusive.

I believe Ivona is suggesting that you just call MmProbeAndLockPages to
generate the MDL and then map that.

Ivona and Peter

You’re absolutely correct. I had used MmProbeAndLockPages with
IoModifyAccess, inside try/except to catch ACCESS_VIOLATION, in a
futile attempt to see if the original VA was writable or not. It
turned out that Probe&Lock didn’t throw an exception on read-only
code segment VA that I tried to probe and lock for modify access.

Because the p&l returned SUCCESS on non-paged, read-only code VA,
I guess I assumed that it was doing nothing in MmProbeAndLockPages
except maybe setting the LOCKED flag in the MDL, so I then tried
the MmBuildMdlForNonPagedPool.

I just tried Ivona’s suggestion and it works perfectly. Am I then
correct to believe that IoXxxxAccess is a property of a mapped
Virtual Address, and not associated with the physical pages the
MDL describes? That’s the only way I can see how I have Modify
Access to read-only code before I have mapped the MDL into a
new VA. In other words, the VA takes on the access mode of the
underlying MDL, right?

Thanks again for everyone’s help in figuring it out…

Jerry

Calvin Guan wrote:

You don’t call MmBuildMdlForNonPagedPool.

I managed to find out my experimental code similar to what you are trying to
do. It worked without assertion on chk build OS IIRC.

I’m curious if you ever saw an exception raised by MmProbe&LockPages
when locking read-only pages with IoModifyAccess?

    if (mdl) {

        __try {
            MmProbeAndLockPages(mdl,KernelMode,IoModifyAccess);
        }
        __except(EXCEPTION_EXECUTE_HANDLER)
        {

            status = GetExceptionCode();
            DbgPrint("MmProbeAndLockPages failed: %x!!!\n",status);
            IoFreeMdl(mdl);
        }
        if (STATUS_SUCCESS != status) {
            return;
        }

Any idea how to determine if kernel memory (0x8xxxxxxx) is read-only
without also generating an uncatchable “write to read-only memory”
exception?

Thanks

Jerry

access is a property of how the pages are mapped, not of the pages
themselves. And code pages are not necessarily marked read-only
depending on things like whether MM has decided to map them as part of a
large (4MB) page.

-p

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Jerry Schneider
Sent: Tuesday, March 22, 2005 3:21 PM
To: Windows System Software Devs Interest List
Subject: Re:[ntdev] Converting MDL from NonPagedPool to Locked?

ivona prenosilova wrote:
>> allocate mdl, call MmProbeAndLockPages with KernelMode
and >> IoModifyAccess and you won’t have to play with mdl
flags. now the mdl >> is ready for MmMapLockedPages*.
>
>hum, where in my last paragraph do i speak about
>MmBuildMdlForNonPagedPool? forget this function.

Peter Wieland wrote:
> But why are you calling both MmProbeAndLockPages and
> MmBuildMdlForNonPagedPool? They’re mutually exclusive.
>
> I believe Ivona is suggetsing that you just call
MmProbeAndLockPages
> to generate the MDL and then map that.

Ivona and Peter

You’re absolutely correct. I had used MmProbeAndLockPages
with IoModifyAccess, inside try/except to catch
ACCESS_VIOLATION, in a futile attempt to see if the original
VA was writable or not. It turned out that Probe&Lock didn’t
throw an exception on read-only code segment VA that I tried
to probe and lock for modify access.

Because the p&l returned SUCCESS on non-paged, read-only code
VA, I guess I assumed that it was doing nothing in
MmProbeAndLockPages except maybe setting the LOCKED flag in
the MDL, so I then tried theMmBuildMdlForNonPagedPool.

I just tried Ivona’s suggestion and it works perfectly. Am I
then correct to believe that IoXxxxAccess is a property of a
mapped Virtual Address, and not associated with the physical
pages the MDL describes? That’s the only way I can see how I
have Modify Access to read-only code before I have mapped
the MDL into a new VA. In other words, the VA takes on the
access mode of the underlying MDL, right?

Thanks again for everyone’s help in figuring it out…

Jerry


Questions? First check the Kernel Driver FAQ at
http://www.osronline.com/article.cfm?id=256

You are currently subscribed to ntdev as:
xxxxx@windows.microsoft.com To unsubscribe send a blank
email to xxxxx@lists.osr.com

Not that I can remember on a kernel mode memory.

Calvin Guan Software Engineer
ATI Technologies Inc. www.ati.com

-----Original Message-----
From: xxxxx@lists.osr.com [mailto:bounce-204401-
xxxxx@lists.osr.com] On Behalf Of Jerry Schneider
Sent: March 22, 2005 6:29 PM
To: Windows System Software Devs Interest List
Subject: Re:[ntdev] Converting MDL from NonPagedPool to Locked?

Calvin Guan wrote:
> You don’t call MmBuildMdlForNonPagedPool.
>
> I managed to find out my experimental code similar to what you are
trying to
> do. It worked without assertion on chk build OS IIRC.

I’m curious if you ever saw an exception raised by MmProbe&LockPages
when locking read-only pages with IoModifyAccess?

> if (mdl) {
>
> __try {
> MmProbeAndLockPages(mdl,KernelMode,IoModifyAccess);
> }
> __except(EXCEPTION_EXECUTE_HANDLER)
> {
>
> status = GetExceptionCode();
> DbgPrint(“MmProbeAndLockPages failed: %x!!!\n”,status);
> IoFreeMdl(mdl);
> }
> if (STATUS_SUCCESS != status) {
> return;
> }

Any idea how to determine if kernel memory (0x8xxxxxxx) is read-only
without also generating an uncatchable “write to read-only memory”
exception?

Thanks

Jerry


Questions? First check the Kernel Driver FAQ at
http://www.osronline.com/article.cfm?id=256

You are currently subscribed to ntdev as: xxxxx@ati.com
To unsubscribe send a blank email to xxxxx@lists.osr.com

there’s no supported one.

If you don’t know for sure that a kernel address is writable, you’re
clearly not supposed to be writing to it.

-p



Any idea how to determine if kernel memory (0x8xxxxxxx) is read-only
without also generating an uncatchable “write to read-only memory”
exception?

You can look into CPU page tables but it is not easy:
you would have to have different code for x86, x86 PAE, x86-64.
I do not recommend going this way unless you *really* need it.

BTW, does your hooking/patching code handle x86-64?
It is going to be a quite common architecture.

Dmitriy Budko, VMware
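As an added illustration of Dmitriy's point that the entry layout differs between classic 32-bit paging and PAE/x86-64 (and of Peter's earlier remark that a large page carries one R/W bit for its whole 4 MB or 2 MB range), here is a decoder for the permission bits of a single page-table entry in both formats. This is example code added here, not from the thread; it works on constructed entry values only, since reading live page tables from a driver is unsupported, as Peter says.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Added example: decode the permission bits of one x86 page-table entry.
 * Entry values below are constructed, not read from a real system. */

enum pt_format {
    PT_X86_32,        /* classic 32-bit paging: 32-bit entries, 4 MB large pages */
    PT_X86_PAE_X64    /* PAE and long mode: 64-bit entries, 2 MB large pages, NX bit */
};

enum pt_level { PT_PDE, PT_PTE };  /* PS (bit 7) means "large page" only in a PDE */

struct mapping {
    bool present;      /* bit 0 */
    bool writable;     /* bit 1, R/W: set on the mapping, not on the physical page */
    bool user;         /* bit 2, U/S */
    bool large_page;   /* bit 7, PS, in a PDE */
    bool no_execute;   /* bit 63, NX/XD, 64-bit entries only */
    bool leaf;         /* true when the entry maps a page rather than a next-level table */
    uint64_t phys;     /* leaf: physical address of va; non-leaf: base of next table */
};

/* Frame-address field of each entry kind. PSE-36 high bits of 32-bit 4 MB
 * entries (bits 13..20) are deliberately ignored here. */
#define FRAME_MASK_32      0xFFFFF000ULL
#define FRAME_MASK_32_4M   0xFFC00000ULL
#define FRAME_MASK_64      0x000FFFFFFFFFF000ULL   /* bits 12..51 */
#define FRAME_MASK_64_2M   0x000FFFFFFFE00000ULL   /* bits 21..51 */

struct mapping decode_mapping(enum pt_format fmt, enum pt_level level,
                              uint64_t entry, uint64_t va)
{
    struct mapping m = {0};
    uint64_t frame, offset;

    m.present = (entry & 1) != 0;
    if (!m.present)
        return m;                       /* a non-present entry carries no permissions */

    m.writable   = ((entry >> 1) & 1) != 0;
    m.user       = ((entry >> 2) & 1) != 0;
    m.large_page = level == PT_PDE && ((entry >> 7) & 1) != 0;
    m.no_execute = fmt == PT_X86_PAE_X64 && ((entry >> 63) & 1) != 0;
    m.leaf       = level == PT_PTE || m.large_page;

    if (fmt == PT_X86_32) {
        frame  = entry & (m.large_page ? FRAME_MASK_32_4M : FRAME_MASK_32);
        offset = va & (m.large_page ? 0x3FFFFFULL : 0xFFFULL);
    } else {
        frame  = entry & (m.large_page ? FRAME_MASK_64_2M : FRAME_MASK_64);
        offset = va & (m.large_page ? 0x1FFFFFULL : 0xFFFULL);
    }
    m.phys = m.leaf ? (frame | offset) : frame;
    return m;
}

/* Would an access of the given kind through this mapping be permitted? */
bool mapping_allows(const struct mapping *m, bool write, bool execute)
{
    if (!m->present)
        return false;
    if (write && !m->writable)
        return false;
    if (execute && m->no_execute)
        return false;
    return true;
}

int main(void)
{
    /* Constructed 32-bit 4 MB PDE (P|RW|PS) and a 64-bit NX, read-only PTE. */
    struct mapping big = decode_mapping(PT_X86_32, PT_PDE, 0x00400083ULL, 0x80012345ULL);
    struct mapping nx  = decode_mapping(PT_X86_PAE_X64, PT_PTE,
                                        0x8000000012345001ULL, 0xFFFFF80000001ABCULL);
    printf("4MB page: writable=%d phys=0x%llx\n", big.writable, (unsigned long long)big.phys);
    printf("NX pte:   writable=%d nx=%d phys=0x%llx\n", nx.writable, nx.no_execute,
           (unsigned long long)nx.phys);
    return 0;
}
```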

Hello Jerry,

JS> You’re absolutely correct. I had used MmProbeAndLockPages with
JS> IoModifyAccess, inside try/except to catch ACCESS_VIOLATION, in a
JS> futile attempt to see if the original VA was writable or not. It
JS> turned out that Probe&Lock didn’t throw an exception on read-only
JS> code segment VA that I tried to probe and lock for modify access.
according to my observations (and disassembly) the probing is actually
done only if VA is user mode address. else there is no probing, the
function just locks the pages so that they cannot be paged out after
it makes them resident. actually, if you find some of my older posts,
i was confused by this probing too.

JS> I just tried Ivona’s suggestion and it works perfectly. Am I then
JS> correct to believe that IoXxxxAccess is a property of a mapped
JS> Virtual Address, and not associated with the physical pages the
JS> MDL describes?
it’s somewhat strange. if the address is kernel one, the IoXxxxAccess
is just used to mark the MDL as write operation, so when the pages get
unlocked, they probably are marked as dirty.

the last funny thing is that mmmaplockepages* maps the pages described
by mdl read/write regardless of any IoXxxxAccess - IoXxxxAccess gets
lost in the p&l function.

these are my findings so please take it like that. maybe Mr. Wieland
could clarify us some mysteries behind mdls?


Best regards,
Ivona Prenosilova

> Actually, the hacks, err hooks, can be implemented as error-free as the

best drivers can, considering how often quality drivers suffer from flaws
like the recent article on the try/except handler bug.

No.

They are even theoretically not free from interop issues. The usual driver
writing techniques - are free.

There are good security products available that do hack the kernel safely,
but they are outnumbered by rootkits, spyware, keyloggers and other garbage
that hack and mangle the kernel. The risk of creating an unstable platform
is clearly tilted towards the dark side.

No.

Any malware is spread due to a) OS and app bugs b) user stupidity.

As about bugs - for now, they are usually first noticed by the “good guys” who
report them to the vendor. Then the vendor issues a patch, and only after this
the virii start to spread. So it was with MSBlaster.

So - keep your OS and software patched.

As about user stupidity - educate yourself.

If both of these items are fulfilled - then there is no need at all in any
hook-based security software.

For instance, lots of professional people never caught a virus for years.

Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com

Hello,
Wednesday, March 23, 2005, 12:43:54 AM, you wrote:

> Any idea how to determine if kernel memory (0x8xxxxxxx) is read-only
> without also generating an uncatchable “write to read-only memory”
> exception?
actually using the approach and code i’ve sent in some of the previous
email you don’t have to care about read-onlyness of the memory. when
you get the system mapping for given virtual range that is read only
you have read/write access to it. so imho the information is
redundant.


Best regards,
Ivona Prenosilova
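The point Ivona and Peter make, that the permission lives in the mapping and not in the physical page, can be shown in user mode on Linux with POSIX mmap, which is the same idea MmMapLockedPages applies in the kernel: a second mapping of the same pages with its own permissions. This is an added example, not code from the thread; it assumes a writable /tmp for a constructed backing file and reads /proc/self/maps as the user-mode way to query a mapping's permissions without faulting.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/mman.h>

/* Added example, not from the thread: user-mode POSIX analogue of what
 * MmMapLockedPages does. One backing page is mapped twice with different
 * permissions, so "writable" is a property of each mapping. */

#define ALIAS_LEN 4096   /* assumed page size for the demo */

struct alias_result {
    int seen;          /* byte observed through the read-only view */
    int ro_writable;   /* 1 / 0 per /proc/self/maps, -1 if it could not be read */
    int rw_writable;
};

/* Ask the OS for a mapping's permissions instead of probing by faulting
 * (the user-mode counterpart of the question Jerry asked for kernel
 * addresses). Returns 1 if writable, 0 if not, -1 if unknown. */
int mapping_is_writable(const void *addr)
{
    FILE *f = fopen("/proc/self/maps", "r");
    if (!f)
        return -1;
    unsigned long target = (unsigned long)(uintptr_t)addr;
    char line[512];
    int result = -1;
    while (fgets(line, sizeof line, f)) {
        unsigned long start, end;
        char perms[8];
        /* e.g. "7f12a000-7f12b000 r--s 00000000 00:2e 42 /tmp/x (deleted)" */
        if (sscanf(line, "%lx-%lx %7s", &start, &end, perms) != 3)
            continue;
        if (target >= start && target < end) {
            result = (perms[1] == 'w');
            break;
        }
    }
    fclose(f);
    return result;
}

/* Map one page twice (read-only and read/write), write through the writable
 * alias, and observe the change through the read-only alias.
 * Returns 0 on success, -1 if any system call fails. */
int run_alias_demo(unsigned char value, struct alias_result *out)
{
    char path[] = "/tmp/alias_demo_XXXXXX";   /* constructed temp file as backing store */
    int fd = mkstemp(path);
    if (fd < 0)
        return -1;
    unlink(path);                              /* the name is not needed once open */
    if (ftruncate(fd, ALIAS_LEN) != 0) {
        close(fd);
        return -1;
    }

    void *ro = mmap(NULL, ALIAS_LEN, PROT_READ, MAP_SHARED, fd, 0);
    void *rw = mmap(NULL, ALIAS_LEN, PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0);
    if (ro == MAP_FAILED || rw == MAP_FAILED) {
        if (ro != MAP_FAILED) munmap(ro, ALIAS_LEN);
        if (rw != MAP_FAILED) munmap(rw, ALIAS_LEN);
        close(fd);
        return -1;
    }

    ((unsigned char *)rw)[0] = value;             /* allowed: this mapping is writable */
    out->seen = ((const unsigned char *)ro)[0];   /* same physical page, read-only view */
    out->ro_writable = mapping_is_writable(ro);
    out->rw_writable = mapping_is_writable(rw);

    munmap(ro, ALIAS_LEN);
    munmap(rw, ALIAS_LEN);
    close(fd);
    return 0;
}

int main(void)
{
    struct alias_result r;
    if (run_alias_demo(0x5a, &r) != 0) {
        perror("alias demo");
        return 1;
    }
    printf("read-only view sees 0x%02x; maps says ro writable=%d, rw writable=%d\n",
           r.seen, r.ro_writable, r.rw_writable);
    return 0;
}
```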

Actually, if code and data didn’t share the same physical
memory, a great stride forward would have been taken as far as
security is concerned. It bothers me immensely that Intel put
such an enormous amount of security-oriented functionality into
the i386 architecture, and, well, nobody uses any of it.
Consider: if a buffer overflow is just that, a buffer overflow,
and it is impossible to realize a set of instructions out of it
because that’s not the code segment nor is it aliased to a code
segment, it can be pretty hard to insert anything through a back
door. So, the way I think it should be is, trusted code in Ring
0, I/O in Ring 1 (no, dudes, I/O is *not* trusted code nor
should it be treated as such), Services in Ring 2 and
Applications in Ring 3. But no, Risc is better, no ? Heck, one
gets what one pays for.

Alberto.

----- Original Message -----
From: “Maxim S. Shatskih”
To: “Windows System Software Devs Interest List”

Sent: Tuesday, March 22, 2005 7:05 PM
Subject: Re: Re:[ntdev] Converting MDL from NonPagedPool to
Locked?


It’s actually pretty easy to catch that trap, no ? We used that
trick in some of our products to achieve a seamless read/write
memory that works even when the memory’s not mapped.

Alberto.

----- Original Message -----
From: “Dmitriy Budko”
To: “Windows System Software Devs Interest List”

Sent: Tuesday, March 22, 2005 6:43 PM
Subject: RE: [ntdev] Converting MDL from NonPagedPool to Locked?

> [mailto:xxxxx@lists.osr.com]On Behalf Of Jerry
> Schneider
>
> Any idea how to determine if kernel memory (0x8xxxxxxx) is
> read-only
> without also generating an uncatchable “write to read-only
> memory”
> exception?

You can look into CPU page tables but it is not easy:
you would have to have different code for x86, x86 PAE, x86-64.
I do not recommend going this way unless you really need it.

BTW, does you hooking/patching code handle x86-64?
It is going to be quite common architecture.

Dmitriy Budko, VMware


Questions? First check the Kernel Driver FAQ at
http://www.osronline.com/article.cfm?id=256

You are currently subscribed to ntdev as: unknown lmsubst tag
argument: ‘’
To unsubscribe send a blank email to
xxxxx@lists.osr.com

Well this four ring has been around for quite some time, but two of the
household names (windows, linux) both are 0,3 based. So there must be some
design issue(s), well I’m the least qualified, so I don’t know what …

But very very interested to know if there were/are any effort along that
direction. I REALLY HOPE SOMEDAY NATIVE VM comes, hell with all the kludgy
security feature !!!

-pro
----- Original Message -----
From: “Alberto Moreira”
To: “Windows System Software Devs Interest List”
Sent: Tuesday, March 22, 2005 6:15 PM
Subject: Re: Re:[ntdev] Converting MDL from NonPagedPool to Locked?

> Actually, if code and data didn’t share the same physical memory, a great
> stride forward would have been taken as far as security is concerned. It
> bothers me immensely that Intel put such an enormous amount of
> security-oriented functionality into the i386 architecture, and, well,
> nobody uses any of it. Consider: if a buffer overflow is just that, a
> buffer overflow, and it is impossible to realize a set of instructions out
> of it because that’s not the code segment nor is it aliased to a code
> segment, it can be pretty hard to insert anything through a back door. So,
> the way I think it should be is, trusted code in Ring 0, I/O in Ring 1
> (no, dudes, I/O is not trusted code nor should it be treated as such),
> Services in Ring 2 and Applications in Ring 3. But no, Risc is better, no
> ? Heck, one gets what one pays for.
>
> Alberto.
>
>
> ----- Original Message -----
> From: “Maxim S. Shatskih”
> To: “Windows System Software Devs Interest List”
> Sent: Tuesday, March 22, 2005 7:05 PM
> Subject: Re: Re:[ntdev] Converting MDL from NonPagedPool to Locked?
>
>
>>> Actually, the hacks, err hooks, can be implemented as error-free as the
>>> best drivers can, considering how often quality drivers suffer from
>>> flaws
>>> like the recent article on the try/except handler bug.
>>
>> No.
>>
>> They are even theoretically not free from interop issues. The usual
>> driver
>> writing techniques - are free.
>>
>>> There are good security products available that do hack the kernel
>>> safely,
>>> but they are outnumbered by rootkits, spyware, keyloggers and other
>>> garbage
>>> that hack and mangle the kernel. The risk of creating an unstable
>>> platform
>>> is clearly tilted towards the dark side.
>>
>> No.
>>
>> Any malware is spreaded due to a) OS and app bugs b) user stupidity.
>>
>> As about bugs - for now, they are usually first noticed by the “good
>> guys” who
>> report them to the vendor. Then the vendor issues a patch, and only after
>> this
>> the virii start to spreat. So it was with MSBlaster.
>>
>> So - keep your OS and software patched.
>>
>> As about user stupidity - educate yourself.
>>
>> If both of these items are fulfilled - then there is no need at all in
>> any
>> hook-based security software.
>>
>> For instance, lots of professional people never caught a virus for years.
>>
>> Maxim Shatskih, Windows DDK MVP
>> StorageCraft Corporation
>> xxxxx@storagecraft.com
>> http://www.storagecraft.com
>>
>>
>> —
>> Questions? First check the Kernel Driver FAQ at
>> http://www.osronline.com/article.cfm?id=256
>>
>> You are currently subscribed to ntdev as: xxxxx@ieee.org
>> To unsubscribe send a blank email to xxxxx@lists.osr.com
>
>
> —
> Questions? First check the Kernel Driver FAQ at
> http://www.osronline.com/article.cfm?id=256
>
> You are currently subscribed to ntdev as: xxxxx@garlic.com
> To unsubscribe send a blank email to xxxxx@lists.osr.com
>

Peter Wieland wrote:
> access is a property of how the pages are mapped, not of the pages
> themselves. And code pages are not necessarily marked read-only
> depending on things like whether MM has decided to map them as part of a
> large (4MB) page.

Peter,
Can you help me understand what the MmProbeAndLockPages DDK docs
mean when they state:
The routine then confirms that the pages permit the operation
specified by the Operation parameter.

“Operation” specifies the type of operation for which the caller
wants the access rights probed and the pages locked, one of
IoReadAccess, IoWriteAccess, or IoModifyAccess.

That makes it sound like MP&LP “confirms” something about the pages
when the Operation parameter is, for example, IoModifyAccess. If
access is not a property of the pages, then what would ML&LP be
trying to confirm in regards to say IoModifyAccess?

I really am struggling to understand the underlying concepts so I
don’t have to guess anymore about what actually happens under the
covers. Ivona has suggested that MP&LP doesn’t actually do any
“probing” when the VA is kernel-mode rather than user, which would
suggest that the DDK doc quoted above should constrain the def to
user-mode addresses only.

TIA

Jerry Schneider

Alberto Moreira wrote:

It’s actually pretty easy to catch that trap, no ? We used that trick in
some of our products to achieve a seamless read/write memory that works
even when the memory’s not mapped.

For user-mode addresses (0x7fffffff and below), it is almost mandatory to
enclose probing or access operations within a try/except. For kernel-
mode addresses (0x80000000 and up), try/except cannot catch the
exception thrown for an access error. I guess this was because Microsoft
felt that any kernel-mode code that generated an access error was guaranteed
to be defective and deserved no recovery assistance.

Anyway, as Peter has stated in another post and I paraphrase, “just don’t
do it” in kernel-mode. I assume that your code probably was testing user-
mode addresses for read-only vs writable access violations, no?

Best regards
Jerry Schneider

I’m sitting here chuckling at this mini-thread. It is really funny to hear
people keep suggesting rings are the answer. It is interesting that 25
years ago, I was getting a class at work from a number of MIT professors who
had worked on Multics. Their number one message was “Rings are not the
answer!”
The people who had designed them (HW and SW) found it to be a mistake, but
we still have this mystical belief that everything will be great with rings.

On separate code and data space, I worked on a system (Sequoia’s fault
tolerant computers) that did exactly that. The problem is the industry grew
up the other way, getting the world to change is not going to be nice. It
isn’t the code separation that is the problem, it is little things like the
assumptions of tools and compilers that code and constant data live in the
same space. One compiler vendor for Sequoia took the easy way out, they
created a program image TWICE! once for the data area and once for the code
segment!


Don Burn (MVP, Windows DDK)
Windows 2k/XP/2k3 Filesystem and Driver Consulting
Remove StopSpam from the email to reply

“Prokash Sinha” wrote in message news:xxxxx@ntdev…

Put it this way: if you break the i386 architecture, by all
means, publish it. Meanwhile, I’ll believe in its designers.

Now, years ago, when the industry “grew the other way”, we
didn’t have the security problems we had today, hence, the
solutions we have today were not quite designed with our
contemporary needs as a target. Rings work - there’s no such a
thing as a better OS than Multics, even in this day and age. And
if I zero in on a simple-minded architecture, I’ll get what I
pay for: after all, nobody drives to work and back home on a
Formula One car, and you drive your Harley into a Nor’easter at
your own risk.

But hey, it’s easier to keep adding bells and whistles to our
old shoe, no ? Makes us feel warm and fuzzy. Meanwhile,
innovation be damned. No wonder outsourcing is so popular, the
stuff’s so old that everyone now knows it inside out.

Alberto.

“Don Burn” wrote in message
news:xxxxx@hormel4.ieee.org
> I’m sitting here chuckling at this mini-thread. It is really
> funny to hear
> people keep suggesting rings are the answer. It is
> interesting that 25
> years ago, I was getting a class at work from a number of MIT
> professors who
> had worked on Multics. Their number one message was “Rings
> are not the
> answer!”
> The people who had designed them (HW and SW) found it to be a
> mistake, but
> we still have this mystical belief that everything will be
> great with rings.
>
> On separate code and data space, I worked on a system
> (Sequoia’s fault
> tolerant computers) that did exactly that. The problem is the
> industry grew
> up the other way, getting the world to change is not going to
> be nice. It
> isn’t the code separation that is the problem, it is little
> things like the
> assumptions of tools and compilers that code and constant data
> live in the
> same space. One compiler vendor for Sequoia took the easy way
> out, they
> created a program image TWICE! once for the data area and once
> for the code
> segment!
>
>
> –
> Don Burn (MVP, Windows DDK)
> Windows 2k/XP/2k3 Filesystem and Driver Consulting
> Remove StopSpam from the email to reply
>
>
>
> “Prokash Sinha” wrote in message
> news:xxxxx@ntdev…
>> Well this four ring has been around for quite sometime, but
>> two of the
>> household names (windows, linux) both are 0,3 based. So there
>> must be some
>> design issue(s), well I’m the least qualified, so I don’t know
>> what …
>>
>> But very very interested to know if there were/are any effort
>> along that
>> direction. I REALLY HOPE SOMEDAY NATIVE VM comes, hell with
>> all the kludgy
>> security feature !!!
>>
>> -pro
>> ----- Original Message -----
>> From: “Alberto Moreira”
>> To: “Windows System Software Devs Interest List”
>>
>> Sent: Tuesday, March 22, 2005 6:15 PM
>> Subject: Re: Re:[ntdev] Converting MDL from NonPagedPool to
>> Locked?
>>
>>
>>> Actually, if code and data didn’t share the same physical
>>> memory, a great
>>> stride forward would have been taken as far as security is
>>> concerned. It
>>> bothers me immensely that Intel put such an enormous amount
>>> of
>>> security-oriented functionality into the i386 architecture,
>>> and, well,
>>> nobody uses any of it. Consider: if a buffer overflow is
>>> just that, a
>>> buffer overflow, and it is impossible to realize a set of
>>> instructions
>>> out of it because that’s not the code segment nor is it
>>> aliased to a code
>>> segment, it can be pretty hard to insert anything through a
>>> back door.
>>> So, the way I think it should be is, trusted code in Ring 0,
>>> I/O in Ring
>>> 1 (no, dudes, I/O is not trusted code nor should it be
>>> treated as
>>> such), Services in Ring 2 and Applications in Ring 3. But
>>> no, Risc is
>>> better, no ? Heck, one gets what one pays for.
>>>
>>> Alberto.
>>>
>>>
>>> ----- Original Message -----
>>> From: “Maxim S. Shatskih”
>>> To: “Windows System Software Devs Interest List”
>>>
>>> Sent: Tuesday, March 22, 2005 7:05 PM
>>> Subject: Re: Re:[ntdev] Converting MDL from NonPagedPool to
>>> Locked?
>>>
>>>
>>>>> Actually, the hacks, err hooks, can be implemented as
>>>>> error-free as the
>>>>> best drivers can, considering how often quality drivers
>>>>> suffer from
>>>>> flaws
>>>>> like the recent article on the try/except handler bug.
>>>>
>>>> No.
>>>>
>>>> They are even theoretically not free from interop issues.
>>>> The usual
>>>> driver
>>>> writing techniques - are free.
>>>>
>>>>> There are good security products available that do hack
>>>>> the kernel
>>>>> safely,
>>>>> but they are outnumbered by rootkits, spyware, keyloggers
>>>>> and other
>>>>> garbage
>>>>> that hack and mangle the kernel. The risk of creating an
>>>>> unstable
>>>>> platform
>>>>> is clearly tilted towards the dark side.
>>>>
>>>> No.
>>>>
>>>> Any malware is spreaded due to a) OS and app bugs b) user
>>>> stupidity.
>>>>
>>>> As about bugs - for now, they are usually first noticed by
>>>> the “good
>>>> guys” who
>>>> report them to the vendor. Then the vendor issues a patch,
>>>> and only
>>>> after this
>>>> the virii start to spread. So it was with MSBlaster.
>>>>
>>>> So - keep your OS and software patched.
>>>>
>>>> As about user stupidity - educate yourself.
>>>>
>>>> If both of these items are fulfilled - then there is no
>>>> need at all in
>>>> any
>>>> hook-based security software.
>>>>
>>>> For instance, lots of professional people never caught a
>>>> virus for
>>>> years.
>>>>
>>>> Maxim Shatskih, Windows DDK MVP
>>>> StorageCraft Corporation
>>>> xxxxx@storagecraft.com
>>>> http://www.storagecraft.com
>>>>
>>>>
>>>
>>>
>>>
>>
>>
>
>
>

Virtual pages are pages too :).

Physical pages have no access control*. Access rights are described
through the page tables, and enforcement of these rights occurs through
the MMU.

Probe and lock could work by examining the page tables, or it could work
by actually probing the memory, or it could simply assume you know what
you’re doing if you’re a kernel mode caller. I believe it does some mix
of the three, but that’s just a guess and I’m afraid I don’t have time
today to read the code.

As I said before - if you need to check the access rights on a piece of
kernel memory then that’s a suggestion you’re doing something you
shouldn’t.

-p

* sure - some physical pages may not be writable (like ROMs), and the
memory controller could probably raise an NMI if you wrote to them. but
that’s a separate issue.

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Jerry Schneider
Sent: Tuesday, March 22, 2005 10:02 PM
To: Windows System Software Devs Interest List
Subject: Re:[ntdev] Converting MDL from NonPagedPool to Locked?

Peter Wieland wrote:
> access is a property of how the pages are mapped, not of the pages
> themselves. And code pages are not necessarily marked read-only
> depending on things like whether MM has decided to map them as part
> of a large (4MB) page.

Peter,
Can you help me understand what the MmProbeAndLockPages DDK
docs mean when they state:
The routine then confirms that the pages permit the operation
specified by the Operation parameter.

“Operation” specifies the type of operation for which the caller
wants the access rights probed and the pages locked, one of
IoReadAccess, IoWriteAccess, or IoModifyAccess.

That makes it sound like MP&LP “confirms” something about the
pages when the Operation parameter is, for example,
IoModifyAccess. If access is not a property of the pages,
then what would MP&LP be trying to confirm in regards to say
IoModifyAccess?

I really am struggling to understand the underlying concepts
so I don’t have to guess anymore about what actually happens
under the covers. Ivona has suggested that MP&LP doesn’t
actually do any “probing” when the VA is kernel-mode rather
than user, which would suggest that the DDK doc quoted above
should constrain the def to user-mode addresses only.

TIA

Jerry Schneider


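The point Peter makes above, and the thing Jerry is asking MP&LP to "confirm", is easier to see in a small user-mode model than in the DDK prose: rights live in the page-table entries, so a probe looks at each mapping in the range, not at the physical frame behind it. The code below is an added example written for this thread; it is not code from any poster and not Windows MM internals. The page table, the PTE bits, the toy_mdl structure, probe_and_lock and the two wrapper functions are all constructed stand-ins (assumptions) for what MmProbeAndLockPages and an MDL do, and the kernel/user rule it applies (user-mode callers only get pages whose mapping carries a user bit) is a deliberate simplification.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed toy model: these are NOT Windows MM structures or names. */
#define PAGE_SHIFT 12u
#define PAGE_SIZE  ((uintptr_t)1 << PAGE_SHIFT)
#define NUM_PTES   8u

#define PTE_PRESENT 0x1u   /* a frame is mapped at this virtual page */
#define PTE_WRITE   0x2u   /* the mapping allows writes */
#define PTE_USER    0x4u   /* the mapping is reachable from user mode */

typedef enum { OP_READ, OP_WRITE, OP_MODIFY } access_op;  /* cf. IoReadAccess etc. */
typedef enum { MODE_KERNEL, MODE_USER } access_mode;      /* cf. KernelMode/UserMode */

typedef struct { uint32_t flags; uint32_t pfn; } pte_t;

/* Toy stand-in for an MDL: the physical frames backing a locked range. */
typedef struct {
    uintptr_t start_va;
    size_t    byte_count;
    size_t    page_count;
    uint32_t  pfn[NUM_PTES];
} toy_mdl;

/* Toy page table for an 8-page address space (constructed sample data).
   Frame 0x100 is mapped twice, read-only at page 0 and writable at page 1:
   the frame has no rights of its own, each mapping does. */
static const pte_t page_table[NUM_PTES] = {
    { PTE_PRESENT,                        0x100 }, /* page 0: read-only alias  */
    { PTE_PRESENT | PTE_WRITE,            0x100 }, /* page 1: writable alias   */
    { PTE_PRESENT | PTE_WRITE | PTE_USER, 0x200 }, /* page 2: user, writable   */
    { PTE_PRESENT | PTE_USER,             0x201 }, /* page 3: user, read-only  */
    { 0,                                  0     }, /* page 4: not present      */
    { PTE_PRESENT | PTE_WRITE,            0x300 }, /* pages 5-7: kernel, RW    */
    { PTE_PRESENT | PTE_WRITE,            0x301 },
    { PTE_PRESENT | PTE_WRITE,            0x302 },
};

/* Check every page of [va, va+len) against the page table for the requested
   operation and caller mode, then record the backing frames. Returns false
   (recording nothing) if any page fails, the way the real routine raises. */
bool probe_and_lock(uintptr_t va, size_t len, access_mode mode,
                    access_op op, toy_mdl *mdl)
{
    if (len == 0 || mdl == NULL || va + len < va) return false;
    uintptr_t first = va >> PAGE_SHIFT;
    uintptr_t last  = (va + len - 1) >> PAGE_SHIFT;
    if (last >= NUM_PTES) return false;            /* beyond the toy table */

    uint32_t need = PTE_PRESENT;
    if (op != OP_READ)     need |= PTE_WRITE;      /* write and modify need a writable mapping */
    if (mode == MODE_USER) need |= PTE_USER;       /* user callers only get user-visible pages */

    size_t n = 0;
    for (uintptr_t p = first; p <= last; p++) {
        if ((page_table[p].flags & need) != need) return false;
        mdl->pfn[n++] = page_table[p].pfn;
    }
    mdl->start_va = va; mdl->byte_count = len; mdl->page_count = n;
    return true;
}

/* Convenience wrappers: page count of the locked range, or its first frame; -1 on failure. */
int locked_page_count(uintptr_t va, size_t len, access_mode mode, access_op op)
{
    toy_mdl m;
    return probe_and_lock(va, len, mode, op, &m) ? (int)m.page_count : -1;
}

int locked_first_pfn(uintptr_t va, size_t len, access_mode mode, access_op op)
{
    toy_mdl m;
    return probe_and_lock(va, len, mode, op, &m) ? (int)m.pfn[0] : -1;
}

int main(void)
{
    /* Same frame, two answers: the probe looks at the mapping, not the frame. */
    printf("page 0 modify (RO alias): %d\n", locked_first_pfn(0x0000, 16, MODE_KERNEL, OP_MODIFY));
    printf("page 1 modify (RW alias): %d\n", locked_first_pfn(0x1000, 16, MODE_KERNEL, OP_MODIFY));
    /* Kernel range that a user-mode caller may not touch at all. */
    printf("page 5 user read: %d\n", locked_page_count(0x5000, 16, MODE_USER, OP_READ));
    /* A range that crosses into an unmapped page fails as a whole. */
    printf("pages 3-4 kernel read: %d\n", locked_page_count(0x3FF0, 32, MODE_KERNEL, OP_READ));
    return 0;
}
```

The two calls against pages 0 and 1 are the whole argument: they resolve to the same frame, yet one modify probe fails and the other succeeds, because the answer comes from the mapping. The last call shows why a probe is all-or-nothing over the range, which is also why the real routine is wrapped in __try/__except by callers that cannot prove the range is valid in advance.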