Writing to read-only memory (was Re: Regmon?)

Maxim S. Shatskih wrote:

Two ways:

  • remap the syscall table page via a MDL and patch the remapped version
  • set the “Write Enable” bit in PTE manually.

While reading along this thread, the latter approach seemed the more obvious one
(as virtually all my experience is in userland, I actually was thinking more
along the lines of a call to VirtualProtect, but in the end, the relevant page
is marked writable). However, this remapping of memory via “MDL” sounds very
intriguing. If I recall correctly, MDLs are somehow used to do DMA requests.
How would this remapping approach work, exactly?

--
- Stevie-O

Real Programmers use COPY CON PROGRAM.EXE

----------
From: xxxxx@qrpff.net [SMTP:xxxxx@qrpff.net]
Reply To: xxxxx@lists.osr.com
Sent: Wednesday, July 30, 2003 4:14 AM
To: xxxxx@lists.osr.com
Subject: [ntdev] Writing to read-only memory (was Re: Regmon?)

> Real Programmers use COPY CON PROGRAM.EXE

Real Programmers clear WP bit in CR0 ;)

Best regards,

Michal Vodicka
STMicroelectronics Design and Application s.r.o.
[michal.vodicka@st.com, http://www.st.com]

That’s true, an MDL is used to support DMA requests; it is a structure that
describes which physical pages make up a given buffer. But besides this, it
allows creating a separate virtual address for the same physical pages as the
original buffer. When the MDL is created, the desired access to the memory is
specified. This separate virtual address can be used to update physical
pages that are read-only when accessed through the original virtual address.

Alexei.

“Stevie-O” wrote in message news:xxxxx@ntdev…
>
> Maxim S. Shatskih wrote:
> > Two ways:
> > - remap the syscall table page via a MDL and patch the remapped version
> > - set the “Write Enable” bit in PTE manually.
> >
>
> While reading along this thread, the latter approach seemed the more obvious one
> (as virtually all my experience is in userland, I actually was thinking more
> along the lines of a call to VirtualProtect, but in the end, the relevant page
> is marked writable). However, this remapping of memory via “MDL” sounds very
> intriguing. If I recall correctly, MDLs are somehow used to do DMA requests.
> How would this remapping approach work, exactly?
>
> --
> - Stevie-O
>
> Real Programmers use COPY CON PROGRAM.EXE

> > Real Programmers use COPY CON PROGRAM.EXE
> >
> Real Programmers clear WP bit in CR0 ;)
>
> Best regards,
>
> Michal Vodicka

:P

Where did I leave my copy of the IA-32 spec…

The last time I did programming this low-level, memory addresses were 20 bits
(seg*16+offset) and ExitProcess() was ‘MOV AH, 4Ch / INT 21h’.

--
- Stevie-O

Real Programmers use COPY CON PROGRAM.EXE

> intriguing. If I recall correctly, MDLs are somehow used to do DMA requests.

Not necessarily; it is a bit more powerful than that.

> How would this remapping approach work, exactly?

IoAllocateMdl to describe the buffer
MmBuildMdlForNonPagedPool
MmMapLockedPages(KernelMode)

then MmUnmapPages and IoFreeMdl.

Max
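The mechanism Alexei describes (a second virtual mapping of the same physical pages, created with the access you want) and the call sequence Max gives (IoAllocateMdl, MmBuildMdlForNonPagedPool, MmMapLockedPages, then unmap and IoFreeMdl; the unmap routine is MmUnmapLockedPages in the DDK) are kernel-mode Windows APIs that only build inside a driver project. What follows is an added example, not code from anyone in this thread, that shows the same two ideas with their user-mode POSIX analogues on Linux: `patch_via_alias` maps one fd-backed page twice, once read-only and once read-write, and writes through the writable alias (the MDL approach); `patch_via_mprotect` flips the protection of the mapping it already has (the PTE write-enable approach, VirtualProtect in Win32 terms). Everything in it is constructed: the four-entry table standing in for a syscall table, the 4096-byte page size, the use of memfd_create with a temp-file fallback, and the values patched in. The point for anyone auditing such tables is in `first_tampered_entry`: protection is a property of a mapping, not of the physical page, so a read-only view proves nothing about integrity and the contents have to be compared against a trusted baseline.

```c
#define _GNU_SOURCE               /* exposes memfd_create() in glibc headers */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/mman.h>

/* Constructed example (not from the thread): user-mode POSIX analogues of the
 * two kernel techniques Maxim listed. Assumes 4096-byte pages. */
#define PAGE_BYTES 4096u
#define TABLE_LEN  4u

/* Constructed stand-in for a "syscall table": four 32-bit entries. */
static const uint32_t kTable[TABLE_LEN] = {
    0x11111111u, 0x22222222u, 0x33333333u, 0x44444444u
};

/* A file descriptor whose pages can be mapped more than once. Prefers an
 * anonymous memfd; falls back to an unlinked temp file if that is unavailable. */
static int anon_page_fd(void)
{
    int fd = memfd_create("alias-demo", 0);
    if (fd < 0) {
        char path[] = "/tmp/alias-demo-XXXXXX";   /* assumed writable location */
        fd = mkstemp(path);
        if (fd >= 0)
            unlink(path);
    }
    return fd;
}

/* Way 1, remap: the same physical page gets a second virtual view with different
 * protection (the MDL + MmMapLockedPages idea). Writes go through the RW alias;
 * the RO view, whose own page-table entry forbids writes, still observes them.
 * Returns entry `idx` as read back through the RO view, or 0 on any failure. */
static uint32_t patch_via_alias(unsigned idx, uint32_t new_value)
{
    uint32_t seen = 0;
    if (idx >= TABLE_LEN)
        return 0;
    int fd = anon_page_fd();
    if (fd < 0)
        return 0;
    if (ftruncate(fd, PAGE_BYTES) != 0) {
        close(fd);
        return 0;
    }
    uint32_t *rw = mmap(NULL, PAGE_BYTES, PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0);
    uint32_t *ro = mmap(NULL, PAGE_BYTES, PROT_READ, MAP_SHARED, fd, 0);
    close(fd);                                   /* the mappings keep the pages alive */
    if (rw != MAP_FAILED && ro != MAP_FAILED) {
        memcpy(rw, kTable, sizeof kTable);       /* populate through the RW view */
        rw[idx] = new_value;                     /* "patch" through the alias */
        seen = ro[idx];                          /* read back through the RO view */
    }
    if (rw != MAP_FAILED) munmap(rw, PAGE_BYTES);
    if (ro != MAP_FAILED) munmap(ro, PAGE_BYTES);
    return seen;
}

/* Way 2, change the protection of the mapping you already have (the PTE
 * write-enable bit in the kernel, VirtualProtect() in Win32 user mode). Returns
 * entry `idx` read after the page has been made read-only again, or 0 on failure. */
static uint32_t patch_via_mprotect(unsigned idx, uint32_t new_value)
{
    if (idx >= TABLE_LEN)
        return 0;
    uint32_t *page = mmap(NULL, PAGE_BYTES, PROT_READ | PROT_WRITE,
                          MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (page == MAP_FAILED)
        return 0;
    memcpy(page, kTable, sizeof kTable);
    uint32_t seen = 0;
    int ok = mprotect(page, PAGE_BYTES, PROT_READ) == 0               /* now "read-only memory"; a store would SIGSEGV */
          && mprotect(page, PAGE_BYTES, PROT_READ | PROT_WRITE) == 0; /* write-enable the mapping */
    if (ok) {
        page[idx] = new_value;
        if (mprotect(page, PAGE_BYTES, PROT_READ) == 0)               /* restore the original protection */
            seen = page[idx];
    }
    munmap(page, PAGE_BYTES);
    return seen;
}

/* Defender's side: no view's protection says anything about what the page holds,
 * so integrity has to be checked by content. Returns the index of the first entry
 * that differs from the trusted baseline, or -1 if none does. */
static int first_tampered_entry(const uint32_t *baseline, const uint32_t *current)
{
    for (unsigned i = 0; i < TABLE_LEN; i++)
        if (baseline[i] != current[i])
            return (int)i;
    return -1;
}

int main(void)
{
    uint32_t patched[TABLE_LEN];
    memcpy(patched, kTable, sizeof patched);
    patched[2] = patch_via_alias(2, 0xdeadbeefu);
    printf("via alias:    entry 2 seen through RO view = 0x%08x\n", patched[2]);
    printf("via mprotect: entry 3 after re-protect     = 0x%08x\n",
           patch_via_mprotect(3, 0xcafebabeu));
    printf("integrity check vs baseline: first tampered entry = %d\n",
           first_tampered_entry(kTable, patched));
    return 0;
}
```

Build with `cc -o alias-demo alias-demo.c` and run; both patch functions return the value written while the original read-only view (or restored protection) is still in place, and only the baseline comparison reveals that anything changed.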

Actually, (1) real programmers use debug.exe to enter programs, what’s
“copy”? and (2) real programmers don’t use the INT instruction. :)

Alberto.

-----Original Message-----
From: Stevie-O [mailto:xxxxx@qrpff.net]
Sent: Tuesday, July 29, 2003 11:27 PM
To: Windows System Software Developers Interest List
Subject: [ntdev] RE: Writing to read-only memory (was Re: Regmon?)
