Prohibiting data writes through the segmentation mechanism and the paging mechanism

Source: Internet
Author: User

While debugging a program today I got interested in the ring-3 (user-mode) protection mechanisms on Windows: why is the .rdata section read-only, why can .data be both read and written, and why is the .text section executable but not writable? Since I had nothing else to do today I ran a test. First break the program at its entry point and look at the physical pages backing it:

kd> !dd 1db69000
#1db69000 120a5025 80000000 1e642025 00000000
#1db69010 03481025 80000000 1e85e225 80000000
#1db69020 1db96025 80000000 00000000 00000000

Physical addresses 1db69000-1db69020 hold the PTEs for virtual addresses 400000-404000 (one 8-byte entry per 4 KB page; !dd prints the low dword first).

From these values, a summary (bit 1 is the hardware R/W bit, bit 2 the user/supervisor bit, bit 63 the execute-disable bit):

The PTE for virtual address 400000 is 80000000`120a5025: non-executable, non-writable user page, bit 9 = 0. PE file header.

The PTE for virtual address 401000 is 00000000`1e642025: executable, non-writable user page, bit 9 = 0. .text section.

The PTE for virtual address 402000 is 80000000`03481025: non-executable, non-writable user page, bit 9 = 0. .rdata section.

The PTE for virtual address 403000 is 80000000`1e85e225: non-executable, non-writable user page, bit 9 = 1. .data section.

The PTE for virtual address 404000 is 80000000`1db96025: non-executable, non-writable user page, bit 9 = 0. .rsrc section.

Look at the .data section first. The only thing that distinguishes it from the other sections (apart from .text) is that bit 9 is 1. So write to .data and see what comes out of the interaction between the paging check and the segmentation check:

PAGE.Write    SEGMENT.W    Result
No            Yes          Yes

The physical page is marked non-writable, the data segment descriptor allows writes, and the write still goes through.

Next test the .rdata section. The only difference between it and .data is that bit 9 is 0, so run the same test and see what the result is.

PAGE.Write    SEGMENT.W    Result
No            Yes          No

The physical page is marked non-writable, the data segment descriptor allows writes, and the write to .rdata fails.

Why this result? After all, the PTEs for 402000 and 403000 differ only in bit 9. So does Windows use PTE bit 9 to mark the data section of a program, such that when bit 9 is 1 and the segment is writable the data still gets written even though the page itself is marked non-writable? To check, set bit 9 of the PTE for 402000 to 1 while leaving the page non-writable and the data segment writable, and run two tests:

Test one: kd> !ed 1db69010 03481225. After this change, data can be written to 402000.

Test two: kd> !ed 1db69010 03481025. After restoring the original value, 402000 can no longer be written.

Given this, can every section of the program be written to once bit 9 of its PTE is 1? Test the .text section.

The result: the page is inaccessible and an exception occurs. Why? Look at the PTE for .text: besides bit 9, its bit 63 also differs from the others. Bit 63 is the execute-disable (NX) bit. For the other sections it is 1, prohibiting execution, which says they are not code; for .text it is 0, which says this page is code. So can .text be written when both bit 9 and bit 63 of its PTE are 1? To save effort, modify all the PTEs at once (bit 9 set everywhere, bit 63 set on .text as well):

kd> !dd 1db69000
#1db69000 120a5225 80000000 1e642225 80000000
#1db69010 03481225 80000000 1e85e225 80000000
#1db69020 1db96225 80000000 00000000 00000000

Run the program under OllyDbg (OD) and see what happens.

Testing shows that every address in 400000-404000 can now be written.

Summary: Windows marks the data section through bit 9 and distinguishes the code section through bit 63; when bit 9 is 1 and bit 63 is 1, Windows treats the page as a data page and lets the write through. Two points help make sense of this. The MMU itself never looks at bits 9-11 of a PTE (they are reserved for the operating system), so the effect comes entirely from Windows' page-fault handler, in whose PTE layout bit 9 is the CopyOnWrite flag. An image's .data section is mapped copy-on-write, so a write to its hardware-read-only page faults, the handler gives the process a private copy of the page and marks it writable, and execution resumes; .rdata carries no such flag, so the same fault is reported as an access violation. The segment descriptor's W bit played no part in the difference, since both sections live in the same flat, writable data segment.
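To make the bit-level reasoning above concrete, here is a small decoder for these 64-bit PTEs, written for this article as an added example (it is not the author's code). It takes the two dwords exactly as !dd prints them, decodes the hardware fields and the three OS-available bits, computes where a page's PTE sits in the page table (which is how 1db69010 comes to be the PTE for 402000), and produces the bit-9 edit used in Test one. The names given to bits 9-11 (CopyOnWrite, Prototype, Write) are Windows' own use of the MMU-ignored bits, included as background; the classification rule is the one the article arrives at, and the sample PTEs are the article's dump values.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hardware-defined bits of a 64-bit (PAE / x64 format) page-table entry. */
#define PTE_P        (1ULL << 0)   /* present */
#define PTE_RW       (1ULL << 1)   /* hardware write permission */
#define PTE_US       (1ULL << 2)   /* user-mode accessible */
#define PTE_A        (1ULL << 5)   /* accessed */
#define PTE_D        (1ULL << 6)   /* dirty */
#define PTE_NX       (1ULL << 63)  /* execute-disable (XD/NX) */
#define PTE_PFN_MASK 0x000FFFFFFFFFF000ULL
/* Bits 9..11 are ignored by the MMU and left to the OS. Windows' PTE layout
 * uses them as CopyOnWrite (9), Prototype (10) and Write (11). */
#define PTE_SW_COW   (1ULL << 9)
#define PTE_SW_PROTO (1ULL << 10)
#define PTE_SW_WRITE (1ULL << 11)

typedef struct {
    bool present, hw_writable, user, accessed, dirty;
    bool cow, proto, sw_write;   /* bits 9, 10, 11 */
    bool nx;                     /* bit 63 */
    uint64_t pfn;                /* physical frame number, bits 12..51 */
} pte_t;

/* "!dd" prints each 8-byte PTE as two dwords, low one first. */
uint64_t pte_from_dd(uint32_t lo, uint32_t hi)
{
    return ((uint64_t)hi << 32) | lo;
}

pte_t pte_decode(uint64_t raw)
{
    pte_t p = {0};
    p.present     = (raw & PTE_P) != 0;
    p.hw_writable = (raw & PTE_RW) != 0;
    p.user        = (raw & PTE_US) != 0;
    p.accessed    = (raw & PTE_A) != 0;
    p.dirty       = (raw & PTE_D) != 0;
    p.cow         = (raw & PTE_SW_COW) != 0;
    p.proto       = (raw & PTE_SW_PROTO) != 0;
    p.sw_write    = (raw & PTE_SW_WRITE) != 0;
    p.nx          = (raw & PTE_NX) != 0;
    p.pfn         = (raw & PTE_PFN_MASK) >> 12;
    return p;
}

/* Physical address of the PTE for va: the page table covering va's 2 MiB region
 * has 512 8-byte entries, indexed by bits 12..20 of the virtual address. */
uint64_t pte_phys_addr(uint64_t pt_base, uint64_t va)
{
    return pt_base + ((va >> 12) & 0x1ffULL) * 8;
}

/* The edit the article makes with "!ed": set or clear bit 9 in the low dword. */
uint32_t pte_low_with_bit9(uint32_t lo, bool set)
{
    return set ? (lo | 0x200u) : (lo & ~0x200u);
}

/* The rule the article arrives at: bit 63 clear -> code; bit 9 set -> writable
 * data (the write is resolved as copy-on-write); otherwise read-only. */
const char *pte_section_kind(uint64_t raw)
{
    pte_t p = pte_decode(raw);
    if (!p.nx)  return "code";
    if (p.cow)  return "data (writable, copy-on-write)";
    return "read-only";
}

int main(void)
{
    /* The five PTEs from the article's "!dd 1db69000" dump; page table at 1db69000. */
    const uint64_t pt_base = 0x1db69000ULL;
    const struct { uint64_t va; uint32_t lo, hi; const char *name; } pages[] = {
        { 0x400000, 0x120a5025u, 0x80000000u, "PE header" },
        { 0x401000, 0x1e642025u, 0x00000000u, ".text" },
        { 0x402000, 0x03481025u, 0x80000000u, ".rdata" },
        { 0x403000, 0x1e85e225u, 0x80000000u, ".data" },
        { 0x404000, 0x1db96025u, 0x80000000u, ".rsrc" },
    };

    printf("%-9s %-9s %-17s P RW U A D b9 b10 b11 NX PFN   kind\n", "VA", "PTE@phys", "raw");
    for (size_t i = 0; i < sizeof pages / sizeof pages[0]; i++) {
        uint64_t raw = pte_from_dd(pages[i].lo, pages[i].hi);
        pte_t p = pte_decode(raw);
        printf("%08llx  %08llx  %08x`%08x %d %d  %d %d %d %d  %d   %d   %d  %05llx %s (%s)\n",
               (unsigned long long)pages[i].va,
               (unsigned long long)pte_phys_addr(pt_base, pages[i].va),
               pages[i].hi, pages[i].lo,
               p.present, p.hw_writable, p.user, p.accessed, p.dirty,
               p.cow, p.proto, p.sw_write, p.nx,
               (unsigned long long)p.pfn, pte_section_kind(raw), pages[i].name);
    }

    /* Test one from the article: set bit 9 of the .rdata PTE (low dword at 1db69010). */
    printf("\n!ed %llx %08x   (bit 9 set; .rdata becomes writable)\n",
           (unsigned long long)pte_phys_addr(pt_base, 0x402000),
           pte_low_with_bit9(0x03481025u, true));
    return 0;
}
```

The decoder shows why the hardware R/W bit alone does not predict the outcome: it is clear for every one of the five pages, and the only differences are in bit 9 and bit 63. The same table also shows that bit 11 (Windows' software Write flag) is clear for .data, which is what you expect from an image section mapped copy-on-write rather than as private writable memory.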
