Ring3 bypass Windows Write-time replication mechanism to implement global eat hooks

Source: Internet
Author: User

When you inject into a process and place an EAT hook on ntdll, the hook only takes effect in that one process, even though every process maps exactly the same ntdll module. Windows does support a mechanism that lets two or more processes share one block of physical storage. However, the operating system marks such shared pages copy-on-write: when a process wants to modify a shared page, the operating system finds a free page, copies the modified page's contents into it, and then maps the virtual address to the new page. So if, before hooking, we find a way to remove the copy-on-write property from the page, a hook on ntdll installed from ring 3 has an effect similar to a ring 0 hook.

This article first analyses the implementation on x86.

First, let's look at how x86 translates a virtual address to a physical address; there is plenty of analysis and sample code on this topic online.

The classic x86 paging diagram illustrates the structure described next.

x86 memory management uses a two-level page table. A page table is contiguous and can be viewed as a one-dimensional array. How many bytes is each array entry? Not a fixed number: on 32-bit systems it is 4 bytes and on 64-bit systems 8 bytes, but 32-bit systems can also use 8-byte entries, which is called PAE (Physical Address Extension). PAE is in fact very similar, so we discuss the normal 4-byte case first.

In a 32-bit virtual address the high 20 bits correspond to a physical page and the low 12 bits are the offset within the page. With a 12-bit offset, one page is 2^12 = 4096 = 1000h bytes (the page size can also be changed, but that is not covered here). The 20-bit physical page number (abbreviated PFN, page frame number) plus the 12-bit offset make exactly 32 bits, so the total addressable memory is 2^32 = 4 GB; note that this is the limit of 32-bit addressing. A single page table mapping the whole 4 GB would need 2^20 entries, i.e. 4 MB. 4 MB of contiguous storage is too extravagant, so a two-level page table is used: the highest 10 bits are the page directory index, the next 10 bits the page table index, and the low 12 bits the in-page offset. The page directory has 2^10 = 1024 entries, and each page table it points to has 2^10 = 1024 entries. With 4-byte entries, the page directory and the page tables together occupy 1024*4 + 1024*1024*4 = 4 KB + 4 MB.

Address translation takes three steps (the low 12 bits of each entry are flags, see below, so they are masked off before the entry is used as an address):

    0x01: pde = PDBR[directory];                        // page directory entry, indexed by the high 10 bits
    0x02: pte = (pde & ~0xFFF) + table * 4;             // page table entry, indexed by the next 10 bits
    0x03: physicaladdress = (pte & ~0xFFF) + offset;    // offset = low 12 bits of the virtual address

Both the page directory and the page table store only the high 20 bits of the next-level page table's, or the page's, physical address. The reason is simple: a page table or a page must be 4 KB aligned so that it fits exactly in one page, so its low 12 bits are always 0. Therefore only the high 20 bits need to be stored, and the low 12 bits are free for other purposes.

The low 12 bits of a page table entry hold flag information. What do these flag bits mean?

P (bit 0) is the Present flag, which indicates whether the entry is valid for address translation: P=1 means valid, P=0 means invalid. If, during translation, the page directory or page table entry involved is invalid, an exception (page fault) is raised. When P=0 the remaining bits are free for the program's use, as shown in Figure 4-18b, since the entry is invalid anyway; for example, the operating system can use these bits to record where a page that has been written out to disk is stored.

R/W (bit 1) is the read/write flag. If it is 1, the page can be read, written or executed; if it is 0, the page is read-only (or executable). The R/W bit has no effect when the processor runs at supervisor privilege level (0, 1 or 2). The R/W bit in a page directory entry applies to all pages that entry maps.

U/S (bit 2) is the user/supervisor flag. If it is 1, programs running at any privilege level can access the page. If it is 0, the page can only be accessed by programs running at supervisor privilege level (0, 1 or 2). The U/S bit in a page directory entry applies to all pages that entry maps.

A (bit 5) is the accessed flag. For a page table entry, the processor sets this flag to 1 when it accesses the page that the entry maps. When the processor accesses any page mapped through a page directory entry, the flag in that page directory entry is set to 1. The processor only sets the flag; the operating system can measure page usage by periodically clearing it.

D (bit 6) is the dirty flag, meaning the page has been modified. When the processor performs a write to a page, the D flag of the corresponding page table entry is set. The processor does not modify the D flag in page directory entries.

AVL: this field is reserved for use by the program. The processor does not modify it, nor will later processor generations.

So bit 1 (R/W) of the page table entry decides whether the current physical page is writable. All that is needed is, before hooking, to hand the function address to a driver, resolve its page table entry, and set that entry's R/W bit to 1.
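To make the mechanism concrete, here is a small user-mode simulation of 32-bit non-PAE paging: the three translation steps above, the P, R/W, U/S, A and D bits, and a software copy-on-write handler of the kind the post attributes to Windows. This is an added example and not code from the post; the 16-frame "physical memory", the address 0x77E00000 and the two address spaces A and B are all constructed here. It runs the same write twice: once with the shared page read-only (copy-on-write intact) and once with R/W already set in A's page table entry.

```c
/* Simulated 32-bit x86 paging (non-PAE, 4 KB pages): the two-level walk from the
 * three steps above, honouring the P, R/W, U/S, A and D bits, plus a software
 * copy-on-write handler of the kind the post attributes to Windows. Added
 * example, not code from the post; the 16-frame "physical memory", the
 * address 0x77E00000 and the two address spaces are constructed here. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PAGE_SIZE 4096u
#define NFRAMES   16u            /* constructed: a tiny physical memory */
#define PTE_P     (1u << 0)      /* bit 0: present */
#define PTE_RW    (1u << 1)      /* bit 1: read/write (0 = read-only for user code) */
#define PTE_US    (1u << 2)      /* bit 2: user/supervisor */
#define PTE_A     (1u << 5)      /* bit 5: accessed */
#define PTE_D     (1u << 6)      /* bit 6: dirty */
#define PFN_MASK  0xFFFFF000u    /* high 20 bits: page frame number << 12 */

static uint8_t frames[NFRAMES][PAGE_SIZE];
static uint8_t frame_used[NFRAMES];

static uint8_t  *phys(uint32_t pa)  { return frames[pa >> 12] + (pa & 0xFFF); }
static uint32_t *entry(uint32_t pa) { return (uint32_t *)phys(pa); }

static int alloc_frame(void)
{
    for (uint32_t i = 0; i < NFRAMES; i++)
        if (!frame_used[i]) { frame_used[i] = 1; memset(frames[i], 0, PAGE_SIZE); return (int)i; }
    return -1;
}

/* The three translation steps. Returns 0 and fills *pa, or 1 = PDE not present,
 * 2 = PTE not present, 3 = user write to a read-only page (the page fault that
 * triggers copy-on-write). Sets A on a successful walk and D on a write. */
int translate(uint32_t pdbr, uint32_t va, int write, uint32_t *pa)
{
    uint32_t *pde = entry((pdbr & PFN_MASK) + ((va >> 22) & 0x3FF) * 4);   /* 0x01 */
    if (!(*pde & PTE_P)) return 1;
    uint32_t *pte = entry((*pde & PFN_MASK) + ((va >> 12) & 0x3FF) * 4);   /* 0x02 */
    if (!(*pte & PTE_P)) return 2;
    if (write && !(*pte & PTE_RW)) return 3;
    *pde |= PTE_A; *pte |= PTE_A;
    if (write) *pte |= PTE_D;
    *pa = (*pte & PFN_MASK) + (va & 0xFFF);                                  /* 0x03 */
    return 0;
}

/* Map va -> frame with the given low-12-bit flags, creating the page table on demand. */
int map_page(uint32_t pdbr, uint32_t va, uint32_t frame, uint32_t flags)
{
    uint32_t *pde = entry((pdbr & PFN_MASK) + ((va >> 22) & 0x3FF) * 4);
    if (!(*pde & PTE_P)) {
        int t = alloc_frame();
        if (t < 0) return -1;
        *pde = ((uint32_t)t << 12) | PTE_P | PTE_RW | PTE_US;
    }
    *entry((*pde & PFN_MASK) + ((va >> 12) & 0x3FF) * 4) = (frame << 12) | (flags & 0xFFF) | PTE_P;
    return 0;
}

/* Write one byte as the OS would: on a read-only fault the frame is copied and
 * the PTE repointed at the private copy. Returns 0 for a direct write, 1 when
 * a copy was made, -1 on error. */
int write_byte(uint32_t pdbr, uint32_t va, uint8_t value)
{
    uint32_t pa;
    int copied = 0, rc = translate(pdbr, va, 1, &pa);
    if (rc == 3) {
        uint32_t ro;
        int f = alloc_frame();
        if (f < 0 || translate(pdbr, va, 0, &ro) != 0) return -1;
        memcpy(frames[f], frames[ro >> 12], PAGE_SIZE);
        if (map_page(pdbr, va, (uint32_t)f, PTE_RW | PTE_US) != 0) return -1;
        rc = translate(pdbr, va, 1, &pa);
        copied = 1;
    }
    if (rc != 0) return -1;
    *phys(pa) = value;
    return copied;
}

/* Address spaces A and B share one frame at 0x77E00000 (a constructed
 * "ntdll-like" address). A writes 0xCC to it. With copy-on-write intact B still
 * reads the original 0x90; if A's PTE already has R/W set, the write lands in
 * the shared frame and B sees 0xCC too. Returns the byte B reads. */
uint8_t run_scenario(int rw_set_on_a)
{
    const uint32_t va = 0x77E00000u;
    uint32_t pa;
    memset(frame_used, 0, sizeof frame_used);
    uint32_t pdbr_a = (uint32_t)alloc_frame() << 12;
    uint32_t pdbr_b = (uint32_t)alloc_frame() << 12;
    uint32_t shared = (uint32_t)alloc_frame();
    frames[shared][0] = 0x90;
    map_page(pdbr_a, va, shared, PTE_US | (rw_set_on_a ? PTE_RW : 0));
    map_page(pdbr_b, va, shared, PTE_US);
    write_byte(pdbr_a, va, 0xCC);
    return translate(pdbr_b, va, 0, &pa) == 0 ? *phys(pa) : 0;
}

int main(void)
{
    printf("CoW intact:   B reads 0x%02X\n", run_scenario(0));   /* 0x90 */
    printf("R/W set on A: B reads 0x%02X\n", run_scenario(1));   /* 0xCC */
    return 0;
}
```

The only difference between the two runs is a single PTE bit, which is what the post's driver flips on the real page table. From the defender's side this is also the tell: a write that goes through leaves the shared image frame itself modified and its PTE dirty, so a check that compares ntdll's export table in memory against the module on disk will show the patch in every process rather than only in the injected one.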

Determine whether PAE is enabled, compute the PDE and PTE addresses, and then set the R/W flag of the PTE(s). This is the driver-side code from the post, restored from the garbled copy; the shift counts (18 and 20 for the PDE, 10 for the non-PAE PTE) were lost in the copy and are reconstructed from the masks and the standard Windows page-table self-map bases 0xC0600000/0xC0300000 and 0xC0000000, and the original compared the two validity flags instead of the two PTE addresses.

    #include <ntddk.h>

    // pMem: first byte of the 5-byte hook patch in ntdll
    NTSTATUS DisableCopyOnWrite(PVOID pMem)
    {
        NTSTATUS status = STATUS_UNSUCCESSFUL;
        BOOLEAN  pae, bPDEb, bPTEb, bPDE, bPTE;
        ULONG    ulPDEb, ulPTEb, ulPDE, ulPTE;

        pae = ExIsProcessorFeaturePresent(PF_PAE_ENABLED);
        if (pae == TRUE)
        {
            DbgPrint("PAE page mode.\n");
            // Compute the PDE and PTE addresses under PAE paging and check whether
            // the start and end of the range to be modified lie on the same page.
            // Start of the range:
            ulPDEb = ((((ULONG)pMem) >> 18) & 0x3ff8) + 0xc0600000;
            ulPTEb = ((((ULONG)pMem) >> 9) & 0x7ffff8) + 0xC0000000;
            bPDEb  = MmIsAddressValid((PVOID)ulPDEb);
            bPTEb  = MmIsAddressValid((PVOID)ulPTEb);
            // End of the range:
            ulPDE = ((((ULONG)pMem + 5) >> 18) & 0x3ff8) + 0xc0600000;
            ulPTE = ((((ULONG)pMem + 5) >> 9) & 0x7ffff8) + 0xC0000000;
            bPDE  = MmIsAddressValid((PVOID)ulPDE);
            bPTE  = MmIsAddressValid((PVOID)ulPTE);
            if (bPDEb && bPTEb && bPDE && bPTE)
            {
                DbgPrint("PDE (%d): 0X%08X-0x%08x\n", bPDEb, ulPDEb, *(PULONG)ulPDEb);
                DbgPrint("PTE (%d): 0X%08X-0x%08x\n", bPTEb, ulPTEb, *(PULONG)ulPTEb);
            }
            else
                return STATUS_UNSUCCESSFUL;
        }
        else
        {
            DbgPrint("Non PAE page mode.\n");
            // Compute the PDE and PTE addresses under non-PAE paging
            ulPDEb = ((((ULONG)pMem) >> 20) & 0xFFC) + 0xc0300000;     // page directory (CR3 self-map)
            ulPTEb = ((((ULONG)pMem) >> 10) & 0x3FFFFC) + 0xC0000000;
            bPDEb  = MmIsAddressValid((PVOID)ulPDEb);
            bPTEb  = MmIsAddressValid((PVOID)ulPTEb);
            ulPDE = ((((ULONG)pMem + 5) >> 20) & 0xFFC) + 0xc0300000;
            ulPTE = ((((ULONG)pMem + 5) >> 10) & 0x3FFFFC) + 0xC0000000;
            bPDE  = MmIsAddressValid((PVOID)ulPDE);
            bPTE  = MmIsAddressValid((PVOID)ulPTE);
            if (bPDEb && bPTEb && bPDE && bPTE)
            {
                DbgPrint("PDE (%d): 0X%08X-0x%08x\n", bPDEb, ulPDEb, *(PULONG)ulPDEb);
                DbgPrint("PTE (%d): 0X%08X-0x%08x\n", bPTEb, ulPTEb, *(PULONG)ulPTEb);
            }
            else
                return STATUS_UNSUCCESSFUL;
        }

        // Set the R/W bit (bit 1) of the PTE: this cancels copy-on-write for the page
        if (ulPTE == ulPTEb)        // both ends of the patch lie in the same page
        {
            *(PULONG)ulPTEb |= 0x00000002;
            DbgPrint("The copy-on-write attrib in address 0X%08X has been forbidden!\n", pMem);
            status = STATUS_SUCCESS;
        }
        else                        // the patch straddles a page boundary: set both PTEs
        {
            *(PULONG)ulPTEb |= 0x00000002;
            *(PULONG)ulPTE  |= 0x00000002;
            DbgPrint("The copy-on-write attrib has been forbidden!\n");
            status = STATUS_SUCCESS;
        }
        return status;
    }


Once the PTE flag bit is set to 1, the ntdll hook installed from ring 3 takes effect system-wide. Do not forget to restore the page attributes after the hook is in place.

