A forum for reverse engineering, OS internals and malware analysis 

Ask your beginner questions here.
 #24791  by QQemka
 Thu Jan 01, 2015 7:52 pm
Hello. I started learning Windows drivers a few days ago and I must say I have great fun with it. I managed to hide processes and do some other basic stuff; now I decided to create a memory cloaking driver.

I am following tutorials I found on the internet but I cannot make it work:

http://web.engr.illinois.edu/~kingst/sp ... ection.txt
http://resources.infosecinstitute.com/t ... addresses/

First I have to translate virtual memory from the chosen process into physical, right? So I'm getting the EPROCESS structure with PsLookupProcessByProcessId. Then I read DirectoryTableBase = 0x07D61000 from the structure (cr3=0x0018500). Moving on, I am trying to read the contents of this address, which causes a crash. I read somewhere that it's because there is nothing under this virtual address, cr3 is physical; well, I'm confused. By the way, in a kernel driver, using *(ULONG*)Address, do I read physical memory directly or virtual? Patching the LIST_ENTRY structure to hide a process worked globally, so I thought it writes directly to physical memory, but after some tries I'm really confused about what really happens; I can't find good tutorials on the internet. How do I deal with this problem? How do I read or write physical memory then?

Thanks in advance
 #24802  by QQemka
 Fri Jan 02, 2015 10:58 pm
I am updating my post hoping someone can help.
I opened notepad.exe as a test app. In WinDbg I found its KPROCESS, and also the Page Directory Base ( +0x018 DirectoryTableBase : 0xce811860 ). Then I use !dd 0xce811860 with this result:

#ce811860 26473801 00000000 26304801 00000000
#ce811870 2957d801 00000000 25fae801 00000000
#ce811880 2a8e1801 00000000 8c592801 00000000
#ce811890 7547b801 00000000 ad8cc801 00000000

which indeed looks like a Page Directory, yes? So, I found some random address in notepad.exe; under address 0x3FC000 there is the value "25". Now I split my address to get Page Directory Index, Page Table Index, and Byte Offset. They are 0 (12 bits), 0x3F0 (next 12 bits), 0 (10 bits), respectively. Now I am stuck because I do not know what to do.

By the way, using "!dd address" I can see a physical memory dump. When I use *(ULONG*)Address in a kernel driver I get a bluescreen PAGE_FAULT_IN_NONPAGED_AREA. Can someone explain in detail how those tables work, or supply me with simple code translating a selected process's virtual address into a physical one?
 #24803  by r2nwcnydc
 Sat Jan 03, 2015 1:03 am
How are you trying to read the memory? Virtual memory is per process, so if you are in a process context that is different from notepad.exe's, you'd first need to switch to that process's context. Once you've done that, you cannot guarantee that the memory will always be paged in, so you have to force the memory to be mapped.

Can you post your code? That would help us figure out what you are doing wrong.

Take a look at KeStackAttachProcess and MmProbeAndLockPages.
 #24804  by QQemka
 Sat Jan 03, 2015 1:54 am
Thanks for the tips. I am going to sleep right now, so I'm unable to share code. What I'm trying to finally achieve is something described in Greg Hoglund's PDF "Hacking World of Warcraft", where he cloaks memory from being read by the user while it executes normally, manipulating pages to inject code, doing tricks with breakpoints; it is sooo cool, that's why I want to learn and understand it. I have to start from somewhere, on those darned page tables. I know some theory, I wrote many programs in WinAPI dealing with memory, but I'm totally new to kernel programming.
 #24810  by Vrtule
 Sat Jan 03, 2015 1:04 pm
Hello,

You cannot read a physical address directly. AFAIK all processor instructions work only with virtual addresses (if protected mode and paging are enabled). Yes, CR3 contains the physical address of the root page table for the current process.

I seem not to understand the way you extract indices to the individual page tables from a given virtual address. The number of page table levels and the number of their entries depend on several variables. Just to show some examples:
Code:
// 32bit, no PAE, no PSE
Page directory index: 10 bits
Page table index: 10 bits (part of the Offset for large pages)
Offset: 12 bits

// 32bit, PAE
Page directory pointer table index : 2 bits
Page directory index: 9 bits
Page table index: 9 bits (part of the Offset for large pages)
Offset: 12 bits

// 64bit
No meaning: 16 bits
Page map level 4 index: 9 bits
Page directory pointer table index: 9 bits
Page directory index: 9 bits
Page table index: 9 bits
Offset: 12 bits
Look at Intel's manuals for more details about paging, page tables and the various options related to this stuff.
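The three layouts above are fixed by the paging mode, so a 12/12/10 split (as in the earlier post) does not correspond to any of them; note also that the !dd output earlier in the thread shows 8-byte entries, which is what the PAE and x64 layouts use, while non-PAE entries are 4 bytes. The following is an added example written for this page, not code from the thread or from the linked tutorials: it splits a virtual address into the index fields for each of the three modes and then walks a set of constructed 32-bit non-PAE page tables held in a byte array that stands in for physical RAM (in a real driver the frames behind CR3 would have to be mapped first, since the CPU only dereferences virtual addresses, which is exactly why *(ULONG*)DirectoryTableBase faults). The table contents, the VA 0x003FC000 and the byte 0x25 are constructed to mirror the values mentioned in the thread; the large page at 0x00400000 is an assumption added to show the PS-bit case.

```c
/* Added example, not code from the thread: split a VA into page-table
 * indices (no-PAE, PAE, x64) and walk constructed 32-bit non-PAE tables
 * stored in a fake physical-memory buffer. Compile: cc -std=c99 paging.c */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef struct {            /* index fields of a VA; unused ones stay 0 */
    unsigned pml4;          /* x64 only: 9 bits                          */
    unsigned pdpt;          /* PAE: 2 bits, x64: 9 bits                  */
    unsigned pd;            /* no-PAE: 10 bits, PAE/x64: 9 bits          */
    unsigned pt;            /* no-PAE: 10 bits, PAE/x64: 9 bits          */
    unsigned offset;        /* 12 bits inside a 4 KiB page               */
} VaIndices;

VaIndices split_va_32(uint32_t va)       /* 32-bit, no PAE: 10/10/12 */
{
    VaIndices r = {0};
    r.pd = (va >> 22) & 0x3FFu;
    r.pt = (va >> 12) & 0x3FFu;
    r.offset = va & 0xFFFu;
    return r;
}

VaIndices split_va_pae(uint32_t va)      /* 32-bit PAE: 2/9/9/12 */
{
    VaIndices r = {0};
    r.pdpt = (va >> 30) & 0x3u;
    r.pd = (va >> 21) & 0x1FFu;
    r.pt = (va >> 12) & 0x1FFu;
    r.offset = va & 0xFFFu;
    return r;
}

VaIndices split_va_64(uint64_t va)       /* x64: 16 sign bits, then 9/9/9/9/12 */
{
    VaIndices r = {0};
    r.pml4 = (va >> 39) & 0x1FFu;
    r.pdpt = (va >> 30) & 0x1FFu;
    r.pd = (va >> 21) & 0x1FFu;
    r.pt = (va >> 12) & 0x1FFu;
    r.offset = va & 0xFFFu;
    return r;
}

/* ---- constructed "physical memory" and a 32-bit non-PAE walk ---- */
#define PHYS_SIZE   (64u * 1024u)       /* 16 fake 4 KiB frames */
#define PTE_PRESENT 0x001u              /* bit 0: entry is valid */
#define PDE_LARGE   0x080u              /* bit 7 (PS): 4 MiB page, no page table */
#define NOT_PRESENT 0xFFFFFFFFu
static uint8_t phys[PHYS_SIZE];

static int read_phys32(uint32_t pa, uint32_t *out)   /* bounds-checked 4-byte read */
{
    if (pa > PHYS_SIZE - 4) return 0;
    memcpy(out, phys + pa, 4);
    return 1;
}

/* CR3 -> PDE -> PTE -> frame. Returns the PA, or NOT_PRESENT if a level is absent. */
uint32_t walk_32(uint32_t cr3, uint32_t va)
{
    VaIndices ix = split_va_32(va);
    uint32_t pde, pte;
    if (!read_phys32((cr3 & ~0xFFFu) + ix.pd * 4, &pde) || !(pde & PTE_PRESENT))
        return NOT_PRESENT;
    if (pde & PDE_LARGE)                 /* PT index becomes part of a 22-bit offset */
        return (pde & 0xFFC00000u) | (va & 0x003FFFFFu);
    if (!read_phys32((pde & ~0xFFFu) + ix.pt * 4, &pte) || !(pte & PTE_PRESENT))
        return NOT_PRESENT;
    return (pte & ~0xFFFu) | ix.offset;
}

/* Constructed tables: PD at PA 0x1000, one PT at 0x2000, a data frame at 0x3000.
 * VA 0x003FC000 -> PA 0x3000 holding the byte 0x25 (modelled on the thread);
 * VA 0x00400000-0x007FFFFF is an assumed 4 MiB large page at PA 0x00400000. */
uint32_t build_tables_32(void)
{
    uint32_t cr3 = 0x1000u, e;
    memset(phys, 0, sizeof phys);
    e = 0x2000u | PTE_PRESENT;                 memcpy(phys + 0x1000u + 0u * 4, &e, 4);     /* PD[0] -> PT   */
    e = 0x3000u | PTE_PRESENT;                 memcpy(phys + 0x2000u + 0x3FCu * 4, &e, 4); /* PT[0x3FC]     */
    e = 0x00400000u | PDE_LARGE | PTE_PRESENT; memcpy(phys + 0x1000u + 1u * 4, &e, 4);     /* PD[1] large   */
    phys[0x3000u] = 0x25;
    return cr3;
}

uint32_t translate_demo(uint32_t va)     /* build the tables, then translate va */
{
    return walk_32(build_tables_32(), va);
}

int main(void)
{
    uint32_t va = 0x003FC000u, pa = translate_demo(va);
    VaIndices ix = split_va_32(va);
    printf("VA %08lX: PD idx %u, PT idx 0x%X, offset 0x%X\n", (unsigned long)va, ix.pd, ix.pt, ix.offset);
    printf("-> PA %08lX, byte there = 0x%02X\n", (unsigned long)pa, phys[pa]);
    printf("VA 00401234 -> PA %08lX (large page)\n", (unsigned long)translate_demo(0x00401234u));
    printf("VA 00800000 -> %s\n", translate_demo(0x00800000u) == NOT_PRESENT ? "not present" : "mapped");
    return 0;
}
```

The walk checks the Present bit at every level and returns NOT_PRESENT instead of dereferencing a zero entry; a driver that skipped that check on a real table would take exactly the kind of page fault reported above. The large-page branch shows why Vrtule marks the page table index as "part of the Offset for large pages": with PS set there is no second level, and the low 22 bits of the VA are the offset into the 4 MiB frame.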
 #24814  by QQemka
 Sat Jan 03, 2015 2:25 pm
Yes, I read about the PAE, x32 and x64 differences. Do those pages reside inside every process? I don't understand what information DirectoryTableBase from the KPROCESS structure gives me. I read it from the selected process and what then? In the last example notepad.exe had it at address 0xce811860; how can I dig inside it? Is it a virtual address inside the process so I must somehow attach to it? I already tried to read it in my kernel driver using a simple *(ULONG*)0xce811860 but it doesn't work. Clearly, I miss something.
 #24823  by QQemka
 Sun Jan 04, 2015 12:33 am
So I looked at KeStackAttachProcess. I created this code inside my driver (I cut this part; it compiles and works). So it seems like I am attached to the thread context, right? How can I read memory from the process now? I tried the "classic way", which is *(UINT*)Address, but it does not work.

PEPROCESS pEProc = NULL;
HANDLE ProcessHandle = NULL;
OBJECT_ATTRIBUTES ObjectAttributes;
CLIENT_ID ClientId = { (HANDLE)procId, NULL };
KAPC_STATE ApcState;
NTSTATUS NtStatus;
ULONG dwEProcAddr, temp;
PVOID UserAddress = (PVOID)0x3FC000;   // hypothetical: the VA in the target to read (the one found in WinDbg)

if (NT_SUCCESS(PsLookupProcessByProcessId((HANDLE)procId, &pEProc))) {
    DbgPrint("EPROCESS found. Address: %08lX.\n", pEProc);
    dwEProcAddr = (ULONG)pEProc;
    // Fixed offset into the opaque KPROCESS (DISPATCHER_HEADER, then ProfileListHead);
    // it differs between Windows builds, check "dt nt!_KPROCESS" in WinDbg.
    DbgPrint("DirectoryTableBase found: %08lX.\n",
             *(ULONG*)(dwEProcAddr + sizeof(DISPATCHER_HEADER) + sizeof(LIST_ENTRY)));

    InitializeObjectAttributes(&ObjectAttributes, NULL, OBJ_KERNEL_HANDLE, NULL, NULL);
    NtStatus = ZwOpenProcess(&ProcessHandle, PROCESS_ALL_ACCESS, &ObjectAttributes, &ClientId);
    if (NT_SUCCESS(NtStatus)) {
        DbgPrint("Success opening process\n");
        KeStackAttachProcess(pEProc, &ApcState);   // the target's user-mode VAs are now in scope
        DbgPrint("Seems like attached\n");
        // Here I would like to read memory from my process. The page may be
        // unmapped or paged out, so probe it and catch the fault instead of bugchecking.
        __try {
            ProbeForRead(UserAddress, sizeof(ULONG), sizeof(ULONG));
            temp = *(ULONG*)UserAddress;
            DbgPrint("Read %08lX at %p\n", temp, UserAddress);
        } __except (EXCEPTION_EXECUTE_HANDLER) {
            DbgPrint("Read failed: %08lX\n", GetExceptionCode());
        }
        KeUnstackDetachProcess(&ApcState);
        DbgPrint("Over\n");
        ZwClose(ProcessHandle);
    }
    ObDereferenceObject(pEProc);   // PsLookupProcessByProcessId took a reference
}