I am trying to peek at the user mode memory of another process silently through 100% page table manipulation. Absolutely no API call. Wondering if anyone else has done something similar. The method is outlined in this paper:
http://dfrws.org/2013/proceedings/DFRWS2013-13.pdf
In short, it is about manipulating the page table entry (PTE) of a virtual memory address allocated by us so that the PTE points to whichever physical page we would like to peek at. The idea is simple, but there are some difficulties:
As described in the paper, private non-paged memory allocated by us is required so that Windows won't complain when we tamper with its PTE. But a normal non-paged pool allocation is not suitable, as it uses the large page size. The author suggested using a static char array within the driver's binary for this purpose. But for me, I don't want to keep a driver resident in memory. My driver starts a system thread running my code and is then unloaded. So there is no way to get the required small-page-size non-paged memory by using non-paged memory embedded in my driver.
Without a source of small-page-size non-paged memory, I did try using memory allocated from the paged pool instead, which is always small page size. My method to prevent paging issues is to reference the paged memory once first, then quickly change its PTE to point to the target memory I want to peek at, then restore the PTE back to the original value, hoping that due to the LRU algorithm the paged memory won't be paged out while its virtual address's PTE has its value tampered with by me (pointing to the target physical page I want to peek at). But my attempt still introduces some instability when Windows is removing aged paged memory from the system.
My questions: 1) Is there any way to allocate memory from the non-paged pool that uses the small page size? 2) Are there any other reference materials available describing similar attempts?