A forum for reverse engineering, OS internals and malware analysis 

does windows map kernel to 0x00000000 in physics addr ?

Forum for discussion about kernel-mode development.

does windows map kernel to 0x00000000 in physics addr ?

 #10162  by xpoy
 Mon Dec 05, 2011 8:51 pm
This is a newbie, or a stupid question.

when it's newbie, then I'm complete no knowledge in what the physics memory, when it's stupid, then I'm confused by this things:
Code: Select all
  pRealPsSetLoadImageNotifyRoutine = (BYTE *)((BYTE *)pPsSetLoadImageNotifyRoutine - (BYTE *)hNtOs_Module);
  pRealPsSetLoadImageNotifyRoutine = (BYTE *)((BYTE *)(PSYSTEM_MODULE_INFORMATION)pSysModuleInfo->Base + (DWORD)pRealPsSetLoadImageNotifyRoutine);
...
  __asm
  {
    and pRealPsSetLoadImageNotifyRoutine, 7FFFFFFFh
  }
...
  dwRet = pZwSystemDebugControl(DebugCopyPhyMemory_0, &structMemory, sizeof(MemoryChunk), 0, 0, &dwReturnLength);
that DebugCopyPhyMemory_0 equ 10 in the orginal code, very sure

this is the code that someone public in old time, what he want do is clean hook in PsSetLoadImageNotifyRoutine, operate mem by ZwSystemDebugControl
the point is about pRealPsSetLoadImageNotifyRoutine, why, how he del the addr by 0x80000000?!and then how he be this sure to be treat as the corresponding physics addr?
I'm not a kernel devloper : |, in seriouse the only my idea about ZwSystemDebugControl is it able to access physics mem, and kernel memory
My feel is total what up, after 5 hours google+ windbg(start from 11:00 pm), I do't get the point, why it work, by delete 0x80000000 to be a physics addr. Doesn't the addr that paged, will be the addr that where it locale in real memory? or after paged, it still was in the addr that os can control? does windows map its kernel in 0x00000000, in this case?
Sry for my bad english, as well

Re: does windows map kernel to 0x00000000 in physics addr ?

 #10174  by Alex
 Tue Dec 06, 2011 10:55 am
PHYSICAL_ADDRESS is a quad-word (64 bits). At the beginning i wanted to
join with the article the analysis of the assembly code but it's too long.
And as address translation is sort of generic (cpu relative) i only go fast
on this subject.

The low part of the quad-word is passed in eax and the high part in edx.
For virtual to physical address translation we have 2 cases:

* case 0x80000000 <= BaseAddress < 0xA0000000:
the only thing we need to do is to apply a 0x1FFFF000 mask to the virtual
address.

* case BaseAddress < 0x80000000 && BaseAddress >= 0xA0000000
This case is a problem for us as we have no way to translate addresses in
this range because we need to read cr3 register or to run non ring3
callable assembly instruction. For more information about Paging on Intel
arch take a look at Intel Software Developer's Manual Volume 3 (see [5]).
EliCZ told me that by his experience we can guess a physical address for
this range by masking the byte offset and keeping a part of the page
directory index. mask: 0xFFFF000.

We can know produce a light version of MmGetPhysicalAddress()

PHYSICAL_MEMORY MyGetPhysicalAddress(void *BaseAddress) {
if (BaseAddress < 0x80000000 || BaseAddress >= 0xA0000000) {
return(BaseAddress & 0xFFFF000);
}
return(BaseAddress & 0x1FFFF000);
}

The problem with the addresses outside the [0x80000000, 0xA0000000] is that
they can't be guessed with a very good sucess rate.
That's why if you want good results you would rather call the real
MmGetPhysicalAddress(). We will see how to do that in few chapter.
Playing with Windows /dev/(k)mem

So in this case this operation
Code: Select all
and pRealPsSetLoadImageNotifyRoutine, 7FFFFFFFh
should give same result as:
Code: Select all
and pRealPsSetLoadImageNotifyRoutine, 1FFFF000h

Re: does windows map kernel to 0x00000000 in physics addr ?

 #10178  by xpoy
 Tue Dec 06, 2011 1:39 pm
at first, great ths for your fast reply, and sry for I delay replay, because I read the article.

so now I explain this to myself like, this is just a risk, it just a lucky job at all.
This really annoy my up, by how it can worked!

And I' have more question in this case.

Just my guess, as I know system will map ntkrnl.exe and hal.dll in os-loader, and the load is done in real mode, load in start of physics addr. So, would system simple map those memory, which used in loader, map them to 0x8000000+ themself?
And then, just if the start of physics addr isn't assign to memory, maybe some graphics memory? It surly will simple crash in this way, can this error physics memory addr possable actual occur?
great ths for you reply me, cheer up, you really relex me down by the answer :P
 Return to “Kernel-Mode Development”