problem hooking page fault handler on x64


wavec
May 26th, 2013, 11:06
Hi all, I'm writing an Olly plugin that uses a driver to hook functions and other stuff. I've successfully hooked some ISRs and the plugin works fine, but when I try to hook int 0e (the page fault handler) it gives me some problems.
Is there something different in that routine?
Thanks.

Kayaker
May 26th, 2013, 13:09
Hi

You can take a look at the source code of Ollybone (Joe Stewart) as well as the ShadowWalker POC (Sherri Sparks/Jamie Butler) that the Olly plugin is somewhat based on. Both use page fault hooks.

What kind of problems are you having?

Sorry, I just noticed you mentioned this is on x64, that might be a whole new issue and one I'm not familiar with.

wavec
May 27th, 2013, 07:13
Hi, yes, indeed I have seen that there are several differences from x86 to x64. The problem is that sometimes I get a bugcheck (access violation) from user land that crashes the system; to me it seems that it doesn't swap context from kernel mode to user mode.
I use code similar to this:
Code:

push registers            ; save every GPR that myfunction may clobber
mov rax, cr2              ; faulting linear address: read it before sti, since
push rax                  ;   a later #PF (or a context switch) would overwrite CR2
test [rsp+..], 1          ; low bit of the saved CS: 0 = came from kernel, 1 = from user
je dns                    ; kernel: GS already holds the kernel base
swapgs                    ; user: switch to the kernel GS base
dns:
sti
call myfunction
cli
test [rsp+..], 1          ; same CS check before leaving
je dns2
swapgs                    ; restore the user GS base
dns2:
pop rax
mov cr2, rax              ; hand the original faulting address to the old handler
pop registers
jmp oldhandler

Since the error appears only occasionally, could it depend on the values of EFLAGS or of some segment register?

wavec
June 7th, 2013, 10:40
I have solved it: the problem was that I didn't save the CR2 register at the beginning of the routine.

Indy
June 7th, 2013, 16:32
This "informative" register.

The problem is in the T-frame.

wavec
June 8th, 2013, 07:05
Hi Indy, now that the handler works, I would like to change the protection flags of a user memory address (from the kernel). Do you know how I could do that?

Indy
June 8th, 2013, 13:21
Yes, but I will not say. Modifying CR3 is a dirty hack. Anything more complex is not available to you, as I understand it )

wavec
June 8th, 2013, 14:10
I think I misunderstood your previous message (I do not understand English very well).
Why shouldn't my handler work?
I save the CR2 register at the beginning of the routine and then put it back in the register at the end of the routine, so that the original handler can handle the page fault.

disavowed
June 11th, 2013, 08:22
Quote:
Originally posted by wavec:
I would like to change the protection flags of a user memory address (from the kernel). Do you know how I could do that?

MmProtectMdlSystemAddress()

wavec
June 11th, 2013, 11:18
Thank you for your answer, but I prefer to modify the PTE because MmProtectMdlSystemAddress doesn't work with USER_SHARED_DATA.
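As an added example (not code from the thread or from any of its posters), the following user-space C program shows what "modify the PTE" of a user address amounts to on x64: walk the four paging levels indexed by 9-bit slices of the virtual address, locate the leaf PTE, and toggle its R/W and NX bits. The page-table image, the fake CR3 value and the physical-to-virtual mapping are constructed so the walk runs outside a driver; in a driver the same bit operations are applied to the live PTE and must be followed by a TLB invalidation (INVLPG) on every processor that may have cached the old translation.

```c
/* Added example: x64 4-level page-table walk and PTE protection change,
 * run against a constructed page-table image in user space. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PTE_P        (1ULL << 0)   /* present */
#define PTE_RW       (1ULL << 1)   /* writable */
#define PTE_US       (1ULL << 2)   /* accessible from CPL 3 */
#define PTE_PS       (1ULL << 7)   /* large page (2M/1G) when set in a PDE/PDPTE */
#define PTE_NX       (1ULL << 63)  /* no-execute */
#define PTE_PFN_MASK 0x000FFFFFFFFFF000ULL

/* Constructed "physical memory": four 4K tables (PML4, PDPT, PD, PT).
 * Table i lives at fake physical address i * 0x1000. */
static uint64_t phys[4][512];
#define FAKE_CR3 0x0000ULL         /* assumption: PML4 at fake physical 0 */

static uint64_t *phys_to_virt(uint64_t pa)
{
    return (uint64_t *)((uint8_t *)phys + (pa & PTE_PFN_MASK));
}

/* Build a hierarchy mapping one 4K user page at `va` as read-only and NX.
 * Upper levels are RW+US: the effective permission is the AND of all
 * levels, so a leaf change only has an effect if the upper entries allow it. */
static uint64_t build_tables(uint64_t va)
{
    memset(phys, 0, sizeof phys);
    phys[0][(va >> 39) & 0x1FF] = 0x1000 | PTE_P | PTE_RW | PTE_US;
    phys[1][(va >> 30) & 0x1FF] = 0x2000 | PTE_P | PTE_RW | PTE_US;
    phys[2][(va >> 21) & 0x1FF] = 0x3000 | PTE_P | PTE_RW | PTE_US;
    phys[3][(va >> 12) & 0x1FF] = 0x7E000 | PTE_P | PTE_US | PTE_NX; /* fake PFN */
    return FAKE_CR3;
}

/* Return the leaf PTE mapping `va`, or NULL on a non-present entry.
 * Large pages are reported as unmapped here: changing the protection of
 * one 4K page inside them requires splitting the large page first. */
static uint64_t *walk(uint64_t cr3, uint64_t va)
{
    uint64_t *table = phys_to_virt(cr3);
    for (int level = 3; level >= 0; level--) {
        unsigned idx = (unsigned)((va >> (12 + 9 * level)) & 0x1FF);
        uint64_t e = table[idx];
        if (!(e & PTE_P))
            return NULL;
        if (level == 0)
            return &table[idx];
        if (e & PTE_PS)
            return NULL;
        table = phys_to_virt(e);
    }
    return NULL;
}

/* 1 if the page is writable, 0 if read-only, -1 if not mapped. */
static int page_is_writable(uint64_t cr3, uint64_t va)
{
    uint64_t *pte = walk(cr3, va);
    return pte ? ((*pte & PTE_RW) != 0) : -1;
}

/* 1 if the page is executable, 0 if NX, -1 if not mapped. */
static int page_is_executable(uint64_t cr3, uint64_t va)
{
    uint64_t *pte = walk(cr3, va);
    return pte ? ((*pte & PTE_NX) == 0) : -1;
}

/* Change R/W and NX of the 4K page containing `va`. 0 on success, -1 if unmapped. */
static int set_page_prot(uint64_t cr3, uint64_t va, int writable, int executable)
{
    uint64_t *pte = walk(cr3, va);
    if (!pte)
        return -1;
    uint64_t e = *pte;
    e = writable   ? (e | PTE_RW) : (e & ~PTE_RW);
    e = executable ? (e & ~PTE_NX) : (e | PTE_NX);
    *pte = e;
    /* Real hardware: INVLPG on this va on every CPU that may cache it. */
    return 0;
}

int main(void)
{
    uint64_t va = 0x00007FF6A0001000ULL;          /* constructed user address */
    uint64_t cr3 = build_tables(va);
    printf("before: rw=%d x=%d\n", page_is_writable(cr3, va), page_is_executable(cr3, va));
    set_page_prot(cr3, va, 1, 0);
    printf("after:  rw=%d x=%d\n", page_is_writable(cr3, va), page_is_executable(cr3, va));
    return 0;
}
```

The walk only touches the leaf; a real driver on the page fault path also has to worry about the accessed/dirty bits, about PTEs the memory manager may be in the middle of changing, and about other cores that still hold the old translation in their TLBs.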