Hey Carl,
The vad.u.VadFlags.Protection is just the *original* protection applied to all pages in the range allocated with VirtualAlloc. For example, you can VirtualAlloc(addr, size, MEM_RESERVE, PAGE_NOACCESS) and the corresponding vad.u.VadFlags.Protection will show PAGE_NOACCESS. But later you can use VirtualAlloc again with MEM_COMMIT to commit one or more pages in the range, specifying different protections for each page, or you can just use VirtualProtect() to change a protection (which does not update vad.u.VadFlags.Protection). So vad.u.VadFlags.Protection is just the original protection for all pages in the range when initially reserved or committed, not the current protection. For the current protection of each page, check the PTE like you're already doing.
MHL
On Tue, Apr 16, 2013 at 1:58 AM, Carl Pulley <c.pulley(a)acme-labs.org.uk> wrote:
Dear all,
I was hoping that someone might be able to clear up a query I have wrt
Windows memory and how it handles memory pages (specifically information
regarding the pages' executable permissions). I'm assuming that PAE is in
use here.
The idea is that we have some page (holding virtual address addr) within a
process's address space and wish to know if that page is executable.
Within user space, we can use the VADs and obtain executable information
via vad.u.VadFlags.Protection - vadinfo.PROTECT_FLAGS allows the returned
value (as an int) to be converted into a string representation.
Within kernel space, we can use the PTE to determine information regarding
the page's exec status - for example:
def get_page_nx_bit(addrspace, addr):
    # Walk the PAE paging hierarchy (PDPTE -> PDE -> PTE) for this address;
    # assumes a 4 KB page (a 2 MB large page has no PTE; its NX bit is bit 63 of the PDE)
    pdpte = addrspace.get_pdpte(addr)
    pde = addrspace.get_pde(addr, pdpte)
    pte = addrspace.get_pte(addr, pde)
    if not pte:  # read failed (None/NoneObject) or empty entry: nothing to inspect
        return None
    # Bit 63 of a PAE entry is the NX (execute-disable) bit
    return pte >> 63
gets the NX bit for the PTE associated with a given page address.
Now, in comparing bit 63 of the PTE entries against the VAD protection
permissions in user space, I'm noticing the occasional difference. Naively,
I'd expected the PTEs to agree with the protection information on the VADs
(within user space).
Any help or pointers to information resolving the above is very much
appreciated.
Many thanks,
Carl.
_______________________________________________
Vol-users mailing list
Vol-users(a)volatilityfoundation.org
http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
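The comparison Carl describes and the stale-VAD explanation MHL gives, worked through as an added example in plain Python (this is not code from the thread or from Volatility): it decodes the VAD's original protection index and a PAE PTE's current NX bit and reports where the two disagree, treating a non-present PTE as having no usable NX bit. The MM_* index-to-name table follows the names vadinfo.PROTECT_FLAGS uses for indices 0-7; the PTE values are constructed, not taken from a real dump.

```python
# Low three bits of vad.u.VadFlags.Protection are the MM_* access rights
# (the names vadinfo.PROTECT_FLAGS gives for indices 0-7); the higher bits
# are modifiers (nocache, guard) and do not change executability.
MM_PROTECT_NAMES = {
    0: "PAGE_NOACCESS", 1: "PAGE_READONLY",
    2: "PAGE_EXECUTE", 3: "PAGE_EXECUTE_READ",
    4: "PAGE_READWRITE", 5: "PAGE_WRITECOPY",
    6: "PAGE_EXECUTE_READWRITE", 7: "PAGE_EXECUTE_WRITECOPY",
}
PTE_PRESENT = 1 << 0   # bit 0: hardware PTE is valid
PTE_NX = 1 << 63       # bit 63: execute-disable in the PAE/x64 entry format

def vad_protection_name(protection):
    # Access rights recorded in the VAD when the range was first reserved/committed
    return MM_PROTECT_NAMES[protection & 0x7]

def vad_is_executable(protection):
    return "EXECUTE" in vad_protection_name(protection)

def pte_is_executable(pte):
    # None when the page is not present: Windows' software PTE formats for
    # non-present pages store protection elsewhere, so bit 63 is not reliably NX.
    if not (pte & PTE_PRESENT):
        return None
    return not (pte & PTE_NX)

def classify(vad_protection, pte):
    # Compare the VAD's original protection with the page's current protection
    pte_exec = pte_is_executable(pte)
    if pte_exec is None:
        return "pte-not-present"
    if pte_exec == vad_is_executable(vad_protection):
        return "consistent"
    # VirtualProtect() or a per-page MEM_COMMIT updates the PTE but not the VAD,
    # so a mismatch is expected; a page that gained execute after allocation is
    # the case worth a closer look during analysis.
    return "gained-execute" if pte_exec else "lost-execute"

# Constructed samples (VAD protection index, 64-bit PAE PTE), not from a dump
SAMPLES = [
    (3, (0x1234 << 12) | 0x5),            # PAGE_EXECUTE_READ, PTE executable
    (4, (0x1235 << 12) | 0x7),            # PAGE_READWRITE, PTE now executable
    (6, PTE_NX | (0x1236 << 12) | 0x7),   # PAGE_EXECUTE_READWRITE, PTE now NX
    (0, 0),                               # reserved PAGE_NOACCESS, never committed
]

def classify_samples():
    return [classify(prot, pte) for prot, pte in SAMPLES]
```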