Cheat Engine Forum Index Cheat Engine
The Official Site of Cheat Engine
Invalidating Page Table Caches In the Virtual Pagedir Plugin

Cheat Engine Forum Index -> Cheat Engine Source
lylcheat
Cheater
Reputation: 0

Joined: 14 Feb 2009
Posts: 27
Location: Planet 3 Solar System Orion Arm Spiral Galaxy Milky Way

Posted: Thu Nov 05, 2015 5:36 am    Post subject: Invalidating Page Table Caches In the Virtual Pagedir Plugin

I am experimenting with direct Page Table manipulation in order to do a stealth read process memory or perhaps a write process memory (I am not sure whether, under 64-bit KPP, kernel code is immune to detection or not). One of the steps required after changing the Page Table Entry to my target physical memory is to flush the page table caches (in particular, to invalidate the TLB). In Dark Byte's Virtual Pagedir Plugin (http://forum.cheatengine.org/viewtopic.php?t=363947), in the ReadPhysicalMemory() function, there is this comment:

Code:
{
    newPageTableEntry=(Address & 0xfffff000)+0x7; //present, readwrite, usermode
    kernelmodeWriteProcessMemory(ownProcessHandle, (PVOID)(0xc0000000+pageEntrySize), &newPageTableEntry, pageEntrySize, &aw);

    //I just need something that flushes the pagetable (alternatively add an invlpg in kernelmode, but since this is a plugin example, I'd rather not)
    kernelmodeReadProcessMemory(tempProcessHandle, (PVOID)0x10000,&temp, 1, &ar);

It seems that the code is doing exactly what I want - something that can flush the page table cache/invalidate the TLB. But I have no idea how it actually achieves this, since it should be rather complicated according to Intel's Software Developer Manual when a multiprocessor system is involved. I quote the algorithm recommended by Intel's manual (V3 System Programming Guide, section 4.10.5 Propagation of Paging-Structure Changes to Multiple Processors):
i) Stop all but one logical processor; that is, cause all but one to execute the HLT instruction or to enter a spin loop
ii) Allow the active logical processor to change the necessary paging-structure entries
iii) Allow all logical processors to perform invalidations appropriate to the modifications to the paging-structure entries
iv) Allow all logical processors to resume normal operation

First, in the Virtual Pagedir Plugin there is no INVLPG instruction used (Dark Byte's comment says the alternative would be to use INVLPG), so how does the user-mode code flush the page table cache/invalidate any TLB?
Also, how does it guarantee that the TLBs in other processors are invalidated too, as recommended by the above algorithm?
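As an added example (not code from the plugin or from either poster), the helper below decodes the page-table-entry value that the quoted snippet builds and maps the snippet's self-map write address back to the virtual page whose mapping it replaces. It assumes the 32-bit non-PAE layout the snippet uses (4-byte entries, physical frame in bits 31:12, self-map at 0xC0000000); the constant and function names are mine.

```python
# Added example: interpret the constants in the quoted ReadPhysicalMemory() snippet.
# Assumes 32-bit non-PAE x86 paging with 4 KiB pages, as the snippet does.

# Low-order flag bits of a 32-bit PTE (Intel SDM Vol. 3, 4 KiB page, non-PAE).
PTE_FLAG_BITS = {
    0: "present",
    1: "read/write",
    2: "user",
    3: "write-through",
    4: "cache-disable",
    5: "accessed",
    6: "dirty",
    7: "pat",
    8: "global",
}

FRAME_MASK = 0xFFFFF000      # the snippet's (Address & 0xfffff000): physical frame number
SELF_MAP_BASE = 0xC0000000   # the snippet's write target: 32-bit Windows PTE self-map
PAGE_ENTRY_SIZE = 4          # pageEntrySize for non-PAE entries


def build_pte(physical_address, flags=0x7):
    """Mirror the snippet: frame bits of physical_address plus the flag bits (0x7)."""
    return (physical_address & FRAME_MASK) | (flags & ~FRAME_MASK)


def decode_pte(pte):
    """Split a PTE into (physical frame address, list of set flag names)."""
    frame = pte & FRAME_MASK
    flags = [name for bit, name in PTE_FLAG_BITS.items() if pte & (1 << bit)]
    return frame, flags


def pte_self_map_address(virtual_address):
    """Virtual address of the PTE that maps virtual_address via the self-map."""
    return SELF_MAP_BASE + (virtual_address >> 12) * PAGE_ENTRY_SIZE


def mapped_virtual_address(pte_address):
    """Inverse: which virtual page does the PTE stored at pte_address describe?"""
    return ((pte_address - SELF_MAP_BASE) // PAGE_ENTRY_SIZE) << 12


if __name__ == "__main__":
    pte = build_pte(0x12345678)            # constructed sample physical address
    print(hex(pte), decode_pte(pte))       # frame 0x12345000, present/read-write/user
    target = SELF_MAP_BASE + PAGE_ENTRY_SIZE  # the snippet's write address
    print(hex(mapped_virtual_address(target)))  # the snippet rewrites the PTE for page 0x1000
```

Decoding shows that 0x7 marks the new entry present, writable and user-accessible, and that 0xc0000000+pageEntrySize is the entry for virtual page 0x1000 in the writing process.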
Dark Byte
Site Admin
Reputation: 457

Joined: 09 May 2003
Posts: 25262
Location: The netherlands

Posted: Thu Nov 05, 2015 8:40 am

(That code won't work on 64-bit. For that you need to write the pagetable entry at address 0xfffff68000000000.)

As for flushing, changing CR3 will invalidate the pagetable cache. The readProcessMemory call will do that.

And if you have no need for other threads in the program to instantly access that memory (e.g. just the current thread, like in this case), then there is no need to even think about dealing with other CPUs.
(If you use it for memory scanning, set CE's CPU affinity to 1, or adjust this plugin to use a different address for each thread.)

_________________
Do not ask me about online cheats. I don't know any and won't help finding them.

Like my help? Join me on Patreon so I can keep helping.
All times are GMT - 6 Hours
