lylcheat
Posted: Thu Nov 05, 2015 5:36 am
Post subject: Invalidating Page Table Caches In the Virtual Pagedir Plugin
I am experimenting with direct page table manipulation in order to do a stealth read of process memory, or perhaps a write to process memory (I am not sure whether, under 64-bit KPP, kernel code is immune to detection or not). One of the steps required after changing the page table entry to point at my target physical memory is to flush the page table caches (in particular, to invalidate the TLB). In Dark Byte's Virtual Pagedir Plugin (http://forum.cheatengine.org/viewtopic.php?t=363947), in the ReadPhysicalMemory() function, there is the following comment:
Code:
    newPageTableEntry = (Address & 0xfffff000) + 0x7; //present, readwrite, usermode
    kernelmodeWriteProcessMemory(ownProcessHandle, (PVOID)(0xc0000000 + pageEntrySize), &newPageTableEntry, pageEntrySize, &aw);
    //I just need something that flushes the pagetable (alternatively add an invlpg in kernelmode, but since this is a plugin example, I'd rather not)
    kernelmodeReadProcessMemory(tempProcessHandle, (PVOID)0x10000, &temp, 1, &ar);
It seems that the code is doing exactly what I want: something that can flush the page table cache/invalidate the TLB. But I have no idea how it actually achieves this, since it should be rather complicated according to Intel's Software Developer Manual when a multiprocessor system is involved. I quote the algorithm recommended by Intel's manual (Vol. 3, System Programming Guide, section 4.10.5, Propagation of Paging-Structure Changes to Multiple Processors):
i) Stop all but one logical processor; that is, cause all but one to execute the HLT instruction or to enter a spin loop
ii) Allow the active logical processor to change the necessary paging-structure entries
iii) Allow all logical processors to perform invalidations appropriate to the modifications to the paging-structure entries
iv) Allow all logical processors to resume normal operation
First, in the Virtual Pagedir Plugin there is no INVLPG instruction used (Dark Byte's comment said the alternative was to use INVLPG), so how does the user mode code flush the page table cache/invalidate any TLB?
Also, how does it guarantee that the TLBs in the other processors are invalidated too, as recommended by the above algorithm?
Dark Byte (Site Admin)
Posted: Thu Nov 05, 2015 8:40 am
(That code won't work on 64-bit. For that you need to write the pagetable entry at address 0xfffff68000000000.)
As for flushing, changing CR3 will invalidate the pagetable cache. The readProcessMemory call will do that.
And if you have no need for other threads in the program to instantly access that memory (e.g. just the current thread, like in this case), then there is no need to even think about dealing with other CPUs.
(If you use it for memory scanning, set CE's CPU affinity to 1, or adjust this plugin to use a different address for each thread.)