nb81 Cheater Reputation: 0
Joined: 08 Jun 2013 Posts: 35
Posted: Wed Jan 22, 2020 2:27 am Post subject: setting cr3 to switch context

Hi,
Is it safe to just do a __writecr3(directorytable) to mimic what KeStackAttachProcess is doing (and the same for detaching)? OS is Win10 1909.
Thanks in advance!
Dark Byte Site Admin Reputation: 457
Joined: 09 May 2003 Posts: 25262 Location: The Netherlands

Posted: Wed Jan 22, 2020 7:06 am Post subject:
Yes, but you need to disable external interrupts first (either by raising IRQL or cli),
and if you're not sure the target memory is accessible then also replace the current CPU's IDT to point to a version with a patched page fault handler.
And don't forget to restore the IDT (if you changed it) and re-enable interrupts when done.
And don't run longer than 4 seconds, else other CPUs may think the CPU has frozen and send NMIs, followed by BSODing with a clock timeout.
_________________
Do not ask me about online cheats. I don't know any and won't help finding them.
Like my help? Join me on Patreon so I can keep helping
nb81 Cheater Reputation: 0
Joined: 08 Jun 2013 Posts: 35

Posted: Thu Jan 23, 2020 5:20 am Post subject:
Dark Byte wrote:
    Yes, but you need to disable external interrupts first (either by raising IRQL or cli),
    and if you're not sure the target memory is accessible then also replace the current CPU's IDT to point to a version with a patched page fault handler.
    And don't forget to restore the IDT (if you changed it) and re-enable interrupts when done.
    And don't run longer than 4 seconds, else other CPUs may think the CPU has frozen and send NMIs, followed by BSODing with a clock timeout.

Thank you. I'm making sure that the target memory is accessible. I only have to raise IRQL for writing CR3, right (so I can lower IRQL right after it's been set)? So something like this would suffice?
Code:
KIRQL oldIrql;
UINT64 originalCr3 = __readcr3();        // save the current directory table base
KeRaiseIrql(DISPATCH_LEVEL, &oldIrql);   // or just KeRaiseIrqlToDpcLevel ?
__writecr3(stuff);                       // switch to the target process' directory table
KeLowerIrql(oldIrql);
// do stuff while in the context of a process
KeRaiseIrql(DISPATCH_LEVEL, &oldIrql);
__writecr3(originalCr3);                 // switch back to the original directory table
KeLowerIrql(oldIrql);
Dark Byte Site Admin Reputation: 457
Joined: 09 May 2003 Posts: 25262 Location: The Netherlands

Posted: Thu Jan 23, 2020 10:10 am Post subject:
No, do not lower IRQL until you're done with what you need to do.
nb81 Cheater Reputation: 0
Joined: 08 Jun 2013 Posts: 35

Posted: Fri Jan 24, 2020 3:09 am Post subject:
Dark Byte wrote:
    No, do not lower IRQL until you're done with what you need to do.

I see. May I ask why I shouldn't do that? MSDN recommends optimizing everything that's done between KeRaiseIrql and KeLowerIrql. I simply want to read the target process' memory; I can't see why I would have to stay at a higher IRQL for that. Thanks.
Dark Byte Site Admin Reputation: 457
Joined: 09 May 2003 Posts: 25262 Location: The Netherlands

Posted: Sat Jan 25, 2020 1:40 am Post subject:
Because you're in a completely fucked up state, and if Windows were to see that it would piss itself and BSOD you.
At passive level you have task switch interrupts in kernel mode, so if a task switch happens while you are copying memory and the CR3 is not the one that is currently configured in the segment storage, who knows what will happen when you get task switched back.
That is why I recommend disabling interrupts for the duration of your copying.
nb81 Cheater Reputation: 0
Joined: 08 Jun 2013 Posts: 35

Posted: Sat Jan 25, 2020 3:29 am Post subject:
Dark Byte wrote:
    Because you're in a completely fucked up state, and if Windows were to see that it would piss itself and BSOD you.
    At passive level you have task switch interrupts in kernel mode, so if a task switch happens while you are copying memory and the CR3 is not the one that is currently configured in the segment storage, who knows what will happen when you get task switched back.
    That is why I recommend disabling interrupts for the duration of your copying.

I see, thank you for the explanation. I'll read up on these.