Cheat Engine Forum Index - Cheat Engine
The Official Site of Cheat Engine
setting cr3 to switch context

Cheat Engine Forum Index -> Cheat Engine Source -> DBVM

nb81
Cheater
Reputation: 0

Joined: 08 Jun 2013
Posts: 35

Posted: Wed Jan 22, 2020 2:27 am    Post subject: setting cr3 to switch context

Hi,

Is it safe to just do a __writecr3(directorytable) to mimic what KeStackAttachProcess is doing (and the same for detaching)? OS is Win10 1909.

Thanks in advance!
Dark Byte
Site Admin
Reputation: 379

Joined: 09 May 2003
Posts: 22667
Location: The netherlands

Posted: Wed Jan 22, 2020 7:06 am

Yes, but you need to disable external interrupts first (either by raising IRQL or with cli).
And if you're not sure the target memory is accessible, then also replace the current CPU's IDT to point to a version with a patched page fault handler.

And don't forget to restore the IDT (if you changed it) and re-enable interrupts when done.

And don't run longer than 4 seconds, else other CPUs may think the CPU has frozen and send NMIs, followed by BSODing with a clock timeout.

_________________
Do not ask me about online cheats. I don't know any and won't help finding them.

Like my help? Join me on Patreon so I can keep helping.
nb81
Cheater
Reputation: 0

Joined: 08 Jun 2013
Posts: 35

Posted: Thu Jan 23, 2020 5:20 am

Dark Byte wrote:
Yes, but you need to disable external interrupts first (either by raising IRQL or with cli).
And if you're not sure the target memory is accessible, then also replace the current CPU's IDT to point to a version with a patched page fault handler.

And don't forget to restore the IDT (if you changed it) and re-enable interrupts when done.

And don't run longer than 4 seconds, else other CPUs may think the CPU has frozen and send NMIs, followed by BSODing with a clock timeout.


Thank you. I'm making sure that the target memory is accessible. I only have to raise IRQL for writing CR3, right (so I can lower IRQL right after it's been set)? So something like this would suffice?
Code:

KIRQL oldIrql;
UINT64 originalCr3 = __readcr3();

// raise IRQL only around the CR3 write, then lower it again
KeRaiseIrql(DISPATCH_LEVEL, &oldIrql); // or just KeRaiseIrqlToDpcLevel ?
__writecr3(stuff);
KeLowerIrql(oldIrql);

// do stuff while in the context of a process

// raise IRQL again only around the restore of the original CR3
KeRaiseIrql(DISPATCH_LEVEL, &oldIrql);
__writecr3(originalCr3);
KeLowerIrql(oldIrql);
Dark Byte
Site Admin
Reputation: 379

Joined: 09 May 2003
Posts: 22667
Location: The netherlands

Posted: Thu Jan 23, 2020 10:10 am

No, do not lower IRQL until you're done with what you need to do.
nb81
Cheater
Reputation: 0

Joined: 08 Jun 2013
Posts: 35

Posted: Fri Jan 24, 2020 3:09 am

Dark Byte wrote:
No, do not lower IRQL until you're done with what you need to do.


I see. May I ask why I shouldn't do that? MSDN recommends optimizing everything that's done between KeRaiseIrql and KeLowerIrql. I simply want to read the target process' memory; I can't see why I would have to stay at a higher IRQL level for that. Thanks.
Dark Byte
Site Admin
Reputation: 379

Joined: 09 May 2003
Posts: 22667
Location: The netherlands

Posted: Sat Jan 25, 2020 1:40 am

Because you're in a completely fucked up state, and if Windows were to see that it would piss itself and BSOD you.

In passive level you have task switch interrupts in kernel mode, so if a task switch happens while you are copying memory and the CR3 is not the one that is currently configured in the segment storage, who knows what will happen when you get task switched back.

That is why I recommend disabling interrupts for the duration of your copying.
nb81
Cheater
Reputation: 0

Joined: 08 Jun 2013
Posts: 35

Posted: Sat Jan 25, 2020 3:29 am

Dark Byte wrote:
Because you're in a completely fucked up state, and if Windows were to see that it would piss itself and BSOD you.

In passive level you have task switch interrupts in kernel mode, so if a task switch happens while you are copying memory and the CR3 is not the one that is currently configured in the segment storage, who knows what will happen when you get task switched back.

That is why I recommend disabling interrupts for the duration of your copying.


I see, thank you for the explanation, I'll read up on these.

All times are GMT - 6 Hours