JIURL play Win2k memory articles shared memory (two) CopyOnWrite Author: JIURL Home: http://jiurl.yeah.net Date: 2003-7-30
CopyonWrite runs two processes running the same executable, or by a dynamic link library shared by multiple processes, the physical page of the read-only shared code section is no problem. For writing to the code page (the debugger may write to the code page), this will affect the correct execution of the process of other shared this code page. Or pages of data pages such as initialized global variables, each process may write different data, which will also affect the normal operation of the process of other shared this page. In order to make the program run normally, you should make the page of each process to be written to your own physical page so that you will not affect other processes. If each process can be assigned a new physical page, it is possible to cause unnecessary waste, if this process is from beginning to end, then write data to a page, then assign The execution time spent on this page is not used. In order to avoid this waste, Win2k is used to improve this situation using a mechanism called Copy ON Write. This is part of Lazy Evaluation Technology. Copy On Write is shared for a page, multiple usage process, until a process is to write data to the data, the system will give the process a new physical page, and copy the data of the original page, update The page table item of the process allows the process to map new physical pages, and the data is written to the new procedure in your own physical page. This will not affect the original data page. Other shared issues can continue to share until they also try to write data. The main application of the Copy ON Write mechanism in Win2k is that it is convenient to write things to a process page, without affecting the process of sharing this code page. Some data pages. Copy ON Write Mechanism. Win2k sets the read and write bit in the flag bit (PTE) of the page of the page of the copy on Write to read-only, and sets the CopyonWrite flag. This is when a process is written to the data to the page, because the page table item is set to read-only, so it will cause the page-fault anomalous. This makes the CPU to perform an exception handler, the exception handler check page table item discovers set the CopyonWrite flag to complete the page table item of the allocated new physical page, update the process, set the read and write flag of the new page item. Read and write and other work. Finally, the CPU re-executed an abnormal instruction. At this time, the virtual address written by the instruction is already a new physical page, and the logo of the page entry of the virtual address is also set to write, so it can be performed smoothly. Let's do more detailed descriptions for the X86 CPU. X86 CPU page table entry is defined as follows struct _HARDWARE_PTE_X86 (sizeof = 4) bits0-0 Validbits1-1 Writebits2-2 Ownerbits3-3 WriteThroughbits4-4 CacheDisablebits5-5 Accessedbits6-6 Dirtybits7-7 LargePagebits8-8 Globalbits9-11 reservedbits12-31 PageFrameNumber first To explain, this format is defined by the CPU, the CPU will explain each bit according to this definition, and then determine how to handle it. It should be noted that BITS1-1 WRITE will determine if this page is read, it is read-only to 1 means readable. Bits9-11 Reserved These 3 digits, the CPU is not defined, leaving to the operating system.
Win2K uses BITS9-9 COPYonWrite to represent whether to use CopyonWrite, this bit is 0 means not being used, and 1 is used. When the flag bit is read-only, after a page of the page table item is set, the CPU will automatically pass the command when the CopyonWrite is written to the page. Directory and page table convert virtual address AddressInCopyonWritePage into a physical address, during the address conversion process, the CPU will check when the physical page address from the page table item is, such as whether the page entry is valid, is it only Read, etc. Here, the page table item of the address in our instructions sets the read-only flag, which will cause an exception. Exception is also achieved by the CPU. What caused here is a Page Fault anomaly, its interrupt number is 0xe (decimal 14), you need to pay attention to the interrupt number of Page Fault is 0xe is defined by the CPU (x86 CPU from 0 - 31 this 32 interrupts are The CPU will work according to this definition by the CPU). When an exception occurs, the CPU automatically presses some registers into the stack, then according to the interrupt number, (find the interrupt descriptor table by idtr), find the corresponding interrupt descriptor in the interrupt descriptor, according to the address in the interrupt descriptor, transfer To the exception handler. The interrupt descriptor is set by Win2K, and the exception handler is also determined by Win2k. For Win2K Build 2195, the interrupt 0xe's handler is NTOSKRNL! Kitrap0E address at 804648A4. When transferred to Kitrap0E, the CPU has embraced the following content in the stack | ------------- | | EFLAGS || ------------- | | CS || ------------- || Eip || ------------- || Error Code || --------- ---- | <---- [ESP] Page-fault unusual (#PF) Error Code definition is as follows (CPU definition) | 3 | 2 | 1 | 0 | ---------- ----------------------------------------- | RESERVED | RSVD | U / S | R / W | P | ------------------------------------------ --------- P 0 Error By invalid page 1 error 1 error By violating page protection caused W / R 0 caused error memory access is reading 1 caused error memory is written when writing U / S 0 access error The processor is in the management mode 1 Access error When the processor is in the user mode, it is necessary to explain that the embedded EIP in the stack is an instruction address that causes an exception, and will re-execute the instruction according to this address in the future. The register CR2 is an address that is accessed when an exception is thrown.
#PF exception handler Kitrap0e (provided by Win2K) will call Ntoskrnl! MmaccessFault, MMAccessFault calculates the corresponding PDE, PTE address according to the abnormality caused by the write operation, and the access address in the CR2, checks the PTE discovery sets the CopyonWrite flag. (This flag is defined by Win2K, which is handled by it), eventually call Ntoskrnl! Micopy Write to complete the relevant work of Copy ON Write. For example, allocate a new physical page, change the physical address in the page entry, change the logo of the page entry, and change the read only to readable. After performing an exception handler, the CPU re-executes an instruction that causes an exception, and the instruction can be executed normally. This Copy ON Write has been implemented. Below we observe the actual situation of Copy on Write through an example / / ------------------------------------------------------- ----------------------------------- # include
The name of the program is called CopyOnWrite-Er1 run a CopyOnWrite-Er, then run a CopyOnWrite-Er first list the processes that are currently running with the SoftICE addr command:. AddrCR3 LDT Base: Limit KPEB Addr PID Name00030000 8141E020 0008 System04E2B000 810F75C0 008C smss06562000 810E8C40 00A8 csrss07547000 810CC0C0 00BC winlogon078E9000 810C14E0 00D8 services078FA000 810BFD60 00E4 lsass00ABD000 8109F200 0170 svchost00324000 810924C0 0190 svchost00564000 81054880 0204 Explorer024CF000 8108B960 0250 internat07FEC000 82F873C0 01F4 conime036C1000 8331C180 034C NOTEPAD0328F000 84130860 01F8 NOTEPAD018EF000 8323F180 0100 CopyOnWrite-Er06AB8000 83091020 02BC CopyOnWrite-Er * 00030000 8046BB60 0000 Idle saw 2 a CopyOnWrite-Er, process ID were 0100 and 02BC these two CopyOnWrite-Er outputs are _________________________________________JiurlSegData Address: 0x0040a000JiurlSegData Pte Address: 0xc0001028JiurlSegData: aaaaaaaaaaaaaaaaaaaaaaaaInput New String to JiurlSegData _________________________________________ CopyOnWrite-Er 100 using addr command to convert to CopyOnWrite-Er 100 of Address Space: AddR 100 Take a look at CopyonWrite-ER 10 The case of 0 segments, saw the ".jium" segment,
0040A000 address range in size and output JiurlSegData Address 00000020 program: 0x0040a000 match: map32 -uOwner Obj Name Obj # Address Size TypeCopyOnWrit.text 0001 001B: 00401000 00004D73 CODE ROCopyOnWrit.rdata 0002 0023: 00406000 00000890 IDATA ROCopyOnWrit.data 0003 0023: 00407000 000021C8 IDATA RWCopyOnWrit.jiurl 0004 0023: 0040A000 00000020 IDATA RWkernel32 .text 0001 001B: 77E61000 0005D1AE CODE ROkernel32 .data 0002 0023: 77EBF000 00001A30 IDATA RWkernel32 .rsrc 0003 0023: 77EC1000 00070000 IDATA ROkernel32 .reloc 0004 0023: 77F31000 0000359C IDATA ROntdll. text 0001 001B: 77F81000 00042492 CODE ROntdll ECODE 0002 001B: 77FC4000 00004371 CODE ROntdll PAGE 0003 001B: 77FC9000 00003983 CODE ROntdll .data 0004 0023: 77FCD000 00002350 IDATA RWntdll .rsrc 0005 0023: 77FD0000 00026D08 IDATA ROntdll .reloc 0006 0023: 77FF7000 00001DA8 IDATA RO According to the JIURLSEGDATA PTE Address: 0xc0001028, the page is displayed: DD C0001028 L 100010: C0001028 06AC7225 00000000 00000000 0000000% r ............ You can see CopyonWrite-ER 100 JIURLSEGDATA address range page table name value is 0 6ac7225 pay attention to the physical page 06ac7, the logo is 225 (HEX) = 0010 0010 0101 (bin) BITS1-1 WRITE logo is 0, indicating read only. The Bits9-9 CopyonWrite flag is 1, indicating using the copy on write. CopyonWrite-ER 2BC Converts to CopyonWrite-ER 2BC: AddR 2BC Displays the page table item according to the JIURLSEGData Pte Address: 0xc0001028 we calculated: DD C0001028 L 1000: C0001028 06AC7225 00000000 0000000 0000000% r ..... ......... You can see the page table item value of the JIURLSEGDATA address range of CopyonWrite-Er 2BC is also 06ac7225, first that it is, it and the copyonwrite-er 100 mapped the same physical page 06ac7, the content in the page is of course the same. They shared this data page. The logo also illustrates the use of Copy On Write.
2. Write to CopyOnWrite-Er 2bc global variable output follows _________________________________________Input New String to JiurlSegData program to write bbbbbbbbb CopyOnWrite-Er 2bc global variables: bbbbbbbbbJiurlSegData: bbbbbbbbb_________________________________________ can see the correct read out is switched to the input bbbbbbbbb CopyOnWrite -Er 2bc address space: AddR 2bc Displays page table items at 0xC0001028 at CopyonWrite-Er 2BC: DD C0001028 L 1000: C0001028 04427067 0000000000000000 00000000 GPB ....................... Value is 04427067, you can see the mappled physical page becomes 04427, which means allocation and uses new physical pages. The logo is 067 (HEX) = 0000 0110 0111 (bin) You can see the BITS1-1 WRITE flag is 1, indicating that it can be written. Bits9-9 CopyonWrite logo is 0. For the CopyonWrite-Er 2BC, the Copy ON WRITE mechanism has been verified to the address space for CopyonWrite-ER 100: AddR 100 Displays the page table item at the 0xC0001028 of CopyonWrite-Er 100: DD C0001028 L 100010: C0001028 06AC7225 00000000 00000000 0000000% r ............ You can see the value of this page item is still 06ac7225, indicating that CopyonWrite-Er 100 continues to use the original physical page. This is also in line with the previous description. 3. Copy On write mechanism of writing to CopyOnWrite-Er global variables 100 outputs the following _________________________________________Input New String to JiurlSegData write cccccccccc program to CopyOnWrite-Er 2bc global variables: ccccccccccJiurlSegData: cccccccccc_________________________________________ can see correctly read the input CCCCCCCCC to the address space of CopyonWrite-ER 100: AddR 100 Displays page table items at 0xC0001028 at CopyonWrite-Er 100: DD C0001028 L 1000: C0001028 00d07067 00000000 00000000000000 gp ............ .. It can be seen that the write has caused the use of new physical pages and changed the logo to the address space of CopyonWrite-Er 2BC: AddR 2BC Displays the page table item at the 0xC0001028 of CopyonWrite-Er 2BC: DD C0001028 L 100010: DD C0001028 L 100010: DD C0001028 L 100010: C0001028 04427067 000000 00 00000000000000 GPB .................................................................................................................................................................................................................................. Physical page The situation in PfndatabaseEntry.
Run a CopyonWrite-ER We observe the page frame number of its physical page: AddR CopyonWrite-ER: DD C0001028 L 100010: C0001028 06AC7225 00000000 0000000 0000000% r .............. page frame number Calculate 06ac7's page frame number database item, the first address of the page frame number database in the global variable MMPFNDATABASE, in my machine, its value is 81456000, each size 0x18 bytes we can see the physical page 6ac7 / * 08 * / uint32 blink / share count = 00000001 / * 0D * / byte page state = 06: DD 81456000 18 * 6ac7 L 180010: 814f62a8 0000000001 00010608 ........... ... 0010: 814f62b8 907b64b8 00004727 0000000 C03B37D8 .D {. 'G ....... 7; Description This physical page is in the Active state, and shared number 1 we run two CopyonWrite-er us Can see physical page 6ac7 / * 08 * / uint32 blink / share count = 00000003 / * 0D * / byte page state = 06: DD 81456000 18 * 6ac7 L 180010: 814f62a8 00000003 00010608 ....... ....... 0010: 814F62B8 907B64B8 00004727 00000000 C03B37D8 .D {. 'G ....... 7; Description This physical page is in the Active status, and the number of shared numbers is 3 pairs of copyonwrite -Er write data We can see physical page 6ac7 / * 08 * / uint32 blink / share count = 00000002 / * 0D * / byte page stat = 06: DD 81456000 18 * 6ac7 L 180010: 814F62A8 0000009B E301F2A8 00000002 00010608. ............. 0010: 814F62B8 907B64B8 00004727 00000000 C03B37D8 .D {. 'G ....... 7 ;. And share reduced to 2, write data processes due to Copy ON Write without using this physical page to all CopyonWrite-ER Write data We can see physical page 6ac7 / * 08 * / uint32 blink / share count = 000068b9 / * 0d * / byte page state = 02: DD 81456000 18 * 6ac7 L 180010: 814F62A8 ffffffff E301F2A8 000068B9 00000208 ... ... h ... 0010: 814f62b8 907b64b8 00004727 000,00000 c03b37d8 .d {. 'g ....... 7; no process is used to use this physical page, so the status change for Standby, Moreover, / * 08 * / Due to the changes in the state, it has become a page table where Blink is widely available, and you will find that additional CopyonWrite flags are found in addition to our designs. The page entry (still can still be found, I found a few items in Notepad, with a logo bit 205), is Copy On Write only such a small amount of application?
In fact, a lot of Win2k uses Copy On Write We can observe it using Softice. When writing to the COPY ON WRITE page, the CPU will perform an exception handler NTOSKRNL! Kitrap0e NtoskRnL! Kitrap0e will call Ntoskrnl! MmaccessFault, analyze NTOSKRNL! MMACcessFault assembly code, you can know that CopyonWrite caused by Ntoskrnl MiCopyonWrite Processing. Analyze assembly code We can also see that the MicopyonWrite function has two incoming parameters. The first parameter is a virtual address that triggered an exception command, and we are called Badaddress. The second parameter is the page item address of the virtual address, and we are called Pteaddress. MicopyonWrite uses the FastCall call protocol, the first parameter Baddress is incorporated by the ECX register, and the second parameter PteadDress is incorporated by the EDX register. Just write data to your CopyonWrite page, we should be broken to Micopy Write, and see the virtual addresses accessed from ECX and EDX and the PTE address of the address. We under Softice, Breakpoint BPX 8044BE22 DO "DB ((FFDFF124-> 0) 44) -> 0 1FC L 10; DD ECX L 4; DD EDX L 4" where 8044BE22 is the entrance address of MicopyonWrite (Win2k Build 2195), by using KD, U MicopyonWrite. After disconnection, let Softice perform DB (FFDFF124-> 0) 44) -> 0 1FC L 10, which will display the current running process name. Then exhibit content in ECX and EDX. When we run a program, here I have run a trip, the Softice window is ejected immediately, indicating that there is a Copy ON WRITE. // This is the breakpoint.
: BL00) * BPX # 0008: 8044BE22 DO "DB (FFDFF124-> 0) 44) -> 0 1FC L 10; DD ECX L 4; D: BE 0 // Exit SoftICE window // Open a text file run the Notepad program, SoftICE window immediately pops up NTICE: Load32 START = 1000000 SIZE = 10000 KPEB = 80D5AD40 MOD = NOTEPADNTICE: Load32 START = 77F80000 SIZE = 79000 KPEB = 80D5AD40 MOD = ntdllBreak due to BPX # 0008: 8044BE22 DO "db ((FFDFF124-> 0) 44) -> 0 1FC L 10; DD ECXL 4; DD EDX L 4 "(et = 4.09 seconds) // can see the current process is notepad.exe0023: 80D5AF3C 4E 4F 54 45 50 41 45 2E-45 58 45 00 00 00 00 Notepad.exe ..... // ECX is the Badaddress for 77FCD34C 0023: 77FCD34C fffffff 00000000 00000000 000,000 .............. ..// EDX is also pteaddress as c01dff34, you can see the CopyonWrite bit of the flag in the page table item is set, the Write Bit is not // is set 0023: C01DFF34 006AA225 00000000000000000000% .j ... .......// only NTEPAD and NTDLL, Badaddress = 77fcd34c in NTDLL .DATA range ./// only NotePad and NTDLL indicate that other DLLs have not been loaded, that is, in NTDLL being loaded, When performing DllMain // When the NTDLL is initialized, write data to the data page used to use CopyonWrite, which will cause the physical page in the page entry of the data page / / to the newly allocated physical page, and the flag will be from Readonly CopyonWrite turns into readwrite.
: Map32 -uOwner Obj Name Obj # Address Size TypeNOTEPAD .text 0001 001B: 01001000 000065CA CODE RONOTEPAD .data 0002 0023: 01008000 00001944 IDATA RWNOTEPAD .rsrc 0003 0023: 0100A000 00005238 IDATA ROntdll .text 0001 001B: 77F81000 00042492 CODE ROntdll ECODE 0002 001B : 77FC4000 00004371 CODE ROntdll PAGE 0003 001B: 77FC9000 00003983 CODE ROntdll .data 0004 0023: 77FCD000 00002350 IDATA RWntdll .rsrc 0005 0023: 77FD0000 00026D08 IDATA ROntdll .reloc 0006 0023: 77FF7000 00001DA8 IDATA RO // Ctrl D, SoftICE immediately (322ms After it is interrupted, et = 322.23 microsecondsbreak due to bpx # 0008: 8044BE22 DO "DB ((FFDFF124-> 0) 44) -> 0 1FC L 10; DD ECXL 4; DD EDX L 4" (ET = 322.23 microseconds 0023: 80D5AF3C 4E 4F 54 45 50 41 44 2e-45 58 45 00 00 00 00 00 00000000000000000000000000000000000000000000000000000000000000000000000000 ......... .... 0023: C01DFF38 0200B225 00000000% ............... Ntice: loading32 start = 76af0000 size = 3e000 kpeb = 80D5AD40 mod = comdlg32ntice: loading32 start = 77c50000 size = 4a000 KPEB = 80D5AD40 mod = shlwapint ICE: Load32 START = 77F40000 SIZE = 3C000 KPEB = 80D5AD40 MOD = gdi32NTICE: Load32 START = 77E60000 SIZE = D5000 KPEB = 80D5AD40 MOD = kernel32NTICE: Load32 START = 77DF0000 SIZE = 64000 KPEB = 80D5AD40 MOD = user32NTICE: Load32 START = 77D90000 SIZE = 5A000 KPEB = 80D5AD40 MOD = advapi32NTICE: Load32 START = 77D20000 SIZE = 6F000 KPEB = 80D5AD40 MOD = rpcrt4NTICE: Load32 START = 77B30000 SIZE = 8A000 KPEB = 80D5AD40 MOD = COMCTL32NTICE: Load32 START = 77560000 SIZE = 240000 KPEB = 80D5AD40 MOD = shell32NTICE: Load32 start = 78000000 size = 46000 kpeb = 80D5AD40 mod = msvcrt // etc =
4.43 MilliseCondsbreak Due To BPX # 0008: 8044BE22 DO "DB ((FFDFF124-> 0) 44) -> 0 1FC L 10; DD ECXL 4; DD EDX L 4" (et = 4.43 milliseconds) 0023: 80D5AF3C 4E 4F 54 45 50 41 44 2E-45 58 45 00 00 00 00 Notepad.exe ..... 0023: 78033000 00039BD2 00039BE2 .................. 0023: C01E00CC 00714225 00000000 000000000000% BQ ............. Ntice: Load32 start = 777c0000 size = 1d000 kpeb = 80d5ad40 mod = Winspool // ET = 2.41 MilliseCondsbreak Due to bpx # 0008: 8044BE22 DO "DB ( (ffdff124-> 0) 44) -> 0 1FC L 10; DD ECXL 4; DD EDX L 4 "(et = 2.41 milliseconds) 0023: 80D5AF3C 4E 4F 54 45 50 41 44 2E-45 58 45 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0023 00 00 00 0000000000000000 00010 00000000000000000000000000000000000000000000000000000000000000 ................ 0023: C01DFAFC 04B56225 00000000 0000000 0000000% B ........ ... // et = 250.33 Microsecondsbreak Due to BPX # 0008: 8044BE22 DO "DB ((FFDFF124-> 0) 44) -> 0 1FC L 10; DD ECXL 4; DD EDX L 4" ET = 250.33 microseconds 0023: 80D5AF3C 4E 4F 54 45 50 41 44 2e-45 58 45 00 00 00 00 Notepad.exe ..... 0023: 77ec0800 0 0000 000 000 000,000 000000 000,000 00 ................ 0023: C01DFB00 04737225 00000000 0000000 0000000% RS ........... After several interruptions, you can Seeing the list of page items in each interrupt Pteaddress, Readonly CopyonWrite is set by Break Due to BPX # 0008: 8044Be22 Do "DB ((FFDFF124-> 0) 44) -> 0 1FC L 10; DD ECXL 4; dd edx l 4 "(ET = 2.07 milliseconds) 0023: 80D5AF3C 4E 4F 54 45 50 41 44 2E-45 58 45 00 00 00 00 00 NOTEPAD.EXE ..... 0023: 77E484D0 00000000 00000000 00000000 00000000 .. .............. 0023: C01DF920 03B1A225 00000000 聽 0000000000000% ............... / We look at the DLL loaded, already contained It has been added to many DLLs that have just been more, this shows that the judgment just is right, when the program is loaded with DLL //,
dll initialization triggered a Copy On Write: map32 -uOwner Obj Name Obj # Address Size TypeNOTEPAD .text 0001 001B: 01001000 000065CA CODE RONOTEPAD .data 0002 0023: 01008000 00001944 IDATA RWNOTEPAD .rsrc 0003 0023: 0100A000 00005238 IDATA ROcomdlg32 .text 0001 001B: 76AF1000 00029D3A CODE ROcomdlg32 .data 0002 0023: 76B1B000 00003668 IDATA RWcomdlg32 .rsrc 0003 0023: 76B1F000 0000B2A8 IDATA ROcomdlg32 .reloc 0004 0023: 76B2B000 000022B0 IDATA ROshell32 .text 0001 001B: 77561000 0011A686 CODE ROshell32 .data 0002 0023: 7767C000 00003AE8 IDATA RWshell32 .rsrc 0003 0023: 77680000 00110ED8 IDATA ROshell32 .reloc 0004 0023: 77791000 0000EA90 IDATA ROWINSPOOL .text 0001 001B: 777C1000 00016B56 CODE ROWINSPOOL .data 0002 0023: 777D8000 00002AF0 IDATA RWWINSPOOL .rsrc 0003 0023: 777DB000 000009A8 IDATA ROWINSPOOL .reloc 0004 0023 : 777DC000 00000FC8 IDATA ROCOMCTL32 .text 0001 001B: 77B31000 000643C2 CODE ROCOMCTL32 .data 0002 0023: 77B96000 000004A0 IDATA RWCOMCTL32 .rsrc 0003 0023: 77B97000 0001E948 IDATA ROCOMCTL32 .reloc 000 4 0023: 77BB6000 00003784 IDATA ROSHLWAPI .text 0001 001B: 77C51000 0004243C CODE ROSHLWAPI .data 0002 0023: 77C94000 00000C28 IDATA RWSHLWAPI .rsrc 0003 0023: 77C95000 000010E8 IDATA ROSHLWAPI .reloc 0004 0023: 77C97000 0000256C IDATA ROrpcrt4 .text 0001 001B: 77D21000 0005FABA CODE ROrpcrt4 .orpc 0002 001B: 77D81000 00007CFC CODE ROrpcrt4 .data 0003 0023: 77D89000 00000F5C IDATA RWrpcrt4 .rsrc 0004 0023: 77D8A000 000003D0 IDATA ROrpcrt4 .reloc 0005 0023: 77D8B000 00003800 IDATA ROadvapi32 .text 0001 001B: 77D91000 0004F330 CODE ROadvapi32 .data 0002 0023: 77DE1000 00002E4C IDATA RWADVAPI32.RSRC 0003 0023: 77DE4000 00001250 Idata Roadvapi32.Reloc 0004 0023: 77DE6000 0000381C Idata Rouser32 .Text 0001 001B:
77DF1000 0005692A CODE ROuser32 .data 0002 0023: 77E48000 00000E60 IDATA RWuser32 .rsrc 0003 0023: 77E49000 0000742C IDATA ROuser32 .reloc 0004 0023: 77E51000 00002ACC IDATA ROkernel32 .text 0001 001B: 77E61000 0005D1AE CODE ROkernel32 .data 0002 0023: 77EBF000 00001A30 IDATA RWkernel32. rsrc 0003 0023: 77EC1000 00070000 IDATA ROkernel32 .reloc 0004 0023: 77F31000 0000359C IDATA ROgdi32 .text 0001 001B: 77F41000 0003649E CODE ROgdi32 .data 0002 0023: 77F78000 00000CFC IDATA RWgdi32 .rsrc 0003 0023: 77F79000 00000398 IDATA ROgdi32 .reloc 0004 0023: 77F7A000 0000151C IDATA ROntdll .text 0001 001B: 77F81000 00042492 CODE ROntdll ECODE 0002 001B: 77FC4000 00004371 CODE ROntdll PAGE 0003 001B: 77FC9000 00003983 CODE ROntdll .data 0004 0023: 77FCD000 00002350 IDATA RWntdll .rsrc 0005 0023: 77FD0000 00026D08 IDATA ROntdll .reloc 0006 0023 : 77FF7000 00001DA8 Idata Romsvcrt .text 0001 0001B: 78001000 0003174D Code Romsvcrt.rdata 0002 0023: 7803000 000075B4 Idata Romsvcrt .data 0003 0023: 7803B000 00006D84 Idata R WMSVCRT.RSRC 0004 0023: 78042000 000003A8 Idata Romsvcrt.Reloc 0005 0023: 78043000 00002600 Idata RO: BD * // There is more interruption, but these are enough, so relevant interrupts. We have seen these DLL data pages initially set uponwrite flags, just write data to the data page when DLLMAIN is initialized when loading DLL, so that the flag of the page entry is changed from 255. This explains why we can't see the page for setting uponwrite flags in a page table of a process.
Below we use Softice to change the change of the page entry, and find an abnormal instruction: BL00) BPX # 0008: 8044BE22 DO "DB ((FFDFF124-> 0) 44) -> 0 1FC L 10; DD ECX L 4; D // Still in the entrance address of MicopyonWrite to run a notepad program, disconnect Ntice: load32 start = 1000000 size = 10000 kpeb = 8409E700 mod = notepadntice: loading32 start = 77f80000 size = 79000 kpeb = 8409E700 MOD = NTDLLBREAK DUE TO BPX # 0008: 8044BE22 DO "DB ((FFDFF124-> 0) 44) -> 0 1FC L 10; DD ECXL 4; DD EDX L 4" (et = 2.08 seconds) 0023: 8409E8FC 4E 4F 54 45 50 41 44 2e-45 58 45 00 00 00 00 Notepad.exe ..... 0023: 77FCD34C fffffff 00000000 00000000 000,000000000000000000000 .................. 0023: C01DFF34 006AA225 00000000 million.j ........... // can see Badaddress = 77FCD34C, Pteaddress = C01DFF34, PTE = 006AA225 // We have the next break in 4 bytes of Pteaddress In this way, if the PTE will be disconnected: bpmd c01dff34 w // is broken to Break Due to BPMD # 0023: C01DFF34 W DR3 (Et = 280.80 microseconds) MSR LastbranchFromip = 80001ec69: BD 1 // Close the breakpoint 1 // Show PTE: DD C01DFF34 L 100023: C01DFF34 00FEA067 0000000000000000 00000000 G .............. // can see the change of PTE, physical page from 006AA The new physical page 00fea // flag becomes 067 // reverse ignition to PTE to write new content // Use KD, u 8044bf6f can see MicopyonWrite 15c, that is, MicopyonWrite changes PTE. contents: u 8044bf6f l 100008: 8044BF6F MOV [EAX], ESI0008: 8044BF71 MOV EAX, [EBP-24] 0008: 8044BF74 INVLPG [EAX] 0008: 8044BF77 MOV ECX, EBX0008: 8044BF79 CALL 80449BCE0008: 8044BF7E MOV EAX, FS : [00000124] // F12 (F12 = ^ p ret;) // f12 // Continuously modified part // Use KD, u 80447672 can see NtoskRnl! MMAccessFault
