1st step is create address in wich i can drop paging, it physical = virtual.
I run windbg !pte 0, and found out address of pte. PDE is used, but pte i chose isnt (nonpresent). I understand that mwthod im doing is illegal and lead to corruption, but chances are low since this memory contain ivt or other bios code. I do it only for test purposes, so it shouldnt be a problem.
i chose last address handled by 1st pde, wich is 0x3FF000.
mov dword [0xC0000FFC],0x3
invlpg [0x3FF000]
xchg eax,[0x3FF000]
works fine, and OS is NOT crashing. I can do it many times, and it wont crash, meaning memory is fine.
However when i try to execute a code in this memory - immieditly i get freeze, not even a bsod/reboot.
thats a code i used, it use entry point instead of ioctl because i recompile it all the time and its simplier this way. Also i return error so i dont need unload, test is simple. driver load with error - fine, bsod/reset/freeze - not fine.
Code: Select all
entry $
pushad
mov dword [0xC0000FFC],0x3
invlpg [0x3FF000]
mov edi,0x3FF000
mov esi,_data
mov ecx,_data_size/4
cld
rep movsd
mov eax, [0x3FF000]
push eax
push f
call [DbgPrint]
add esp,8
call 0x3FF000
popad
mov eax,-1
retn 8
align 4
_data:
retn
align 4
_data_size = $ - _data
f db '%.8X',0Note that PAE is disabled, its just basic 32bit paging with 1024 4byte PTEs. I have tried diffrent pages - exactly same effect. Whats going on? Did i missed something from manuals? Something so basic its not even coming to me now?
Im using virtualbox/vmware for testing, vtx enabled.
