Leaderboard

sRDI Shellcode implementation of Reflective DLL Injection. Supports sRDI allows for the conversion of DLL files to position independent shellcode. This is accomplished via two components: C project which compiles a PE loader implementation (RDI) to shellcode Conversion code which attaches the DLL, RDI, and user data together with a bootstrap This project is comprised of the following elements: ShellcodeRDI: Compiles shellcode for the DLL loader NativeLoader: Converts DLL to shellcode if neccesarry, then injects into memory DotNetLoader: C# implementation of NativeLoader Python\ConvertToShellcode.py: Convert DLL to shellcode in place PowerShell\ConvertTo-Shellcode.ps1: Convert DLL to shellcode in place TestDLL: Example DLL that includes two exported functions for call on Load and after Use Cases / Examples Before use, I recommend you become familiar with Reflective DLL Injection and it's purpose. Convert DLL to shellcode using python from ShellcodeRDI import * dll = open("TestDLL_x86.dll", 'rb').read() shellcode = ConvertToShellcode(dll) Load DLL into memory using C# loader DotNetLoader.exe TestDLL_x64.dll Convert DLL with python script and load with Native EXE python ConvertToShellcode.py TestDLL_x64.dll NativeLoader.exe TestDLL_x64.bin Convert DLL with powershell and load with Invoke-Shellcode Import-Module .\Invoke-Shellcode.ps1 Import-Module .\ConvertTo-Shellcode.ps1 Invoke-Shellcode -Shellcode (ConvertTo-Shellcode -File TestDLL_x64.dll) Building This project is built using Visual Studio 2015 (v140) and Windows SDK 8.1. The python script is written using Python 3. The Python and Powershell scripts are located at: Python\ConvertToShellcode.py PowerShell\ConvertTo-Shellcode.ps1 After building the project, the other binaries will be located at: bin\NativeLoader.exe bin\DotNetLoader.exe bin\TestDLL_.dll bin\ShellcodeRDI_.bin Credits The basis of this project is derived from "Improved Reflective DLL Injection" from Dan Staples which itself is derived from the original project by Stephen Fewer. The project framework for compiling C code as shellcode is taken from Mathew Graeber's reasearch "PIC_BindShell" The PEFile project is used in the python script for parsing. Sursa: https://github.com/monoxgas/sRDI

Author: Soroush Dalili Description: This presentation illustrates a number of techniques to smuggle and reshape HTTP requests using features such as HTTP Pipelining that are not normally used by testers. The strange behaviour of web servers with different technologies will be reviewed using HTTP versions 1.1, 1.0, and 0.9 before HTTP v2 becomes too popular! Some of these techniques might come in handy when dealing with a dumb WAF or load balancer that blocks your attacks. Slides: https://www.slideshare.net/SoroushDalili/a-forgotten-http-invisibility-cloak

Pai daca zice omu' ca nu mai are loc...poate filmeaza 4K, cine stie. I-am dat idee, nu zic din experienta. Eu am pana in 30GB de poze adunate de-a lungu'..si de-a latu'

Stai cu ochi pe olx si poate ai noroc sa il gasesti acolo. Totusi sunt putine sanse sa il mai recuperezi.

In cazul in care nu l-a resetat, si are google maps activ cu un cont de google(google a fact niste modificari la maps de curand), poate ai noroc si il vezi pe maps.google.ro. Dau exemplul meu(realizat din intamplare). Fratele meu are un galaxy alpha, l-am resoftat de curand, si i-am bagat si contul meu de gmail. Acum fiind logat pe contul respectiv de gmail, daca intru pe maps.google.com, imi arata locatia lui, daca are activ wifi/date. Incearca, poate ai noroc.

Instaleaza owncloud sau creazati propria platforma, o pui pe o placuta rasberry, o securizezi dupa tutoriale pe net, ii conectezi un HDD unde vrei sa stochezi ceea ce trebui si aia e. Iti pui si verificari la login sa fii sigur, testeaza daca se poate face bypass (la nrtel, email) in caz ca iti faci propria platforma. (Asa am facut eu, dar cu owncloud)

add IMEI here https://imei.org/results/?_h=93F2648CCE7FE812420E2C3C5FE5C2B18AAFE3873872AF489C85DF1D39EDB2A6

Cum anume ? De ce a doua oara nu a mers tot dupa IMEI, ca prima oara ? @alexu Vezi ca aia de la telefonie mobila vad pur si simplu IMEI-ul in programul acela al lor, baza de date. Poate poti vorbi cu unul dintre operatori, oficial sau neoficial, sa afle numarul actual pentru acel IMEI.

Are you using Foxit PDF Reader? If yes, then you need to watch your back. Security researchers have discovered two critical zero-day security vulnerabilities in Foxit Reader software that could allow attackers to execute arbitrary code on a targeted computer, if not configured to open files in the Safe Reading Mode. The first vulnerability (CVE-2017-10951) is a command injection bug discovered by researcher Ariele Caltabiano working with Trend Micro's Zero Day Initiative (ZDI), while the second bug (CVE-2017-10952) is a file write issue found by Offensive Security researcher Steven Seeley. An attacker can exploit these bugs by sending a specially crafted PDF file to a Foxit user and enticing them to open it. Foxit refused to patch both the vulnerabilities because they would not work with the "safe reading mode" feature that fortunately comes enabled by default in Foxit Reader. However, researchers believe building a mitigation doesn't patch the vulnerabilities completely, which if remained unpatched, could be exploited if attackers find a way to bypass safe reading mode in the near future. Both unpatched vulnerabilities can be triggered through the JavaScript API in Foxit Reader. CVE-2017-10951: The command injection bug resides in an app.launchURL function that executes strings provided by attackers on the targeted system due to lack of proper validation, as demonstrated in the video given below. CVE-2017-10952: This vulnerability exists within the "saveAs" JavaScript function that allows attackers to write an arbitrary file on a targeted system at any specific location, as demonstrated in the video given below. If you are one of those using Foxit Reader and PhantomPDF, ensure you have the "Safe Reading Mode" feature enabled. Additionally, you can also uncheck the "Enable JavaScript Actions" from Foxit's Preferences menu, although this may break some functionality. Users are also recommended always to be vigilant while opening any files they received via email. Just recently, we reported how opening a malicious PowerPoint file could compromise your computer with malware. So, always beware of phishing emails, spams, and clicking the malicious attachment. Source: https://thehackernews.com/2017/08/two-critical-zero-day-flaws-disclosed.html

da, au schimbat legendarea personajului, http://adevarul.ro/news/eveniment/povestea-hackerului-d3v1x-liceanul-aurel-spart-serverul-ministerului-educatiei-siteul-anaf-1_599476295ab6550cb80c37d8/index.html , " [....] Procurorii DIICOT spun că în spatele lui „Ninja300 HaCKer” este un tânăr care a împlinit 18 ani în iunie 2017, Alexandru Cosmin, din satul Sasca Montană (Caraş-Severin). [...]" in final, localizarea personajului e ca itinerarul turmei in transhumanta , initial suceava, apoi vilcea, acum cind scriu, sasca montana.... e pacat sa distrugi retorica propagandei incurcindu-te cu elemnte factuale...

Nu au vrut sa inregistreze sesizarea? Eu din cate stiam sunt obligati sa inregistreze orice sesizare ca de asta e sesizare, sa fie inregistrata si analizata de cineva. Ai putea incerca sa pronunti cuvantul "avocat" in prezenta lor, pariez ca s-ar razgandi. Mi-am adus aminte de o experienta. Mi-a fost taiat efectiv cortul si m-am trezit cu o mana pe sub perna la 2:30 AM de am dormit cu securea pentru lemne langa mine a doua noapte. Plajele sunt cel mai prielnic loc pentru gainari. Treaba este ca de l-a pierdut, telefonul ala a fost GASIT nu FURAT, asta il face mai greu de recuperat. Nu as lasa obiecte de valoare asupra unui copil, mai ales intr-o zona unde stiu ca e plin de handicapati mintal.

Summary: " SecGen creates vulnerable virtual machines so students can learn security penetration testing techniques. Boxes like Metasploitable2 are always the same, this project uses Vagrant, Puppet, and Ruby to quickly create randomly vulnerable virtual machines that can be used for learning or for hosting CTF events. " Source: https://github.com/cliffe/SecGen

Am adaugat suport pentru x64: https://github.com/NytroRST/NetRipper Cine ar putea sa teseze daca e totul OK?

http://www.gazetavalceana.ro/2017/08/17/cine-este-hackerul-din-valcea-care-a-spart-site-ul-edu-ro-isi-spune-d3v1x-si-invata-la-liceul-din-horezu/ sunt de la mine din zona...pacat de ei ca au fost naivi

Operating Systems: From 0 to 1 This book helps you gain the foundational knowledge required to write an operating system from scratch. Hence the title, 0 to 1. After completing this book, at the very least you will learn: How to write an operating system from scratch by reading hardware datasheets. In the real world, it works like that. You won’t be able to consult Google for a quick answer. A big picture of how each layer of a computer is related to the other, from hardware to software. Write code independently. It’s pointless to copy and paste code. Real learning happens when you solve problems on your own. Some examples are given to kick start, but most problems are yours to conquer. However, the solutions are available online for you to examine after giving it a good try. Linux as a development environment and how to use common tools for low-level programming. x86 assembly in-depth. How a program is structured so that an operating system can run. How to debug a program running directly on hardware with gdb and QEMU. Linking and loading on bare metal x86_64, with pure C. No standard library. No runtime overhead. Download the book The pedagogy of the book You give a poor man a fish and you feed him for a day. You teach him to fish and you give him an occupation that will feed him for a lifetime. This has been the guiding principle of the book when I was writing it. The book does not try to teach you everything, but enough to enable you to learn by yourself. The book itself, at this point, is quite “complete”: once you master part 1 and part 2 (which consist of 8 chapters), you can drop the book and learn by yourself. At this point, smart readers should be able to continue on their own. For example, they can continue their journeys on OSDev wiki; in fact, after you study everything in part 1 and part 2, you only meet the minimum requirement by OSDev Wiki (well, not quite, the book actually goes deeper for the suggested topics). Or, if you consider developing an OS for fun is impractical, you can continue with a Linux-specific book, such as this free book Linux Insides, or other popular Linux kernel books. The book tries hard to provide you a strong foundation, and that’s why part 1 and part 2 were released first. The book teaches you core concepts, such as x86 Assembly, ELF, linking and debugging on bare metal, etc., but more importantly, where such information come from. For example, instead of just teaching x86 Assembly, it also teaches how to use reference manuals from Intel. Learning to read the official manuals is important because only the hardware manufacturers themselves understand how their hardware work. If you only learn from the secondary resources because it is easier, you will never gain a complete understanding of the hardware you are programming for. Have you ever read a book on Assembly, and wondered where all the information came from? How does the author know everything he says is correct? And how one seems to magically know so much about hardware programming? This book gives pointers to such questions. As an example, you should skim through chapter 4, “x86 Assembly and C”, to see how it makes use of the Intel manual, Volume 2. And in the process, it guides you how to use the official manuals. Part 3 is planned as a series of specifications that a reader will implement to complete each operating system component. It does not contain code aside from a few examples. Part 3 is just there to shorten the reader’s time when reading the official manuals by giving hints where to read, explaining difficult concepts and how to use the manuals to debug. In short, the implementation is up to the reader to work on his or her own; the chapters are just like university assignments. Prerequisites Know some circuit concepts: Basic Concepts of Electricity: atoms, electrons, protons, neutrons, current flow. Ohm’s law However, if you know absolutely nothing about electricity, you can quickly learn it here:http://www.allaboutcircuits.com/textbook/, by reading chapter 1 and chapter 2. C programming. In particular: Variable and function declarations/definitions While and for loops Pointers and function pointers Fundamental algorithms and data structures in C Linux basics: Know how to navigate directory with the command line Know how to invoke a command with options Know how to pipe output to another program Touch typing. Since we are going to use Linux, touch typing helps. I know typing speed does not relate to problem-solving, but at least your typing speed should be fast enough not to let it get it the way and degrade the learning experience. In general, I assume that the reader has basic C programming knowledge, and can use an IDE to build and run a program. Status: Part 1 Chapter 1: Complete Chapter 2: Complete Chapter 3: Almost. Currently, the book relies on the Intel Manual for fully explaining x86 execution environment. Chapter 4: Complete Chapter 5: Complete Chapter 6: Complete Part 2 Chapter 7: Complete Chapter 8: Complete Part 3 Chapter 9: Incomplete Chapter 10: Incomplete Chapter 11: Incomplete Chapter 12: Incomplete Chapter 13: Incomplete … and future chapters not included yet … In the future, I hope to expand part 3 to cover more than the first 2 parts. But for the time being, I will try to finish the above chapters first. Sample OS This repository is the sample OS of the book that is intended as a reference material for part 3. It covers 10 chapters of the “System Programming Guide” (Intel Manual Volume 3), along with a simple keyboard and video driver for input and output. However, at the moment, only the following features are implemented: Protected mode. Creating and managing processes with TSS (Task State Structure). Interrupts LAPIC. Paging and I/O are not yet implemented. I will try to implement it as the book progresses. Contributing If you find any grammatical issues, please report it using Github Issues. Or, if some sentence or paragraph is difficult to understand, feel free to open an issue with the following title format: [page number][type] Descriptive Title. For example: [pg.9][grammar] Incorrect verb usage. type can be one of the following: Typo: indicates typing mistake. Grammar: indicates incorrect grammar usage. Style: indicates a style improvement. Content: indicates problems with the content. Even better, you can make a pull request with the provided book source. The main content of the book is in the file “Operating Systems: From 0 to 1.lyx”. You can edit the .txt file, then I will integrate the changes manually. It is a workaround for now since Lyx can cause a huge diff which makes it impossible to review changes. The book is in development, so please bear with me if the English irritates you. I really appreciate it. Finally, if you like the project and if it is possible, please donate to help this project and keep it going. Got questions? If you have any question related to the material or the development of the book, feel free to open a Github issue. Sursa: https://tuhdo.github.io/os01/

G-Scout: OSS tool to assess the security of Google Cloud Platform (GCP) environment configurations " G-Scout is a tool to help assess the security of Google Cloud Platform (GCP) environment configurations. By leveraging the Google Cloud API, G-Scout automatically gathers a variety of configuration data and analyzes this data to determine security risks. It produces HTML output, which allows for convenient browsing of results. The audited data relates to: IAM roles Compute engine instances Storage buckets Firewall rules SQL and noSQL databases Service account keys G-Scout also allows users to create and customize rulesets simply by creating Python functions. " Source: https://www.nccgroup.trust/us/about-us/newsroom-and-events/blog/2017/august/introducing-g-scout/

PyStat - Advanced Netstat For Windows Features: Know remote address of process Know remote ports of process Know which user using process along with title & PID Changelogs: Auto Install python modules support added in install.py Installation Guide Download the .zip file Extract the pystat folder from .zip file to some drive i.e C:\tools\pystat Goto C:\tools\pystat Press SHIFT KEY + RIGHT CLICK and select open Command Window here Enter this command python install.py, Enjoy Warning! Don't move pystat folder after installation, will stop working Download PyStat-master.zip Source: https://github.com/roothaxor/PyStat

JWT cracker A multi-threaded JWT brute-force cracker written in C. If you are very lucky or have a huge computing power, this program should find the secret key of a JWT token, allowing you to forge valid tokens. This is for testing purposes only, do not put yourself in trouble I used the Apple Base64 implementation that I modified slightly. Compile Make sure you have openssl's headers installed. On Ubuntu you can install them with apt-get install libssl-dev make If you use a Mac, you can install OpenSSL with brew install openssl, but the headers will be stored in a different location: make OPENSSL=/usr/local/opt/openssl/include OPENSSL_LIB=-L/usr/local/opt/openssl/lib Run $ > ./jwtcrack eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWV9.cAOIAifu3fykvhkHpbuhbvtH807-Z2rI1FS3vX1XMjE In the above example, the key is Sn1f. It takes approximately 2 seconds to crack on my Macbook. Contribute No progress status If you stop the program, you cannot start back where you were IMPORTANT: Known bugs The base64 implementation I use (from Apple) is sometimes buggy because not every Base64 implementation is the same. So sometimes, decrypting of your Base64 token will only work partially and thus you will be able to find a secret to your token that is not the correct one. If someone is willing to implement a more robust Base64 implementation, that would be great Download c-jwt-cracker-master.zip Source: https://github.com/brendan-rius/c-jwt-cracker

wordpress-exploit-framework A Ruby framework for developing and using modules which aid in the penetration testing of WordPress powered websites and systems. What do I need to run it? Ensure that you have Ruby >= 2.4.1 installed on your system and then install all required dependencies by opening a command prompt / terminal in the WPXF folder and running bundle install. If bundler is not present on your system, you can install it by running gem install bundler. Troubleshooting Installation Debian Systems If you have issues installing WPXF's dependencies (in particular, Nokogiri), first make sure you have all the tooling necessary to compile C extensions: sudo apt-get install build-essential patch It’s possible that you don’t have important development header files installed on your system. Here’s what you should do if you should find yourself in this situation: sudo apt-get install ruby-dev zlib1g-dev liblzma-dev Windows Systems If you are experiencing errors that indicate that libcurl.dll could not be loaded, you will need to ensure the latest libcurl binary is included in your Ruby bin folder, or any other folder that is in your environment's PATH variable. The latest version can be downloaded from http://curl.haxx.se/download.html As of 16/05/2016, the latest release is marked as Win32 2000/XP zip 7.40.0 libcurl SSL. After downloading the archive, extract the contents of the bin directory into your Ruby bin directory (if prompted, don't overwrite any existing DLLs). How do I use it? Open a command prompt / terminal in the directory that you have downloaded WordPress Exploit Framework to, and start it by running ruby wpxf.rb. Once loaded, you'll be presented with the wpxf prompt, from here you can search for modules using the search command or load a module using the use command. Loading a module into your environment will allow you to set options with the set command and view information about the module using info. Below is an example of how one would load the symposium_shell_upload exploit module, set the module and payload options and run the exploit against the target. wpxf > use exploit/symposium_shell_upload [+] Loaded module: #<Wpxf::Exploit::SymposiumShellUpload:0x3916f20> wpxf [exploit/symposium_shell_upload] > set host wp-sandbox [+] Set host => wp-sandbox wpxf [exploit/symposium_shell_upload] > set target_uri /wordpress/ [+] Set target_uri => /wordpress/ wpxf [exploit/symposium_shell_upload] > set payload exec [+] Loaded payload: #<Wpxf::Payloads::Exec:0x434d078> wpxf [exploit/symposium_shell_upload] > set cmd echo "Hello, world!" [+] Set cmd => echo "Hello, world!" wpxf [exploit/symposium_shell_upload] > run [-] Preparing payload... [-] Uploading the payload... [-] Executing the payload... [+] Result: Hello, world! [+] Execution finished successfully For a full list of supported commands, take a look at This Wiki Page. What is the difference between auxiliary and exploit modules? Auxiliary modules do not allow you to run payloads on the target machine, but instead allow you to extract information from the target, escalate privileges or provide denial of service functionality. Exploit modules require you to specify a payload which subsequently gets executed on the target machine, allowing you to run arbitrary code to extract information from the machine, establish a remote shell or anything else that you want to do within the context of the web server. What payloads are available? bind_php: uploads a script that will bind to a specific port and allow WPXF to establish a remote shell. custom: uploads and executes a custom PHP script. download_exec: downloads and runs a remote executable file. meterpreter_bind_tcp: a Meterpreter bind TCP payload generated using msfvenom. meterpreter_reverse_tcp: a Meterpreter reverse TCP payload generated using msfvenom. exec: runs a shell command on the remote server and returns the output to the WPXF session. reverse_tcp: uploads a script that will establish a reverse TCP shell. All these payloads, with the exception of custom and the Meterpreter payloads, will delete themselves after they have been executed, to avoid leaving them lying around on the target machine after use or in the event that they are being used to establish a shell which fails. How can I write my own modules and payloads? Guides on writing modules and payloads can be found on The Wiki and full documentation of the API can be found at http://www.getwpxf.com/. License Copyright (C) 2015 rastating Running WordPress Exploit Framework against websites without prior mutual consent may be illegal in your country. The author and parties involved in its development accept no liability and are not responsible for any misuse or damage caused by WordPress Exploit Framework. This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with this program. If not, see http://www.gnu.org/licenses/ Sursa: https://github.com/rastating/wordpress-exploit-framework

Description SAML Raider is a Burp Suite extension for testing SAML infrastructures. It contains two core functionalities: Manipulating SAML Messages and manage X.509 certificates. This software was created by Roland Bischofberger and Emanuel Duss during a bachelor thesis at the Hochschule für Technik Rapperswil (HSR). Our project partner and advisor was Compass Security Schweiz AG. We thank Compass for the nice collaboration and support during our bachelor thesis. Features The extension is divided in two parts. A SAML message editor and a certificate management tool. Message Editor Features of the SAML Raider message editor: Sign SAML Messages Sign SAML Assertions Remove Signatures Edit SAML Message (Supported Messages: SAMLRequest and SAMLResponse) Preview eight common XSW Attacks Execute eight common XSW Attacks Send certificate to SAMl Raider Certificate Management Undo all changes of a SAML Message Supported Profiles: SAML Webbrowser Single Sign-on Profile, Web Services Security SAML Token Profile Supported Bindings: POST Binding, Redirect Binding, SOAP Binding, URI Binding Certificate Management Features of the SAML Raider Certificate Management: Import X.509 certificates (PEM and DER format) Import X.509 certificate chains Export X.509 certificates (PEM format) Delete imported X.509 certificates Display informations of X.509 certificates Import private keys (PKCD#8 in DER format and traditional RSA in PEM Format) Export private keys (traditional RSA Key PEM Format) Cloning X.509 certificates Cloning X.509 certificate chains Create new X.509 certificates Editing and self-sign existing X.509 certificates Download: saml-raider-1.2.1.jar Installation: https://github.com/SAMLRaider/SAMLRaider#installation Source: https://github.com/SAMLRaider/SAMLRaider

Flare-on 2015 - Level 2: very_success.exe This post is mostly a showcase of possible approaches and excellent, free tools that you can use to reverse some binaries. To that end, we’ll leave the IDA alone, and learn a few new things. Our target is the second challenge of Flare-On 2015. It is actually quite an interesting little target. Let’s get right into it. We’re going to grab a copy of radare2 for windows (pre-built for minimum hassle), and ConEmu to make our cmd prompt experience a little nicer. After adding the folder containing radare to our path: $ set PATH=%PATH%;C:\tools\r2 …we load the binary using the -A flag which performs an analysis of flags and symbols and renames things. We also use the -w flag to open the file in write mode in case we want to edit/patch something. $ radare2 -A -w very_success.exe Step 1: Initial triage and recon We can perform our initial triage inside of r2: What is this file? Ok, let’s see the entry points, imports, resources, sections, and exports: It’s looking like a small, simple thing so far…what kind of interesting strings are there? and because we’ve already run some analysis (-A), we can examine xrefs to the clearly interesting string of “You are success” and “Enter the password>” XREF to Enter the password We might want to set a flag, or alias to the address of interest (the address where the Enter the password string is), but we don’t have to in this case because r2 has already done that for us. We examine the flag spaces, select the strings flag space, and see what’s in there (redundant here, but good to be aware of) tab-completing our way to victory: Let’s investigate the function that is using this string to learn a little more about this binary. We seek to the function of interest, and enter visual mode: [0x004010df]> s sub.kernel32.dll_GetStdHandle_0 [0x00401000]> VV We press p or P to cycle through the different display modes (pretty much everywhere in r2 you can press ? to see what commands are available, and commands that have subcommands/modes also accept a ?) It seems fairly clear…whatever we input will be validated inside of fcn.00401084, and the return value will determine whether we get the nice message or the bad one. (It might be worth your while to tab/TAB around, zoom (+, -), check out the other graph views p/P, the pseudo-assembly ($), and just practice moving around hjkl (left, down, up, right) to make your r2 experience a little more comfortable.) Before we dig into the flag validation routine, we take note of the arguments to the imported ReadFile call: BOOL WINAPI ReadFile( _In_ HANDLE hFile, _Out_ LPVOID lpBuffer, _In_ DWORD nNumberOfBytesToRead, _Out_opt_ LPDWORD lpNumberOfBytesRead, _Inout_opt_ LPOVERLAPPED lpOverlapped ); I like to imagine all the pushed args as a tower sitting above the function call. Then I knock that tower over and the arguments fall into their respective places. The following illustration should make this clear: push arg3 push arg2 push arg1 call a push arg3 push arg2 push arg1 call a(arg1, arg2, arg3) you’re welcome! So, we’ll be reading from stdin, into 0x402159, a maximum of 0x32 bytes With that in mind, we rename some variables, and create a flag at the buffer location of our input. Press : to access the command line > afvn local_ch hStdIn > f theGuess 0x32 @0x402159 and press enter or ctrl+c to quit the command prompt one mystery remains…the local_10h being passed into the flag validation routine…what is it? We access the command line again : and look at where the variables are being written: :> afvW local_10h 0x401007 hStdIn 0x401012 local_8h 0x40101d inputLen we scroll up a bit to that location (k), and we see the following disassembly: 0x00401000 58 pop eax 0x00401001 55 push ebp 0x00401002 89e5 mov ebp, esp 0x00401004 83ec10 sub esp, 0x10 0x00401007 8945f0 mov dword [local_10h], eax 0x0040100a 6af6 push 0xfffffffffffffff6 that’s an interesting function prologue…it starts with a pop eax. Whatever was at the top of the stack when we entered this function is what will be placed into eax, and shortly thereafter…local_10h. We’d usually expect a return address at the top of the stack. When the previous function called this one, the call instruction sets EIP to the beginning of this function and pushes the address of whatever was after the call instruction onto the stack. We press x to see where this function…wait, let’s rename it first, press d and let’s call it main. Now we can press x, or seek using the command prompt and s <address listed at the CALL XREF at the top of this function> I choose x: The instructions don’t really make a whole lot of sense following the call, so let’s examine a hexdump and see if there’s anything recognizable: Press <enter> to return to Visual mode. :> px 20 @0x4010e4 - offset - 0 1 2 3 4 5 6 7 8 9 A B C D E F 0123456789ABCDEF 0x004010e4 afaa adeb aeaa eca4 baaf aeaa 8ac0 a7b0 ................ 0x004010f4 bc9a baa5 .... :> hmm…well, bytes are bytes. We rename local_10h to someBytes. With things renamed, and knowing what’s going into the flag validation routine, and what we want to return with (a non-zero eax), we step inside the flag validation routine using the [gd] shortcut that radare has provided. We literally just type gd. We rename this function to flagValidator. It seems that this function only takes 3 args. So we rename them according to what we knew was pushed onto the stack before this call. It looks like our input length should be at least 0x25 characters. Otherwise, we end up at (press t to follow the true branch) the basic block which xor eax, eax before moving to the block that returns to main. Press u to return to the basic block we were just at. If we pass the length check, we follow the false branch. The [gc] block will initialize the loop: esi receives our input guess edi receives the mystery bytes and ecx currently still holds the length of our input, which is now used to index into the mystery bytes…. mysteryBytes[inputLen - 1]. Essentially, edi points to the last byte of the mysteryBytes …then a bunch of ugly stuff happens inside of the next block, [gd]. If the condition at the end…jecxz, is true then we go to the fail block [ga] which will zero out eax and return. This instruction is exactly what it sounds like, jump if ecx is zero. Okay, maybe it didn’t sound like anything, but it makes sense after the fact, right? So…there’s only one good way out of this function and that’s through the loop instruction at 0x4010d3. So we will have to survive each iteration of the loop without ecx ever being zero. This depends on the sneaky scasb. 0x004010bc 86ca xchg dl, cl 0x004010be 31d2 xor edx, edx 0x004010c0 25ff000000 and eax, 0xff 0x004010c5 6601c3 add bx, ax 0x004010c8 ae scasb al, byte es:[edi] 0x004010c9 660f45ca cmovne cx, dx 0x004010cd 58 pop eax 0x004010ce e307 jecxz 0x4010d7;[ga] if the scan string comparison ever fails between al and edi, then the conditional move if not equal (cmovne) will make sure that freshly xor’d edx will put a zero in cx and we will fail. Ok…here is the interesting part, and what you all came to see. How do we solve this problem. I will present four…count ‘em 4 gorgeous methods (sort of): Symbolic execution + SMT solver (angr w/z3) Emulation bruteforce (Unicorn) Side-channel attack (Pintool wintool) Reverse the algorithm (brain + python) Method 1: Symbolic execution + SMT solver (angr w/z3) Some background reading and a de-scarying of symbolic execution, if you so desire: doar-e Quick introduction into SAT/SMT solvers and symbolic execution lots of great stuff on both of those sites, be sure to explore some rabbit holes and follow along with your hands on some python+binaries. We have just about everything we need to start writing our angr script. Let’s review: The function of interest takes three arguments: the mystery bytes that live at the address popped into eax at the start of main our input guess the length of our input guess We know the values for 2 of those things. Grab the mystery bytes: :> s 0x4010e4 :> wt? |Usage: wt[a] file [size] Write 'size' bytes in current blok to 'file' | wta [filename] append to 'filename' | wtf [filename] [size] write to file (see also 'wxf' and 'wf?') | wtf! [filename] write to file from current address to eof :> wtf magicBytes 0x25 dumped 0x25 bytes Dumped 37 bytes from 0x004010e4 into magicBytes (Note: Since this buffer is of a manageable size, we could have printed the bytes as an escaped hex string…or various other formats. See the print p command for more options. We’ll explore this in Method #2.) Let’s win: #!/usr/bin/env python import angr # load the binary b = angr.Project("very_success.exe", load_options={"auto_load_libs":False}) # create a blank_state (https://github.com/angr/angr-doc/blob/master/docs/toplevel.md#the-factory) at the top of the flag checking function s = b.factory.blank_state(addr=0x401084) # Since we started inside this function, we have to set up the args that were pushed on to the stack from the previous function # ...0 sounds like a good place to store memory, why not? So esp+4 (arg0) shall point to the address 0 s.mem[s.regs.esp+4:].dword = 0 # and why not...next arg was at 100 s.mem[s.regs.esp+8:].dword = 100 # next arg at 200? ok! s.mem[s.regs.esp+0xC:].dword = 200 # we know the length of the winning input magicLen = 0x25 # and we know what the magicBytes are magicBytes = open('magicBytes', 'rb').read() # let's load them into memory at address 0 as bit vector values s.memory.store(0, s.se.BVV(magicBytes)) # we'll load the second arg into memory at 100 # using a symbolic BitVector (https://github.com/angr/angr-doc/blob/master/docs/claripy.md#claripy-asts) s.memory.store(100, s.se.BVS("guess", magicLen*8)) # and we can store our magicLen using 32 bits at 200 s.memory.store(200, s.se.BVV(magicLen, 32)) # instantiate a path_group (https://github.com/angr/angr-doc/blob/master/docs/pathgroups.md) pg = b.factory.path_group(s) # ask them to explore until they find the winning basic block, and avoid the xor eax, eax block pg.explore(find=0x4010d5, avoid=0x4010d7) # for those paths which have found a way to the desired address...let's examine their state for found in pg.found: # specifically, let's see what string is in memory at 100 for successful paths print found.state.se.any_str(found.state.memory.load(100, 0x25)).strip('\0') and then: # ./very_angr.py WARNING | 2017-08-10 00:04:30,040 | cle.pe | The PE module is not well-supported. Good luck! a_Little_b1t_harder_plez@flare-on.com Knowing the flag format, (printable ascii, ending in @flare-on.com), we could have added some contraints to speed things up. See angr-doc for some examples. Method 2: Emulation bruteforce (Unicorn) This probably isn’t the most elegant approach, but it’s nice to have at least an introduction to another powerful tool. First, we need the bytes of the code we want to emulate. We seek to the flagValidator function and ask r2 for some information about this function…namely, we want to know the size: :> s flagValidator :> s 0x401084 :> afi ~size size: 91 ok, let’s grab those bytes then. Instead of a file, let’s just grab the string: :> pcs 91 "\x55\x89\xe5\x83\xec\x00\x57\x56\x31\xdb\xb9\x25\x00\x00\x00\x39\x4d\x10\x7c\x3f\x8b\x75\x0c\x8b\x7d\x08\x8d\x7c\x0f\xff\x66\x89\xda\x66\x83\xe2\x03\x66\xb8\xc7\x01\x50\x9e\xac\x9c\x32\x44\x24\x04\x86\xca\xd2\xc4\x9d\x10\xe0\x86\xca\x31\xd2\x25\xff\x00\x00\x00\x66\x01\xc3\xae\x66\x0f\x45\xca\x58\xe3\x07\x83\xef\x02\xe2\xcd\xeb\x02\x31\xc0\x5e\x5f\x89\xec\x5d\xc3" looks pretty good…starts with the prologue, ends with a c3 (ret). Since this is a little more convenient than the magicBytes file, let’s grab the magicBytes as a string as well: :> s 0x4010e4 :> pcs 0x25 "\xaf\xaa\xad\xeb\xae\xaa\xec\xa4\xba\xaf\xae\xaa\x8a\xc0\xa7\xb0\xbc\x9a\xba\xa5\xa5\xba\xaf\xb8\x9d\xb8\xf9\xae\x9d\xab\xb4\xbc\xb6\xb3\x90\x9a\xa8" We’re ready to start our script: #!/usr/bin/env python # lots of good help from these awesome scripts/examples/blogs #https://github.com/unicorn-engine/unicorn/blob/master/bindings/python/sample_x86.py#L24 #https://r3v3rs3r.wordpress.com/2015/12/12/unicorn-vs-malware/ #https://github.com/karttoon/shellbug #https://github.com/unicorn-engine/unicorn/issues/451 from unicorn import * from unicorn.x86_const import * # taking a lazy approach to automation and wrapping the entire thing in a loop rightChars = 0 # dummy string to guess with guessString = list("!" * 0x25) # and setting our win state foundIt = False while not foundIt: for c in xrange(0x20, 0x7F): guessString[rightChars] = chr(c) # creating a custom hook for every instruction that executes # a brutish approach, but it'll work def hook_code(uc, address, size, user_data): global rightChars global foundIt # if we have already executed the cmovne cx, dx, and cx is zero... # then this input is bad and we need to try a different one # :> ? 0x4010cd - 0x401084 # 73 0x49 0111 73 0000:0049 73 "I" 01001001 73.0 73.000000f 73.000000 if address == 0x49: ecx = uc.reg_read(UC_X86_REG_ECX) # we got hit with the cmovne, it was a bad guess if ecx == 0: mu.emu_stop() # we managed to loop all the way to the last character...we won elif ecx == 1: foundIt = True mu.emu_stop() # if loop count and number of characters we already found match, we move on elif ecx == 0x25 - rightChars: #print ("Found One!") #print (uc.mem_read(guessAddress+rightChars, 1)) rightChars += 1 # spawn a unicorn thing mu = Uc(UC_ARCH_X86, UC_MODE_32) # some generic addresses for our emulation baseAddress = 0 STACK_ADDRESS = 0xffff000 STACK_SIZE = 0x1000 # function code functionCode = "\x55\x89\xe5\x83\xec\x00\x57\x56\x31\xdb\xb9\x25\x00\x00\x00\x39\x4d\x10\x7c\x3f\x8b\x75\x0c\x8b\x7d\x08\x8d\x7c\x0f\xff\x66\x89\xda\x66\x83\xe2\x03\x66\xb8\xc7\x01\x50\x9e\xac\x9c\x32\x44\x24\x04\x86\xca\xd2\xc4\x9d\x10\xe0\x86\xca\x31\xd2\x25\xff\x00\x00\x00\x66\x01\xc3\xae\x66\x0f\x45\xca\x58\xe3\x07\x83\xef\x02\xe2\xcd\xeb\x02\x31\xc0\x5e\x5f\x89\xec\x5d\xc3" magicBytes = "\xaf\xaa\xad\xeb\xae\xaa\xec\xa4\xba\xaf\xae\xaa\x8a\xc0\xa7\xb0\xbc\x9a\xba\xa5\xa5\xba\xaf\xb8\x9d\xb8\xf9\xae\x9d\xab\xb4\xbc\xb6\xb3\x90\x9a\xa8" # map 0x1000 bytes at baseAddress mu.mem_map(baseAddress, 0x1000) mu.mem_map(STACK_ADDRESS, STACK_SIZE) # set our ESP with some room for the previous args to this function mu.reg_write(UC_X86_REG_ESP, STACK_ADDRESS + STACK_SIZE - 0x10) # address where we want to write the magicBytes magicBytesAddress = 0x200 # write them mu.mem_write(magicBytesAddress, magicBytes) # address where we want to write our input buffer guessAddress = 0x300 # write it mu.mem_write(guessAddress, ''.join(guessString)) # address where we want to write the magicLen (input length value we discovered) magicLenAddress = 0x400 # its value magicLen = 0x25 # write it mu.mem_write(magicLenAddress, str(magicLen)) # "push" our args onto the stack (the addresses of our buffers of interest) mu.mem_write(STACK_ADDRESS+STACK_SIZE-0xc, "\x00\x02\x00\x00") mu.mem_write(STACK_ADDRESS+STACK_SIZE-8, "\x00\x03\x00\x00") mu.mem_write(STACK_ADDRESS+STACK_SIZE-4, "\x00\x04\x00\x00") # write the function code at the base address mu.mem_write(baseAddress, functionCode) # hook every instruction, because it'll work mu.hook_add(UC_HOOK_CODE, hook_code) # start the brute try: mu.emu_start(baseAddress, baseAddress + len(functionCode)) if foundIt: print ''.join(guessString) break except UcError as e: print "Error: %s" % e and then: # ./very_emulated.py a_Little_b1t_harder_plez@flare-on.com Method 3: Timing attack (Pintool wintool) This one is very easy to write about because someone has already done the work. What is Pin? How can I win? How can I win on windows? That last script is just some mangling I did to aldeid’s pintool to make it happy with python and windows cmd prompt. C:\pin>python c:/tools/pintool2-win.py -l 37 -c 6 -a 32 -s ! c:/working-dir/very_success.exe !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! = 19488 difference 0 instructions 0!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! = 19488 difference 0 instructions 1!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! = 19488 difference 0 instructions 2!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! = 19488 difference 0 instructions 3!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! = 19488 difference 0 instructions 4!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! = 19488 difference 0 instructions 5!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! = 19488 difference 0 instructions 6!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! = 19488 difference 0 instructions 7!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! = 19488 difference 0 instructions 8!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! = 19488 difference 0 instructions 9!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! = 19488 difference 0 instructions a!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! = 19510 difference 22 instructions a!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! = 19510 difference 22 instructions a!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! = 19510 difference 0 instructions a0!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! = 19510 difference 0 instructions a1!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! = 19510 difference 0 instructions a2!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! = 19510 difference 0 instructions a3!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! = 19510 difference 0 instructions ... ... a_Little_b1t_harder_plez@flare-on.col = 20280 difference 0 instructions a_Little_b1t_harder_plez@flare-on.com = 20283 difference 3 instructions a_Little_b1t_harder_plez@flare-on.com = 20283 difference 3 instructions Password: a_Little_b1t_harder_plez@flare-on.com For all characters except the last, you can clearly see the extra loop in the 22 instruction difference. I have no idea how the last character gets a 3 instruction difference. Method 4: Reverse the algorithm (brain + python) I also get this one for free because you can easily find plenty of this kind of writeup with a google query for “very_success.exe” For example…see this excellent, detailed explanation References: radare2 ConEmu ReadFile Function prologue x86 jecxz x86 loop x86 scasb doar-e Quick introduction into SAT/SMT solvers and symbolic execution angr-doc Unicorn x86 example Unicorn vs Malware Shellbug - Shellcode debugger Unicorn Issue Pin Pintool2 Pintool2 - windows-friendl..ier very_success write-up theJunkyard Sursa: https://fevral.github.io/2017/08/13/flareon2015-2.html

Exploring Windows virtual memory management August 13, 2017 In a previous post, we discussed the IA-32e 64-bit paging structures, and how they can be used to turn virtual addresses into physical addresses. They're a simple but elegant way to manage virtual address mappings as well as page permissions with varying granularity of page sizes. All of which is provided by the architecture. But as one might expect, once you add an operating system like Windows into the mix, things get a little more interesting. The problem of per-process memory In Windows, a process is nothing more than a simple container of threads and metadata that represents a user-mode application. It has its own memory so that it can manage the different pieces of data and code that make the process do something useful. Let's consider, then, two processes that both try to read and write from the memory located at the virtual address 0x00000000`11223344. Based on what we know about paging, we expect that the virtual address is going to end up translating into the same physical address (let's say 0x00000001`ff003344 as an example) in both processes. There is, after all, only one CR3 register per processor, and the hardware dictates that the paging structure root is located in that register. Figure 1: If the two process' virtual addresses would translate to the same physical address, then we expect that they would both see the same memory, right? Of course, in reality we know that it can't work that way. If we use one process to write to a virtual memory address, and then use another process to read from that address, we shouldn't get the same value. That would be devastating from a security and stability standpoint. In fact, the same permissions may not even be applied to that virtual memory in both processes. But how does Windows accomplish this separation? It's actually pretty straightforward: when switching threads in kernel-mode or user-mode (called a context switch), Windows stores off or loads information about the current thread including the state of all of the registers. Because of this, Windows is able to swap out the root of the paging structures when the thread context is switched by changing the value of CR3, effectively allowing it to manage an entirely separate set of paging structures for each process on the system. This gives each process a unique mapping of virtual memory to physical memory, while still using the same virtual address ranges as another process. The PML4 table pointer for each user-mode process is stored in the DirectoryTableBase member of an internal kernel structure called the EPROCESS, which also manages a great deal of other state and metadata about the process. Figure 2: In reality, each process has its own set of paging structures, and Windows swaps out the value of the CR3 register when it executes within that process. This allows virtual addresses in each process to map to different physical addresses. We can see the paging structure swap between processes for ourselves if we do a little bit of exploration using WinDbg. If you haven't already set up kernel debugging, you should check out this article to get yourself started. Then follow along below. Let's first get a list of processes running on the target system. We can do that using the !process command. For more details on how to use this command, consider checking out the documentation using .hh !process. In our case, we pass parameters of zero to show all processes on the system. 0: kd> !process 0 0 **** NT ACTIVE PROCESS DUMP **** PROCESS fffffa801916b5d0 SessionId: none Cid: 0004 Peb: 00000000 ParentCid: 0000 DirBase: 00187000 ObjectTable: fffff8a000001890 HandleCount: 560. Image: System PROCESS fffffa8028effb10 SessionId: none Cid: 0130 Peb: 7fffffd8000 ParentCid: 0004 DirBase: 7d9ed5000 ObjectTable: fffff8a000174d80 HandleCount: 36. Image: smss.exe PROCESS fffffa802949bb10 SessionId: 0 Cid: 01b8 Peb: 7fffffdf000 ParentCid: 0174 DirBase: 7cf890000 ObjectTable: fffff8a000b82010 HandleCount: 713. Image: csrss.exe ... PROCESS fffffa8019218b10 SessionId: 1 Cid: 02f0 Peb: 7fffffd5000 ParentCid: 0808 DirBase: 652e89000 ObjectTable: fffff8a00cacc270 HandleCount: 58. Image: notepad.exe view raw tf-article2-windbg-1.txt hosted with ❤ by GitHub We can use notepad.exe as our target process, but you should be able to follow along with virtually any process of your choice. The next thing we need to do is attach ourselves to this process - simply put, we need to be in this process' context. This lets us access the virtual memory of notepad.exe by remapping the paging structures. We can verify that the context switch is happening by watching what happens to the CR3 register. If the virtual memory we have access to is going to change, we expect that the value of CR3 will change to new paging structures that represent notepad.exe's virtual memory. Let's take a look at the value of CR3 before the context switch. 0: kd> r cr3 cr3=000000078b07a000 view raw tf-article2-windbg-2.txt hosted with ❤ by GitHub We know that this value should change to the DirectoryTableBase member of the EPROCESS structure that represents notepad.exe when we make the switch. As a matter of interest, we can take a look at that structure and see what it contains. The PROCESS fffffa8019218b10 line emitted by the debugger when we listed all processes is actually the virtual address of that process' EPROCESS structure. 0: kd> dt nt!_EPROCESS fffffa8019218b10 -b +0x000 Pcb : _KPROCESS +0x000 Header : _DISPATCHER_HEADER +0x000 Type : 0x3 '' +0x001 TimerControlFlags : 0 '' +0x001 Absolute : 0y0 +0x001 Coalescable : 0y0 +0x001 KeepShifting : 0y0 +0x001 EncodedTolerableDelay : 0y00000 (0) +0x001 Abandoned : 0 '' +0x001 Signalling : 0 '' +0x002 ThreadControlFlags : 0x58 'X' +0x002 CpuThrottled : 0y0 +0x002 CycleProfiling : 0y0 +0x002 CounterProfiling : 0y0 +0x002 Reserved : 0y01011 (0xb) +0x002 Hand : 0x58 'X' +0x002 Size : 0x58 'X' +0x003 TimerMiscFlags : 0 '' +0x003 Index : 0y000000 (0) +0x003 Inserted : 0y0 +0x003 Expired : 0y0 +0x003 DebugActive : 0 '' +0x003 ActiveDR7 : 0y0 +0x003 Instrumented : 0y0 +0x003 Reserved2 : 0y0000 +0x003 UmsScheduled : 0y0 +0x003 UmsPrimary : 0y0 +0x003 DpcActive : 0 '' +0x000 Lock : 0n5767171 +0x004 SignalState : 0n0 +0x008 WaitListHead : _LIST_ENTRY [ 0xfffffa80`19218b18 - 0xfffffa80`19218b18 ] +0x000 Flink : 0xfffffa80`19218b18 +0x008 Blink : 0xfffffa80`19218b18 +0x018 ProfileListHead : _LIST_ENTRY [ 0xfffffa80`19218b28 - 0xfffffa80`19218b28 ] +0x000 Flink : 0xfffffa80`19218b28 +0x008 Blink : 0xfffffa80`19218b28 +0x028 DirectoryTableBase : 0x00000006`52e89000 ... view raw tf-article2-windbg-3.txt hosted with ❤ by GitHub The fully expanded EPROCESS structure is massive, so everything after what we're interested in has been omitted from the results above. We can see, though, that the DirectoryTableBase is a member at +0x028 of the process control block (KPROCESS) structure that's embedded as part of the larger EPROCESS structure. According to this output, we should expect that CR3 will change to 0x00000006`52e89000 when we switch to this process' context in WinDbg. To perform the context swap, we use the .process command and indicate that we want an invasive swap (/i) which will remap the virtual address space and allow us to do things like set breakpoints in user-mode memory. Also, in order for the process context swap to complete, we need to allow the process to execute once using the g command. The debugger will then break again, and we're officially in the context of notepad.exe. 0: kd> .process /i /P fffffa8019218b10 You need to continue execution (press 'g' <enter>) for the context to be switched. When the debugger breaks in again, you will be in the new process context. 0: kd> g Break instruction exception - code 80000003 (first chance) nt!DbgBreakPointWithStatus: fffff800`02a73c70 cc int 3 view raw tf-article2-windbg-4.txt hosted with ❤ by GitHub Okay! Now that we're in the context we need to be in, let's check the CR3 register to verify that the paging structures have been changed to the DirectoryTableBase member we saw earlier. 6: kd> r cr3 cr3=0000000652e89000 view raw tf-article2-windbg-5.txt hosted with ❤ by GitHub Looks like it worked as we expected. We would find a unique set of paging structures at 0x00000006`52e89000 that represented the virtual to physical address mappings within notepad.exe. This is essentially the same kind of swap that occurs each time Windows switches to a thread in a different process. Virtual address ranges While each process gets its own view of virtual memory and can re-use the same virtual address range as another process, there are some consistent rules of thumb that Windows abides by when it comes to which virtual address ranges store certain kinds of information. To start, each user-mode process is allowed a user-mode virtual address space ranging from 0x000`00000000 to 0x7ff`ffffffff, giving each process a theoretical maximum of 8TB of virtual memory that it can access. Then, each process also has a range of kernel-mode virtual memory that is split up into a number of different subsections. This much larger range gives the kernel a theoretical maximum of 248TB of virtual memory, ranging from 0xffff0800`00000000 to 0xffffffff`ffffffff. The remaining address space is not actually used by Windows, though, as we can see below. Figure 3: All possible virtual memory, divided into the different ranges that Windows enforces. The virtual addresses for the kernel-mode regions may not be true on Windows 10, where these regions are subject to address space layout randomization (ASLR). Credits to Alex Ionescu for specific kernel space mappings. Currently, there is an extremely large “no man's land” of virtual memory space between the user-mode and kernel-mode ranges of virtual memory. This range of memory isn't wasted, though, it's just not addressable due to the current architecture constraint of 48-bit virtual addresses, which we discussed in our previous article. If there existed a system with 16EB of physical memory - enough memory to address all possible 64-bit virtual memory - the extra physical memory would simply be used to hold the pages of other processes, so that many processes' memory ranges could be resident in physical memory at once. As an aside, one other interesting property of the way Windows handles virtual address mapping is being able to quickly tell kernel pointers from user-mode pointers. Memory that is mapped as part of the kernel has the highest order bits of the address (the 16 bits we didn't use as part of the linear address translation) set to 1, while user-mode memory has them set to 0. This ensures that kernel-mode pointers begin with 0xFFFF and user-mode pointers begin with 0x0000. A tree of virtual memory: the VAD We can see that the kernel-mode virtual memory is nicely divided into different sections. But what about user-mode memory? How does the memory manager know which portions of virtual memory have been allocated, which haven't, and details about each of those ranges? How can it know if a virtual address within a process is valid or invalid? It could walk the process' paging structures to figure this out every time the information was needed, but there is another way: the virtual address descriptor (VAD) tree. Each process has a VAD tree that can be located in the VadRoot member of the aforementioned EPROCESS structure. The tree is a balanced binary search tree, with each node representing a region of virtual memory within the process. Figure 4: The VAD tree is balanced with lower virtual page numbers to the left, and each node providing some additional details about the memory range. Each node gives details about the range of addresses, the memory protection of that region, and some other metadata depending on the state of the memory it is representing. We can use our friend WinDbg to easily list all of the entries in the VAD tree of a particular process. Let's have a look at the VAD entries from notepad.exe using !vad. 6: kd> !vad VAD Level Start End Commit fffffa8019785170 5 10 1f 0 Mapped READWRITE Pagefile section, shared commit 0x10 fffffa8019229650 4 20 26 0 Mapped READONLY Pagefile section, shared commit 0x7 fffffa802aec35c0 5 30 33 0 Mapped READONLY Pagefile section, shared commit 0x4 fffffa80291085a0 3 40 41 0 Mapped READONLY Pagefile section, shared commit 0x2 fffffa802b25c180 5 50 50 1 Private READWRITE fffffa802b0b8940 4 60 c6 0 Mapped READONLY \Windows\System32\locale.nls fffffa8019544940 5 d0 d1 0 Mapped READWRITE Pagefile section, shared commit 0x2 fffffa80193c5570 2 e0 e2 3 Mapped WRITECOPY \Windows\System32\en-US\notepad.exe.mui fffffa802b499e00 5 f0 f0 1 Private READWRITE fffffa802b4a6160 4 100 100 1 Private READWRITE fffffa801954d3a0 5 110 110 0 Mapped READWRITE Pagefile section, shared commit 0x1 fffffa80197cf8c0 3 120 121 0 Mapped READONLY Pagefile section, shared commit 0x2 fffffa802b158240 4 160 16f 2 Private READWRITE fffffa802b24f180 1 1a0 21f 20 Private READWRITE fffffa802b1fc680 6 220 31f 104 Private READWRITE fffffa802b44d110 5 320 41f 146 Private READWRITE fffffa802910ece0 6 420 4fe 0 Mapped READONLY Pagefile section, shared commit 0xdf fffffa802b354c60 4 540 54f 7 Private READWRITE fffffa8029106660 6 550 6d7 0 Mapped READONLY Pagefile section, shared commit 0x6 fffffa802b4738b0 5 6e0 860 0 Mapped READONLY Pagefile section, shared commit 0x181 fffffa802942ea30 6 870 1c6f 0 Mapped READONLY Pagefile section, shared commit 0x23 fffffa802b242260 3 1cf0 1d6f 28 Private READWRITE fffffa802aa66d60 5 1e10 1e8f 113 Private READWRITE fffffa8019499560 4 3030 395f 0 Mapped READONLY \Windows\Fonts\StaticCache.dat fffffa8019246370 5 3960 3c2e 0 Mapped READONLY \Windows\Globalization\Sorting\SortDefault.nls fffffa802b184c50 6 3c30 3d2f 1 Private READWRITE fffffa802b45f180 2 77420 77519 3 Mapped Exe EXECUTE_WRITECOPY \Windows\System32\user32.dll fffffa80192afa20 4 77520 7763e 4 Mapped Exe EXECUTE_WRITECOPY \Windows\System32\kernel32.dll fffffa802a8ba9c0 3 77640 777e9 14 Mapped Exe EXECUTE_WRITECOPY \Windows\System32\ntdll.dll fffffa802910a440 5 7efe0 7f0df 0 Mapped READONLY Pagefile section, shared commit 0x5 fffffa802b26d180 4 7f0e0 7ffdf 0 Private READONLY fffffa802b4cb160 0 7ffe0 7ffef -1 Private READONLY fffffa802b4e60d0 5 ffd50 ffd84 4 Mapped Exe EXECUTE_WRITECOPY \Windows\System32\notepad.exe fffffa801978d170 4 7fefa530 7fefa5a0 3 Mapped Exe EXECUTE_WRITECOPY \Windows\System32\winspool.drv fffffa80197e0970 5 7fefaab0 7fefab05 4 Mapped Exe EXECUTE_WRITECOPY \Windows\System32\uxtheme.dll fffffa802a6d9720 6 7fefafd0 7fefafe7 5 Mapped Exe EXECUTE_WRITECOPY \Windows\System32\dwmapi.dll fffffa80197ecc50 3 7fefb390 7fefb583 6 Mapped Exe EXECUTE_WRITECOPY \Windows\winsxs\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_fa3b1e3d17594757\comctl32.dll fffffa802a91e010 5 7fefc3c0 7fefc3cb 2 Mapped Exe EXECUTE_WRITECOPY \Windows\System32\version.dll fffffa80197cb010 6 7fefd1d0 7fefd1de 2 Mapped Exe EXECUTE_WRITECOPY \Windows\System32\cryptbase.dll fffffa80290fe9c0 4 7fefd440 7fefd4a9 3 Mapped Exe EXECUTE_WRITECOPY \Windows\System32\KernelBase.dll fffffa8029109e30 5 7fefd6f0 7fefd6fd 2 Mapped Exe EXECUTE_WRITECOPY \Windows\System32\lpk.dll fffffa8029522520 6 7fefd720 7fefd74d 3 Mapped Exe EXECUTE_WRITECOPY \Windows\System32\imm32.dll fffffa802910bce0 2 7fefd800 7fefd8da 7 Mapped Exe EXECUTE_WRITECOPY \Windows\System32\advapi32.dll fffffa80290d9500 5 7fefd8e0 7fefdadb 9 Mapped Exe EXECUTE_WRITECOPY \Windows\System32\ole32.dll fffffa802af4a0c0 4 7fefdae0 7fefe86a 13 Mapped Exe EXECUTE_WRITECOPY \Windows\System32\shell32.dll fffffa8019787170 5 7fefea50 7fefea6e 4 Mapped Exe EXECUTE_WRITECOPY \Windows\System32\sechost.dll fffffa802a6e8010 3 7fefeda0 7fefee36 6 Mapped Exe EXECUTE_WRITECOPY \Windows\System32\comdlg32.dll fffffa802a6ae010 5 7fefee50 7fefef58 4 Mapped Exe EXECUTE_WRITECOPY \Windows\System32\msctf.dll fffffa802910dac0 4 7feff0f0 7feff21c 3 Mapped Exe EXECUTE_WRITECOPY \Windows\System32\rpcrt4.dll fffffa801948e940 1 7feff2a0 7feff33e 7 Mapped Exe EXECUTE_WRITECOPY \Windows\System32\msvcrt.dll fffffa802aac1010 5 7feff340 7feff3b0 3 Mapped Exe EXECUTE_WRITECOPY \Windows\System32\shlwapi.dll fffffa8029156010 4 7feff3c0 7feff48a 4 Mapped Exe EXECUTE_WRITECOPY \Windows\System32\usp10.dll fffffa801956e170 5 7feff800 7feff8d9 4 Mapped Exe EXECUTE_WRITECOPY \Windows\System32\oleaut32.dll fffffa8019789170 3 7feff8e0 7feff946 3 Mapped Exe EXECUTE_WRITECOPY \Windows\System32\gdi32.dll fffffa801958e170 4 7feff960 7feff960 0 Mapped Exe EXECUTE_WRITECOPY \Windows\System32\apisetschema.dll fffffa80290f3c10 2 7fffffb0 7fffffd2 0 Mapped READONLY Pagefile section, shared commit 0x23 fffffa802af28110 3 7fffffd5 7fffffd5 1 Private READWRITE fffffa802a714a30 4 7fffffde 7fffffdf 2 Private READWRITE Total VADs: 58, average level: 5, maximum depth: 6 Total private commit: 0x228 pages (2208 KB) Total shared commit: 0x2d3 pages (2892 KB) view raw tf-article2-windbg-6.txt hosted with ❤ by GitHub The range of addresses supported by a given VAD entry are stored as virtual page numbers - similar to a PFN, but simply in virtual memory. This means that an entry representing a starting VPN of 0x7f and an ending VPN of 0x8f would actually be representing virtual memory from address 0x00000000`0007f000 to 0x00000000`0008ffff. There are a number of complexities of the VAD tree that are outside the scope of this article. For example, each node in the tree can be one of three different types depending on the state of the memory being represented. In addition, a VAD entry may contain information about the backing PTEs for that region of memory if that memory is shared. We will touch more on that concept in a later section. Let's get physical So we now know that Windows maintains separate paging structures for each individual process, and some details about the different virtual memory ranges that are defined. But the operating system also needs a central mechanism to keep track of each individual page of physical memory. After all, it needs to know what's stored in each physical page, whether it can write that data out to a paging file on disk to free up memory, how many processes are using that page for the purposes of shared memory, and plenty of other details for proper memory management That's where the page frame number (PFN) database comes in. A pointer to the base of this very large structure can be located at the symbol nt!MmPfnDatabase, but we know based on the kernel-mode memory ranges that it starts at the virtual address 0xfffffa80`00000000, except on Windows 10 where this is subject to ASLR. (As an aside, WinDbg has a neat extension for dealing with the kernel ASLR in Windows 10 - !vm 0x21 will get you the post-KASLR regions). For each physical page available on the system, there is an nt!_MMPFN structure allocated in the database to provide details about the page. Figure 5: Each physical page in the system is represented by a PFN entry structure in this very large, contiguous data structure. Though some of the bits of the nt!_MMPFN structure can vary depending on the state of the page, that structure generally looks something like this: 0: kd> dt nt!_MMPFN +0x000 u1 : <unnamed-tag> +0x008 u2 : <unnamed-tag> +0x010 PteAddress : Ptr64 _MMPTE +0x010 VolatilePteAddress : Ptr64 Void +0x010 Lock : Int4B +0x010 PteLong : Uint8B +0x018 u3 : <unnamed-tag> +0x01c UsedPageTableEntries : Uint2B +0x01e VaType : UChar +0x01f ViewCount : UChar +0x020 OriginalPte : _MMPTE +0x020 AweReferenceCount : Int4B +0x028 u4 : <unnamed-tag> view raw tf-article2-windbg-7.txt hosted with ❤ by GitHub A page represented in the PFN database can be in a number of different states. The state of the page will determine what the memory manager does with the contents of that page. We won't be focusing on the different states too much in this article, but there are a few of them: active, transition, modified, free, and bad, to name several. It is definitely worth mentioning that for efficiency reasons, Windows manages linked lists that are comprised of all of the nt!_MMPFN entries that are in a specific state. This makes it much easier to traverse all pages that are in a specific state, rather than having to walk the entire PFN database. For example, it can allow the memory manager to quickly locate all of the free pages when memory needs to be paged in from disk. Figure 6: Different linked lists make it easier to walk the PFN database according to the state of the pages, e.g. walk all of the free pages contiguously. Another purpose of the PFN database is to help facilitate the translation of physical addresses back to their corresponding virtual addresses. Windows uses the PFN database to accomplish this during calls such as nt!MmGetVirtualForPhysical. While it is technically possible to search all of the paging structures for every process on the system in order to work backwards up the paging structures to get the original virtual address, the fact that the nt!_MMPFN structure contains a reference to the backing PTE coupled with some clever allocation rules by Microsoft allow them to easily convert back to a virtual address using the PTE and some bit shifting. For a little bit of practical experience exploring the PFN database, let's find a region of memory in notepad.exe that we can take a look at. One area of memory that could be of interest is the entry point of our application. We can use the !dh command to display the PE header information associated with a given module in order to track down the address of the entry point. Because we've switched into a user-mode context in one of our previous examples, WinDbg will require us to reload our symbols so that it can make sense of everything again. We can do that using the .reload /f command. Then we can look at notepad.exe's headers: 6: kd> !dh notepad.exe File Type: EXECUTABLE IMAGE FILE HEADER VALUES 8664 machine (X64) 6 number of sections 559EA8BE time date stamp Thu Jul 9 10:00:46 2015 0 file pointer to symbol table 0 number of symbols F0 size of optional header 22 characteristics Executable App can handle >2gb addresses OPTIONAL HEADER VALUES 20B magic # 9.00 linker version A800 size of code 25800 size of initialized data 0 size of uninitialized data 3ACC address of entry point 1000 base of code ----- new ----- 00000000ffd50000 image base 1000 section alignment 200 file alignment 2 subsystem (Windows GUI) 6.01 operating system version 6.01 image version 6.01 subsystem version 35000 size of image 600 size of headers 36DA2 checksum 0000000000080000 size of stack reserve 0000000000011000 size of stack commit 0000000000100000 size of heap reserve 0000000000001000 size of heap commit 8140 DLL characteristics Dynamic base NX compatible Terminal server aware 0 [ 0] address of Export Directory CFF8 [ 12C] address of Import Directory 14000 [ 1F168] address of Resource Directory 13000 [ 6B4] address of Exception Directory 0 [ 0] address of Security Directory 34000 [ B8] address of Base Relocation Directory B740 [ 38] address of Debug Directory 0 [ 0] address of Description Directory 0 [ 0] address of Special Directory 0 [ 0] address of Thread Storage Directory 0 [ 0] address of Load Configuration Directory 2E0 [ 138] address of Bound Import Directory C000 [ 7F0] address of Import Address Table Directory 0 [ 0] address of Delay Import Directory 0 [ 0] address of COR20 Header Directory 0 [ 0] address of Reserved Directory … view raw tf-article2-windbg-8.txt hosted with ❤ by GitHub Again, the output is quite verbose, so the section information at the bottom is omitted from the above snippet. We're interested in the address of entry point member of the optional header, which is listed as 0x3acc. That value is called a relative virtual address (RVA), and it's the number of bytes from the base address of the notepad.exe image. If we add that relative address to the base of notepad.exe, we should see the code located at our entry point. 6: kd> u notepad.exe + 0x3acc L10 notepad!WinMainCRTStartup: 00000000`ffd53acc 4883ec28 sub rsp,28h 00000000`ffd53ad0 e80bf3ffff call notepad!_security_init_cookie (00000000`ffd52de0) 00000000`ffd53ad5 4883c428 add rsp,28h 00000000`ffd53ad9 eb09 jmp notepad!DisplayNonGenuineDlgWorker+0x14c (00000000`ffd53ae4) 00000000`ffd53adb 90 nop 00000000`ffd53adc 90 nop 00000000`ffd53add 90 nop 00000000`ffd53ade 90 nop 00000000`ffd53adf 90 nop 00000000`ffd53ae0 90 nop 00000000`ffd53ae1 90 nop 00000000`ffd53ae2 90 nop 00000000`ffd53ae3 90 nop 00000000`ffd53ae4 4889742408 mov qword ptr [rsp+8],rsi 00000000`ffd53ae9 48897c2410 mov qword ptr [rsp+10h],rdi 00000000`ffd53aee 4154 push r12 view raw tf-article2-windbg-9.txt hosted with ❤ by GitHub And we do see that the address resolves to notepad!WinMainCRTStartup, like we expected. Now we have the address of our target process' entry point: 00000000`ffd53acc. While the above steps were a handy exercise in digging through parts of a loaded image, they weren't actually necessary since we had symbols loaded. We could have simply used the ? qualifier in combination with the symbol notepad!WinMainCRTStartup, as demonstrated below, or gotten the value of a handy pseudo-register that represents the entry point with r $exentry. 6: kd> ? notepad!WinMainCRTStartup Evaluate expression: 4292164300 = 00000000`ffd53acc view raw tf-article2-windbg-10.txt hosted with ❤ by GitHub In any case, we now have the address of our entry point, which from here on we'll refer to as our “target” or the “target page”. We can now start taking a look at the different paging structures that support our target, as well as the PFN database entry for it. Let's first take a look at the PFN database. We know the virtual address where this structure is supposed to start, but let's look for it the long way, anyway. We can easily find the beginning of this structure by using the ? qualifier and poi on the symbol name. The poi command treats its parameter as a pointer and retrieves the value located at that pointer. 6: kd> ? poi(nt!MmPfnDatabase) Evaluate expression: -6047313952768 = fffffa80`00000000 view raw tf-article2-windbg-11.txt hosted with ❤ by GitHub Knowing that the PFN database begins at 0xfffffa80`00000000, we should be able to index easily to the entry that represents our target page. First we need to figure out the page frame number in physical memory that the target's PTE refers to, and then we can index into the PFN database by that number. Looking back on what we learned from the previous article, we can grab the PTE information about the target page very easily using the handy !pte command. 6: kd> !pte 00000000`ffd53acc VA 00000000ffd53acc PXE at FFFFF6FB7DBED000 PPE at FFFFF6FB7DA00018 PDE at FFFFF6FB40003FF0 PTE at FFFFF680007FEA98 contains 02D0000654195867 contains 4D00000654D16867 contains 02F0000654D97867 contains 32C000065207B025 pfn 654195 ---DA--UWEV pfn 654d16 ---DA--UWEV pfn 654d97 ---DA--UWEV pfn 65207b ----A--UREV view raw tf-article2-windbg-12.txt hosted with ❤ by GitHub The above result would indicate that the backing page frame number for the target is 0x65207b. That should be the index into the PFN database that we'll need to use. Remember that we'll need to multiply that index by the size of an nt!_MMPFN structure, since we're essentially trying to skip that many PFN entries. 6: kd> ?? sizeof(nt!_MMPFN) unsigned int64 0x30 6: kd> dt !_MMPFN (0xfffffa80`00000000 + (0x65207b * 0x30)) nt!_MMPFN +0x000 u1 : <unnamed-tag> +0x008 u2 : <unnamed-tag> +0x010 PteAddress : 0xfffff8a0`09e25a00 _MMPTE +0x010 VolatilePteAddress : 0xfffff8a0`09e25a00 Void +0x010 Lock : 0n165829120 +0x010 PteLong : 0xfffff8a0`09e25a00 +0x018 u3 : <unnamed-tag> +0x01c UsedPageTableEntries : 0 +0x01e VaType : 0 '' +0x01f ViewCount : 0 '' +0x020 OriginalPte : _MMPTE +0x020 AweReferenceCount : 0n-333970336 +0x028 u4 : <unnamed-tag> view raw tf-article2-windbg-13.txt hosted with ❤ by GitHub This looks like a valid PFN entry. We can verify that we've done everything correctly by first doing the manual calculation to figure out what the address of the PFN entry should be, and then comparing it to where WinDbg thinks it should be. 6: kd> ? (0xfffffa80`00000000 + (0x65207b * 0x30)) Evaluate expression: -6046995835120 = fffffa80`12f61710 view raw tf-article2-windbg-14.txt hosted with ❤ by GitHub So based on the above, we know that the nt!_MMPFN entry for the page we're interested in it should be located at 0xfffffa80`12f61710, and we can use a nice shortcut to verify if we're correct. As always in WinDbg, there is an easier way to obtain information from the PFN database. This can be done by using the !pfn command with the page frame number. 6: kd> !pfn 0x65207b PFN 0065207B at address FFFFFA8012F61710 flink 0000032C blink / share count 00000001 pteaddress FFFFF8A009E25A00 reference count 0001 used entry count 0000 Cached color 0 Priority 1 restore pte FA80194CEC180460 containing page 693603 Active P Shared view raw tf-article2-windbg-15.txt hosted with ❤ by GitHub Here we can see that WinDbg also indicates that the PFN entry is at 0xfffffa8012f61710, just like our calculation, so it looks like we did that correctly. An interlude about working sets Phew - we've done some digging around in the PFN database now, and we've seen how each entry in that database stores some information about the physical page itself. Let's take a step back for a moment, back into the world of virtual memory, and talk about working sets. Each process has what's called a working set, which represents all of the process' virtual memory that is subject to paging and is accessible without incurring a page fault. Some parts of the process' memory may be paged to disk in order to free up RAM, or in a transition state, and therefore accessing those regions of memory will generate a page fault within that process. In layman's terms, a page fault is essentially the architecture indicating that it can't access the specified virtual memory, because the PTEs needed for translation weren't found inside the paging structures, or because the permissions on the PTEs restrict what the application is attempting to do. When a page fault occurs, the page fault handler must resolve it by adding the page back into the process' working set (meaning it also gets added back into the process' paging structures), mapping the page back into memory from disk and then adding it back to the working set, or indicating that the page being accessed is invalid. Figure 7: An example working set of a process, where some rarely accessed pages were paged out to disk to free up physical memory. It should be noted that other regions of virtual memory may be accessible to the process which do not appear in the working set, such as Address Windowing Extensions (AWE) mappings or large pages; however, for the purposes of this article we will be focusing on memory that is part of the working set. Occasionally, Windows will trim the working set of a process in response to (or to avoid) memory pressure on the system, ensuring there is memory available for other processes. If the working set of a process is trimmed, the pages being trimmed have their backing PTEs marked as “not valid” and are put into a transition state while they await being paged to disk or given away to another process. In the case of a “soft” page fault, the page described by the PTE is actually still resident in physical memory, and the page fault handler can simply mark the PTE as valid again and resolve the fault efficiently. Otherwise, in the case of a “hard” page fault, the page fault handler needs to fetch the contents of the page from the paging file on disk before marking the PTE as valid again. If this kind of fault occurs, the page fault handler will likely also have to alter the page frame number that the PTE refers to, since the page isn't likely to be loaded back into the same location in physical memory that it previously resided in. Sharing is caring It's important to remember that while two processes do have different paging structures that map their virtual memory to different parts of physical memory, there can be portions of their virtual memory which map to the same physical memory. This concept is called shared memory, and it's actually quite common within Windows. In fact, even in our previous example with notepad.exe's entry point, the page of memory we looked at was shared. Examples of regions in memory that are shared are system modules, shared libraries, and files that are mapped into memory with CreateFileMapping() and MapViewOfFile(). In addition, the kernel-mode portion of a process' memory will also point to the same shared physical memory as other processes, because a shared view of the kernel is typically mapped into every process. Despite the fact that a view of the kernel is mapped into their memory, user-mode applications will not be able to access pages of kernel-mode memory as Windows sets the UserSupervisor bit in the kernel-mode PTEs. The hardware uses this bit to enforce ring0-only access to those pages. Figure 8: Two processes may have different views of their user space virtual memory, but they get a shared view of the kernel space virtual memory. In the case of memory that is not shared between processes, the PFN database entry for that page of memory will point to the appropriate PTE in the process that owns that memory. Figure 9: When not sharing memory, each process will have PTE for a given page, and that PTE will point to a unique member of the PFN database. When dealing with memory that is shareable, Windows creates a kind of global PTE - known as a prototype PTE - for each page of the shared memory. This prototype always represents the real state of the physical memory for the shared page. If marked as Valid, this prototype PTE can act as a hardware PTE just as in any other case. If marked as Not Valid, the prototype will indicate to the page fault handler that the memory needs to be paged back in from disk. When a prototype PTE exists for a given page of memory, the PFN database entry for that page will always point to the prototype PTE. Figure 10: Even though both processes still have a valid PTE pointing to their shared memory, Windows has created a prototype PTE which points to the PFN entry, and the PFN entry now points to the prototype PTE instead of a specific process. Why would Windows create this special PTE for shared memory? Well, imagine for a moment that in one of the processes, the PTE that describes a shared memory location is stripped out of the process' working set. If the process then tries to access that memory, the page fault handler sees that the PTE has been marked as Not Valid, but it has no idea whether that shared page is still resident in physical memory or not. For this, it uses the prototype PTE. When the PTE for the shared page within the process is marked as Not Valid, the Prototype bit is also set and the page frame number is set to the location of the prototype PTE for that page. Figure 11: One of the processes no longer has a valid PTE for the shared memory, so Windows instead uses the prototype PTE to ascertain the true state of the physical page. This way, the page fault handler is able to examine the prototype PTE to see if the physical page is still valid and resident or not. If it is still resident, then the page fault handler can simply mark the process' version of the PTE as valid again, resolving the soft fault. If the prototype PTE indicates it is Not Valid, then the page fault handler must fetch the page from disk. We can continue our adventures in WinDbg to explore this further, as it can be a tricky concept. Based on what we know about shared memory, that should mean that the PTE referenced by the PFN entry for the entry point of notepad.exe is a prototype PTE. We can already see that it's a different address (0xfffff8a0`09e25a00) than the PTE that we were expecting from the !pte command (0xfffff680007fea98). Let's look at the fully expanded nt!_MMPTE structure that's being referenced in the PFN entry. 6: kd> dt !_MMPTE 0xfffff8a0`09e25a00 -b nt!_MMPTE +0x000 u : <unnamed-tag> +0x000 Long : 0x00000006`5207b121 +0x000 VolatileLong : 0x00000006`5207b121 +0x000 Hard : _MMPTE_HARDWARE +0x000 Valid : 0y1 +0x000 Dirty1 : 0y0 +0x000 Owner : 0y0 +0x000 WriteThrough : 0y0 +0x000 CacheDisable : 0y0 +0x000 Accessed : 0y1 +0x000 Dirty : 0y0 +0x000 LargePage : 0y0 +0x000 Global : 0y1 +0x000 CopyOnWrite : 0y0 +0x000 Unused : 0y0 +0x000 Write : 0y0 +0x000 PageFrameNumber : 0y000000000000011001010010000001111011 (0x65207b) +0x000 reserved1 : 0y0000 +0x000 SoftwareWsIndex : 0y00000000000 (0) +0x000 NoExecute : 0y0 ... +0x000 Proto : _MMPTE_PROTOTYPE +0x000 Valid : 0y1 +0x000 Unused0 : 0y0010000 (0x10) +0x000 ReadOnly : 0y1 +0x000 Unused1 : 0y0 +0x000 Prototype : 0y0 +0x000 Protection : 0y10110 (0x16) +0x000 ProtoAddress : 0y000000000000000000000000000001100101001000000111 (0x65207) ... view raw tf-article2-windbg-16.txt hosted with ❤ by GitHub We can compare that with the nt!_MMPTE entry that was referenced when we did the !pte command on notepad.exe's entry point. 6: kd> dt nt!_MMPTE 0xfffff680007fea98 -b +0x000 u : <unnamed-tag> +0x000 Long : 0x32c00006`5207b025 +0x000 VolatileLong : 0x32c00006`5207b025 +0x000 Hard : _MMPTE_HARDWARE +0x000 Valid : 0y1 +0x000 Dirty1 : 0y0 +0x000 Owner : 0y1 +0x000 WriteThrough : 0y0 +0x000 CacheDisable : 0y0 +0x000 Accessed : 0y1 +0x000 Dirty : 0y0 +0x000 LargePage : 0y0 +0x000 Global : 0y0 +0x000 CopyOnWrite : 0y0 +0x000 Unused : 0y0 +0x000 Write : 0y0 +0x000 PageFrameNumber : 0y000000000000011001010010000001111011 (0x65207b) +0x000 reserved1 : 0y0000 +0x000 SoftwareWsIndex : 0y01100101100 (0x32c) +0x000 NoExecute : 0y0 ... +0x000 Proto : _MMPTE_PROTOTYPE +0x000 Valid : 0y1 +0x000 Unused0 : 0y0010010 (0x12) +0x000 ReadOnly : 0y0 +0x000 Unused1 : 0y0 +0x000 Prototype : 0y0 +0x000 Protection : 0y10110 (0x16) +0x000 ProtoAddress : 0y001100101100000000000000000001100101001000000111 (0x32c000065207) ... view raw tf-article2-windbg-17.txt hosted with ❤ by GitHub It looks like the Prototype bit is not set on either of them, and they're both valid. This makes perfect sense. The shared page still belongs to notepad.exe's working set, so the PTE in the process' paging structures is still valid; however, the operating system has proactively allocated a prototype PTE for it because the memory may be shared at some point and the state of the page will need to be tracked with the prototype PTE. The notepad.exe paging structures also point to a valid hardware PTE, just not the same one as the PFN database entry. The same isn't true for a region of memory that can't be shared. For example, if we choose another memory location that was allocated as MEM_PRIVATE, we will not see the same results. We can use the !vad command to give us all of the virtual address regions (listed by virtual page frame) that are mapped by the current process. 6: kd> !vad VAD Level Start End Commit fffffa8019785170 5 10 1f 0 Mapped READWRITE Pagefile section, shared commit 0x10 fffffa8019229650 4 20 26 0 Mapped READONLY Pagefile section, shared commit 0x7 fffffa802aec35c0 5 30 33 0 Mapped READONLY Pagefile section, shared commit 0x4 fffffa80291085a0 3 40 41 0 Mapped READONLY Pagefile section, shared commit 0x2 fffffa802b25c180 5 50 50 1 Private READWRITE fffffa802b0b8940 4 60 c6 0 Mapped READONLY \Windows\System32\locale.nls fffffa8019544940 5 d0 d1 0 Mapped READWRITE Pagefile section, shared commit 0x2 fffffa80193c5570 2 e0 e2 3 Mapped WRITECOPY \Windows\System32\en-US\notepad.exe.mui fffffa802b499e00 5 f0 f0 1 Private READWRITE fffffa802b4a6160 4 100 100 1 Private READWRITE fffffa801954d3a0 5 110 110 0 Mapped READWRITE Pagefile section, shared commit 0x1 fffffa80197cf8c0 3 120 121 0 Mapped READONLY Pagefile section, shared commit 0x2 fffffa802b158240 4 160 16f 2 Private READWRITE fffffa802b24f180 1 1a0 21f 20 Private READWRITE fffffa802b1fc680 6 220 31f 104 Private READWRITE fffffa802b44d110 5 320 41f 146 Private READWRITE fffffa802910ece0 6 420 4fe 0 Mapped READONLY Pagefile section, shared commit 0xdf fffffa802b354c60 4 540 54f 7 Private READWRITE fffffa8029106660 6 550 6d7 0 Mapped READONLY Pagefile section, shared commit 0x6 fffffa802b4738b0 5 6e0 860 0 Mapped READONLY Pagefile section, shared commit 0x181 fffffa802942ea30 6 870 1c6f 0 Mapped READONLY Pagefile section, shared commit 0x23 fffffa802b242260 3 1cf0 1d6f 28 Private READWRITE fffffa802aa66d60 5 1e10 1e8f 113 Private READWRITE fffffa8019499560 4 3030 395f 0 Mapped READONLY \Windows\Fonts\StaticCache.dat fffffa8019246370 5 3960 3c2e 0 Mapped READONLY \Windows\Globalization\Sorting\SortDefault.nls fffffa802b184c50 6 3c30 3d2f 1 Private READWRITE fffffa802b45f180 2 77420 77519 3 Mapped Exe EXECUTE_WRITECOPY \Windows\System32\user32.dll fffffa80192afa20 4 77520 7763e 4 Mapped Exe EXECUTE_WRITECOPY \Windows\System32\kernel32.dll fffffa802a8ba9c0 3 77640 777e9 14 Mapped Exe EXECUTE_WRITECOPY \Windows\System32\ntdll.dll fffffa802910a440 5 7efe0 7f0df 0 Mapped READONLY Pagefile section, shared commit 0x5 fffffa802b26d180 4 7f0e0 7ffdf 0 Private READONLY fffffa802b4cb160 0 7ffe0 7ffef -1 Private READONLY fffffa802b4e60d0 5 ffd50 ffd84 4 Mapped Exe EXECUTE_WRITECOPY \Windows\System32\notepad.exe fffffa801978d170 4 7fefa530 7fefa5a0 3 Mapped Exe EXECUTE_WRITECOPY \Windows\System32\winspool.drv fffffa80197e0970 5 7fefaab0 7fefab05 4 Mapped Exe EXECUTE_WRITECOPY \Windows\System32\uxtheme.dll fffffa802a6d9720 6 7fefafd0 7fefafe7 5 Mapped Exe EXECUTE_WRITECOPY \Windows\System32\dwmapi.dll fffffa80197ecc50 3 7fefb390 7fefb583 6 Mapped Exe EXECUTE_WRITECOPY \Windows\winsxs\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_fa3b1e3d17594757\comctl32.dll fffffa802a91e010 5 7fefc3c0 7fefc3cb 2 Mapped Exe EXECUTE_WRITECOPY \Windows\System32\version.dll fffffa80197cb010 6 7fefd1d0 7fefd1de 2 Mapped Exe EXECUTE_WRITECOPY \Windows\System32\cryptbase.dll fffffa80290fe9c0 4 7fefd440 7fefd4a9 3 Mapped Exe EXECUTE_WRITECOPY \Windows\System32\KernelBase.dll fffffa8029109e30 5 7fefd6f0 7fefd6fd 2 Mapped Exe EXECUTE_WRITECOPY \Windows\System32\lpk.dll fffffa8029522520 6 7fefd720 7fefd74d 3 Mapped Exe EXECUTE_WRITECOPY \Windows\System32\imm32.dll fffffa802910bce0 2 7fefd800 7fefd8da 7 Mapped Exe EXECUTE_WRITECOPY \Windows\System32\advapi32.dll fffffa80290d9500 5 7fefd8e0 7fefdadb 9 Mapped Exe EXECUTE_WRITECOPY \Windows\System32\ole32.dll fffffa802af4a0c0 4 7fefdae0 7fefe86a 13 Mapped Exe EXECUTE_WRITECOPY \Windows\System32\shell32.dll fffffa8019787170 5 7fefea50 7fefea6e 4 Mapped Exe EXECUTE_WRITECOPY \Windows\System32\sechost.dll fffffa802a6e8010 3 7fefeda0 7fefee36 6 Mapped Exe EXECUTE_WRITECOPY \Windows\System32\comdlg32.dll fffffa802a6ae010 5 7fefee50 7fefef58 4 Mapped Exe EXECUTE_WRITECOPY \Windows\System32\msctf.dll fffffa802910dac0 4 7feff0f0 7feff21c 3 Mapped Exe EXECUTE_WRITECOPY \Windows\System32\rpcrt4.dll fffffa801948e940 1 7feff2a0 7feff33e 7 Mapped Exe EXECUTE_WRITECOPY \Windows\System32\msvcrt.dll fffffa802aac1010 5 7feff340 7feff3b0 3 Mapped Exe EXECUTE_WRITECOPY \Windows\System32\shlwapi.dll fffffa8029156010 4 7feff3c0 7feff48a 4 Mapped Exe EXECUTE_WRITECOPY \Windows\System32\usp10.dll fffffa801956e170 5 7feff800 7feff8d9 4 Mapped Exe EXECUTE_WRITECOPY \Windows\System32\oleaut32.dll fffffa8019789170 3 7feff8e0 7feff946 3 Mapped Exe EXECUTE_WRITECOPY \Windows\System32\gdi32.dll fffffa801958e170 4 7feff960 7feff960 0 Mapped Exe EXECUTE_WRITECOPY \Windows\System32\apisetschema.dll fffffa80290f3c10 2 7fffffb0 7fffffd2 0 Mapped READONLY Pagefile section, shared commit 0x23 fffffa802af28110 3 7fffffd5 7fffffd5 1 Private READWRITE fffffa802a714a30 4 7fffffde 7fffffdf 2 Private READWRITE Total VADs: 58, average level: 5, maximum depth: 6 Total private commit: 0x228 pages (2208 KB) Total shared commit: 0x2d3 pages (2892 KB) view raw tf-article2-windbg-18.txt hosted with ❤ by GitHub We can take a look at a MEM_PRIVATE page, such as 0x1cf0, and see if the PTE from the process' paging structures matches the PTE from the PFN database. 6: kd> ? 1cf0 * 0x1000 Evaluate expression: 30343168 = 00000000`01cf0000 6: kd> !pte 00000000`01cf0000 VA 0000000001cf0000 PXE at FFFFF6FB7DBED000 PPE at FFFFF6FB7DA00000 PDE at FFFFF6FB40000070 PTE at FFFFF6800000E780 contains 02D0000654195867 contains 0320000656E18867 contains 4F20000653448867 contains CF30000651EC9867 pfn 654195 ---DA--UWEV pfn 656e18 ---DA--UWEV pfn 653448 ---DA--UWEV pfn 651ec9 ---DA--UW-V 6: kd> !pfn 651ec9 PFN 00651EC9 at address FFFFFA8012F5C5B0 flink 000004F3 blink / share count 00000001 pteaddress FFFFF6800000E780 reference count 0001 used entry count 0000 Cached color 0 Priority 5 restore pte 00000080 containing page 653448 Active M Modified view raw tf-article2-windbg-19.txt hosted with ❤ by GitHub As we can see, it does match, with both addresses referring to 0xfffff680`0000e780. Because this memory is not shareable, the process' paging structures are able to manage the hardware PTE directly. In the case of shareable pages allocated with MEM_MAPPED, though, the PFN database maintains its own copy of the PTE. It's worth exploring different regions of memory this way, just to see how the paging structures and PFN entries are set up in different cases. As mentioned above, the VAD tree is another important consideration when dealing with user-mode memory as in many cases, it will actually be a VAD node which indicates where the prototype PTE for a given shared memory region resides. In these cases, the page fault handler will need to refer to the process' VAD tree and walk the tree until it finds the node responsible for the shared memory region. Figure 12: If the invalid PTE points to the process' VAD tree, a VAD walk must be performed to locate the appropriate _MMVAD node that represents the given virtual memory. The FirstPrototypePte member of the VAD node will indicate the starting virtual address of a region of memory that contains prototype PTEs for each shared page in the region. The list of prototype PTEs is terminated with the LastContiguousPte member of the VAD node. The page fault handler must then walk this list of prototype PTEs to find the PTE that backs the specific page that has faulted. Figure 13: The FirstPrototypePte member of the VAD node points to a region of memory that has a contiguous block of prototype PTEs that represent shared memory within that virtual address range. One more example to bring it all together It would be helpful to walk through each of these scenarios with a program that we control, and that we can change, if needed. That's precisely what we're going to do with the memdemo project. You can follow along by compiling the application yourself, or you can simply take a look at the code snippets that will be posted throughout this example. To start off, we'll load our memdemo.exe and then attach the kernel debugger. We then need to get a list of processes that are currently running on the system. kd> !process 0 0 **** NT ACTIVE PROCESS DUMP **** PROCESS ffffa50dcea99040 SessionId: none Cid: 0004 Peb: 00000000 ParentCid: 0000 DirBase: 001aa000 ObjectTable: ffffd385360012c0 HandleCount: 2376. Image: System PROCESS ffffa50dcee27140 SessionId: none Cid: 01f4 Peb: dbfb731000 ParentCid: 0004 DirBase: 138ab8000 ObjectTable: ffffd38536339d40 HandleCount: 52. Image: smss.exe PROCESS ffffa50dcfb467c0 SessionId: 0 Cid: 0248 Peb: 5faaf3c000 ParentCid: 0240 DirBase: 138f83000 ObjectTable: ffffd385363d0f00 HandleCount: 531. Image: csrss.exe ... PROCESS ffffa50dd1070380 SessionId: 1 Cid: 097c Peb: 6f29798000 ParentCid: 02b4 DirBase: 1500d000 ObjectTable: ffffd3853d7ed380 HandleCount: 37. Image: memdemo.exe view raw tf-article2-windbg-19.txt hosted with ❤ by GitHub Let's quickly switch back to the application so that we can let it create our initial buffer. To do this, we're simply allocating some memory and then accessing it to make sure it's resident. // Allocate a buffer within our process. PVOID Private = VirtualAlloc(NULL, 4096, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE); // Use the memory to make sure it's resident. reinterpret_cast<PBYTE>(Private)[0] = 0xFF; view raw tf-article2-code1.txt hosted with ❤ by GitHub Upon running the code, we see that the application has created a buffer for us (in the current example) at 0x000001fe`151c0000. Your buffer may differ. We should hop back into our debugger now and check out that memory address. As mentioned before, it's important to remember to switch back into the process context of memdemo.exe when we break back in with the debugger. We have no idea what context we could have been in when we interrupted execution, so it's important to always do this step. kd> .process /i /P ffffa50dd1070380 You need to continue execution (press 'g' <enter>) for the context to be switched. When the debugger breaks in again, you will be in the new process context. kd> g Break instruction exception - code 80000003 (first chance) nt!DbgBreakPointWithStatus: fffff801`d9df7a40 cc int 3 view raw tf-article2-windbg-20.txt hosted with ❤ by GitHub When we wrote memdemo.exe, we could have used the __debugbreak() compiler intrinsic to avoid having to constantly switch back to our process' context. It would ensure that when the breakpoint was hit, we were already in the correct context. For the purposes of this article, though, it's best to practice swapping back into the correct process context, as during most live analysis we would not have the liberty of throwing int3 exceptions during the program's execution. We can now check out the memory at 0x000001fe`151c0000 using the db command. kd> db 0x000001fe`151c0000 000001fe`151c0000 ff 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................ 000001fe`151c0010 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................ 000001fe`151c0020 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................ 000001fe`151c0030 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................ 000001fe`151c0040 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................ 000001fe`151c0050 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................ 000001fe`151c0060 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................ 000001fe`151c0070 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................ view raw tf-article2-windbg-21.txt hosted with ❤ by GitHub Looks like that was a success - we can even see the 0xff byte that we wrote to it. Let's have a look at the backing PTE for this page using the !pte command. 6: kd> !pte 0x000001fe`151c0000 VA 000001fe151c0000 PXE at FFFFED76BB5DA018 PPE at FFFFED76BB403FC0 PDE at FFFFED76807F8540 PTE at FFFFED00FF0A8E00 contains 0A0000001A907867 contains 0A0000001B008867 contains 0A00000016609867 contains 80000000A1DD0867 pfn 1a907 ---DA--UWEV pfn 1b008 ---DA--UWEV pfn 16609 ---DA--UWEV pfn a1dd0 ---DA--UW-V view raw tf-article2-windbg-22.txt hosted with ❤ by GitHub That's good news. It seems like the Valid (V) bit is set, which is what we expect. The memory is Writeable (W), as well, which makes sense based on our PAGE_READWRITE permissions. Let's look at the PFN database entry using !pfn for page 0xa1dd0. kd> !pfn 0xa1dd0 PFN 000A1DD0 at address FFFFE70001E59700 flink 00000002 blink / share count 00000001 pteaddress FFFFED00FF0A8E00 reference count 0001 used entry count 0000 Cached color 0 Priority 5 restore pte 00000080 containing page 016609 Active M Modified view raw tf-article2-windbg-23.txt hosted with ❤ by GitHub We can see that the PFN entry points to the same PTE structure we were just looking at. We can go to the address of the PTE at 0xffffed00ff0a8e00 and cast it as an nt!_MMPTE. kd> dt nt!_MMPTE 0xffffed00ff0a8e00 -b +0x000 u : <unnamed-tag> +0x000 Long : 0x80000000`a1dd0867 +0x000 VolatileLong : 0x80000000`a1dd0867 +0x000 Hard : _MMPTE_HARDWARE +0x000 Valid : 0y1 +0x000 Dirty1 : 0y1 +0x000 Owner : 0y1 +0x000 WriteThrough : 0y0 +0x000 CacheDisable : 0y0 +0x000 Accessed : 0y1 +0x000 Dirty : 0y1 +0x000 LargePage : 0y0 +0x000 Global : 0y0 +0x000 CopyOnWrite : 0y0 +0x000 Unused : 0y0 +0x000 Write : 0y1 +0x000 PageFrameNumber : 0y000000000000000010100001110111010000 (0xa1dd0) +0x000 ReservedForHardware : 0y0000 +0x000 ReservedForSoftware : 0y0000 +0x000 WsleAge : 0y0000 +0x000 WsleProtection : 0y000 +0x000 NoExecute : 0y1 … view raw tf-article2-windbg-24.txt hosted with ❤ by GitHub We see that it's Valid, Dirty, Accessed, and Writeable, which are all things that we expect. The Accessed bit is set by the hardware when the page table entry is used for translation. If that bit is set, it means that at some point the memory has been accessed because the PTE was used as part of an address translation. Software can reset this value in order to track accesses to certain memory. Similarly, the Dirty bit shows that the memory has been written to, and is also set by the hardware. We see that it's set for us because we wrote our 0xff byte to the page. Now let's let the application execute using the g command. We're going to let the program page out the memory that we were just looking at, using the following code: // Unlock the virtual memory (just in case). VirtualUnlock(Private, 4096); // Flush the process' working set. SetProcessWorkingSetSize(GetCurrentProcess(), (SIZE_T)-1, (SIZE_T)-1); view raw tf-article2-code2.txt hosted with ❤ by GitHub Once that's complete, don't forget to switch back to the process context again. We need to do that every time we go back into the debugger! Now let's check out the PTE with the !pte command after the page has been supposedly trimmed from our working set. kd> !pte 0x000001fe`151c0000 VA 000001fe151c0000 PXE at FFFFED76BB5DA018 PPE at FFFFED76BB403FC0 PDE at FFFFED76807F8540 PTE at FFFFED00FF0A8E00 contains 0A0000001A907867 contains 0A0000001B008867 contains 0A00000016609867 contains 00000000A1DD0880 pfn 1a907 ---DA--UWEV pfn 1b008 ---DA--UWEV pfn 16609 ---DA--UWEV not valid Transition: a1dd0 Protect: 4 - ReadWrite view raw tf-article2-windbg-25.txt hosted with ❤ by GitHub We see now that the PTE is no longer valid, because the page has been trimmed from our working set; however, it has not been paged out of RAM yet. This means it is in a transition state, as shown by WinDbg. We can verify this for ourselves by looking at the actual PTE structure again. kd> dt nt!_MMPTE 0xffffed00ff0a8e00 -b +0x000 u : <unnamed-tag> +0x000 Long : 0xa1dd0880 +0x000 VolatileLong : 0xa1dd0880 +0x000 Hard : _MMPTE_HARDWARE +0x000 Valid : 0y0 +0x000 Dirty1 : 0y0 +0x000 Owner : 0y0 +0x000 WriteThrough : 0y0 +0x000 CacheDisable : 0y0 +0x000 Accessed : 0y0 +0x000 Dirty : 0y0 +0x000 LargePage : 0y1 +0x000 Global : 0y0 +0x000 CopyOnWrite : 0y0 +0x000 Unused : 0y0 +0x000 Write : 0y1 +0x000 PageFrameNumber : 0y000000000000000010100001110111010000 (0xa1dd0) +0x000 ReservedForHardware : 0y0000 +0x000 ReservedForSoftware : 0y0000 +0x000 WsleAge : 0y0000 +0x000 WsleProtection : 0y000 +0x000 NoExecute : 0y0 ... +0x000 Trans : _MMPTE_TRANSITION +0x000 Valid : 0y0 +0x000 Write : 0y0 +0x000 Spare : 0y00 +0x000 IoTracker : 0y0 +0x000 Protection : 0y00100 (0x4) +0x000 Prototype : 0y0 +0x000 Transition : 0y1 +0x000 PageFrameNumber : 0y000000000000000010100001110111010000 (0xa1dd0) +0x000 Unused : 0y0000000000000000 (0) ... view raw tf-article2-windbg-26.txt hosted with ❤ by GitHub In the _MMPTE_TRANSITION version of the structure, the Transition bit is set. So because the memory hasn't yet been paged out, if our program were to access that memory, it would cause a soft page fault that would then simply mark the PTE as valid again. If we examine the PFN entry with !pfn, we can see that the page is still resident in physical memory for now, and still points to our original PTE. kd> !pfn 0xa1dd0 PFN 000A1DD0 at address FFFFE70001E59700 flink 0001614A blink / share count 0013230A pteaddress FFFFED00FF0A8E00 reference count 0000 used entry count 0000 Cached color 0 Priority 5 restore pte 00000080 containing page 016609 Modified M Modified view raw tf-article2-windbg-27.txt hosted with ❤ by GitHub Now let's press g again and let the app continue. It'll create a shared section of memory for us. In order to do so, we need to create a file mapping and then map a view of that file into our process. // Create a section object to demonstrate shared memory. HANDLE Mapping = CreateFileMapping(INVALID_HANDLE_VALUE, NULL, PAGE_READWRITE, 0, 4096, L"memdemosec"); // Map the section into our process. PVOID Shared = MapViewOfFile(Mapping, FILE_MAP_ALL_ACCESS, 0, 0, 4096); // Use the memory to make sure it's resident. reinterpret_cast<PBYTE>(Shared)[0] = 0xFF; view raw tf-article2-code3.txt hosted with ❤ by GitHub Let's take a look at the shared memory (at 0x000001fe`151d0000 in this example) using db. Don't forget to change back to our process context when you switch back into the debugger. kd> db 0x000001fe`151d0000 000001fe`151d0000 ff 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................ 000001fe`151d0010 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................ 000001fe`151d0020 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................ 000001fe`151d0030 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................ 000001fe`151d0040 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................ 000001fe`151d0050 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................ 000001fe`151d0060 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................ 000001fe`151d0070 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................ view raw tf-article2-windbg-28.txt hosted with ❤ by GitHub And look! There's the 0xff that we wrote to this memory region as well. We're going to follow the same steps that we did with the previous allocation, but first let's take a quick look at our process' VAD tree with the !vad command. kd> !vad VAD Level Start End Commit ffffa50dcf7a1660 4 7ffe0 7ffe0 1 Private READONLY ffffa50dcf78c450 3 7ffe1 7ffef -1 Private READONLY ffffa50dcf8a3240 4 6f29440 6f2953f 7 Private READWRITE ffffa50dcf78b280 2 6f29600 6f297ff 3 Private READWRITE ffffa50dd1bd9180 3 1fe15080 1fe1508f 0 Mapped READWRITE Pagefile section, shared commit 0 ffffa50dcf74b890 4 1fe15090 1fe15096 1 Private READWRITE ffffa50dcfb58620 1 1fe150a0 1fe150b7 0 Mapped READONLY Pagefile section, shared commit 0 ffffa50dcf7595f0 3 1fe150c0 1fe150c3 0 Mapped READONLY Pagefile section, shared commit 0 ffffa50dcf669330 2 1fe150d0 1fe150d0 0 Mapped READONLY Pagefile section, shared commit 0 ffffa50dd027cdc0 0 1fe150e0 1fe150e0 1 Private READWRITE ffffa50dd16580b0 4 1fe150f0 1fe151b4 0 Mapped READONLY \Windows\System32\locale.nls ffffa50dd15f0470 3 1fe151c0 1fe151c0 1 Private READWRITE ffffa50dd2313a20 4 1fe151d0 1fe151d0 0 Mapped READWRITE Pagefile section, shared commit 0 ffffa50dcfd121a0 2 1fe15280 1fe1537f 21 Private READWRITE ffffa50dcf791350 3 7ff7f5c60 7ff7f5d5f 0 Mapped READONLY Pagefile section, shared commit 0 ffffa50dcf74fd50 1 7ff7f5d60 7ff7f5d82 0 Mapped READONLY Pagefile section, shared commit 0 ffffa50dcf721450 4 7ff7f62e0 7ff7f643d 95 Mapped Exe EXECUTE_WRITECOPY \Users\Michael\Desktop\memdemo.exe ffffa50dcf7a5780 3 7ffc3d340 7ffc3d3bd 5 Mapped Exe EXECUTE_WRITECOPY \Windows\System32\apphelp.dll ffffa50dcf7515c0 4 7ffc3f6d0 7ffc3f918 9 Mapped Exe EXECUTE_WRITECOPY \Windows\System32\KernelBase.dll ffffa50dd1708390 2 7ffc40120 7ffc401cd 6 Mapped Exe EXECUTE_WRITECOPY \Windows\System32\kernel32.dll ffffa50dcf74fdf0 3 7ffc42750 7ffc4292a 12 Mapped Exe EXECUTE_WRITECOPY \Windows\System32\ntdll.dll Total VADs: 21, average level: 3, maximum depth: 4 Total private commit: 0xa2 pages (648 KB) Total shared commit: 0 pages (0 KB) view raw tf-article2-windbg-29.txt hosted with ❤ by GitHub You can see the first allocation we did, starting at virtual page number 0x1fe151c0. It's a Private region that has the PAGE_READWRITE permissions applied to it. You can also see the shared section allocated at VPN 0x1fe151d0. It has the same permissions as the non-shared region; however, you can see that it's Mapped rather than Private. Let's take a look at the PTE information that's backing our shared memory. kd> !pte 0x000001fe`151d0000 VA 000001fe151d0000 PXE at FFFFED76BB5DA018 PPE at FFFFED76BB403FC0 PDE at FFFFED76807F8540 PTE at FFFFED00FF0A8E80 contains 0A0000001A907867 contains 0A0000001B008867 contains 0A00000016609867 contains C1000000A76CC867 pfn 1a907 ---DA--UWEV pfn 1b008 ---DA--UWEV pfn 16609 ---DA--UWEV pfn a76cc ---DA--UW-V view raw tf-article2-windbg-30.txt hosted with ❤ by GitHub This region, too, is Valid and Writeable, just like we'd expect. Now let's take a look at the !pfn. kd> !pfn a76cc PFN 000A76CC at address FFFFE70001F64640 flink 00000002 blink / share count 00000001 pteaddress FFFFD3853DA57B60 reference count 0001 used entry count 0000 Cached color 0 Priority 5 restore pte 00000080 containing page 002DCB Active MP Modified Shared view raw tf-article2-windbg-31.txt hosted with ❤ by GitHub We see that the Share Count now actually shows us how many times the page has been shared, and the page also has the Shared property. In addition, we see that the PTE address referenced by the PFN entry is not the same as the PTE that we got from the !pte command. That's because the PFN database entry is referencing a prototype PTE, while the PTE within our process is acting as a hardware PTE because the memory is still valid and mapped in. Let's take a look at the PTE structure that's in our process' paging structures, that was originally found with the !pte command. kd> dt nt!_MMPTE FFFFED00FF0A8E80 -b +0x000 u : <unnamed-tag> +0x000 Long : 0xc1000000`a76cc867 +0x000 VolatileLong : 0xc1000000`a76cc867 +0x000 Hard : _MMPTE_HARDWARE +0x000 Valid : 0y1 +0x000 Dirty1 : 0y1 +0x000 Owner : 0y1 +0x000 WriteThrough : 0y0 +0x000 CacheDisable : 0y0 +0x000 Accessed : 0y1 +0x000 Dirty : 0y1 +0x000 LargePage : 0y0 +0x000 Global : 0y0 +0x000 CopyOnWrite : 0y0 +0x000 Unused : 0y0 +0x000 Write : 0y1 +0x000 PageFrameNumber : 0y000000000000000010100111011011001100 (0xa76cc) +0x000 ReservedForHardware : 0y0000 +0x000 ReservedForSoftware : 0y0000 +0x000 WsleAge : 0y0001 +0x000 WsleProtection : 0y100 +0x000 NoExecute : 0y1 ... view raw tf-article2-windbg-32.txt hosted with ❤ by GitHub We can see that it's Valid, so it will be used by the hardware for address translation. Let's see what we find when we take a look at the prototype PTE being referenced by the PFN entry. kd> dt nt!_MMPTE FFFFD3853DA57B60 -b +0x000 u : <unnamed-tag> +0x000 Long : 0x8a000000`a76cc921 +0x000 VolatileLong : 0x8a000000`a76cc921 +0x000 Hard : _MMPTE_HARDWARE +0x000 Valid : 0y1 +0x000 Dirty1 : 0y0 +0x000 Owner : 0y0 +0x000 WriteThrough : 0y0 +0x000 CacheDisable : 0y0 +0x000 Accessed : 0y1 +0x000 Dirty : 0y0 +0x000 LargePage : 0y0 +0x000 Global : 0y1 +0x000 CopyOnWrite : 0y0 +0x000 Unused : 0y0 +0x000 Write : 0y1 +0x000 PageFrameNumber : 0y000000000000000010100111011011001100 (0xa76cc) +0x000 ReservedForHardware : 0y0000 +0x000 ReservedForSoftware : 0y0000 +0x000 WsleAge : 0y1010 +0x000 WsleProtection : 0y000 +0x000 NoExecute : 0y1 ... view raw tf-article2-windbg-33.txt hosted with ❤ by GitHub This PTE is also valid, because it's representing the true state of the physical page. Something interesting to note, though, is that you can see that the Dirty bit is not set. Because this bit is only set by the hardware in the context of whatever process is doing the writing, you can theoretically use this bit to actually detect which process on a system wrote to a shared memory region. Now let's run the app more and let it page out the shared memory using the same technique we used with the private memory. Here's what the code looks like: // Unlock the virtual memory (just in case). VirtualUnlock(Shared, 4096); // Flush the process' working set. SetProcessWorkingSetSize(GetCurrentProcess(), (SIZE_T)-1, (SIZE_T)-1); view raw tf-article2-code4.txt hosted with ❤ by GitHub Let's take a look at the memory with db now. kd> db 0x000001fe`151d0000 000001fe`151d0000 ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? ???????????????? 000001fe`151d0010 ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? ???????????????? 000001fe`151d0020 ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? ???????????????? 000001fe`151d0030 ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? ???????????????? 000001fe`151d0040 ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? ???????????????? 000001fe`151d0050 ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? ???????????????? 000001fe`151d0060 ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? ???????????????? 000001fe`151d0070 ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? ???????????????? view raw tf-article2-windbg-34.txt hosted with ❤ by GitHub We see now that it's no longer visible in our process. If we do !pte on it, let's see what we get. kd> !pte 0x000001fe`151d0000 VA 000001fe151d0000 PXE at FFFFED76BB5DA018 PPE at FFFFED76BB403FC0 PDE at FFFFED76807F8540 PTE at FFFFED00FF0A8E80 contains 0A0000001A907867 contains 0A0000001B008867 contains 0A00000016609867 contains FFFFFFFF00000480 pfn 17f59 ---DA--UWEV pfn 7b5a ---DA--UWEV pfn 9a476 ---DA--UWEV not valid Proto: VAD Protect: 4 - ReadWrite view raw tf-article2-windbg-35.txt hosted with ❤ by GitHub The PTE that's backing our page is no longer valid. We still get an indication of what the page permissions were, but the PTE now tells us to refer to the process' VAD tree in order to get access to the prototype PTE that contains the real state. If you recall from when we used the !vad command earlier in our example, the address of the VAD node for our shared memory is 0xffffa50d`d2313a20. Let's take a look at that memory location as an nt!_MMVAD structure. kd> dt nt!_MMVAD ffffa50dd2313a20 +0x000 Core : _MMVAD_SHORT +0x040 u2 : <unnamed-tag> +0x048 Subsection : 0xffffa50d`d1db63e0 _SUBSECTION +0x050 FirstPrototypePte : 0xffffd385`3da57b60 _MMPTE +0x058 LastContiguousPte : 0xffffd385`3da57b60 _MMPTE +0x060 ViewLinks : _LIST_ENTRY [ 0xffffa50d`d1db6368 - 0xffffa50d`d1db6368 ] +0x070 VadsProcess : 0xffffa50d`d1070380 _EPROCESS +0x078 u4 : <unnamed-tag> +0x080 FileObject : (null) view raw tf-article2-windbg-36.txt hosted with ❤ by GitHub The FirstPrototypePte member contains a pointer to a location in virtual memory that stores contiguous prototype PTEs for the region of memory represented by this VAD node. Since we only allocated (and subsequently paged out) one page, there's only one prototype PTE in this list. The LastContiguousPte member shows that our prototype PTE is both the first and last element in the list. Let's take a look at this prototype PTE as an nt!_MMPTE structure. kd> dt nt!_MMPTE 0xffffd385`3da57b60 -b +0x000 u : <unnamed-tag> +0x000 Long : 0xa7fad880 +0x000 VolatileLong : 0xa7fad880 +0x000 Hard : _MMPTE_HARDWARE +0x000 Valid : 0y0 +0x000 Dirty1 : 0y0 +0x000 Owner : 0y0 +0x000 WriteThrough : 0y0 +0x000 CacheDisable : 0y0 +0x000 Accessed : 0y0 +0x000 Dirty : 0y0 +0x000 LargePage : 0y1 +0x000 Global : 0y0 +0x000 CopyOnWrite : 0y0 +0x000 Unused : 0y0 +0x000 Write : 0y1 +0x000 PageFrameNumber : 0y000000000000000010100111111110101101 (0xa7fad) +0x000 ReservedForHardware : 0y0000 +0x000 ReservedForSoftware : 0y0000 +0x000 WsleAge : 0y0000 +0x000 WsleProtection : 0y000 +0x000 NoExecute : 0y0 … view raw tf-article2-windbg-37.txt hosted with ❤ by GitHub We can see that the prototype indicates that the memory is no longer valid. So what can we do to force this page back into memory? We access it, of course. Let's let the app run one more step so that it can try to access this memory again. // Use the memory one more time. reinterpret_cast<PBYTE>(Shared)[0] = 0xFF; view raw tf-article2-code5.txt hosted with ❤ by GitHub Remember to switch back into the context of the process after the application has executed the next step, and then take a look at the PTE from the PFN entry again. kd> dt nt!_MMPTE 0xffffd385`3da57b60 -b +0x000 u : <unnamed-tag> +0x000 Long : 0x8a000000`a7fad963 +0x000 VolatileLong : 0x8a000000`a7fad963 +0x000 Hard : _MMPTE_HARDWARE +0x000 Valid : 0y1 +0x000 Dirty1 : 0y1 +0x000 Owner : 0y0 +0x000 WriteThrough : 0y0 +0x000 CacheDisable : 0y0 +0x000 Accessed : 0y1 +0x000 Dirty : 0y1 +0x000 LargePage : 0y0 +0x000 Global : 0y1 +0x000 CopyOnWrite : 0y0 +0x000 Unused : 0y0 +0x000 Write : 0y1 +0x000 PageFrameNumber : 0y000000000000000010100111111110101101 (0xa7fad) +0x000 ReservedForHardware : 0y0000 +0x000 ReservedForSoftware : 0y0000 +0x000 WsleAge : 0y1010 +0x000 WsleProtection : 0y000 +0x000 NoExecute : 0y1 view raw tf-article2-windbg-38.txt hosted with ❤ by GitHub Looks like it's back, just like we expected! Exhausted yet? Compared to the 64-bit paging scheme we talked about in our last article, Windows memory management is significantly more complex and involves a lot of moving parts. But at it's core, it's not too daunting. Hopefully, now with a much stronger grasp of how things work under the hood, we can put our memory management knowledge to use in something practical in a future article. If you're interested in getting your hands on the code used in this article, you can check it out on GitHub and experiment on your own with it. Further reading and attributions Consider picking up a copy of "Windows Internals, 7th Edition" or "What Makes It Page?" to get an even deeper dive on the Windows virtual memory manager. Thank you to Alex Ionescu for additional tips and clarification. Thanks to irqlnotdispatchlevel for pointing out an address miscalculation. Sursa: http://www.triplefault.io/2017/08/exploring-windows-virtual-memory.html

Will this presentation make me an optical engineer? Maybe, but just remember, I omitted almost all the math. The purpose of this tutorial is to touch on a little bit of every topic, from the mundane to the advanced and unusual. But it helps to have a basic understanding of how and why things work, even if you aren’t designing fiber networks. https://www.nanog.org/sites/default/files/2_Steenbergen_Tutorial_New_And_v2.pdf

la mama in podul casei, prin hambar ....

@gigiRoman Nice collection! can you please upload pentester-academy-android-security-and-exploitation-for-pentesters.zip on mediafire or somewhere it supports resumable download!! BR

Din câte știu, dacă este PIERDUT, poți face o sesizare după 2 săptămâni, dacă e furat, poți face oricând, de preferat cât mai repede. Acum ceva timp, mi-a fost furat și mie un telefon, și a fost găsit după imei. Mai recent, acum 1 an / 2,cuiva i-a fost FURAT telefonul, am fost cu pers respectiva sa facă cerere, și degeaba. Ei au spus ca acum este ILEGAL sa caute telefonul după imei. Depinde foarte mult de ce polițisti, dacă eu chef de treaba sau nu. Sper sa ți-l recuperezi.

gresit, in discutie e un handler ( https://www.merriam-webster.com/dictionary/handler ), 1-2 patsy ( http://www.urbandictionary.com/define.php?term=patsy ) , o vulnerabilitate SQL cunoscuta si lasata in "groapa uitarii", SQL injection ... si aici e necesar un background sonor care sa puncteze momentul in registrul dramatic,

Penibil...

Unul dintre putinii oameni ok de pe forum, respectul meu! Pacat ca nu ai tangenta cu pasiunea noastra si cu forumul. Sunt dispus sa te ajut, dar iti trebuie acces direct la telefon pentru cel putin jumatate de ora sa putem instala ce trebuie si sa facem un test, doua. N-am nevoie de bani sau alte foloase materiale. Te salut!

Parca aveai nevoie sa repeti pe telefon, daca ai nevoie pe pc, da-mi pm si te ajut eu contra cost.

thanks for share <3

>Când te angajezi la Telekom 😢