关于ZwMapViewOfSection在驱动中映射物理页的问题

ACZR · 发表于 2024-5-10 00:37:58

我想在驱动里写一个线性地址转物理地址的例子，但是为了不同系统的兼容性，没有使用MmMapIoSpace(Ex)这种函数
最终还是打算用ZwMapViewOfSection来实现，但是遇到了一个很奇怪的问题

根据进程id取得CR3，再算出线性地址的 pml4 pdpte pde pte 的索引，然后开始映射

奇怪的地方来了，pml4和pdpte映射后的，和我手动解析后一样，但是从PDE这开始就不对了

Windbg调试后，发现 phy.QuadPart = (*pde & 0x000FFFFFFFFFF000) + pteIndex; 这个phy的物理地址和手动算的一样，但是映射的结果仍然为空，就很奇怪

麻烦各位大佬帮我看看是哪里的问题

代码：https://wwm.lanzoum.com/imPlZ1y8pz1a

ACZR · 发表于 2024-6-18 23:28:44

已自行解决，问题出在映射时索引和偏移上，而且少映射了一次，隔了一个多月再看自己代码，感觉自己写的就是一坨

ACZR · 发表于 2024-5-10 00:43:05

测试的环境是win7 x64

oncall12 · 发表于 2024-5-10 01:21:08

[C++] 纯文本查看 复制代码

#include <ntifs.h>

HANDLE GetPhysicalHandle()
{
    static HANDLE hMemory = NULL;

    if (hMemory) return hMemory;

    UNICODE_STRING PhysicalMemoryString = { 0 };

    WCHAR PhysicalMemoryName[] = L"\\Device\\PhysicalMemory";
    RtlInitUnicodeString(&PhysicalMemoryString, PhysicalMemoryName);

    OBJECT_ATTRIBUTES obj;

    InitializeObjectAttributes(&obj, &PhysicalMemoryString, OBJ_CASE_INSENSITIVE, NULL, NULL);

    NTSTATUS status = ZwOpenSection(&hMemory, SECTION_MAP_READ | SECTION_MAP_WRITE, &obj);

    if (!NT_SUCCESS(status))
    {
        return NULL;
    }

    return hMemory;
}

ULONG64 Va2Pa(ULONG64 VirtAddr, int processId)
{
    ULONG64 virtaddr = VirtAddr;
    PEPROCESS Process = NULL;
    PsLookupProcessByProcessId((HANDLE)processId, &Process);
    ULONG64 CR3 = *(PULONG64)((PUCHAR)Process + 0x28);
    CR3 &= ~0xFFF;

    ULONG64 pml4Index = ((virtaddr >> 39) & 0x1FF) * 8;
    ULONG64 pdpteIndex = ((virtaddr >> 30) & 0x1FF) * 8;
    ULONG64 pdeIndex = ((virtaddr >> 21) & 0x1FF) * 8;
    ULONG64 pteIndex = ((virtaddr >> 12) & 0x1FF) * 8;

    PHYSICAL_ADDRESS phy = { 0 };
    phy.QuadPart = CR3 + pml4Index;

    HANDLE pHandle = GetPhysicalHandle();

    if (!pHandle) return STATUS_UNSUCCESSFUL;

    NTSTATUS status;
    PULONG64 pml4 = NULL;
    SIZE_T map_size = 8;
    ULONG64 retaddress = 0;

    status = ZwMapViewOfSection(pHandle, NtCurrentProcess(), (PVOID*)&pml4, 0, 8, &phy, &map_size, ViewUnmap, MEM_TOP_DOWN, PAGE_READWRITE);
    if (!NT_SUCCESS(status) || !pml4)
    {
        return 0;
    }

    PULONG64 pdpte = NULL;
    phy.QuadPart = (*pml4 & 0x000FFFFFFFFFF000) + pdpteIndex;
    status = ZwMapViewOfSection(pHandle, NtCurrentProcess(), (PVOID*)&pdpte, 0, 8, &phy, &map_size, ViewUnmap, MEM_TOP_DOWN, PAGE_READWRITE);
    if (!NT_SUCCESS(status) || !pdpte)
    {
        ZwUnmapViewOfSection(NtCurrentProcess(), pml4);
        return 0;
    }

    PULONG64 pde = NULL;
    phy.QuadPart = (*pdpte & 0x000FFFFFFFFFF000) + pdeIndex;
    status = ZwMapViewOfSection(pHandle, NtCurrentProcess(), (PVOID*)&pde, 0, 8, &phy, &map_size, ViewUnmap, MEM_TOP_DOWN, PAGE_READWRITE);
    if (!NT_SUCCESS(status) || !pde)
    {
        ZwUnmapViewOfSection(NtCurrentProcess(), pdpte);
        ZwUnmapViewOfSection(NtCurrentProcess(), pml4);
        return 0;
    }

    PULONG64 pte = NULL;
    phy.QuadPart = (*pde & 0x000FFFFFFFFFF000) + pteIndex;
    status = ZwMapViewOfSection(pHandle, NtCurrentProcess(), (PVOID*)&pte, 0, 8, &phy, &map_size, ViewUnmap, MEM_TOP_DOWN, PAGE_READWRITE);
    if (!NT_SUCCESS(status) || !pte)
    {
        ZwUnmapViewOfSection(NtCurrentProcess(), pde);
        ZwUnmapViewOfSection(NtCurrentProcess(), pdpte);
        ZwUnmapViewOfSection(NtCurrentProcess(), pml4);
        return 0;
    }

    if (*pte & 0x1)
    {
        retaddress = (*pte & 0xFFFFFFFFFFFFF000) + (virtaddr & 0xFFF);
    }
    else
    {
        retaddress = (*pte & 0xFFFFFFFFFFFFF000) + (virtaddr & 0xFFF);
    }

    ZwUnmapViewOfSection(NtCurrentProcess(), pte);
    ZwUnmapViewOfSection(NtCurrentProcess(), pde);
    ZwUnmapViewOfSection(NtCurrentProcess(), pdpte);
    ZwUnmapViewOfSection(NtCurrentProcess(), pml4);

    return retaddress;
}

VOID DriverUnload(PDRIVER_OBJECT pDriver)
{

}

NTSTATUS DriverEntry(PDRIVER_OBJECT pDriver, PUNICODE_STRING pReg)
{
    ULONG64 ret = Va2Pa(0x00401F6A, 1996);
    
    DbgPrintEx(77, 0, "[=]:函数返回 ： %llx\r\n", ret);

    pDriver->DriverUnload = DriverUnload;
    return STATUS_SUCCESS;
}

ACZR · 发表于 2024-5-10 01:54:37

oncall12 发表于 2024-5-10 01:21
[mw_shl_code=cpp,true]#include

HANDLE GetPhysicalHandle()

大佬，你这份代码和还是我那个一样，到PDE就错了

IIIllIIl · 发表于 2024-5-10 02:32:33

问错地方了，应该去看雪问

ANormalUser · 发表于 2024-5-10 09:03:12

用__invlpg刷掉TLB试试吧（注意用__invlpg要关中断或提IRQL）

雨过天晴 · 发表于 2024-5-10 09:27:06

你确定这个东西在这里能找到答案？
这个页表结构有点花眼睛，当时我下载了一份写的很乱的代码优化了一个星期才搞清楚。

PTE_HOOK::PageTable PTE_HOOK:: GetPageTableStruct(ULONG64 Address)//表项
{
PTE_HOOK::PageTable res = { 0 };
ULONG64 vcr3 = reinterpret_cast <ULONG64>(PTE_HOOK::GetVirtualAddressByPhysical(__readcr3() & (~(PAGE_SIZE - 1))));
if (!MmIsAddressValid(reinterpret_cast<PVOID>(vcr3))) return res;

ULONG64 address = Address & (~0xfff);

ULONG pml4eIndex = (address & (((ULONG64)1 << 48) - 1)) >> 39;
ULONG ppeIndex = (address & (((ULONG64)1 << 39) - 1)) >> 30;
ULONG pdeIndex = (address & (((ULONG64)1 << 30) - 1)) >> 21;
ULONG pteIndex = (address & (((ULONG64)1 << 21) - 1)) >> 12;

res.PML4E = reinterpret_cast <PHardwarePml4e>(vcr3 + pml4eIndex * 8);

if (!MmIsAddressValid(res.PML4E))    return res;

ULONG64 p = reinterpret_cast <ULONG64>(PTE_HOOK::GetVirtualAddressByPhysical(res.PML4E->PageFrameNumber << PAGE_SHIFT));

if (!p)
{
return res;
}

res.PPE = reinterpret_cast <PHardwarePdpte>(p + ppeIndex * 8);

if (!MmIsAddressValid(res.PPE))    return res;
p = reinterpret_cast <ULONG64>(PTE_HOOK::GetVirtualAddressByPhysical(res.PPE->PageFrameNumber << PAGE_SHIFT));

if (!p)
{
return res;
}

res.PDE = reinterpret_cast <PHardwarePde>(p + pdeIndex * 8);

if (!MmIsAddressValid(res.PDE))    return res;
p = reinterpret_cast <ULONG64>(PTE_HOOK::GetVirtualAddressByPhysical(res.PDE->PageFrameNumber << PAGE_SHIFT));

if (p)
{
res.PTE = reinterpret_cast <PHardwarePte>(p + pteIndex * 8);
}

return res;

}
计算出 pte后将你需要映射地址的pte中的PageFrameNumber 修改为线性地址的PageFrameNumber 即便完成映射，并且要注意有些时候pte和pde存在大页的情况，映射完成后刷一下tlb

ACZR · 发表于 2024-5-10 17:00:18

我的小拇指啊发表于 2024-5-10 02:32
问错地方了，应该去看雪问

问了，看雪那边没人理我

ACZR · 发表于 2024-5-10 17:00:37

ANormalUser 发表于 2024-5-10 09:03
用__invlpg刷掉TLB试试吧（注意用__invlpg要关中断或提IRQL）

试了，还是不行

		自动登录	找回密码
密码			注册

[求助] 关于ZwMapViewOfSection在驱动中映射物理页的问题