| View previous topic :: View next topic |
| Author |
Message |
lcineyes
Newbie cheater
![]() Reputation: 0
Joined: 19 May 2025
Posts: 10
|
 Posted: Thu Jul 31, 2025 1:14 am Post subject: Why does VMCALL_KERNELMODE need to set IF to 0? |
 |
|
| Should IF be set to 1 immediately after entering ring 0 via VMCALL_KERNELMODE?
|
|
| Back to top |
|
 |
Dark Byte
Site Admin
 Reputation: 470
Joined: 09 May 2003
Posts: 25763
Location: The netherlands
|
| Posted: Thu Jul 31, 2025 7:09 am Post subject: |
|
|
Feel free to set IF to 1 afterwards. You're in ring0, so go ahead
This is just to protect you from unexpected interrupts that detect kernelmode running in usermode execution regions
_________________
Do not ask me about online cheats. I don't know any and wont help finding them.
Like my help? Join me on Patreon so i can keep helping |
|
| Back to top |
|
|
lcineyes
Newbie cheater
![]() Reputation: 0
Joined: 19 May 2025
Posts: 10
|
| Posted: Sat Aug 02, 2025 8:47 am Post subject: |
|
|
| Dark Byte wrote: | Feel free to set IF to 1 afterwards. You're in ring0, so go ahead
This is just to protect you from unexpected interrupts that detect kernelmode running in usermode execution regions |
Why does my code crash on page faults even though the IRQL is PASSIVE_LEVEL after entering kernel mode? Normally, kernel modules (like your driver) can safely access a full user-mode PE image without locking memory, but mine fails.
|
|
| Back to top |
|
|
lcineyes
Newbie cheater
![]() Reputation: 0
Joined: 19 May 2025
Posts: 10
|
| Posted: Sun Aug 03, 2025 5:29 am Post subject: |
|
|
| Issue: After entering kernel mode via VMCALL_KERNELMODE, enabling interrupts (STI) leads to memory corruption (e.g., recently accessed files overwritten with zeros). Despite IRQL being 0 (PASSIVE_LEVEL), page faults are unhandled.
|
|
| Back to top |
|
|
Dark Byte
Site Admin
Reputation: 470
Joined: 09 May 2003
Posts: 25763
Location: The netherlands
|
| Posted: Sun Aug 03, 2025 10:58 am Post subject: |
|
|
| Quote: |
Why does my code crash on page faults even though the IRQL is PASSIVE_LEVEL after entering kernel mode? Normally, kernel modules (like your driver) can safely access a full user-mode PE image without locking memory, but mine fails.
|
Windows recognizes the cause of the issue to be my driver, checks it's security stuff and then allows it.
When done outside of a known loaded driver, it'll bug out. (same reason why Try/except don't work in manually loaded drivers)
also, CE's driver has a routine to read only paged in memory by looking at the pagetable, and a secondary fallback by disabling the pagefault interrupt handler while it's reading the memory, with interrupts disabled)
Look into VMCALL_DISABLE_DATAPAGEFAULTS and VMCALL_ENABLE_DATAPAGEFAULTS
| Quote: |
After entering kernel mode via VMCALL_KERNELMODE, enabling interrupts (STI) leads to memory corruption (e.g., recently accessed files overwritten with zeros). Despite IRQL being 0 (PASSIVE_LEVEL), page faults are unhandled.
|
Do you also call VMCALL_USERMODE to return?
_________________
Do not ask me about online cheats. I don't know any and wont help finding them.
Like my help? Join me on Patreon so i can keep helping |
|
| Back to top |
|
|
lcineyes
Newbie cheater
![]() Reputation: 0
Joined: 19 May 2025
Posts: 10
|
| Posted: Sun Aug 03, 2025 7:35 pm Post subject: |
|
|
1.Currently, my approach to handling Ring-3 memory access exceptions is to return to user mode via VMCALL_USERMODE, access the target memory in user space, and then re-enter kernel mode.
2.The above method cannot handle code running in kernel space.
3.I've tried using VMCALL_DISABLE_DATAPAGEFAULTS and VMCALL_ENABLE_DATAPAGEFAULTS, but they fail to prevent page faults from occurring, still resulting in BSODs.
4.When I use VMCALL_KERNELMODE to operate in kernel address space and execute KeStackAttach before returning, after several runs it causes BSODs due to page faults. Additionally, I've observed that content from some recently accessed files gets completely overwritten with zeros while the file sizes remain unchanged.
5.When a page fault triggers a blue screen, Windbg can successfully query the target memory, which leads me to suspect CR3 corruption. I'll conduct two tests and report back here:
5.1 Test without KeStackAttach:
Verify whether CR3 corruption still occurs when avoiding process attachment.
5.2 Continuous Process Memory Access Test:
Check if accessing memory within the same process triggers page faults
Validate whether such faults can be handled
(Given that Ring-3 faults couldn't be handled previously, this will likely fail too)
The testing environment is VMware 17 with an i7 CPU running Windows 10.
|
|
| Back to top |
|
|
lcineyes
Newbie cheater
![]() Reputation: 0
Joined: 19 May 2025
Posts: 10
|
| Posted: Mon Aug 04, 2025 7:20 pm Post subject: |
|
|
Root Cause Identified:
The Windows thread scheduler doesn't preserve CR4 during context switches. Many kernel APIs trigger thread scheduling, and enabling interrupts (STI) makes the thread susceptible to preemption. When the thread resumes execution:
1.It may land on a different CPU core
2.The new core's CR4 has SMEP/SMAP enabled (not disabled like the original context)
3.This causes page faults at DISPATCH_LEVEL
4.Paradoxically, the target data pages remain resident in memory
Thank you for taking the time to answer my questions.
|
|
| Back to top |
|
|
Dark Byte
Site Admin
Reputation: 470
Joined: 09 May 2003
Posts: 25763
Location: The netherlands
|
| Posted: Tue Aug 05, 2025 1:55 am Post subject: |
|
|
Maybe you can edit the pagetable entrys your code runs in and mark it as a supervisor page before you enable interrupts
_________________
Do not ask me about online cheats. I don't know any and wont help finding them.
Like my help? Join me on Patreon so i can keep helping |
|
| Back to top |
|
|
|
FAQ
Search
Memberlist
Usergroups
Register
Profile
Log in to check your private messages
Log in
