MmMapIoSpace on Page Tables (1803/Redstone 4)

Discussion on reverse-engineering and debugging.
lotsch
Posts: 3
Joined: Thu Aug 30, 2018 2:56 am

Thu Aug 30, 2018 3:13 am

With the Windows Update 1803, I noticed that when trying to call MmMapIoSpace on any of the Page Tables (PML4, PDPT, PD, PT) it is always going to fail with 0x3E6 (Invalid access to memory location.).
I also tested the exact same code on older versions and it works perfectly fine there. Apparently, the issue is related to the Meltdown Patches from Microsoft.
I wonder if anyone figured out how to disable/uninstall or fix this issue. I already tried disabling KVA Shadowing (Registry) and uninstalling the Patches via Control Panel.
I greatly appreciate any help :)
EP_X0FF
Global Moderator
Posts: 4905
Joined: Sun Mar 07, 2010 5:35 am
Location: Russian Federation

Thu Aug 30, 2018 8:33 am

I noticed that too (it's from earlier insider builds of Rs4). This change has broken exploits based on bugged 3rd party drivers allowing access to physical memory (like cpu-z CVE-2017-15303 for example). Apparently this is now by design.
Ring0 - the source of inspiration
lotsch
Posts: 3
Joined: Thu Aug 30, 2018 2:56 am

Fri Aug 31, 2018 7:25 pm

Hm, yeah, I've seen that this function is very abusable on many drivers. Would there be any easy way to figure out how to patch it back to working on Page Tables?
I'm not very familiar with kernel debugging but I imagine you could try putting a breakpoint on MmMapIoSpace in your driver, call the function and step through the code and figure out where it bails out and returns 0x3E6?
EP_X0FF
Global Moderator
Posts: 4905
Joined: Sun Mar 07, 2010 5:35 am
Location: Russian Federation

Sat Sep 01, 2018 6:30 am

No way. This behavior is now by _design_. You may try to experiment with something different like MmCopyMemory.
Ring0 - the source of inspiration
lotsch
Posts: 3
Joined: Thu Aug 30, 2018 2:56 am

Sun Sep 02, 2018 1:14 am

Yeah, OK, I will be using something different instead.
RIP0X1
Posts: 1
Joined: Wed May 24, 2017 6:40 am

Sun Mar 31, 2019 9:57 am

MmGetVirtualForPhysical should work to get the virtual address of CR3/PML4/PDPTE/PDE/PTE entries.