
MmMapIoSpace on Page Tables (1803/Redstone 4)

Posted: Thu Aug 30, 2018 3:13 am
by lotsch
With the Windows Update 1803, I noticed that when trying to call MmMapIoSpace on any of the Page Tables (PML4, PDPT, PD, PT) it is always going to fail with 0x3E6 (Invalid access to memory location.).
I also tested the exact same code on older versions and it works perfectly fine there. Apparently, the issue is related to the Meltdown Patches from Microsoft.
I wonder if anyone figured out how to disable/uninstall or fix this issue. I already tried disabling KVA Shadowing (Registry) and uninstalling the Patches via Control Panel.
I greatly appreciate any help :)

Re: MmMapIoSpace on Page Tables (1803/Redstone 4)

Posted: Thu Aug 30, 2018 8:33 am
by EP_X0FF
I noticed that too (it's from earlier insider builds of Rs4). This change has broken exploits based on bugged 3rd party drivers allowing access to physical memory (like cpu-z CVE-2017-15303 for example). Apparently this is now by design.

Re: MmMapIoSpace on Page Tables (1803/Redstone 4)

Posted: Fri Aug 31, 2018 7:25 pm
by lotsch
Hm, yeah, I've seen that this function is very abusable on many drivers. Would there be any easy way to figure out how to patch it back to working on Page Tables?
I'm not very familiar with kernel debugging but I imagine you could try putting a breakpoint on MmMapIoSpace in your driver, call the function and step through the code and figure out where it bails out and returns 0x3E6?

Re: MmMapIoSpace on Page Tables (1803/Redstone 4)

Posted: Sat Sep 01, 2018 6:30 am
by EP_X0FF
No way. This behavior is now by _design_. You may try to experiment with something different like MmCopyMemory.

Re: MmMapIoSpace on Page Tables (1803/Redstone 4)

Posted: Sun Sep 02, 2018 1:14 am
by lotsch
Yeah, OK, I will be using something different instead.

Re: MmMapIoSpace on Page Tables (1803/Redstone 4)

Posted: Sun Mar 31, 2019 9:57 am
by RIP0X1
MmGetVirtualForPhysical should work to get the virtual address of CR3/PML4/PDPTE/PDE/PTE entries.