 #32063  by lotsch
 Thu Aug 30, 2018 3:13 am
With the Windows Update 1803, I noticed that when trying to call MmMapIoSpace on any of the Page Tables (PML4, PDPT, PD, PT) it is always going to fail with 0x3E6 (Invalid access to memory location.).
I also tested the exact same code on older versions and it works perfectly fine there. Apparently, the issue is related to the Meltdown Patches from Microsoft.
I wonder if anyone figured out how to disable/uninstall or fix this issue. I already tried disabling KVA Shadowing (Registry) and uninstalling the Patches via Control Panel.
I greatly appreciate any help :)
 #32065  by EP_X0FF
 Thu Aug 30, 2018 8:33 am
I noticed that too (it's from earlier insider builds of RS4). This change has broken exploits based on bugged 3rd party drivers allowing access to physical memory (like cpu-z CVE-2017-15303 for example). Apparently this is now by design.
 #32078  by lotsch
 Fri Aug 31, 2018 7:25 pm
Hm, yeah, I've seen that this function is very abusable on many drivers. Would there be any easy way to figure out how to patch it back to working on Page Tables?
I'm not very familiar with kernel debugging but I imagine you could try putting a breakpoint on MmMapIoSpace in your driver, call the function and step through the code and figure out where it bails out and returns 0x3E6?
 #32079  by EP_X0FF
 Sat Sep 01, 2018 6:30 am
No way. This behavior is now by _design_. You may try to experiment with something different like MmCopyMemory.