Page Directory/Table

#15709 by _MAX_
Sat Sep 22, 2012 11:54 pm

Hello kernelmode,

As i have read in a paper :
"In windows each process has its own Page Directory and Page Tables" ,
How can i find Page Directory and All Page Tables for specific process/thread ?

Thank you for your helps

Username

_MAX_

Posts

16

Joined

Sat Sep 22, 2012 11:38 pm

Re: Page Directory/Table

#15712 by R00tKit
Sun Sep 23, 2012 6:02 am

Typically, the upper 20 bits of CR3 become the page directory base register (PDBR), which stores the physical address of the first page directory entry.
you can read :

Rootkit arsenal book
Intel developer manual
source code of shadow walker it manipulate PTE and TLB http://www.kernelmode.info/forum/downlo ... hp?id=1914

@R00tkitSMM

Username

R00tKit

Posts

129

Joined

Tue Nov 16, 2010 8:23 pm

Contact

Re: Page Directory/Table

#15714 by _MAX_
Sun Sep 23, 2012 9:19 am

What about

Code: Select all

    union {
        HARDWARE_PTE                PageDirectoryPte; // +0x148
        UINT64                      Filler; // +0x148
    };

in _EPROCESS Block ?
because i want to find procX.exe Page Directory and Page Table it most accessible some how depend on process name! i want to locate specific process/thread s Page Directory/Page Table

Username

_MAX_

Posts

16

Joined

Sat Sep 22, 2012 11:38 pm

Re: Page Directory/Table

#15716 by R00tKit
Sun Sep 23, 2012 11:32 am

find EPROCESS with name or PID so do this: (offset need fix)

Code: Select all

1: kd> !process
PROCESS ff981a58  SessionId: 0  Cid: 0d54    Peb: 7ffde000  ParentCid: 0550
    DirBase: 023406e0  ObjectTable: e1541510  HandleCount:  30.
 
1: kd>  dt nt!_EPROCESS ff981a58  Pcb.DirectoryTableBase
   +0x000 Pcb                    :
      +0x018 DirectoryTableBase     : [2] 0x23406e0

http://blogs.msdn.com/b/ntdebugging/arc ... sical.aspx

@R00tkitSMM

Username

R00tKit

Posts

129

Joined

Tue Nov 16, 2010 8:23 pm

Contact