Flag: Tornado! Hurricane!

 Forums >>  Brainstorms - General  >>  Windows Guard Pages

Topic created on: January 6, 2006 14:12 CST by pedram .

I can't see to find an "official" answer to this issue ... maybe someone our here knows the answer.

When setting VirtualProtectEx(PAGE_GUARD) on an address range that spans across two pages, I assumed that a page hit would result in only that page having the PAGE_GUARD removed. However, that doesn't appear to be the case. Testing shows that all the pages affected by the original VirtualProtect are cleard of the guard as soon as any of them are hit.

Or am I missing something?

  Piotr     January 7, 2006 03:35.00 CST
PAGE_GUARD protection - Pages in the region become guard pages. Any attempt to access a guard page causes the operating system to raise a STATUS_GUARD_PAGE exception and turn off the guard page status. Guard pages thus act as a one-shot access alarm.

  injstar     January 7, 2006 09:59.32 CST
i guess the VirtualProtectEx documentation didnt gave u the "offical" answer so maybe this one http://msdn.microsoft.com/library/default.asp?url=/library/en-us/memory/base/creating_guard_pages.asp

"If a program attempts to access an address within a guard page, the system raises a STATUS_GUARD_PAGE_VIOLATION (0x80000001) exception. The system also clears the PAGE_GUARD modifier, removing the memory [page's] guard page status. The system will not stop the next attempt to access the memory page with a STATUS_GUARD_PAGE_VIOLATION exception. "

  pedram     January 7, 2006 13:15.04 CST
I probably wasn't clear in my original question. The fact that PAGE_GUARD serves as a one-time acces alarm was not the question. Rather, consider the following:

   0123456789a           0123456789abcdefg
  [-- buf a --]         [----- buf b -----]
[--- page 1 ---][--- page 2 ---][--- page 3 ---]

Above, buf-a sits withins the boundaries of a single page (page-1) and buf-b spans across two pages (page-2 and page-3). When guarding the entire address range of buf-b, both page-2 and page-3 will have PAGE_GUARD set. Now, if an access is made to buf-b[2], which sits on page-2 does the OS drop the PAGE_GUARD protection for only page-2 or for both page-2 and page-3.

My original assumption was that only page-2's guard protection would be dropped on that access, but testing shows that both are dropped (or however many pages were affected by the call to VirtualProtect()).

Hope that clears it up.

  Darawk     January 11, 2006 01:25.17 CST
Hmm...that is interesting.  It may be related to the fact that the structure returned by VirtualQuery(MEMORY_BASIC_INFORMATION) contains information about the region of page being queried.

Maybe they reset the guard flag on the memory "region" based on a call to VirtualQuery(or w/e other equivalent lower level API they probably use down there)?

  sebastianapelt     October 10, 2006 03:01.00 CDT
it removes the page_guard status for only 1 page.
i cropped up a small code which does the following:
allocate 2 pages (8192 bytes) at 0x50000000 without page_guard.
then set page_guard from 0x50000000 + 4000 until 0x50000000 + 4200 (crossing page 1 and 2)
then do a virtuallock at 0x50000000 + 4050 of 2 bytes 2 times. first time it fails (page_guard), 2nd time it works (page_guard removed after 1st time).
then to check the beginning of the second page: virtuallock again of 2 bytes at 0x50000000 + 4150 2 times. fails 1 time and works the 2nd time.
so as it seems it only removes the page_guard of 1 page. not both in one go. if someone needs the code just tell me.

  AlexIonescu     October 11, 2006 10:25.49 CDT
MmAccessFault which handles the violation will remove the flag only for the PTE with the guard_page bit set. If the guard page was on the user stack however, it will attempt allocating another guard page and enlarging the stack (if this fails, then it's a double access fault and a guard page error is returned without a bigger stack).

Since a PTE only handles 4KB of memory (typically), then guard-pages are per-page.

Note: Registration is required to post to the forums.

There are 31,310 total registered users.


Recently Created Topics
[help] Unpacking VMP...
Mar/12
Reverse Engineering ...
Jul/06
hi!
Jul/01
let 'IDAPython' impo...
Sep/24
set 'IDAPython' as t...
Sep/24
GuessType return une...
Sep/20
About retrieving the...
Sep/07
How to find specific...
Aug/15
How to get data depe...
Jul/07
Identify RVA data in...
May/06


Recent Forum Posts
Finding the procedur...
rolEYder
Question about debbu...
rolEYder
Identify RVA data in...
sohlow
let 'IDAPython' impo...
sohlow
How to find specific...
hackgreti
Problem with ollydbg
sh3dow
How can I write olly...
sh3dow
New LoadMAP plugin v...
mefisto...
Intel pin in loaded ...
djnemo
OOP_RE tool available?
Bl4ckm4n


Recent Blog Entries
halsten
Mar/14
Breaking IonCUBE VM

oleavr
Oct/24
Anatomy of a code tracer

hasherezade
Sep/24
IAT Patcher - new tool for ...

oleavr
Aug/27
CryptoShark: code tracer ba...

oleavr
Jun/25
Build a debugger in 5 minutes

More ...


Recent Blog Comments
nieo on:
Mar/22
IAT Patcher - new tool for ...

djnemo on:
Nov/17
Kernel debugger vs user mod...

acel on:
Nov/14
Kernel debugger vs user mod...

pedram on:
Dec/21
frida.github.io: scriptable...

capadleman on:
Jun/19
Using NtCreateThreadEx for ...

More ...


Imagery
SoySauce Blueprint
Jun 6, 2008

[+] expand

View Gallery (11) / Submit