Windows Guard Pages

Topic created on: January 6, 2006 14:12 CST by pedram .

I can't seem to find an "official" answer to this issue ... maybe someone out here knows the answer.

When setting VirtualProtectEx(PAGE_GUARD) on an address range that spans across two pages, I assumed that a page hit would result in only that page having the PAGE_GUARD removed. However, that doesn't appear to be the case. Testing shows that all the pages affected by the original VirtualProtect are cleared of the guard as soon as any of them are hit.

Or am I missing something?

  Piotr     January 7, 2006 03:35.00 CST
PAGE_GUARD protection - Pages in the region become guard pages. Any attempt to access a guard page causes the operating system to raise a STATUS_GUARD_PAGE exception and turn off the guard page status. Guard pages thus act as a one-shot access alarm.

  injstar     January 7, 2006 09:59.32 CST
I guess the VirtualProtectEx documentation didn't give you the "official" answer, so maybe this one: http://msdn.microsoft.com/library/default.asp?url=/library/en-us/memory/base/creating_guard_pages.asp

"If a program attempts to access an address within a guard page, the system raises a STATUS_GUARD_PAGE_VIOLATION (0x80000001) exception. The system also clears the PAGE_GUARD modifier, removing the memory [page's] guard page status. The system will not stop the next attempt to access the memory page with a STATUS_GUARD_PAGE_VIOLATION exception. "

  pedram     January 7, 2006 13:15.04 CST
I probably wasn't clear in my original question. The fact that PAGE_GUARD serves as a one-time access alarm was not the question. Rather, consider the following:

   0123456789a           0123456789abcdefg
  [-- buf a --]         [----- buf b -----]
[--- page 1 ---][--- page 2 ---][--- page 3 ---]

Above, buf-a sits within the boundaries of a single page (page-1) and buf-b spans across two pages (page-2 and page-3). When guarding the entire address range of buf-b, both page-2 and page-3 will have PAGE_GUARD set. Now, if an access is made to buf-b[2], which sits on page-2, does the OS drop the PAGE_GUARD protection for only page-2 or for both page-2 and page-3?

My original assumption was that only page-2's guard protection would be dropped on that access, but testing shows that both are dropped (or however many pages were affected by the call to VirtualProtect()).

Hope that clears it up.

  Darawk     January 11, 2006 01:25.17 CST
Hmm...that is interesting.  It may be related to the fact that the structure returned by VirtualQuery(MEMORY_BASIC_INFORMATION) contains information about the region of page being queried.

Maybe they reset the guard flag on the memory "region" based on a call to VirtualQuery (or whatever other equivalent lower-level API they probably use down there)?

  sebastianapelt     October 10, 2006 03:01.00 CDT
It removes the PAGE_GUARD status for only 1 page.
I cropped up a small code which does the following:
Allocate 2 pages (8192 bytes) at 0x50000000 without PAGE_GUARD.
Then set PAGE_GUARD from 0x50000000 + 4000 until 0x50000000 + 4200 (crossing page 1 and 2).
Then do a VirtualLock at 0x50000000 + 4050 of 2 bytes 2 times. First time it fails (PAGE_GUARD), 2nd time it works (PAGE_GUARD removed after 1st time).
Then to check the beginning of the second page: VirtualLock again of 2 bytes at 0x50000000 + 4150 2 times. Fails 1 time and works the 2nd time.
So as it seems it only removes the PAGE_GUARD of 1 page, not both in one go. If someone needs the code just tell me.

  AlexIonescu     October 11, 2006 10:25.49 CDT
MmAccessFault which handles the violation will remove the flag only for the PTE with the guard_page bit set. If the guard page was on the user stack however, it will attempt allocating another guard page and enlarging the stack (if this fails, then it's a double access fault and a guard page error is returned without a bigger stack).

Since a PTE only handles 4KB of memory (typically), then guard-pages are per-page.
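
A model of the experiment sebastianapelt describes, added here as an example and not code from any poster in the thread: it makes no Win32 calls, but keeps one guard bit per 4 KB page and replays the four touches under both hypotheses (guard cleared per page, as AlexIonescu describes, versus cleared for every page the protect call covered, as pedram observed). The names `guard_range`, `touch` and `replay` are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PG_SIZE 4096u   /* typical x86 page size, as in the thread */
#define NPAGES  2u      /* the experiment allocates 2 pages (8192 bytes) */
#define STATUS_SUCCESS              0x00000000u
#define STATUS_GUARD_PAGE_VIOLATION 0x80000001u /* value quoted in the thread */

/* Model only: one guard bit per page, standing in for the per-PTE bit. */
typedef struct { uint8_t guard[NPAGES]; } region_t;

/* Models VirtualProtect(PAGE_GUARD) over bytes [off, off+len): every page
   holding at least one byte of the range is marked. Returns pages marked. */
unsigned guard_range(region_t *r, uint32_t off, uint32_t len) {
    uint32_t size = NPAGES * PG_SIZE;
    if (len == 0 || off >= size || len > size - off) return 0;
    uint32_t first = off / PG_SIZE, last = (off + len - 1) / PG_SIZE;
    for (uint32_t p = first; p <= last; p++) r->guard[p] = 1;
    return last - first + 1;
}

/* Models one access. per_page=1: only the touched page loses its guard bit.
   per_page=0: the first fault clears every guarded page in the region. */
uint32_t touch(region_t *r, uint32_t off, int per_page) {
    uint32_t p = off / PG_SIZE;
    if (p >= NPAGES || !r->guard[p]) return STATUS_SUCCESS;
    if (per_page) r->guard[p] = 0;
    else memset(r->guard, 0, sizeof r->guard);
    return STATUS_GUARD_PAGE_VIOLATION;
}

/* Replays the four touches; bit i of the result is set if touch i faulted. */
unsigned replay(int per_page) {
    static const uint32_t offs[4] = {4050, 4050, 4150, 4150};
    region_t r;
    unsigned mask = 0;
    memset(&r, 0, sizeof r);
    guard_range(&r, 4000, 200);   /* 4000..4199 crosses the 4096 boundary */
    for (unsigned i = 0; i < 4; i++)
        if (touch(&r, offs[i], per_page) == STATUS_GUARD_PAGE_VIOLATION)
            mask |= 1u << i;
    return mask;
}

int main(void) {
    printf("per-page clearing:    fault mask 0x%x\n", replay(1));
    printf("region-wide clearing: fault mask 0x%x\n", replay(0));
    return 0;
}
```

A fault mask of 0x5 (first and third touch fault) is the fail/work/fail/work pattern sebastianapelt reports; 0x1 is what the same four touches would show if one fault cleared the whole protected range.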
