All memory, processes etc. are accessible. Four-F has shown us how to hand shake with Windows to allow priviledge level zero (ring zero) access. If you take the simplest driver I think it's called "Beep.sys", your in. Once in your can be interrupted by none other than the interrupts. The IRQL levels can be pushed up by hardware interrupts. This is where you come face to face with the dreaded BSOD "Blue Screen of Death". I have found that this IRQ or rather these interrupts are the two debug interrupts DBG1 and DBG3. So.....handle them, at ring 0 your are in control. Now you have forced the system to wait on you while still allowing hardware interrupts to occur. You may run a driver that takes 5 minutes to complete and you will notice it on your task bar clock but that is just user mode software. If you reboot you will notice you never missed a TICK.
Next is to access memory. Your driver is only active for a short period of time so you can do a little system level manipulation as long as you restore the parameters before your driver exits. What would you need to manipulate you say? Well the Page Directory of course. You can think of the Page Directory Entries (PDE's) as segments in old DOS environment. The Page Directory contains 4Meg pages and pointers to the PTE's 4k pages. Well if one PDE describes an entire 4Meg block of memory and your in ring 0 than when your done reading or writing that 4Meg why not adjust the PDE for the next 4Meg. Yes I'm saying you can read and write all of memory with one Page Directory Entry. The trick is the processor has an internal cache that keeps track of the pages through what is known as the Translation Lookaside Buffer (TLB). You must flush this buffer before you change the entry. Simply load the pointer with the PDE you wish to flush like this:

invlpg dword ptr

Now you can put in your own entry and it will work!

I've had a couple of reqest for a driver I've been using to read and write memory and please excuse my sloppiness but I work as a hardware engineer so this is play time for me. But in the driver you will see ways of communicating to a user mode program by manipulating the Page directory and scanning for known code strings then sending information back and forth between a driver and user mode code. It can hunt search strings and deliver addresses of say "ntoskrnl.exe" if you like. I am continplating bringing it forth to a full blown memory editor. Sure would appreciate your input on rather you feel this could be a useful tool or not. Thanks, take a look
Posted on 2004-02-17 18:21:17 by mrgone