Re: [XenAccess-devel] Xenaccess examples with Windows XP/Vista
From: Bryan D. P. <br...@th...> - 2008-01-22 15:05:52
> WOOT!
>
> Ok, I know what is happening.

Cool... I'm glad that it's working. I was just starting to dig into this deeper :-)

> For debugging purposes, I changed get_ntoskrnl_base() to go search physical
> memory for the string "System", then go back 0x174 bytes and look for
> 0x001b0003. When I found that I knew the physical address of the EPROCESS
> block we're looking for: 0x25c8a00. Using a kernel debugger, I found that
> the virtual address of the EPROCESS block is 0x821c8a00. Subtract the
> numbers and the distance is 0x7fc00000, not 0x80000000. I changed
> init_page_offset() to reflect this and recompiled. That worked and I got
> the process list for my XP VM!
>
> I'm not sure what the 0x7fc00000 is though it looks familiar. I think I've
> come across it in my readings but I haven't found it yet. Any ideas?

Interesting. I'm not sure about this value. Does everything else seem to be working properly using that as the page offset? If it is, in fact, the right value, then I'll need to figure out how to determine the correct value when bootstrapping xenaccess...

> A couple things to note:
>
> 1) In get_ntoskrnl_base(), the while() loop only goes to 0x01000000 bytes
> of memory. My VM has 512 MB and so I had to change the break condition up
> to 0x20000000. Is there a way to know how much memory a VM has via an xc_
> function? (The xa_ code could always read the Xen config file used to boot
> the VM.)

Good point. I'll see about updating it so the search cutoff is based on the physical memory size.

> 2) The "magic" number 0x001b0003 won't work for Vista. I haven't done any
> rigorous checking, but on one process I have looked at, the number would be
> 0x00000003. (Again, I don't know yet if this is consistent for all EPROCESS
> blocks.)

It doesn't surprise me that this number is different for Vista. However, it does surprise me that you're seeing the number that you mentioned. The '1b' is a size / length field, so I would think that this would not be set to '00'. But, stranger things have happened. I'll see if I can get Vista installed on my system one of these days to see if my system looks the same as yours. If so, then it's probably safe to assume that we have found the proper magic number.

Thanks for keeping me updated, this is all very helpful...

-bryan

--
Bryan D. Payne
Graduate Student, Computer Science
Georgia Tech Information Security Center
http://www.bryanpayne.org
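The scan described in this thread (find the "System" image name in physical memory, step back 0x174 bytes, check for the EPROCESS header magic, then derive the page offset as virtual minus physical) is small enough to show end to end. The C below is an added example written for this archive page, not code from XenAccess or from either poster. It runs over a constructed in-memory "physical image" rather than a live Xen guest, takes the magic value as a parameter because the thread leaves the Vista value unconfirmed, and bounds the search by the image size instead of the hard-coded 0x01000000 cutoff that item 1 complains about. NAME_OFFSET, XP_MAGIC, make_image and run_demo are names chosen here.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Values taken from the thread: on the XP guest, ImageFileName ("System")
 * sits 0x174 bytes past the start of EPROCESS, whose first dword is the
 * "magic" 0x001b0003.  Both names are chosen for this example. */
#define NAME_OFFSET 0x174
#define XP_MAGIC    0x001b0003u

/* Scan a physical-memory image for the System EPROCESS block.
 * mem/mem_len is the guest's physical memory (here a constructed buffer).
 * The search limit is mem_len, i.e. derived from the memory size rather
 * than a fixed constant.  Returns the physical offset of EPROCESS, or -1. */
long find_system_eprocess(const uint8_t *mem, size_t mem_len, uint32_t magic)
{
    static const char name[] = "System";
    const size_t name_len = sizeof name;            /* includes the NUL */
    const uint8_t *end = mem + mem_len;
    const uint8_t *p = mem + NAME_OFFSET;           /* need room to step back */

    while (p < end && (p = memchr(p, 'S', (size_t)(end - p))) != NULL) {
        if ((size_t)(end - p) < name_len)
            break;
        if (memcmp(p, name, name_len) == 0) {
            uint32_t hdr;
            memcpy(&hdr, p - NAME_OFFSET, sizeof hdr);  /* little-endian x86 guest */
            if (hdr == magic)
                return (long)((p - NAME_OFFSET) - mem);
        }
        p++;
    }
    return -1;
}

/* Page offset exactly as the thread computes it: the kernel virtual
 * address of a structure minus its physical address. */
uint32_t page_offset(uint32_t vaddr, uint32_t paddr)
{
    return vaddr - paddr;
}

/* Constructed image: zero-filled memory with one fake EPROCESS at paddr. */
uint8_t *make_image(size_t len, size_t paddr, uint32_t magic)
{
    uint8_t *mem = calloc(len, 1);
    if (!mem)
        return NULL;
    memcpy(mem + paddr, &magic, sizeof magic);
    memcpy(mem + paddr + NAME_OFFSET, "System", sizeof "System");
    return mem;
}

/* Replay the thread's scenario on a constructed 40 MiB image.
 * Returns 1 if every step behaves as the thread describes, else 0. */
int run_demo(void)
{
    const size_t img_len = 0x2800000;   /* 40 MiB, constructed */
    const size_t placed  = 0x25c8a00;   /* physical address quoted in the thread */
    uint8_t *img = make_image(img_len, placed, XP_MAGIC);
    if (!img)
        return 0;
    /* Decoy: the bare string "System" elsewhere, with no magic in front of it. */
    memcpy(img + 0x1000 + NAME_OFFSET, "System", sizeof "System");

    long found   = find_system_eprocess(img, img_len, XP_MAGIC);
    long old_cut = find_system_eprocess(img, 0x01000000, XP_MAGIC);
    free(img);

    if (found != (long)placed)  /* the decoy must be skipped */
        return 0;
    if (old_cut != -1)          /* the old 16 MiB cutoff cannot reach 0x25c8a00 */
        return 0;
    return 1;
}

int main(void)
{
    printf("scan behaves as described: %s\n", run_demo() ? "yes" : "no");
    printf("page offset = 0x%08x\n", page_offset(0x821c8a00u, 0x025c8a00u));
    return 0;
}
```

The decoy string is there to make the point that matching "System" alone is not enough; the header check in front of it is what distinguishes the EPROCESS block from any other copy of the name in memory, and it is exactly that check whose Vista value the thread has not yet settled.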