保护模式(八):MmIsAddressValid逆向(PAE)
kd> u MmIsAddressValid l50h
;-----------------------------------------------------------------------
; BOOLEAN MmIsAddressValid(PVOID VirtualAddress)        (x86 PAE kernel)
; ABI:   stdcall; one stack argument at [ebp+8]; `ret 4` pops it
; Out:   al = 1 (TRUE) when a present mapping is found, 0 (FALSE) otherwise
; Walks the page tables through the kernel self-map:
;   PDE = [0xC0600000 + ((VA >> 18) & 0x3FF8)]
;   PTE = [0xC0000000 + ((VA >> 9)  & 0x7FFFF8)]
; Each entry is 8 bytes (PAE): [addr] = low dword, [addr+4] = high dword.
; The high dword is loaded and spilled to [ebp-4] but never read again
; in this listing; only the low dword's bit 0 (P) and bit 7 are tested.
; NOTE(review): no lock or IRQL change is visible here, so the result is a
; single snapshot of the page tables and can be stale by the time the
; caller dereferences the address -- treat it as a hint, not a guarantee.
; Clobbers: eax, ecx, edx, flags. esi, edi, ebx are saved/restored.
;-----------------------------------------------------------------------
nt!MmIsAddressValid:
80511980 8bff mov edi,edi ;2-byte no-op (the usual Windows hot-patch entry point)
80511982 55 push ebp
80511983 8bec mov ebp,esp
80511985 51 push ecx ;reserve two dword locals: [ebp-4], [ebp-8]
80511986 51 push ecx
80511987 8b4d08 mov ecx,dword ptr [ebp+8] ;ecx = VirtualAddress (the only argument)
8051198a 56 push esi
8051198b 8bc1 mov eax,ecx
8051198d c1e812 shr eax,12h ;eax = VA >> 18
80511990 bef83f0000 mov esi,3FF8h ;esi = index mask; reused at 805119f8
80511995 23c6 and eax,esi ;eax = ((VA >> 18) & 0x3FF8): (PDPT idx, PD idx) * 8 = PDE offset
80511997 2d0000a03f sub eax,3FA00000h ;eax += 0xC0600000 (PDE self-map base); -0x3FA00000 == +0xC0600000
8051199c 8b10 mov edx,dword ptr [eax] ;edx = PDE low dword (bits 31:0)
8051199e 8b4004 mov eax,dword ptr [eax+4] ;eax = PDE high dword (bits 63:32)
805119a1 8945fc mov dword ptr [ebp-4],eax ;spill high dword; not read again in this listing
805119a4 8bc2 mov eax,edx
805119a6 57 push edi
805119a7 83e001 and eax,1 ;isolate PDE P (present) bit
805119aa 33ff xor edi,edi
805119ac 0bc7 or eax,edi ;or with 0: high half of the 64-bit zero test, always zero
805119ae 7461 je nt!MmIsAddressValid+0x91 (80511a11) ;PDE.P == 0 -> return FALSE
805119b0 bf80000000 mov edi,80h ;edi = bit-7 mask; reused for the PTE at 805119ea
805119b5 23d7 and edx,edi ;edx = PDE & 0x80 (PS, page-size bit); sets ZF
805119b7 6a00 push 0
805119b9 8955f8 mov dword ptr [ebp-8],edx ;spill; not read again in this listing
805119bc 58 pop eax ;eax = 0 (push/mov/pop leave flags from the `and` intact)
805119bd 7404 je nt!MmIsAddressValid+0x43 (805119c3) ;PS == 0 -> 4K page, go walk the PTE
805119bf 85c0 test eax,eax ;eax is 0 here, so ZF is always set
805119c1 7452 je nt!MmIsAddressValid+0x95 (80511a15) ;PS == 1 -> large page, return TRUE
805119c3 c1e909 shr ecx,9 ;ecx = VA >> 9
805119c6 81e1f8ff7f00 and ecx,7FFFF8h ;ecx = (VA >> 9) & 0x7FFFF8: PTE index * 8 (VA bits 31:12)
805119cc 8b81040000c0 mov eax,dword ptr [ecx-3FFFFFFCh] ;eax = [ecx + 0xC0000004] = PTE high dword
805119d2 81e900000040 sub ecx,40000000h ;ecx += 0xC0000000 (PTE self-map base): ecx = &PTE
805119d8 8b11 mov edx,dword ptr [ecx] ;edx = PTE low dword (bits 31:0)
805119da 8945fc mov dword ptr [ebp-4],eax ;spill high dword; not read again in this listing
805119dd 53 push ebx
805119de 8bc2 mov eax,edx
805119e0 33db xor ebx,ebx
805119e2 83e001 and eax,1 ;isolate PTE P (present) bit
805119e5 0bc3 or eax,ebx ;high half of the 64-bit zero test, always zero
805119e7 5b pop ebx
805119e8 7427 je nt!MmIsAddressValid+0x91 (80511a11) ;PTE.P == 0 -> return FALSE
805119ea 23d7 and edx,edi ;edx = PTE & 0x80 (bit 7 = PAT in a 4K PTE); sets ZF
805119ec 6a00 push 0
805119ee 8955f8 mov dword ptr [ebp-8],edx ;spill; not read again
805119f1 58 pop eax ;eax = 0
805119f2 7421 je nt!MmIsAddressValid+0x95 (80511a15) ;bit 7 clear -> return TRUE
805119f4 85c0 test eax,eax ;eax is 0: ZF set
805119f6 751d jne nt!MmIsAddressValid+0x95 (80511a15) ;never taken
805119f8 23ce and ecx,esi ;bit 7 set: ecx = (&PTE) & 0x3FF8 (esi is still 0x3FF8)
805119fa 8b89000060c0 mov ecx,dword ptr [ecx-3FA00000h] ;ecx = low dword at 0xC0600000 + that offset (a PDE slot); which entry this is, is not analysed here
80511a00 b881000000 mov eax,81h ;mask = bit 0 (P) | bit 7
80511a05 23c8 and ecx,eax
80511a07 33d2 xor edx,edx ;edx = 0: high half of the 64-bit compare
80511a09 3bc8 cmp ecx,eax
80511a0b 7508 jne nt!MmIsAddressValid+0x95 (80511a15) ;(entry & 0x81) != 0x81 -> return TRUE
80511a0d 85d2 test edx,edx ;edx is 0: never jumps
80511a0f 7504 jne nt!MmIsAddressValid+0x95 (80511a15)
80511a11 32c0 xor al,al //return FALSE (also reached by fall-through when bits 0 and 7 are both set above)
80511a13 eb02 jmp nt!MmIsAddressValid+0x97 (80511a17)
80511a15 b001 mov al,1 //return TRUE
80511a17 5f pop edi
80511a18 5e pop esi
80511a19 c9 leave ;mov esp,ebp / pop ebp: drops the two locals
80511a1a c20400 ret 4 ;stdcall: callee pops the 4-byte argument
/* Returns TRUE when VirtualAddress has a present PDE and, for 4K pages,
 * a present PTE (see the walk in the disassembly above); FALSE otherwise.
 * NOTE(review): the disassembly shows no locking, so the answer is a
 * snapshot that can change before the caller touches the address. */
BOOLEAN MmIsAddressValid(
PVOID VirtualAddress
);
结论
PDE=[((VirtualAddress>>18)&0x3FF8)+0xC0600000]
PTE=[((VirtualAddress>>9)&0x7FFFF8)+0xC0000000]
（PAE 下每项为 8 字节：[地址] 是低 32 位，[地址+4] 是高 32 位；函数只检查低 32 位中的 bit0（P 位）和 bit7（PDE 为 PS 位，PTE 为 PAT 位）。）