Closed AppleSky6 closed 1 year ago
Thanks for reporting this bug!
I had some free time last weekend and triaged the issue. I appreciate you posting your implementation of finding the writable KUSER_SHARED_DATA
page.
I reversed the kdcom dll that ships with 22621 and discovered an easier way to modify that page of memory. Instead of searching for the page, VirtualKD-Redux can use RtlSetSystemGlobalData
, a new function that is exported from ntoskrnl. Take a look at commit 1a2babfd4d3df1ea574d41d9f733c21d5b330c7c to see how I did this.
I went ahead and released VirtualKD-Redux 2022.1 which adds support for build 22621 and beyond.
The reason may be Microsoft( https://msrc-blog.microsoft.com/2022/04/05/randomizing-the-kuser_shared_data-structure-on-windows/ )As a result of the randomization of SharedUserData , the content on SharedUserData does not have the write attribute, and the content with the write attribute is mapped to the MmWriteableSharedUserData address (they all point to the same physical memory at the same time, and the address is randomized with the MiProtectSharedUserPage function. Therefore, the kdreceivepacket function should not be used directly.This is my suggestion for change. I'm sorry my English is very poor.
static PKUSER_SHARED_DATA NtSharedUserData = SharedUserData; static PKUSER_SHARED_DATA *KdvmSharedUserData = &NtSharedUserData;
NTSTATUS SearchPattern(IN const UCHAR pattern, IN UCHAR wildcard, IN ULONG_PTR len, IN const VOID base, IN ULONG_PTR size, OUT PVOID *ppFound) { ASSERT(ppFound != NULL && pattern != NULL && base != NULL); if (ppFound == NULL || pattern == NULL || base == NULL) return STATUS_INVALID_PARAMETER;
}
NTSTATUS GetMmWriteableSharedUserData() { NTSTATUS status = STATUS_SUCCESS; PCHAR resultPtr = NULL; UNICODE_STRING routineName; PVOID FsRtlDismountComplete = NULL;
}