I can't use get_ept_pte()

[Shadowairing]

When I use get_ept_pte(), it causes a BSOD which "system thread exception not handled".

I use "physical_address = MmGetPhysicalAddress((PVOID)addr).QuadPart & 0xFFFFFFFFFFFFF000" to find the physical_address page.

When I use "ept_pte* pte = get_ept_pte(ept, physical_address, true);", it can return a non-zero pointer.

But when I access any member of pte, such as "pte->execute_access", it causes BSOD.

[jonomango]

Hi, are you calling MmGetPhysicalAddress() from root-mode?

[Shadowairing]

here is the code

void test_pte() { PVOID addr = allocate_contignous_memory(0x1000); NT_ASSERT(KeGetCurrentIrql() <= APC_LEVEL); for (unsigned long i = 0; i < hv::ghv.vcpu_count; ++i) { auto const orig_affinity = KeSetSystemAffinityThreadEx(1ull << i); UINT64 physical_address = MmGetPhysicalAddress((PVOID)addr).QuadPart & 0xFFFFFFFFFFFFF000; ept_pte* pte = hv::get_ept_pte(hv::ghv.vcpus[i].ept, physical_address, true); if (pte) { //DbgPrint("execute_access %I64X\n", pte->execute_access); try { DbgPrint("execute_access %I64X\n", pte->execute_access); } except (1) { DbgPrint("error\n"); } } else { DbgPrint("pte error\n"); } KeRevertToUserAffinityThreadEx(orig_affinity); } }

NTSTATUS driver_entry(PDRIVER_OBJECT const driver, PUNICODE_STRING) { DbgPrint("[hv] Driver loaded.\n");

if (driver) driver->DriverUnload = driver_unload;

if (!hv::start()) { DbgPrint("[hv] Failed to virtualize system.\n"); return STATUS_HV_OPERATION_FAILED; }

if (ping() == hv::hypervisor_signature) DbgPrint("[client] Hypervisor signature matches.\n"); else DbgPrint("[client] Failed to ping hypervisor!\n");

test_pte(); return STATUS_SUCCESS; }

[jonomango]

You can't call get_ept_pte() from non-root mode, since get_ept_pte() internally reads physical memory using the host page tables (host_physical_memory_base). Make your function into a hypercall, and do your stuff there.

[Shadowairing]

thank you so much, I will try that later