Memory analysis

Searching for Page Directories (3)

In a blog post Jacky Wu describes how to search for Page Directories if Windows XP SP2 is operating in PAE mode.

In x86 mode it is possible to identify physical pages as Page Directories (PD) just by checking a single DWORD. This is possible because PDs are self-relative.

When in PAE mode, the PD consists of four physical pages (4 kiB each) instead of a single page in x86 mode. So it becomes a bit more difficult to search for them using the same simple criterion. Jacky Wu found out, however, that the 4th page of a PD is still self-relative, though at a different offset.

In addition to the example given by Jacky Wu I provide a screenshot of a PD as shown by 010 Editor and a template:

At first there is the Page Directory Pointer Table. Its four entries point to the four PDs. Here the PDs are located in the page frames numbered from 0x311 to 0x314. Please note that the 4th PD is located in page frame 0x314.

In the bottom half you'll find a detailed view of this PD and some of its Page Directory Entries (PDE). As you can clearly see, the 4th PDE (PDE[3]) points to the base address of the 4th PD. So the PD is self-relative in PAE mode, too. Please note that the first three PDEs point to the other three PDs.

So the first four PDEs of the 4th PD could serve as a Page Directory Pointer Table. This is shown in one of Wu's figures.

However, I was not able to reproduce this exact behavior on Microsoft Windows XP SP2, build 5.1.2600.2622. Please have a look at the following extract from PTFinder output. Here CR3 does not directly point to the beginning of the 4th PD, but to a Page Directory Pointer Table (PDPT) that has been stored elsewhere. Well, to be precise, "elsewhere" here means one of just two different pages. Page 0x310 holds the PDPT for System/Idle, while the PDPTs for all other processes are kept in page frame no. 0x5280.

No.  Type PID    CR3        Remarks
---- ---- ------ ---------- ----------------
   1 Proc      0 0x00310000 Idle            
   2 Proc    184 0x05280240 explorer.exe    
   3 Proc    796 0x052800e0 svchost.exe     
   4 Proc    476 0x05280040 csrss.exe       
   5 Proc    544 0x05280080 services.exe    
   6 Proc   1064 0x05280160 svchost.exe     
   7 Proc   1504 0x052801e0 alg.exe         
   8 Proc    412 0x05280020 smss.exe        
   9 Proc    720 0x052800c0 svchost.exe     
  10 Proc    236 0x05280100 VMwareTray.exe  
  11 Proc      4 0x00310000 System          
  12 Proc    452 0x052802a0 notepad.exe     
  13 Proc    556 0x052800a0 lsass.exe       
  14 Proc   1096 0x05280180 spoolsv.exe     
  15 Proc   1304 0x052801c0 VMwareService.e 
  16 Proc   2044 0x05280220 userinit.exe    
  17 Proc    500 0x05280060 winlogon.exe    
  18 Proc   1852 0x05280200 wuauclt.exe     
  19 Proc   1216 0x052801a0 netdde.exe      
  20 Proc    872 0x05280120 svchost.exe     
  21 Proc    244 0x05280260 VMwareUser.exe  
  22 Proc    944 0x05280140 svchost.exe     
  23 Proc    260 0x05280280 rundll32.exe  
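As an added example (not code from the original post, from Jacky Wu or from PTFinder), here is a small Python scanner over a raw memory image that applies both self-reference criteria and follows a PAE CR3 to its PDPT. The image is constructed inline with the frame numbers from the screenshot (PDs in 0x311..0x314, PDPT in page 0x310 as for Idle/System above); the non-PAE entry index 0x300 is assumed from the 0xC0000000 self-map and is not stated on this page.

```python
import struct

PAGE = 0x1000
PRESENT = 0x1
PFN_MASK = 0x000FFFFFFFFFF000   # bits 12..51 of a 64-bit PAE entry

def pae_entry(pfn, flags=PRESENT | 0x2):
    """Encode a 64-bit PAE PDE/PDPTE that maps page frame `pfn`."""
    return (pfn << 12) | flags

def pfn_of(entry):
    return (entry & PFN_MASK) >> 12

def is_pae_pd4(image, pfn):
    """PAE criterion: in the 4th PD, PDE[3] (offset 0x18) maps the 4th PD
    itself, so the entry's frame number must equal the page's own."""
    off = pfn * PAGE + 3 * 8
    if off + 8 > len(image):
        return False
    entry, = struct.unpack_from("<Q", image, off)
    return bool(entry & PRESENT) and pfn_of(entry) == pfn

def is_x86_pd(image, pfn):
    """Non-PAE criterion: the single 32-bit PDE at index 0x300 (offset 0xC00,
    assumed from the 0xC0000000 self-map) points at the directory page itself."""
    off = pfn * PAGE + 0x300 * 4
    if off + 4 > len(image):
        return False
    entry, = struct.unpack_from("<I", image, off)
    return bool(entry & PRESENT) and (entry >> 12) == pfn

def find_pae_pd4(image):
    """Scan every 4 kiB frame of the image for a self-relative 4th PD."""
    return [p for p in range(len(image) // PAGE) if is_pae_pd4(image, p)]

def four_frames(image, off):
    """Frame numbers of four consecutive 64-bit entries (a PDPT, or PDE[0..3])."""
    return [pfn_of(struct.unpack_from("<Q", image, off + i * 8)[0]) for i in range(4)]

def pds_from_cr3(image, cr3):
    """PAE CR3 holds a 32-byte aligned PDPT address; return the four PD frames."""
    return four_frames(image, cr3 & ~0x1F)

# Constructed image: PDPT at page 0x310, PDs in 0x311..0x314, PDE[0..3] of the
# 4th PD pointing back at those frames; decoy page 0x200 has a non-matching PDE[3].
IMAGE = bytearray(0x315 * PAGE)
for i, pfn in enumerate([0x311, 0x312, 0x313, 0x314]):
    struct.pack_into("<Q", IMAGE, 0x310 * PAGE + i * 8, pae_entry(pfn, PRESENT))
    struct.pack_into("<Q", IMAGE, 0x314 * PAGE + i * 8, pae_entry(pfn))
struct.pack_into("<Q", IMAGE, 0x200 * PAGE + 3 * 8, pae_entry(0x201))
```

The scan reports only frame 0x314, and the first four PDEs of that frame name the same PDs as the PDPT reached through CR3 0x00310000, which is the observation behind Wu's figure.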

Imprint

This blog is a project of
Andreas Schuster
Im Äuelchen 45
D-53177 Bonn
Germany
impressum@forensikblog.de

Copyright © 2005-2010 by
Andreas Schuster
All rights reserved.