Notes on forged-CR3 protection

Reference: (source not named)

狐白, last edited almost 2 years ago

Control Register 3 (CR3)—Long Mode

Table Base Address Field. Bits 51:12. When 5-Level paging is enabled (CR4.LA57=1) this 40-bit
field points to the PML5 base address. Otherwise it points to the PML4 base address. The PML4 or
PML5 table is aligned on a 4-Kbyte boundary with the low-order 12 address bits (11:0) assumed to be
0. This yields a total base-address size of 52 bits. System software running on processor
implementations supporting less than the full 52-bit physical-address space must clear the
unimplemented upper base-address bits to 0.

Page-Level Writethrough (PWT) Bit. Bit 3. Page-level writethrough indicates whether the highest-level page-translation table has a writeback or writethrough caching policy. When PWT=0, the table has a writeback caching policy. When PWT=1, the table has a writethrough caching policy.

Page-Level Cache Disable (PCD) Bit. Bit 4. Page-level cache disable indicates whether the highest-level page-translation table is cacheable. When PCD=0, the table is cacheable. When PCD=1, the table is not cacheable.

Process Context Identifier. Bits 11:0. This 12-bit field determines the current Processor Context
Identifier (PCID) when CR4.PCIDE=1.

Reserved Bits. Reserved fields should be cleared to 0 by software when writing CR3.

In practice

When CR3 is written without clearing its Reserved Bits, a #GP exception is raised.
So step one is to save the real CR3.
Step two: set _KPROCESS.DirectoryTableBase to DirectoryTableBase | 1ui64 << 63. In fact DirectoryTableBase is not even needed at this point; a magic number or a random value can be used instead.
Step three: when the instruction mov cr3, xxx executes, #GP fires, and the exception callback then writes the real CR3.
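An added example, not code from the article: a C decoder for the CR3 layout quoted above, plus the check an integrity scanner reading _KPROCESS.DirectoryTableBase would apply, since a value that cannot be loaded into CR3 without #GP is not a genuine page-table base. The sample value 0x1ad000 and MAXPHYADDR=48 are constructed, and the fault check assumes CR4.PCIDE=0.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Long-mode CR3 layout as described in the manual excerpt above. */
#define CR3_PWT        (1ULL << 3)
#define CR3_PCD        (1ULL << 4)
#define CR3_PCID_MASK  0xFFFULL
#define CR3_MAX_PA     52               /* architectural maximum physical-address width */

typedef struct {
    uint64_t table_base;    /* PML4/PML5 physical base: bits (MAXPHYADDR-1):12, 11:0 zero */
    bool     pwt;           /* bit 3 */
    bool     pcd;           /* bit 4 */
    uint16_t pcid;          /* bits 11:0, meaningful only when CR4.PCIDE=1 */
    uint64_t reserved_high; /* bits 63:MAXPHYADDR, which software must write as zero */
} cr3_fields;

/* maxphyaddr: implemented physical-address width (CPUID 0x80000008 EAX[7:0]). */
cr3_fields cr3_decode(uint64_t cr3, unsigned maxphyaddr)
{
    cr3_fields f = {0};
    if (maxphyaddr > CR3_MAX_PA) maxphyaddr = CR3_MAX_PA;
    uint64_t implemented = (1ULL << maxphyaddr) - 1;   /* bits (maxphyaddr-1):0 */

    f.table_base    = cr3 & implemented & ~0xFFFULL;
    f.pwt           = (cr3 & CR3_PWT) != 0;
    f.pcd           = (cr3 & CR3_PCD) != 0;
    f.pcid          = (uint16_t)(cr3 & CR3_PCID_MASK);
    f.reserved_high = cr3 & ~implemented;
    return f;
}

/* True when "mov cr3, value" would raise #GP because reserved high bits are set.
 * Assumes CR4.PCIDE=0, the state in which bit 63 is reserved (with PCIDE=1 the
 * processor instead treats bit 63 of the written value as a no-flush hint). */
bool cr3_would_fault(uint64_t cr3, unsigned maxphyaddr)
{
    return cr3_decode(cr3, maxphyaddr).reserved_high != 0;
}

int main(void)
{
    uint64_t sample = 0x1ad000ULL;           /* constructed DirectoryTableBase, MAXPHYADDR=48 */
    uint64_t forged = sample | (1ULL << 63); /* the value the article's step two stores */
    printf("%#llx fault=%d\n", (unsigned long long)sample, cr3_would_fault(sample, 48));
    printf("%#llx fault=%d\n", (unsigned long long)forged, cr3_would_fault(forged, 48));
    return 0;
}
```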

Test

Real CR3: (screenshot not preserved)
Fake CR3: (screenshot not preserved)
When the exception fires: (screenshot not preserved)

Related code

Summary

In fact a great deal can be done with this; even writes to the forged CR3 can be handled. The thread information and the faulting address yield very useful data, including a way to implement hidden addresses [CR3 is written on every thread switch].
It can be used for anti-cheat, and it can equally be used for cheating.