[ros-dev] [ros-diffs] [tkreuzer] 64591: [NTOSKRNL] - Improve the random address base code in MiCreatePebOrTeb to actually make sense and not rely on retarded hacks implicitly hardcoding the PEB size in pages into the ra...
The improvement is based on readability / coding style. I think the
comment explained the reason to improve it. But I can explain again in
more detail:
The old code created a random value for a page offset inside a 64k
region. The PEB was supposed to get into that region, but preferably not
below.
Obviously, we don't have ALL of these 16 possible 4k page locations
available, if we neither want to go above the upper or below the lower
margin, but still fit n pages between these 2.
The old code "fixed" the random value to account for that limitation by
hardcoding a 2 (for 2 pages), making sure that there are 2 pages
available to put the PEB in.
The new code will check the size of the PEB instead of relying on the
hardcoded magic value of 2, wich wasn't even explained anywhere. So all
I did here was remove a hack.
The rest of the change affects the path that we follow on a failure.
Instead of trying to allocate the PEB at a constant given address and if
that fails, try again from top down, we use the upper margin and try to
allocate at the highest address from there. So it cannot fail, unless
the whole address space is blocked. The commit message might not have
been describing this properly, but the claim that there is no change in
Windows behaviour still stays, since there is no way to predict the
address of the PEB anyway. It's random, from top down. And it stays that
way. Under normal circumstances only the NLS section would block the
address range and in that case the allocation will go below, so no
change at all. When it comes to cloned processes, things might be more
complicated, but then there is no chance to predict the location of the
PEB anyway, it could go anywhere, even below the 64k range. Again no change.
If you still have doubts, please let me know what exactly you think
could be wrong here, so I can address that accordingly.
Timo
PS: we are talking about randomized behavior here, that is done for
security reasons, so doing it differently without breaking assumptions
that user mode applications can make would most likely be beneficial.
When you write a security software that has prevention capabilities, you
also also change Windows behaviour. If that had a negative effect on
*legitimate* software running on the system, it would be bad. If it
doesn't have any negative effect, or only on "bad" software, it's good.
If you can reasonably argue, why this change could possibly affect
legitimate software in a negative way, then I can write a test based on
that.
Am 11.10.2014 18:37, schrieb Alex Ionescu:
> Where't the unit test proving your 'improved' algorithm matches XP
> SP2/SRV03 SP1?
>> Best regards,
> Alex Ionescu
>> On Tue, Oct 7, 2014 at 5:31 PM, <tkreuzer at svn.reactos.org
> <mailto:tkreuzer at svn.reactos.org>> wrote:
>> Author: tkreuzer
> Date: Wed Oct 8 00:31:35 2014
> New Revision: 64591
>> URL: http://svn.reactos.org/svn/reactos?rev=64591&view=rev
> Log:
> [NTOSKRNL]
> - Improve the random address base code in MiCreatePebOrTeb to
> actually make sense and not rely on retarded hacks implicitly
> hardcoding the PEB size in pages into the random value generation.
>> Modified:
> trunk/reactos/ntoskrnl/mm/ARM3/procsup.c
>> Modified: trunk/reactos/ntoskrnl/mm/ARM3/procsup.c
> URL:
> http://svn.reactos.org/svn/reactos/trunk/reactos/ntoskrnl/mm/ARM3/procsup.c?rev=64591&r1=64590&r2=64591&view=diff
> ==============================================================================
> --- trunk/reactos/ntoskrnl/mm/ARM3/procsup.c [iso-8859-1]
> (original)
> +++ trunk/reactos/ntoskrnl/mm/ARM3/procsup.c [iso-8859-1] Wed
> Oct 8 00:31:35 2014
> @@ -48,13 +48,13 @@
> NTAPI
> MiCreatePebOrTeb(IN PEPROCESS Process,
> IN ULONG Size,
> - OUT PULONG_PTR Base)
> + OUT PULONG_PTR BaseAddress)
> {
> PETHREAD Thread = PsGetCurrentThread();
> PMMVAD_LONG Vad;
> NTSTATUS Status;
> - ULONG RandomCoeff;
> - ULONG_PTR StartAddress, EndAddress;
> + ULONG_PTR HighestAddress, RandomBase;
> + ULONG AlignedSize;
> LARGE_INTEGER CurrentTime;
> TABLE_SEARCH_RESULT Result = TableFoundNode;
> PMMADDRESS_NODE Parent;
> @@ -83,25 +83,30 @@
> /* Check if this is a PEB creation */
> if (Size == sizeof(PEB))
> {
> - /* Start at the highest valid address */
> - StartAddress = (ULONG_PTR)MM_HIGHEST_VAD_ADDRESS + 1;
> -
> - /* Select the random coefficient */
> + /* Create a random value to select one page in a 64k
> region */
> KeQueryTickCount(&CurrentTime);
> - CurrentTime.LowPart &= ((64 * _1KB) >> PAGE_SHIFT) - 1;
> - if (CurrentTime.LowPart <= 1) CurrentTime.LowPart = 2;
> - RandomCoeff = CurrentTime.LowPart << PAGE_SHIFT;
> -
> - /* Select the highest valid address minus the random
> coefficient */
> - StartAddress -= RandomCoeff;
> - EndAddress = StartAddress + ROUND_TO_PAGES(Size) - 1;
> + CurrentTime.LowPart &= (_64K / PAGE_SIZE) - 1;
> +
> + /* Calculate a random base address */
> + RandomBase = (ULONG_PTR)MM_HIGHEST_VAD_ADDRESS + 1;
> + RandomBase -= CurrentTime.LowPart << PAGE_SHIFT;
> +
> + /* Make sure the base address is not too high */
> + AlignedSize = ROUND_TO_PAGES(Size);
> + if ((RandomBase + AlignedSize) >
> (ULONG_PTR)MM_HIGHEST_VAD_ADDRESS + 1)
> + {
> + RandomBase = (ULONG_PTR)MM_HIGHEST_VAD_ADDRESS + 1 -
> AlignedSize;
> + }
> +
> + /* Calculate the highest allowed address */
> + HighestAddress = RandomBase + AlignedSize - 1;
>> /* Try to find something below the random upper margin */
> Result =
> MiFindEmptyAddressRangeDownTree(ROUND_TO_PAGES(Size),
> - EndAddress,
> + HighestAddress,
> PAGE_SIZE,
> &Process->VadRoot,
> - Base,
> + BaseAddress,
> &Parent);
> }
>> @@ -113,7 +118,7 @@
>> (ULONG_PTR)MM_HIGHEST_VAD_ADDRESS,
> PAGE_SIZE,
> &Process->VadRoot,
> - Base,
> + BaseAddress,
> &Parent);
> /* Bail out, if still nothing free was found */
> if (Result == TableFoundNode)
> @@ -125,12 +130,12 @@
> }
>> /* Validate that it came from the VAD ranges */
> - ASSERT(*Base >= (ULONG_PTR)MI_LOWEST_VAD_ADDRESS);
> + ASSERT(*BaseAddress >= (ULONG_PTR)MI_LOWEST_VAD_ADDRESS);
>> /* Build the rest of the VAD now */
> - Vad->StartingVpn = (*Base) >> PAGE_SHIFT;
> - Vad->EndingVpn = ((*Base) + Size - 1) >> PAGE_SHIFT;
> - Vad->u3.Secured.StartVpn = *Base;
> + Vad->StartingVpn = (*BaseAddress) >> PAGE_SHIFT;
> + Vad->EndingVpn = ((*BaseAddress) + Size - 1) >> PAGE_SHIFT;
> + Vad->u3.Secured.StartVpn = *BaseAddress;
> Vad->u3.Secured.EndVpn = (Vad->EndingVpn << PAGE_SHIFT) |
> (PAGE_SIZE - 1);
> Vad->u1.Parent = NULL;
>> @@ -146,7 +151,7 @@
> Vad->ControlArea = NULL; // For Memory-Area hack
> Vad->FirstPrototypePte = NULL;
> DPRINT("VAD: %p\n", Vad);
> - DPRINT("Allocated PEB/TEB at: 0x%p for %16s\n", *Base,
> Process->ImageFileName);
> + DPRINT("Allocated PEB/TEB at: 0x%p for %16s\n", *BaseAddress,
> Process->ImageFileName);
> MiInsertNode(&Process->VadRoot, (PVOID)Vad, Parent, Result);
>> /* Release the working set */
>>>>>> _______________________________________________
> Ros-dev mailing list
> Ros-dev at reactos.org
> http://www.reactos.org/mailman/listinfo/ros-dev
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.reactos.org/pipermail/ros-dev/attachments/20141012/c5b53405/attachment.html>
More information about the Ros-dev
mailing list
CHAPTER VII. THE FOUR CLASSES OF SOCIETY. THE FOUR CLASSES OF SOCIETY. "After the herald had given the names of the wrestlers who were to make the first round, the fellows came in. They were dressed without any clothes to speak of, or rather they were quite undressed, with the exception of a cloth around their loins. They came in on opposite sides of the ring, and stood there about five feet apart, each man resting his hands on his knees, and glaring at the other like a wild beast. They[Pg 231] looked more like a pair of tigers than human beings, and for a moment I thought it was not at all unlike what a bull-fight in Spain might be. I turned upon her choking with anger, but her melting beauty rendered me helpless. Black woods were on our left. "Shall we turn in here?" I asked. "None of that with me," he growled. "Do you know who I am, Countess Lalage? I am Leon Lagage, Count of the Holy Roman Empire, and your husband. Incomparable woman, you cannot alter that fact. For better or worse, for richer or poorer, till death do us part!" I have in this way imperfectly indicated a methodical plan of generating a design, as far as words alone will serve, beginning with certain premises based upon a particular work to be performed, and then proceeding to consider in consecutive order the general character of the machine, mode of operation, movements and adjustments, general arrangement, strains, special arrangement, and proportions. ‘Alas! what is life, what is death, what are we, 11th January two best dresses. Commencement was as usual, with a few showers “All right,” agreed Sandy. “Dick, you and I are the ground crew. As soon as you’re ready, Mr. Whiteside, we’ll take hold!” Effects of Walpole's Administration—Formation of the new Ministry—Attitude of the Malcontents—Committee of Inquiry into Walpole's Administration—Walpole's Protectors—Ministerial Measures—Prorogation of Parliament—Disasters of the French—British Division in the Netherlands—Opening of Parliament—The German Mercenaries—Amendment of the Gin Act—George goes to Germany—Stair and De Noailles in Franconia—Stair in a Trap—Bold Resolution of King George—The Battle of Dettingen—Resignation of Stair—Retreat of the French—Negotiations for Peace—Treaty of Worms—Pelham becomes Prime Minister—The Attacks of Pitt on Carteret—Attempted Invasion of England—Its Failure—Progress of the French Arms—Frederick II. invades Bohemia—His Retirement—Resignation of Carteret—Pelham strengthens his Ministry—Death of the Emperor—Campaign in Flanders—Battle of Fontenoy—Campaign of Frederick II.—The Young Pretender's Preparations—Loss of the Elizabeth—Landing in the Hebrides—The Highland Clans join him—The First Brush—Raising of the Standard—Cope's Mistake—He turns aside at Dalwhinnie—Charles makes a Dash for Edinburgh—The March to Stirling—Right of the Dragoons—The "Canter of Coltbridge"—Edinburgh surprised by the Highlanders—Charles marching against Cope—Battle of Prestonpans—Delay in marching South—Discontent of the Highland Chiefs—The Start—Preparations in England—Apathy of the Aristocracy—Arrival of the Duke of Cumberland—Charles crosses the Border—Capture of Carlisle—The March to Derby—Resolution to retreat—"Black Friday"—The Retreat—Recapture of Carlisle—Siege of Stirling—Battle of Falkirk—Retreat to the Highlands—Cumberland's Pursuit—Gradual Collapse of the Highlanders—Battle of Culloden—Termination of the Rebellion—Cruelty of the Duke of Cumberland—Adventures of the Young Pretender—Trials and Executions—Ministerial Crisis. The next morning he was up betimes, and cooked the boys as good a breakfast as he could out of the remainder of his store and what he could get from the hospital, and then gave what was left to whoever came. The comfortable crib, which had cost the Deacon so much labor, had been pre-empted by the Surgeon for some of his weakest patients. "You two step forward one pace," he commanded. "Gentleman, I've got my six. The rest are yours." "Where are you goin'?" he said sternly. Every now and then the crowd would break into the latest rhymings of MacKinnon's poet: A large thicket, at this moment, gave the dusty foot an opportunity of doubling, and, for an instant, diverging from the straightforward course, though it availed him little, he seemed to feel the breath of his pursuer on the back of his neck; his foot sounded as if at his heels; he drew his garment closely around him, turned suddenly to the right, and, bounding from the ground, the next instant a splash was heard in the little river, and the fugitive was safe from his pursuer. HoME明日之后怎么免费刷一级纳米材料
ENTER NUMBET 0018ttzhua.com.cn www.boaisuxin.com.cn www.topupup.com.cn www.bouncer.net.cn wulianhua.com.cn www.hxwr.com.cn www.vtodo.com.cn www.yxqs.net.cn jijisong.net.cn www.fggy121.com.cn