Post #2
Does Win7 have page table isolation?
Post #3
Quoting はつゆき: "Does Win7 have page table isolation?"
Yes. It's the same kernel file; Win7 7601 SP1.
Last edited by ookkaa on 2021-1-14 13:40.
Post #4
https://support.microsoft.com/zh-cn/help/4073119/protect-against-speculative-execution-side-channel-vulnerabilities-in
Oddly, when I search the kernel directly for the related registry strings I can't find them; I suspect the strings are encoded.
Post #5
https://social.technet.microsoft.com/Forums/zh-cn/7fc82174-0cd9-4690-b043-6ba3285fbcd9/how-to-enable-kvashadowkpti-manually-?forum=winserver8zhcn
Post #6
~
Last edited by hhkqqs on 2021-1-14 16:12.
Post #7
Quoting hzqst: https://social.technet.microsoft.com/Forums/zh-cn/7fc82174-0cd9-4690-b043-6ba3285fbcd9/how-to-enable ...
Is this registry value read in some other kernel module, or is it encoded inside nt? I searched for the string directly and didn't see it.
Post #8
Quoting hhkqqs: "Is this registry value read in some other kernel module, or is it encoded inside nt? I searched for the string directly and didn't see it."
It should be in both ntoskrnl and winload.
Post #9
Thanks to both of you.
Post #10
Tried it: if the kernel page table isolation patch is installed, kernel page table isolation is enabled by default.
After setting both registry values FeatureSettingsOverride and FeatureSettingsOverrideMask to 3 and rebooting, kernel page table isolation is turned off.
1. Default case:
1: kd> rdmsr 0xC0000082
msr[c0000082] = fffff800`04021bc0
1: kd> uf fffff800`04021bc0
nt!KiSystemServiceUser:
fffff800`03ef0982 c645ab02 mov byte ptr [rbp-55h],2
fffff800`03ef0986 65488b1c2588010000 mov rbx,qword ptr gs:[188h]
fffff800`03ef098f 0f0d8bd8010000 prefetchw [rbx+1D8h]
fffff800`03ef0996 0fae5dac stmxcsr dword ptr [rbp-54h]
fffff800`03ef099a 650fae142580010000 ldmxcsr dword ptr gs:[180h]
fffff800`03ef09a3 807b0300 cmp byte ptr [rbx+3],0
fffff800`03ef09a7 66c785800000000000 mov word ptr [rbp+80h],0
fffff800`03ef09b0 0f8481000000 je nt!KiSystemServiceUser+0xb5 (fffff800`03ef0a37) Branch
...
nt!KiSystemCall64Shadow: ; fffff800`04021bc0 is the shadow entry, which shows kernel page table isolation is enabled.
fffff800`04021bc0 0f01f8 swapgs
fffff800`04021bc3 654889242510600000 mov qword ptr gs:[6010h],rsp
fffff800`04021bcc 65488b242500600000 mov rsp,qword ptr gs:[6000h]
fffff800`04021bd5 650fba24251860000001 bt dword ptr gs:[6018h],1
fffff800`04021bdf 7203 jb nt!KiSystemCall64Shadow+0x24 (fffff800`04021be4) Branch
nt!KiSystemCall64Shadow+0x21:
fffff800`04021be1 0f22dc mov cr3,rsp
nt!KiSystemCall64Shadow+0x24:
fffff800`04021be4 65488b242508600000 mov rsp,qword ptr gs:[6008h]
fffff800`04021bed 6a2b push 2Bh
fffff800`04021bef 65ff342510600000 push qword ptr gs:[6010h]
...
nt!KiSystemCall64ShadowCommon+0x228:
fffff800`04021e15 0faee8 lfence
nt!KiSystemCall64ShadowCommon+0x22b:
fffff800`04021e18 e965ebecff jmp nt!KiSystemServiceUser (fffff800`03ef0982) Branch
2. Kernel page table isolation disabled:
1: kd> rdmsr 0xC0000082
msr[c0000082] = fffff800`03ef0780
1: kd> uf fffff800`03ef0780
Flow analysis was incomplete, some code may be missing
nt!KiSystemCall64: ; fffff800`03ef0780 is now the real entry, which shows kernel page table isolation has been disabled.
fffff800`03ef0780 0f01f8 swapgs
fffff800`03ef0783 654889242510000000 mov qword ptr gs:[10h],rsp
fffff800`03ef078c 65488b2425a8010000 mov rsp,qword ptr gs:[1A8h]
fffff800`03ef0795 6a2b push 2Bh
fffff800`03ef0797 65ff342510000000 push qword ptr gs:[10h]
fffff800`03ef079f 4153 push r11
fffff800`03ef07a1 6a33 push 33h
fffff800`03ef07a3 51 push rcx
fffff800`03ef07a4 498bca mov rcx,r10
fffff800`03ef07a7 4883ec08 sub rsp,8
fffff800`03ef07ab 55 push rbp
fffff800`03ef07ac 4881ec58010000 sub rsp,158h
fffff800`03ef07b3 488dac2480000000 lea rbp,[rsp+80h]
fffff800`03ef07bb 48899dc0000000 mov qword ptr [rbp+0C0h],rbx
fffff800`03ef07c2 4889bdc8000000 mov qword ptr [rbp+0C8h],rdi
fffff800`03ef07c9 4889b5d0000000 mov qword ptr [rbp+0D0h],rsi
fffff800`03ef07d0 488945b0 mov qword ptr [rbp-50h],rax
fffff800`03ef07d4 48894db8 mov qword ptr [rbp-48h],rcx
fffff800`03ef07d8 488955c0 mov qword ptr [rbp-40h],rdx
fffff800`03ef07dc 65488b0c2588010000 mov rcx,qword ptr gs:[188h]
fffff800`03ef07e5 488b8910020000 mov rcx,qword ptr [rcx+210h]
fffff800`03ef07ec 488b89e8040000 mov rcx,qword ptr [rcx+4E8h]
fffff800`03ef07f3 6548890c2570230000 mov qword ptr gs:[2370h],rcx
fffff800`03ef07fc 650fb604257b230000 movzx eax,byte ptr gs:[237Bh]
fffff800`03ef0805 653804257a230000 cmp byte ptr gs:[237Ah],al
fffff800`03ef080d 7411 je nt!KiSystemCall64+0xa0 (fffff800`03ef0820) Branch
...
Last edited by 低调putchar on 2021-1-16 00:02.