Brian Dessent wrote on 12 March 2008 17:25:

> a) figure out which module of the process is the main one
> b) look up its ImageBase
> c) compute which page in that process's VM corresponds to that
> ImageBase plus some magic offset (which also implicitly means that all
> subsystems must use exactly the same image header format for the entire
> lifespan of the operating system, a pretty lousy way to design a kernel)
> d) query the memory manager if that page is currently in the working set
> e) incur a page fault if it is not
> f) wait for the disk manager to page in that sector from the pagefile,
> or from the image on the filesystem if the page has not been modified
Brian?  We're in kernel mode here, but we aren't in a device driver
interrupt or DPC in some random process context; we're running in the
process space of the calling process, and can just read or write it like
ordinary memory.

> ... And doing this for every syscall?!?

No, since the code that implements this restriction is *only* executed
when you call NtSetInformationProcess with class equal to 9
(ProcessAccessToken).

> And that doesn't even begin to address the most obvious of security
> issues of having the kernel rely on userspace structures when enforcing
> access restrictions.

MS are not known for being entirely clever about security.  Anyway, I
don't want to speculate.  I want to get my hands on a Vista machine and
go digging around with WinDbg.

    cheers,
      DaveK
-- 
Can't think of a witty .sigline today....
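The header walk Brian sketches in steps a) to c) (main module, its ImageBase, then a field at some offset inside the image header) is just the documented PE layout: DOS header, e_lfanew, "PE\0\0", COFF header, optional header. The following is an added example written for this thread, not code from either poster or from Windows; it parses those fields out of a raw byte buffer with no <windows.h>, so it builds anywhere. The sample image is constructed with only the fields the walk touches (ImageBase and Subsystem chosen as the illustrated fields, an assumption, since the thread does not say which field the kernel consults). The point for a reviewer is the one Brian raises: when a header lives in user-addressable memory it can be truncated or have e_lfanew pointing anywhere, so every offset has to be bounds-checked before it is dereferenced.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Little-endian readers/writers over a raw byte buffer. */
static uint16_t rd16(const uint8_t *p, size_t o) { return (uint16_t)(p[o] | (p[o + 1] << 8)); }
static uint32_t rd32(const uint8_t *p, size_t o) { return rd16(p, o) | ((uint32_t)rd16(p, o + 2) << 16); }
static uint64_t rd64(const uint8_t *p, size_t o) { return rd32(p, o) | ((uint64_t)rd32(p, o + 4) << 32); }
static void wr16(uint8_t *p, size_t o, uint16_t v) { p[o] = (uint8_t)v; p[o + 1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *p, size_t o, uint32_t v) { wr16(p, o, (uint16_t)v); wr16(p, o + 2, (uint16_t)(v >> 16)); }
static void wr64(uint8_t *p, size_t o, uint64_t v) { wr32(p, o, (uint32_t)v); wr32(p, o + 4, (uint32_t)(v >> 32)); }

struct pe_info {
    uint16_t magic;      /* 0x10b = PE32, 0x20b = PE32+ */
    uint64_t image_base; /* IMAGE_OPTIONAL_HEADER.ImageBase */
    uint16_t subsystem;  /* IMAGE_OPTIONAL_HEADER.Subsystem (2 = GUI, 3 = CUI) */
};

/* Walk DOS header -> e_lfanew -> "PE\0\0" -> COFF header -> optional header.
 * Every offset is checked against len before it is read, because a header in
 * user-controlled memory may be truncated or carry an arbitrary e_lfanew.
 * Returns 1 on success, 0 if the buffer is not a well-formed image header. */
int pe_parse(const uint8_t *img, size_t len, struct pe_info *out)
{
    if (len < 0x40 || img[0] != 'M' || img[1] != 'Z') return 0;
    uint32_t e_lfanew = rd32(img, 0x3C);
    /* signature (4) + COFF header (20) + Magic (2) must fit inside len */
    if (e_lfanew > len || len - e_lfanew < 4 + 20 + 2) return 0;
    if (memcmp(img + e_lfanew, "PE\0\0", 4) != 0) return 0;
    size_t coff = e_lfanew + 4;
    uint16_t opt_size = rd16(img, coff + 16); /* SizeOfOptionalHeader */
    size_t opt = coff + 20;
    if (opt_size < 68 + 2 || len - opt < opt_size) return 0; /* Subsystem must fit */
    uint16_t magic = rd16(img, opt);
    if (magic == 0x20b)      out->image_base = rd64(img, opt + 24); /* PE32+: 8-byte ImageBase */
    else if (magic == 0x10b) out->image_base = rd32(img, opt + 28); /* PE32: after BaseOfData */
    else return 0;
    out->magic = magic;
    out->subsystem = rd16(img, opt + 68); /* same offset in both variants */
    return 1;
}

/* Constructed PE32+ header carrying only the fields the walk above touches.
 * It is not a real executable; buf must be at least 0x188 bytes. */
void build_sample_image(uint8_t *buf, size_t len, uint64_t image_base, uint16_t subsystem)
{
    memset(buf, 0, len);
    buf[0] = 'M'; buf[1] = 'Z';
    wr32(buf, 0x3C, 0x80);            /* e_lfanew */
    memcpy(buf + 0x80, "PE\0\0", 4);
    wr16(buf, 0x84, 0x8664);          /* Machine: IMAGE_FILE_MACHINE_AMD64 */
    wr16(buf, 0x94, 0xF0);            /* SizeOfOptionalHeader for PE32+ */
    wr16(buf, 0x98, 0x20b);           /* Magic: PE32+ */
    wr64(buf, 0x98 + 24, image_base);
    wr16(buf, 0x98 + 68, subsystem);
}

/* Results exposed as functions so they can be checked rather than printed. */
uint64_t sample_image_base(void)
{
    uint8_t img[0x200]; struct pe_info pi;
    build_sample_image(img, sizeof img, 0x140000000ULL, 3);
    return pe_parse(img, sizeof img, &pi) ? pi.image_base : 0;
}

int sample_subsystem(void)
{
    uint8_t img[0x200]; struct pe_info pi;
    build_sample_image(img, sizeof img, 0x140000000ULL, 3);
    return pe_parse(img, sizeof img, &pi) ? (int)pi.subsystem : -1;
}

/* The same image, but only 0x90 bytes of it are mapped: the walk must refuse
 * to read past the end instead of faulting or reading garbage. */
int truncated_rejected(void)
{
    uint8_t img[0x200]; struct pe_info pi;
    build_sample_image(img, sizeof img, 0x140000000ULL, 3);
    return pe_parse(img, 0x90, &pi) == 0;
}

int main(void)
{
    printf("ImageBase=0x%llx Subsystem=%d truncated-rejected=%d\n",
           (unsigned long long)sample_image_base(), sample_subsystem(), truncated_rejected());
    return 0;
}
```

The constants (0x3C for e_lfanew, the 20-byte COFF header, Magic 0x10b/0x20b, Subsystem at offset 68 of the optional header) are the published PE format; the sample ImageBase 0x140000000 and Subsystem 3 are constructed values.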