Prev: Serial communication and IO Completion Ports
Next: App startup time is slow using CreateProcess
From: Don Burn on 30 Dec 2009 15:40

Microsoft claims you can, but I don't know if MEM_WRITE_WATCH works, they only claim the PAGE_XXX constants in the docs. These do not work for data mapped from a driver into a user process.

--
Don Burn (MVP, Windows DKD)
Windows Filesystem and Driver Consulting
Website: http://www.windrvr.com
Blog: http://msmvps.com/blogs/WinDrvr
Remove StopSpam to reply

"Alexander Grigoriev" <alegr(a)earthlink.net> wrote in message
news:OpBCiyYiKHA.4048(a)TK2MSFTNGP06.phx.gbl...
> Does VirtualProtect work on file-mapped pages?
>
> "Don Burn" <burn(a)stopspam.windrvr.com> wrote in message
> news:u0p%23qsYiKHA.4672(a)TK2MSFTNGP06.phx.gbl...
>> Hugo,
>>
>> I have sat down with their gurus and pointed out the value of this for many things, the general feeling is that it is not worth it. At the time I was suggesting a kernel only model (you can always build a user space model on top of that).
>>
>> The only good news is that hyper-v folks seem to be leaning this way, at least according to some of their papers. Whether it is enough for one's interest is hard to say.
>>
>> "Hugo gleaves(a)hotmail.com>" <hugh<underbar> wrote in message
>> news:DC0B6E0A-8274-499E-BF6F-17AAB28B08F9(a)microsoft.com...
>>> Hi Don
>>>
>>> But surely it is possible (if the address space is allocated using VirtualAlloc) because that particular call will accept the MEM_WRITE_WATCH flag? I guess you are seeking something more general though as you said.
>>>
>>> Don, as a very experienced and highly regarded authority in this area, is there no hope of influencing MS in some way?
>>>
>>> If you were to sit down with a couple of their gurus, how would you suggest that this page fault/access/write trapping capability, be implemented without causing undue hassle, what (in other words) would you like this capability to "look like"?
>>>
>>> Kernel mode only or generally available to user mode coders (like little old me)?
>>>
>>> Thanks
>>> Hugh
>>>
>>> "Don Burn" wrote:
>>>
>>>> It is not possible. I've been looking at how to track memory writes in Windows for the last 15 years, bottom line is that is not supported for any general case.
>>>>
>>>> "Hugo gleaves(a)hotmail.com>" <hugh<underbar> wrote in message
>>>> news:BD424BE9-457B-460B-9301-0E6E1016ECB2(a)microsoft.com...
>>>> > I've been exploring ways to enable write watch on a file mapping, so far with no success.
>>>> >
>>>> > Now this is looking like it is probably not possible, I tried
>>>> >
>>>> > a) Calling VirtualAlloc before doing the mapping call, but this approach fails.
>>>> > b) Passing MEM_WRITE_WATCH into MapViewOfFile, again no success.
>>>> > c) Calling NtMapViewOfSection (its second to last arg set to MEM_WRITE_WATCH).
>>>> >
>>>> > and that too fails (status = invalid parameter '9' (0xC00000F7)).
>>>> >
>>>> > This could be a very useful feature if it were possible, but it looks like it may not be, does anyone have a view or a way to do this?
>>>> >
>>>> > Thanks
>>>> > Hugo

From: Alexander Grigoriev on 30 Dec 2009 16:40

Write watch can be simulated by mapping the pages R/O, and catching the write exception, then changing the protection to R/W.

"Don Burn" <burn(a)stopspam.windrvr.com> wrote in message
news:ujvPcBZiKHA.5524(a)TK2MSFTNGP06.phx.gbl...
> Microsoft claims you can, but I don't know if MEM_WRITE_WATCH works, they only claim the PAGE_XXX constants in the docs. These do not work for data mapped from a driver into a user process.
>
> "Alexander Grigoriev" <alegr(a)earthlink.net> wrote in message
> news:OpBCiyYiKHA.4048(a)TK2MSFTNGP06.phx.gbl...
>> Does VirtualProtect work on file-mapped pages?

From: Hugo gleaves on 31 Dec 2009 10:11

Yes this does work for mapped pages whether backed by a file or paging area.

Yes one can make the pages read-only and then trap the exception, verify its cause etc. and enable read-write access, I have done this successfully too. One could use that as a basis for write-watch but with the real write watch there is no need for an exception handler.

Also with write-watch the OS tracks the pages that have been written to on its own, and this is the metadata that is queried with GetWriteWatch (or whatever it's called). I guess this must be tracked per-process and could thus be stored in the process/user heap until queried by some API.

H

"Alexander Grigoriev" wrote:
> Write watch can be simulated by mapping the pages R/O, and catching the write exception, then changing the protection to R/W.
>
> "Don Burn" <burn(a)stopspam.windrvr.com> wrote in message
> news:ujvPcBZiKHA.5524(a)TK2MSFTNGP06.phx.gbl...
> > Microsoft claims you can, but I don't know if MEM_WRITE_WATCH works, they only claim the PAGE_XXX constants in the docs. These do not work for data mapped from a driver into a user process.
> >
> > "Alexander Grigoriev" <alegr(a)earthlink.net> wrote in message
> > news:OpBCiyYiKHA.4048(a)TK2MSFTNGP06.phx.gbl...
> >> Does VirtualProtect work on file-mapped pages?
