About MemoryMapperReadMemorySafe instead of RtlCopyMemory #157
Hi, I'm trying to add the #VE feature for Hypervisor From Scratch, and I'm learning the source code of HyperDbg too. I need to put a custom handler in IDT entry 20, so I have to make a shadow IDTR and catch the exit reason EXIT_REASON_ACCESS_GDTR_OR_IDTR; then I can copy the original IDTR to the target address when the sidt instruction is executed. At this point, I need a function to copy memory from the original IDTR to the target address, and I guess this address may not be in user mode. I have learnt ksm too, and I found that ksm and HyperDbg use a custom memory access function instead of the RtlCopyMemory API. So I want to figure out why, and I notice the comment in HyperDbg says "RtlCopyMemory can't be used in user mode addresses", and the MemoryMapperReadMemorySafe function uses a mapping page address to calculate a new address from PaAddressToRead. Is it to prevent the paging mechanism? Thanks!
Replies: 1 comment 1 reply
Hello,
Thanks a lot for asking.
Nope, I assume by "paging" you mean that the page came from the disk to the RAM (page-fault handlers also handle other things like invalid access to the memory, like executing a memory that is not supposed to be executed).
We use MemoryMapperReadMemorySafe (and its write variant) for two reasons. First, to bypass all of the page-attribute restrictions. For example, a page might not be accessible due to its writing restriction. So, we map its physical address to a kernel address and access the page safely with our new address's page attributes. The second reason is that you cannot access a memory address that resides in use…
Also, HyperDbg always operates on the system process (pid=4) memory layout. In these cases, we access the target process's memory layout (cr3=GUEST_CR3) through these functions. Let me know if any part is still unclear to you. Thanks.
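A constructed user-mode toy model of the two reasons given in the reply, added here as an example (it is not HyperDbg's code; its page tables, cr3 indices, page size and helper names are invented for illustration): a direct RtlCopyMemory-style write through the current page tables fails on a read-only page and on another process's user address, while the mapper-style write translates the address under the target cr3 and copies through a reserved kernel PTE that carries the mapper's own attributes.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
/* Constructed toy model, not HyperDbg's code: 64-byte pages, one flat page table
 * per "cr3", and one reserved kernel PTE the mapper re-points at any physical page. */
#define PAGE_SIZE   64u
#define NUM_PAGES   16u
#define PTE_PRESENT 1u
#define PTE_WRITE   2u
#define SYSTEM_CR3  0u               /* pid 4 layout the hypervisor runs on */
#define GUEST_CR3   1u               /* target process layout */
#define SCRATCH_VPN (NUM_PAGES - 1)  /* reserved kernel page used for mapping */
typedef struct { uint32_t pfn; uint32_t flags; } pte_t;
static uint8_t phys_mem[NUM_PAGES][PAGE_SIZE];
static pte_t page_tables[2][NUM_PAGES];
/* Walk the page table of address space cr3; NULL if absent or out of range. */
static pte_t *walk(uint32_t cr3, uint32_t va) {
    if (cr3 > 1 || va / PAGE_SIZE >= NUM_PAGES) return NULL;
    pte_t *p = &page_tables[cr3][va / PAGE_SIZE];
    return (p->flags & PTE_PRESENT) ? p : NULL;
}
/* Plain RtlCopyMemory-style write: goes through the *current* (system) page
 * tables and is bound by that mapping's attributes; returns -1 on failure. */
static int write_direct(uint32_t va, const void *src, size_t n) {
    pte_t *p = walk(SYSTEM_CR3, va);
    if (!p || !(p->flags & PTE_WRITE) || va % PAGE_SIZE + n > PAGE_SIZE) return -1;
    memcpy(&phys_mem[p->pfn][va % PAGE_SIZE], src, n);
    return 0;
}
/* "Safe" write: translate under the target cr3 (so another process's user
 * address resolves), point the reserved kernel PTE at that PFN with our own
 * writable attributes, copy through the scratch mapping, then unmap it. */
static int write_safe(uint32_t target_cr3, uint32_t va, const void *src, size_t n) {
    pte_t *p = walk(target_cr3, va);
    if (!p || va % PAGE_SIZE + n > PAGE_SIZE) return -1;
    pte_t *scratch = &page_tables[SYSTEM_CR3][SCRATCH_VPN];
    *scratch = (pte_t){ p->pfn, PTE_PRESENT | PTE_WRITE };   /* our attributes */
    memcpy(&phys_mem[scratch->pfn][va % PAGE_SIZE], src, n); /* via scratch VA */
    scratch->flags = 0;                                      /* tear down */
    return 0;
}
/* Constructed scenario: VA 0x40 is read-only in the system layout; VA 0x80 is a
 * writable user page that exists only in the target process layout. */
static void setup_demo(void) {
    memset(page_tables, 0, sizeof page_tables);
    page_tables[SYSTEM_CR3][1] = (pte_t){ 3, PTE_PRESENT };
    page_tables[GUEST_CR3][2]  = (pte_t){ 5, PTE_PRESENT | PTE_WRITE };
}
static uint8_t phys_byte(uint32_t pfn, uint32_t off) { return phys_mem[pfn][off]; }
```

The cross-page check in both writers mirrors the reason a real mapper works one page at a time: each physical page needs its own scratch mapping.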