A small library to modify all page-table levels of all processes from user space for x86_64 (Linux and Windows 10) and ARMv8 (Linux). It also allows to read and program memory types (i.e., PATs on x86 and MAIRs on ARM).
The library relies on the pteditor
kernel module (Linux) or kernel driver (Windows). The kernel part is provided as source code for compilation (Linux and Windows), PPA (Linux), and as pre-built binary (Windows).
The library can be used by linking it to the application (see example.c
) or as a single header (ptedit_header.h
) which can be directly included (see the demos).
First, add the public key of the PPA and the PPA URL to the package manager, and update the package manager
curl -s "https://misc0110.github.io/ppa/KEY.gpg" | sudo tee /etc/apt/trusted.gpg.d/pteditor.asc
sudo curl -s -o /etc/apt/sources.list.d/misc0110.list "https://misc0110.github.io/ppa/file.list"
sudo apt update
Then, simply install the kernel module
sudo apt install pteditor-dkms
The repository also contains a pre-built driver for Windows 10 in the driver
folder.
To load the driver, you have to first disable secure boot and driver signature enforcement.
Hold the shift key while clicking on "Restart" in the start menu. This brings up a restart menu, where you can disable driver signature enforcement in "Troubleshoot > Advanced Options > Startup Settings". Press "Restart", and the in the startup settings press "7" or "F7" to disable driver signature enforcement. After the PC is started, the driver can be loaded. Keep in mind that the driver signature enforcement is enabled when the PC is rebooted.
To permanently disable driver signature enforcement, enable Windows test mode by entering
bcdedit /set testsigning on
in an administrator command prompt. To disable test mode, run
bcdedit /set testsigning off
To load and active the driver, the repository contains a loader in driver/PTEditorLoader
. Simply run
PTEditorLoader.exe
as an administrator. To unload the driver, run
PTEditorLoader.exe --unload
Alternatively, you can also use any other driver-loading tool, e.g., OSRLoader or NoVirusThanks Kernel-Mode Driver Loader.
Building the kernel module requires the kernel headers of the kernel. On Ubuntu, they can be installed by running
sudo apt install linux-headers-$(uname -r)
Both the library and the the kernel module can be build by running
make
The resulting kernel module can be loaded using
sudo insmod module/pteditor.ko
The kernel driver for Windows requires Visual Studio with Visual C++, the Windows SDK, and the Windows Driver Kit (WDK) to build. Using the Visual Studio project, the driver can then simply be built from Visual Studio.
The library requires a recent Linux kernel (continuously tested on the current kernel for 20.04 (kernel 5.8), and 22.04 (kernel 5.15 and 6.2)) or Windows 10. It supports both x86_64 and ARMv8.
The library does not rely on any other library. It uses only standard C functionality. On Linux, the library does not require root privileges, whereas on Windows it requires administrator privileges.
To test whether the kernel part and the library works, the repository contains unit tests.
The tests are found in the folder test
and can be compiled with make
(Linux) or Visual Studio (Windows).
The basic functionality (ptedit_init
and ptedit_cleanup
) is always required.
After the initialization, all functions provided by the library can be used.
For examples see example.c
or the examples in the demo
folder.
The demo
folder contains multiple examples:
memmap
: Starting from the root of paging, the demo iterates through all page tables of all levels and dumps the contents of the entries.map_pt
: A Rowhamer exploit simulation, which maps the page table to a user-accessible address for manipulation.uncachable
: This demos manipulates the memory type of a mapping to uncachable and back to cachable.nx
: After setting a function to non-executable, it uses the page tables to make the function executable again.virt2phys
: Converts a virtual to a physical address.performance
: Measures how many addresses can be resolved per second.
Basic Functionality | Descriptions |
---|---|
int ptedit_init () |
Initializes (and acquires) PTEditor kernel module |
void ptedit_cleanup () |
Releases PTEditor kernel module |
void ptedit_use_implementation (int implementation) |
Select the PTEditor implementation to use |
Page tables | Descriptions |
---|---|
ptedit_entry_t ptedit_resolve (void * address,pid_t pid) |
Resolves the page-table entries of all levels for a virtual address of a given process. |
void ptedit_update (void * address,pid_t pid,ptedit_entry_t * vm) |
Updates one or more page-table entries for a virtual address of a given process. The TLB for the given address is flushed after updating the entries. |
void ptedit_pte_set_bit (void * address,pid_t pid,int bit) |
Sets a bit directly in the PTE of an address. |
void ptedit_pte_clear_bit (void * address,pid_t pid,int bit) |
Clears a bit directly in the PTE of an address. |
unsigned char ptedit_pte_get_bit (void * address,pid_t pid,int bit) |
Returns the value of a bit directly from the PTE of an address. |
size_t ptedit_pte_get_pfn (void * address,pid_t pid) |
Reads the PFN directly from the PTE of an address. |
void ptedit_pte_set_pfn (void * address,pid_t pid,size_t pfn) |
Sets the PFN directly in the PTE of an address. |
TYPE ptedit_cast (size_t entry, TYPE) |
Casts a paging structure entry (e.g., page table) to a structure with easy access to its fields |
System Info | Descriptions |
---|---|
int ptedit_get_pagesize () |
Returns the default page size of the system |
Page frame numbers (PFN) | Descriptions |
---|---|
size_t ptedit_set_pfn (size_t entry,size_t pfn) |
Returns a new page-table entry where the page-frame number (PFN) is replaced by the specified one. |
size_t ptedit_get_pfn (size_t entry) |
Returns the page-frame number (PFN) of a page-table entry. |
Physical pages | Descriptions |
---|---|
void ptedit_read_physical_page (size_t pfn,char * buffer) |
Retrieves the content of a physical page. |
void ptedit_write_physical_page (size_t pfn,char * content) |
Replaces the content of a physical page. |
void * ptedit_pmap (size_t physical,size_t length) |
Map a physical address range to the virtual address space. |
Paging | Descriptions |
---|---|
size_t ptedit_get_paging_root (pid_t pid) |
Returns the root of the paging structure (i.e., CR3 on x86 and TTBR0 on ARM). |
void ptedit_set_paging_root (pid_t pid,size_t root) |
Sets the root of the paging structure (i.e., CR3 on x86 and TTBR0 on ARM). |
TLB/Barriers | Descriptions |
---|---|
void ptedit_invalidate_tlb (void * address) |
Invalidates the TLB entry of current process for a given address on all CPUs. |
void ptedit_invalidate_tlb_pid (pid_t pid, void * address) |
Invalidates the TLB for a given PID and address on all CPUs. |
void ptedit_full_serializing_barrier () |
A full serializing barrier which stops everything. |
Memory types (PATs/MAIRs) | Descriptions |
---|---|
size_t ptedit_get_mts () |
Reads the value of all memory types (x86 PATs / ARM MAIRs). This is equivalent to reading the MSR 0x277 (x86) / MAIR_EL1 (ARM). |
void ptedit_set_mts (size_t mts) |
Programs the value of all memory types (x86 PATs / ARM MAIRs). This is equivalent to writing to the MSR 0x277 (x86) / MAIR_EL1 (ARM) on all CPUs. |
char ptedit_get_mt (unsigned char mt) |
Reads the value of a specific memory type attribute (PAT/MAIR). |
void ptedit_set_mt (unsigned char mt,unsigned char value) |
Programs the value of a specific memory type attribute (PAT/MAIR). |
unsigned char ptedit_find_mt (unsigned char type) |
Generates a bitmask of all memory type attributes (PAT/MAIR) which are programmed to the given value. |
int ptedit_find_first_mt (unsigned char type) |
Returns the first memory type attribute (PAT/MAIR) which is programmed to the given memory type. |
size_t ptedit_apply_mt (size_t entry,unsigned char mt) |
Returns a new page-table entry which uses the given memory type (PAT/MAIR). |
unsigned char ptedit_extract_mt (size_t entry) |
Returns the memory type (i.e., PAT/MAIR ID) which is used by a page-table entry. |
size_t ptedit_apply_mt_huge (size_t entry,unsigned char mt) |
Returns a new entry for a huge page which uses the given memory type (PAT/MAIR). |
unsigned char ptedit_extract_mt_huge (size_t entry) |
Returns the memory type (i.e., PAT/MAIR ID) which is used by a huge-page entry. |
const char * ptedit_mt_to_string (unsigned char mt) |
Returns a human-readable representation of a memory type (PAT/MAIR value). |
Pretty print | Descriptions |
---|---|
void ptedit_print_entry (size_t entry) |
Pretty prints a page-table entry. |
void ptedit_print_entry_line (size_t entry,int line) |
Prints a single line of the pretty-print representation of a page-table entry. |
int
ptedit_init
()
Initializes (and acquires) PTEditor kernel module
Returns 0 Initialization was successful
Returns -1 Initialization failed
void
ptedit_cleanup
()
Releases PTEditor kernel module
void
ptedit_use_implementation
(int implementation)
Select the PTEditor implementation to use
Parameters
implementation
The implementation to use. Depending on the operating system and architecture, one or more of the following are supported:PTEDIT_IMPL_KERNEL
,PTEDIT_IMPL_USER
,PTEDIT_IMPL_USER_PREAD
.PTEDIT_IMPL_KERNEL
uses the kernel functionality to resolve and update page tables (default on Linux).PTEDIT_IMPL_USER
maps the physical memory to user space and only requires switches to the kernel for flushing the TLB after page-table updates.PTEDIT_IMPL_USER_PREAD
implements the page walk in user space but relies on the kernel for reading and writing physical addresses (default on Windows).
ptedit_entry_t
ptedit_resolve
(void * address,pid_t pid)
Resolves the page-table entries of all levels for a virtual address of a given process.
Parameters
-
address
The virtual address to resolve -
pid
The pid of the process (0 for own process)
Returns A structure containing the page-table entries of all levels.
void
ptedit_update
(void * address,pid_t pid,ptedit_entry_t * vm)
Updates one or more page-table entries for a virtual address of a given process. The TLB for the given address is flushed after updating the entries.
Parameters
-
address
The virtual address -
pid
The pid of the process (0 for own process) -
vm
A structure containing the values for the page-table entries and a bitmask indicating which entries to update
void
ptedit_pte_set_bit
(void * address,pid_t pid,int bit)
Sets a bit directly in the PTE of an address.
Parameters
-
address
The virtual address -
pid
The pid of the process (0 for own process) -
bit
The bit to set (one of PTEDIT_PAGE_BIT_*)
void
ptedit_pte_clear_bit
(void * address,pid_t pid,int bit)
Clears a bit directly in the PTE of an address.
Parameters
-
address
The virtual address -
pid
The pid of the process (0 for own process) -
bit
The bit to clear (one of PTEDIT_PAGE_BIT_*)
unsigned char
ptedit_pte_get_bit
(void * address,pid_t pid,int bit)
Returns the value of a bit directly from the PTE of an address.
Parameters
-
address
The virtual address -
pid
The pid of the process (0 for own process) -
bit
The bit to get (one of PTEDIT_PAGE_BIT_*)
Returns The value of the bit (0 or 1)
size_t
ptedit_pte_get_pfn
(void * address,pid_t pid)
Reads the PFN directly from the PTE of an address.
Parameters
-
address
The virtual address -
pid
The pid of the process (0 for own process)
Returns The page-frame number (PFN)
void
ptedit_pte_set_pfn
(void * address,pid_t pid,size_t pfn)
Sets the PFN directly in the PTE of an address.
Parameters
-
address
The virtual address -
pid
The pid of the process (0 for own process) -
pfn
The new page-frame number (PFN)
TYPE
ptedit_cast
(size_t entry, TYPE)
Casts a paging structure entry (e.g., page table) to a structure with easy access to its fields.
Parameters
-
entry
The entry to cast -
type
Data type of struct to cast to, one ofptedit_pgd_t
,ptedit_p4d_t
,ptedut_pud_t
,ptedit_pmd_t
,ptedit_pte_t
Returns
A struct of type type
which has bit-fields for the parts of the corresponding paging structure.
int
ptedit_get_pagesize
()
Returns the default page size of the system
Returns Page size of the system in bytes
size_t
ptedit_set_pfn
(size_t entry,size_t pfn)
Returns a new page-table entry where the page-frame number (PFN) is replaced by the specified one.
Parameters
-
entry
The page-table entry to modify -
pfn
The new page-frame number (PFN)
Returns A new page-table entry with the given page-frame number
size_t
ptedit_get_pfn
(size_t entry)
Returns the page-frame number (PFN) of a page-table entry.
Parameters
entry
The page-table entry to extract the PFN from
Returns The page-frame number
void
ptedit_read_physical_page
(size_t pfn,char * buffer)
Retrieves the content of a physical page.
Parameters
-
pfn
The page-frame number (PFN) of the page to read -
buffer
A buffer which is large enough to hold the content of the page
void
ptedit_write_physical_page
(size_t pfn,char * content)
Replaces the content of a physical page.
Parameters
-
pfn
The page-frame number (PFN) of the page to update -
content
A buffer containing the new content of the page (must be the size of a physical page)
void *
ptedit_pmap
(size_t physical,size_t length)
Map a physical address range to the virtual address space.
Parameters
-
physical
The physical address to map -
length
The length of the physical memory range to map
Returns A virtual address that can be used to access the physical address.
Note This function is not supported on Windows.
size_t
ptedit_get_paging_root
(pid_t pid)
Returns the root of the paging structure (i.e., CR3 on x86 and TTBR0 on ARM).
Parameters
pid
The proccess id (0 for own process)
Returns The phyiscal address (not PFN!) of the first page table (i.e., the PGD)
void
ptedit_set_paging_root
(pid_t pid,size_t root)
Sets the root of the paging structure (i.e., CR3 on x86 and TTBR0 on ARM).
Parameters
-
pid
The proccess id (0 for own process) -
root
The physical address (not PFN!) of the first page table (i.e., the PGD)
void
ptedit_invalidate_tlb
(void * address)
Invalidates the TLB for a given address on all CPUs.
Parameters
address
The address to invalidate
A full serializing barrier which stops everything.
size_t
ptedit_get_mts
()
Reads the value of all memory types (x86 PATs / ARM MAIRs). This is equivalent to reading the MSR 0x277 (x86) / MAIR_EL1 (ARM).
Returns The memory types in the same format as in the IA32_PAT MSR / MAIR_EL1
void
ptedit_set_mts
(size_t mts)
Programs the value of all memory types (x86 PATs / ARM MAIRs). This is equivalent to writing to the MSR 0x277 (x86) / MAIR_EL1 (ARM) on all CPUs.
Parameters
mts
The memory types in the same format as in the IA32_PAT MSR / MAIR_EL1
char
ptedit_get_mt
(unsigned char mt)
Reads the value of a specific memory type attribute (PAT/MAIR).
Parameters
mt
The PAT/MAIR ID (from 0 to 7)
Returns The PAT/MAIR value (can be one of PTEDIT_MT_*)
void
ptedit_set_mt
(unsigned char mt,unsigned char value)
Programs the value of a specific memory type attribute (PAT/MAIR).
Parameters
-
mt
The PAT/MAIR ID (from 0 to 7) -
value
The PAT/MAIR value (can be one of PTEDIT_MT_*)
unsigned char
ptedit_find_mt
(unsigned char type)
Generates a bitmask of all memory type attributes (PAT/MAIR) which are programmed to the given value.
Parameters
type
A memory type, i.e., PAT/MAIR value (one of PTEDIT_MT_*)
Returns A bitmask where a set bit indicates that the corresponding PAT/MAIR has the given type
int
ptedit_find_first_mt
(unsigned char type)
Returns the first memory type attribute (PAT/MAIR) which is programmed to the given memory type.
Parameters
type
A memory type, i.e., PAT/MAIR value (one of PTEDIT_MT_*)
Returns A PAT/MAIR ID, or -1 if no PAT/MAIR of this type was found
size_t
ptedit_apply_mt
(size_t entry,unsigned char mt)
Returns a new page-table entry which uses the given memory type (PAT/MAIR).
Parameters
-
entry
A page-table entry -
mt
A PAT/MAIR ID (between 0 and 7)
Returns A new page-table entry with the given memory type (PAT/MAIR)
unsigned char
ptedit_extract_mt
(size_t entry)
Returns the memory type (i.e., PAT/MAIR ID) which is used by a page-table entry.
Parameters
entry
A page-table entry
Returns A PAT/MAIR ID (between 0 and 7)
size_t
ptedit_apply_mt_huge
(size_t entry,unsigned char mt)
Returns a new entry for a huge page which uses the given memory type (PAT/MAIR).
Parameters
-
entry
A page-table entry -
mt
A PAT/MAIR ID (between 0 and 7)
Returns A new page-table entry with the given memory type (PAT/MAIR)
unsigned char
ptedit_extract_mt
(size_t entry)
Returns the memory type (i.e., PAT/MAIR ID) which is used by a huge-page entry.
Parameters
entry
A page-table entry
Returns A PAT/MAIR ID (between 0 and 7)
const char *
ptedit_mt_to_string
(unsigned char mt)
Returns a human-readable representation of a memory type (PAT/MAIR value).
Parameters
mt
A memory type (PAT/MAIR value, e.g., one of PTEDIT_MT_*)
Returns A human-readable representation of the memory type
void
ptedit_print_entry
(size_t entry)
Pretty prints a page-table entry.
Parameters
entry
A page-table entry
void
ptedit_print_entry_line
(size_t entry,int line)
Prints a single line of the pretty-print representation of a page-table entry.
Parameters
-
entry
A page-table entry -
line
The line to print (0 to 3)
- Efficient and Generic Microarchitectural Hash-Function Recovery by Gerlach, Schwarz, Faroß, Schwarz (IEEE S&P 2024)
- Downfall: Exploiting Speculative Data Gathering by Moghimi (USENIX Security 2023)
- Collide+Power: Leaking Inaccessible Data with Software-based Power Side Channels by Kogler, Juffinger, Giner, Gerlach, Schwarzl, Schwarz, Gruss, Mangard (USENIX Security 2023)
- (M)WAIT for It: Bridging the Gap between Microarchitectural and Architectural Side Channels by Zhang, Kim, Weber, Schwarz (USENIX Security 2023)
- Indirect Meltdown: Building Novel Side-Channel Attacks from Transient Execution Attacks by Weber, Thomas, Gerlach, Zhang, Schwarz (ESORICS 2023)
- Layered Binary Templating by Schwarzl, Kraft, Gruss (ACNS 2023)
- ÆPIC Leak: Architecturally Leaking Uninitialized Data from the Microarchitecture by Borrello, Kogler, Schwarzl, Lipp, Gruss, Schwarz (USENIX Security 2022)
- Finding and Exploiting CPU Features using MSR Templating by Kogler, Weber, Haubenwallner, Lipp, Gruss, Schwarz (IEEE S&P 2022)
- Half-Double: Hammering From the Next Row Over by Kogler, Juffinger, Qazi, Kim, Lipp, Boichat, Shiu, Nissler, Gruss (USENIX Security 2022)
- AMD Prefetch Attacks through Power and Time by Lipp, Gruss, Schwarz (USENIX Security 2022)
- Repurposing Segmentation as a Practical LVI-NULL Mitigation in SGX by Giner, Kogler, Canella, Schwarz, Gruss (USENIX Security 2022)
- Rapid Prototyping for Microarchitectural Attacks by Easdon, Schwarz, Schwarzl, Gruss (USENIX Security 2022)
- SGXDump: A Repeatable Code-Reuse Attack for Extracting SGX Enclave Memory by Yoon, Lee (Applied Sciences, 2022)
- SAM: A Mechanism to Facilitate Smear-Aware Forensic Analysis of Volatile System Memory by Parida, Nath, Das (Journal of Applied Security Research, 2022)
- Protected Functions: User Space Privileged Function Calls by Moti, Salkhordeh, Brinkmann (ARCS 2022)
- Systematic Analysis of Programming Languages and Their Execution Environments for Spectre Attacks by Naseredini, Gast, Schwarzl, Bernardo, Amel Smajic, Canella, Berger, Gruss (ICISSP 2021)
- Domain Page-Table Isolation by Canella, Kogler, Giner, Gruss, Schwarz (arXiv 2021)
- PLATYPUS: Software-based Power Side-Channel Attacks on x86 by Lipp, Kogler, Oswald, Schwarz, Easdon, Canella, Gruss (IEEE S&P 2021)
- Speculative Dereferencing of Registers: Reviving Foreshadow by Schwarzl, Schuster, Schwarz, Gruss (FC 2021)
- Understanding TEE Containers, Easy to Use? Hard to Trust by Liu, Chen, Wang, Li, Zhang, Wang, Tang (arXiv 2021)
- Simurgh: A Fully Decentralized and Secure NVMM User Space File System by Moti, Schimmelpfennig, Salkhordeh, Klopp, Cortes, Rückert, Brinkmann (ACM SC 2021)
- Improving Address Translation Performance in Virtualized Multi-Tenant Systems by Margaritov (PhD Thesis 2021)
- How Trusted Execution Environments Fuel Research on Microarchitectural Attacks by Schwarz and Gruss (IEEE Security & Privacy 2020)
- LVI: Hijacking Transient Execution through Microarchitectural Load Value Injection by Van Bulck, Moghimi, Schwarz, Lipp, Minkin, Genkin, Yarom, Sunar, Gruss, Piessens (IEEE S&P 2020)
- Data Sampling on MDS-resistant 10th Generation Intel Core (Ice Lake) by Moghimi (arXiv 2020)
- Medusa: Microarchitectural Data Leakage via Automated Attack Synthesis by Moghimi, Lipp, Sunar, Schwarz (USENIX Security 2020)
- KASLR: Break It, Fix It, Repeat by Canella, Schwarz, Haubenwallner, Schwarzl, Gruss (AsiaCCS 2020)
- JackHammer: Efficient Rowhammer on Heterogeneous FPGA-CPU Platforms by Weissman, Tiemann, Moghimi, Custodio, Eisenbarth, Sunar (TCHES 2020)
- ConTExT: A Generic Approach for Mitigating Spectre by Schwarz, Lipp, Canella, Schilling, Kargl, Gruss (NDSS 2020)
- ZombieLoad: Cross-Privilege-Boundary Data Sampling by Schwarz, Lipp, Moghimi, Van Bulck, Stecklina, Prescher, Gruss (CCS 2019)
- Fallout: Leaking Data on Meltdown-resistant CPUs by Canella, Genkin, Giner, Gruss, Lipp, Minkin, Moghimi, Piessens, Schwarz, Sunar, Van Bulck, Yarom (CCS 2019)
- A Systematic Evaluation of Transient Execution Attacks and Defenses by Canella, Van Bulck, Schwarz, Lipp, von Berg, Ortner, Piessens, Evtyushkin, Gruss (USENIX Security 2019)