Page Access Interception

The hardware paging features of the x86 and x64 architectures represent a potentially useful means of obtaining information about the memory access behavior of an application. This is especially true due to the well-defined actions that the processor takes when a reference is made to a linear address whose physical page is either not present or has had its access restricted. In these cases, the processor will assert the page fault interrupt (0x0E) and thereby force the operating system to attempt to gracefully handle the virtual memory reference. In Windows, the page fault interrupt is handled by nt!KiTrap0E. In most cases, nt!KiTrap0E will issue a call into nt!MmAccessFault which is responsible for making a determination about the nature of the memory reference that occurred. If the memory reference fault was a result of an access restriction, nt!MmAccessFault will return an access violation error code (0xC0000005). When an access violation occurs, an exception record is generated by the kernel and is then passed to either the user-mode exception dispatcher or the kernel-mode exception dispatcher depending on which mode the memory access occurred in. The job of the exception dispatcher is to give a thread an opportunity to gracefully recover from the exception. This is accomplished by providing each of the registered or vectored exception handlers with the exception information that was collected when the page fault occurred. If an exception handler is able to recover, execution of the thread can simply restart where it left off. Using the principles outlined above, it is possible to design a system that is capable of both trapping and handling memory references to specific pages in memory during the course of normal process execution.

• Design
• Implementation
• Considerations