Implementation

An implementation of this approach is included with the source code released along with this paper. This implementation has two main components: a kernel-mode driver and a user-mode DLL. The kernel-mode driver provides a device object interface that allows a user-mode process to create a mirrored mapping of a set of physical pages and to toggle the Owner bit of PTEs associated with address regions. The user-mode DLL is responsible for implementing a vectored exception handler that takes care of processing access violation exceptions by mirroring the address references to the appropriate mirrored region. The user-mode DLL also exposes an API that allows applications to create a memory mirror. This abstracts the entire process and makes it simple to begin tracking a specific memory region. The API also allows applications to register callbacks that are notified when an address reference occurs. This allows further analysis of the memory access behavior of the application.