Page Table Entries

When operating in protected mode, x86 processors support virtualizing the address space through the use of a feature known as paging. The paging feature makes it possible to virtualize the address space by adding a translation layer between linear addresses and physical addresses⁴. To translate addresses, the processor uses portions of the address being referenced to index directories and tables that convey flags and physical address information that describe how the translation should be performed. The majority of the details on how this translation is performed are outside of the scope of this document. If necessary, the reader should consult section 3.7 of the Intel System Programming Manual[23]. Many other papers in the references also discuss this topic[41].

The paging system is particularly interesting due to its potential for abuse in the context of a backdoor. When the processor attempts to translate a linear address, it walks a number of page tables to determine the associated physical address. When this occurs, the processor makes a check to ensure that the task referencing the address has sufficient rights to do so. This access check is enforced by checking the User/Supervisor bit of the Page-Directory Entry (PDE) and Page-Table Entry (PTE) associated with the page. If this bit is clear, only the supervisor (privilege level 0) is allowed to access the page. If the bit is set, both supervisor and user are allowed to access the page⁵.

The implications surrounding this flag should be obvious. By toggling the flag in the PDE and PTE associated with an address, a backdoor can gain access to read or write kernel-mode memory. This would indirectly make it possible to gain code execution by making use of one of the other techniques listed in this document.

Category: Type II

Origin: The modification of PDE and PTE entries has been supported since the hardware paging's inception. The authors were not able to find an exact source of the first use of this technique in a backdoor. There have been a number of examples in recent years of tools that abuse the supervisor bit in one way or another[29,41]. PaX team provided the first documentation of their PAGEEXEC code in March, 2003. In January, 1998, Mythrandir mentions the supervisor bit in phrack 52 but doesn't explicitly call out how it could be abused[28].

Capabilities: Access to kernel-mode data.

Considerations: Code that attempts to implement this approach would need to properly support PAE and non-PAE processors on x86 in order to work reliably. This approach is also extremely dangerous and potentially unreliable depending on how it interacts with the memory manager. For example, if pages are not properly locked into physical memory, they may be pruned and thus any PDE or PTE modifications would be lost. This would result in the user-mode process losing access to a specific page.

Covertness: This approach could be considered fairly covert without the presence of some tool capable of intercepting PDE or PTE modifications. Locking pages into physical memory may make it easier to detect in a polling fashion by walking the set of locked pages and checking to see if their associated PDE or PTE has been made accessible to user-mode.