Cheat Engine Forum Index Cheat Engine
The Official Site of Cheat Engine
 
 FAQFAQ   SearchSearch   MemberlistMemberlist   UsergroupsUsergroups   RegisterRegister 
 ProfileProfile   Log in to check your private messagesLog in to check your private messages   Log inLog in 


virtual to physical address VMware

 
Post new topic   Reply to topic    Cheat Engine Forum Index -> General programming
View previous topic :: View next topic  
Author Message
remedy1
Newbie cheater
Reputation: 0

Joined: 04 Aug 2015
Posts: 11

PostPosted: Sat Jan 13, 2018 12:42 am    Post subject: virtual to physical address VMware Reply with quote

Related to this thread: (http)://forum.cheatengine.org/viewtopic.php?t=507489

Dark Byte wrote:
I have no idea, perhaps you can find the base of the physical memory, then the base of the loaded windows kernel, from there try to find the eprocess list, and in there find the CR3 address of the specied process
Then use that and the relative addresses to map the virtual addresses to physical addresses and back to virtual again and read that


I have a game running on guest and CE running on the host.

I found the physical memory of the vmware process:
PhysMemAddres: 0x27399a50000
PhysMemSize: 0x27d000000

I have the CR3 of my game in vmware guest:
CR3Game: 0x1ab000

And a virtual address of the guest:
myAddr: 0xffff8b05ce50b320


Now I want to translate that virtual address to physical so I can read it on the host's CE.

How would I do this? If I had to translate the address on the same system I could use the virtualpagedir plugin translation function (LookupAddressPAE).
Back to top
View user's profile Send private message
Dark Byte
Site Admin
Reputation: 457

Joined: 09 May 2003
Posts: 25262
Location: The netherlands

PostPosted: Sat Jan 13, 2018 3:16 am    Post subject: Reply with quote

CR3 of 0x1ab000 means the PML4 table will be at 0x27399a50000 + 0x1ab000

Now first figure out what indexes will be used to traverse the pagemap
address=0xffff8b05ce50b320

offset=address & 0xfff=0x320
pagetableindex=(address >> 12) & 0x1ff=267
pagedirindex=(address >> 21) & 0x1ff=114
pagedirptrindex=(address >> 30) & 0x1ff=23
pml4index=(address >> 39) & 0x1ff=278

Now read the QWORD at pml4table+278*8 (pml4index) to get the physical address of the pagedirptr table (strip of the first 12 bits, so AND it with 0xfffffffffffff000 )

then convert that physical address to host virtual address (add 0x27399a50000 to it), that will be the pagedirptrtable

Then read the QWORD at pagedirptrtable+23*8 (pagedirptrindex) to get the physical address of the pagedir table (strip of the first 12 bits, so AND it with 0xfffffffffffff000 )

then convert that physical address to host virtual address (add 0x27399a50000 to it), that will be the pagedirtable

Then read the QWORD at pagedirtable+114*8 (pagedirindex) to get the physical address of the pagetable (strip of the first 12 bits, so AND it with 0xfffffffffffff000 )

then convert that physical address to host virtual address (add 0x27399a50000 to it), that will be the pagetable

then read the QWORD at pagetable+267*8 (pagetableindex) to get the physical address of the page (strip of the first 12 bits, so AND it with 0xfffffffffffff000 )

then convert that physical address to host virtual address (add 0x27399a50000 to it), that will be the page you're interested in
Now just add the offset (0x320) and you're where you want to be


Note though that this is a kernel address, and if your VM is running windows 10 with the latest patches then you may need the CR3 of the kernel itself (the latest version may be separating kernelmode pages from usermode processes. Which is one of the reasons it's slower than older windows versions due to an increase of TLB misses)

(This assumes that the page you're interested in isn't a big page (2MB) else you should check out the pagedir PS bit and AND it with 0xFFFFFFFFFFFFE000)

_________________
Do not ask me about online cheats. I don't know any and wont help finding them.

Like my help? Join me on Patreon so i can keep helping
Back to top
View user's profile Send private message MSN Messenger
remedy1
Newbie cheater
Reputation: 0

Joined: 04 Aug 2015
Posts: 11

PostPosted: Sun Jan 14, 2018 11:46 am    Post subject: Reply with quote

Dark Byte wrote:

Note though that this is a kernel address, and if your VM is running windows 10 with the latest patches then you may need the CR3 of the kernel itself (the latest version may be separating kernelmode pages from usermode processes. Which is one of the reasons it's slower than older windows versions due to an increase of TLB misses)

(This assumes that the page you're interested in isn't a big page (2MB) else you should check out the pagedir PS bit and AND it with 0xFFFFFFFFFFFFE000)


Indeed the guest system is win10 with latest updates.

However I disabled the Meltdown and Spectre fixes in registry, not sure if it makes a difference tho:
winaero.(com)/blog/disable-meltdown-fix-amd-cpus-installing-kb4056892/

You were also right about the translation of a big page.
I used WinDbg to check my debugging results with the offsets from there.

lkd> !vtop 001ab000 0xffff8b05ce50b320
Amd64VtoP: Large page mapped phys X

In the end it worked perfectly. Thanks.
I am now having a look at 1 GByte pages as this seems to be a thing also.
Back to top
View user's profile Send private message
remedy1
Newbie cheater
Reputation: 0

Joined: 04 Aug 2015
Posts: 11

PostPosted: Mon Jan 15, 2018 12:48 pm    Post subject: Reply with quote

Dark Byte wrote:
CR3 of 0x1ab000 means the PML4 table will be at 0x27399a50000 + 0x1ab000


Sadly I have a new problem now. Before I was reading kernel addresses.

For this game I have CR3 of: 0x290900000

PhysMemAddres: 0x215704f0000
PhysMemSize: 0x27d000000
virtualAddress I want to translate: 0x7ff6c4171790

So my PML4 table would be at: 0x215704f0000 + 0x290900000 = 0x21800DF0000.

However that address is outside of my physical memory range (0x217ED4F0000) and my read procedure fails so I cannot read the pageentrysize.

Read(pml4table + pml4index*8, (void*)&pagedirptrtable, 8 );

How would I translate addresses for this CR3?
Back to top
View user's profile Send private message
Dark Byte
Site Admin
Reputation: 457

Joined: 09 May 2003
Posts: 25262
Location: The netherlands

PostPosted: Mon Jan 15, 2018 1:01 pm    Post subject: Reply with quote

No idea, all I can say is that the CR3 you have is invalid for your guest
_________________
Do not ask me about online cheats. I don't know any and wont help finding them.

Like my help? Join me on Patreon so i can keep helping
Back to top
View user's profile Send private message MSN Messenger
remedy1
Newbie cheater
Reputation: 0

Joined: 04 Aug 2015
Posts: 11

PostPosted: Mon Jan 15, 2018 1:07 pm    Post subject: Reply with quote

Dark Byte wrote:
No idea, all I can say is that the CR3 you have is invalid for your guest


I checked it on the guest with WinDbg and the CR3 seems to be correct:
Code:
lkd> !process 17b8 0
Searching for Process with Cid == 17b8
PROCESS ffff82843c7d23c0
    SessionId: 1  Cid: 17b8    Peb: 00b34000  ParentCid: 13ac
    DirBase: 290900000  ObjectTable: ffffe78a65a06e40  HandleCount: 725.



That should be correct or does the value differ on the host side?


Translation on guest side:
Code:

lkd> !vtop 290900000 0x7ff6c4171790
Amd64VtoP: Virt 00007ff6c4171790, pagedir 0000000290900000
Amd64VtoP: PML4E 00000002909007f8
Amd64VtoP: PDPE 0000000030dfaed8
Amd64VtoP: PDE 0000000225dfb100
Amd64VtoP: PTE 00000002263e1b88
Amd64VtoP: Mapped phys 0000000218bb5790
Virtual address 7ff6c4171790 translates to physical address 218bb5790.
Back to top
View user's profile Send private message
Dark Byte
Site Admin
Reputation: 457

Joined: 09 May 2003
Posts: 25262
Location: The netherlands

PostPosted: Mon Jan 15, 2018 1:45 pm    Post subject: Reply with quote

then the memory size of your VM is misreported, or there is a gap of memory. Are you sure your guest machine is configured to have 10.5GB ram ?

I know back in 32-bit vmware used to split up the .vmem mapped regions into 2GB blocks, not sure if something similar happens here

_________________
Do not ask me about online cheats. I don't know any and wont help finding them.

Like my help? Join me on Patreon so i can keep helping
Back to top
View user's profile Send private message MSN Messenger
remedy1
Newbie cheater
Reputation: 0

Joined: 04 Aug 2015
Posts: 11

PostPosted: Mon Jan 15, 2018 2:24 pm    Post subject: Reply with quote

Dark Byte wrote:
then the memory size of your VM is misreported, or there is a gap of memory. Are you sure your guest machine is configured to have 10.5GB ram ?

I know back in 32-bit vmware used to split up the .vmem mapped regions into 2GB blocks, not sure if something similar happens here


Yea, the VM has 10GiB of ram. I confirmed with ce show memory regions and filesize of .vmem file.

I will investigate this some more. Thanks again for your help.
Back to top
View user's profile Send private message
OldCheatEngineUser
Whateven rank
Reputation: 20

Joined: 01 Feb 2016
Posts: 1586

PostPosted: Mon Jan 15, 2018 2:54 pm    Post subject: Reply with quote

im not sure about vmware specific, but in general here is an example of 16-bit memory
_________________
About Me;
I Use CE Since Version 1.X, And Still Learning How To Use It Well!
Jul 26, 2020
STN wrote:
i am a sweetheart.
Back to top
View user's profile Send private message Visit poster's website
Display posts from previous:   
Post new topic   Reply to topic    Cheat Engine Forum Index -> General programming All times are GMT - 6 Hours
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You can download files in this forum


Powered by phpBB © 2001, 2005 phpBB Group

CE Wiki   IRC (#CEF)   Twitter
Third party websites