Hello, please ask a question about how to use EPT technology to hide the memory fragments of the specified process？

Hello,
EPT can change an address, remap to a different page, deny RWX access to a page, whatever! What do you exactly mean?

RING3 a process, modify the memory of B process, can deceive the check of B process

Yes, it's possible, you can change the physical memory of a special page in any process.

However, if you want to change it just for a particular process, you can use the "cr3 exiting bit" of VMCS controls. This way, you'll get a chance to detect any cr3 change, and a cr3 change means that a process is changed (switched) due to the context switches.

thank you

yw

Is the meaning of operating system table the same as that of database table

what do mean by "operating system table" ?

Because I am not very good at English and the translation of some relevant materials in China is inaccurate, I want to confirm with you

For example, page table

That's okay,
so you mean "page table" is same as what? what is database table?

For another example, excel table

For example, is the concept of Excel table and page table the same

Honestly, I don't have any idea of what you mean about "Excel Table", it's probably something else that is translated like this. Do you know the exact word (in English) that refers to Excel table?

It is a data sheet used to record data. Haven't you used Excel software?

Oh yeah 😅
I thought you talk about some processor specific table.

hha

no, they're not the same.
OS page-tables are some structures that are stored in the memory as a special format (mostly designed by Intel).

These tables doesn't have header columns.

I mean, abstract understanding

yeah

Yes, these tables don't have header columns

Not really.
You can think about it like multiple memory addresses that are previously allocated and referenced to each other.

Have you ever read "Hypervisor From Scratch 4 and 7"?

In those parts, I explained about EPT which is similar to OS level page tables.

I think hypervisor from scratch 4 and 7 can be described in popular words, and some authors are trying to do so,

I need to read more of these articles

Yep 👌

Therefore, some strange words translate into other meanings

So, it's like you don't understand what "excel table" is

Well, I think previously someone translated these articles into Chinese . Did you read the translations?

Yes, some are wrong and few are right

☹️☹️

Just like you misunderstood "excel table"

😂

Yeah 😅

There are also page table entries. Does entry mean the same as "entry" in DriverEntry

DriverEntry is the driver function entry

Somehow, you can think about it like an array of structure.

EPT_ENTRY* MyStruct = malloc(sizeof(EPT_ENTRY) * 512);

What I want to say is entry. What does it mean? I can regard it as an array, but it has the meaning of items and entries in English translation

yeah，MyStruct is array

yep

If it is regarded as an array, is the child element of entries entry? Is the item of the array, so entry = item?

Item refer to the child elements of an array

No, if I understand you correctly, each of the tables are separate. Most of the times operating systems allocate them continuously.
each Page Table entry is like = MyStruct[1] or MyStruct[2] ... MyStruct[x]

In China, we understand mystruct [1] or mystruct [1]... As an element, also known as "item"

It's the same here.

Entry is just a name？In terms of array, I prefer to call it item, which is easier to understand

Perhaps you mean that items are not contiguous, and arrays can allocate space continuously?

"Entry" is the term that Intel is used in its SDM manual. It's the same as item or element.

yeah

In this way, it will be more influenced by the thoughts of Oriental people

Although this is the case, at present, very little information will specify what it means

yep

thank you，谢谢

you're welcome.

It is suggested that some professional terms in hypervisor from scratch can be abbreviated, for example, guest physical address = GPA, hypervisor = HV,

Yeah

👍

Just now, I thought of a question. Can you perform EPT hook if the CPU does not support secondary address translation

no, it's not possible without EPT

Is the secondary conversion address extend page table？

🤨

Didn't get it.

I tested it in cpui3 3200. EPT hook successfully hid the process, but I saw that the second level address translation (slat) was not supported using the tool

However, some hosts support slat, and VMware does not support slat

cpui3 3220.

VMware supports SLAT. Actually, nested EPT virtualization is SLAT.

I try to read related articles, thank you

good night💤

👍

This content should be pdpt?

yep

This is the wrong place of the original text. I think the translated articles should be translated by Google, so there are many wrong places. These novices will be confused when reading these articles, because there are errors in the original text, and there will be errors in its translation into articles in other languages

Yeah, these are google translate errors.

Those with poor English still need to understand more.