I have a page beside a thread inside a process in Windows system which I attend to cut its hand from other pages. It is an executable page, I want when it reads/writes from/into other virtual memory pages, an exception rising. I can not make guard protection on all available pages on process. Do you have any idea about isolating this page from other pages?

Hi

Tricky question. I'll say something at least just to get a discussion going. You might be able to set the page to non-executable or non-present which would raise a page fault exception which you could handle. See the PaX implementation for more on this.

Like PAGE_GUARD though this seems like it would be a one-shot deal. Sure you could be notified when your page is forced to (re)load into memory, but what could you effectively do then other than preventing execution entirely? If the code contained in that page needs to run so the app doesn't crash, and the memory read/writes to *other* pages that you are trying to intercept occurs later in that page, you haven't really done much.

Can you describe more what you are trying to accomplish? As a stab in the dark I might guess you want to detect when a packer section writes or reads to another executable (or data) section and/or vice versa.

Kayaker

OP looks like it was Babelfished.

I still don't understand why you can't set it as a guard page.

I should mention some notes regarding to virtual machine monitor, it is not completely a emulator, it executes code in control mode, when it detect a privilege instruction, it emulated the code otherwise it run code in controlled thread. By this aspect, I plan to make a simple virtual machine; I can detect the privilege code by EXCEPTION_PRIV_INSTRUCTION but I do not know how detect the following code:

MOV [XXX], XXX

I need to detect it in order to redirect to a Virtual RAM.

You can detect MOV [XXX], XXX with guard pages. You can use SEH or VEH inside the target or you can use a debugger process to monitor the target process instead.

When I set a GUARD PAGE Protection on all available pages of process how code of parent thread is going to be run. I want when the MOV [XXX],XXX, the code of physical memory run an exception rising and it helps to execute code by Emulator. Do you think another point has been applied in VMWare or Virtua PC. About privileged exception, I am sure because you can detect VMWare by exception of IN or OUT instructions. Are there really Memory guard the note which has employed in those native code virtual machine?

Your real code should be in one set of memory pages. Your VM code should be in another set of memory pages. Set page-guards on the latter. Problem solved. (And if this isn't a valid solution then you need to do a better job explaining the problem.)

I want just give some info about the job which I plan to do. This link might be useful.

http://www.floobydust.com/virtualization/lawton_1999.txt

This is the important note:

http://patft.uspto.gov/netacgi/nph-Parser?Sect1=PTO1&Sect2=HITOFF&d=PALL&p=1&u=%2Fnetahtml%2FPTO%2Fsrchnum.htm&r=1&f=G&l=50&s1=6,397,242.PN.&OS=PN/6,397,242&RS=PN/6,397,242

Just remember p4 can be set to break on conditionals, it can save you many problems and give a big speedup.