xboxscene.org forums
OG Xbox Forums => Software Forums => Development => Topic started by: torne on February 07, 2006, 10:00:00 AM
I've looked all over the interwebs for an answer to this, but can't find a definitive answer:
Does the Xbox, when running the MS kernel, use virtual memory mapping in the 'usual' way (translating VA->PA via the page tables or TLB)? If so, what does the virtual memory map look like? I realise it only runs one process at a time and thus there will be only one set of page tables, and that all code runs in ring 0 and thus there is no memory protection from the supervisor bits... but if it's a Windows kernel under there I can't imagine it's using direct memory access...
The reason I'm curious is because if it does, then it seems like it would be possible to use a replacement page fault handler and desynced TLBs to hide modifications to kernel code, as used in some experimental rootkit developments on Windows and explained in Phrack #63. This might be amusing as it could, say, conceal the presence of nkpatcher or similar from detection by games. 
I've not done any Xbox development other than working on xbox-linux kernel code, but my day job is an embedded OS kernel developer, so please don't assume I don't know what I'm talking about in general... it's just the Xbox specifics I don't know about yet.