标签 PAGE_GUARD 下的文章 - 白帽Wiki

网上 PAGE_GUARD 的文章千篇一律 不知道在说什么JB 可能作者自己都不知道在说什么
这里给出WRK的答案:
在设置PAGE_GUARD后:
https://github.com/mic101/windows/blob/master/WRK-v1.2/base/ntos/mm/protect.c#L868

> The PTE is a private page which is valid, if the
specified protection is no-access or guard page
remove the PTE from the working set.

调用MiRemovePageFromWorkingSet
结果:
https://github.com/mic101/windows/blob/master/WRK-v1.2/base/ntos/mm/wslist.c#L781

> This function removes the page mapped by the specified PTE from
the process's working set list.

访问的时候会调用MiAccessCheck检查ProtectionCode:
https://github.com/mic101/windows/blob/master/WRK-v1.2/base/ntos/mm/acceschk.c#L160
MI_IS_GUARD 的定义是:
```cpp
#define MI_IS_GUARD(ProtectCode)    ((ProtectCode >> 3) == (MM_GUARD_PAGE >> 3))

```
ProtectionCode由来:

在访问内存的时候会调用
MiCheckVirtualAddress 
https://github.com/mic101/windows/blob/master/WRK-v1.2/base/ntos/mm/pagfault.c#L4701
如果是private 属性的,则会
https://github.com/mic101/windows/blob/master/WRK-v1.2/base/ntos/mm/pagfault.c#L4787
https://github.com/mic101/windows/blob/master/WRK-v1.2/base/ntos/mm/pagfault.c#L4806
取VAD里面的值
ProtectionCode就是这样来的
来了后 
### 废物百度

白帽Wiki

一只鸭子

白帽Wiki - 一个简单的wiki

[2020] PAGE_GUARD 内核原理探究