views: 61
answers: 1

"Consider a typical Windows x86 or AMD64 architecture: the memory is divided into executable sections that cannot be written to and data sections that can be written to but cannot be executed (think DEP)."

"A JIT compiles methods in memory and (generally) does not store anything to disk; instead it moves the code to where the next instruction pointer can reach it, changes the current instruction pointer (pointing to the JIT) to point to the newly generated code and then executes it."

These two paragraphs, while a bit over-simplified, are what I basically understand of JIT and Windows' memory model. I also know that when I try to copy some executable code in memory by hand and try to execute it, I will generally be unable to do it (unless with DLL injection).

How did the JIT-designers overcome this hurdle? Do they use a ring-0 driver or is everything done in user mode?

+3  A: 

It is simply done with the Windows VirtualProtect() API function. It changes the virtual memory page attributes: from PAGE_READWRITE, so the JIT compiler can write the machine code, to PAGE_EXECUTE_READ, so it can be executed. No special privileges are required to do so since the page is owned by the process that also runs the JIT compiler.

Hans Passant
Really, *that* simple? Makes sense. (OT) Ah, I remember, last time I needed to inject something it was not in my own process (i.e., to delete the current running executable you need to first unload the executable, typical chicken / egg problem).
Abel
@Hans: reading further about it, I wonder how that relates to this [Social MSDN post](http://social.msdn.microsoft.com/Forums/en-US/clr/thread/2a043d8c-3ac4-4b3d-9837-0bfe8e7d6788), explaining you need Admin rights to use `VirtualProtect` to change the flag and claiming it can't work that way. With ActionScript, the same principle works with `VirtualAlloc`, [as apparently shown by this blogger](http://null.co.in/2010/04/29/spraying-just-in-time/) (he gets the names wrong, see the caption of his 3rd image). Both posts led me to assume it'd be `VirtualAlloc` instead. What are your thoughts here?
Abel
@Abel: looks familiar. No, I noted in that post that admin rights were not needed. The OP agreed.
Hans Passant
@Hans: yes, I reacted too quickly. Looking through [`VirtualProtect`](http://msdn.microsoft.com/en-us/library/aa366898%28VS.85%29.aspx) there's no mention of this either. Note that in SSCLI I didn't find VirtualProtect used in fjitcompiler.cpp, only VirtualAlloc. VirtualProtect was redefined/undefined often in hosting.cpp (into `Dont_Use_VirtualProtect` lol). Finally, it seems to come down to a call to [`IHostMemoryManager->VirtualProtect`](http://msdn.microsoft.com/en-us/library/ms164513.aspx), if available, else `::VirtualProtect` (the Win32 API) is called (which is what you said).
Abel
PS: sorry I dragged on about this, but I needed some reassurance. Fortunately you gave enough an answer to research further on the subject. Thanks!
Abel
It's there, clr\src\utilcode\hostimpl.cpp, ClrVirtualProtect() method.
Hans Passant
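The allocate-writable, write, flip-to-executable, call sequence described in the answer and the comments above, as an added example (not code from the question, the answer, or SSCLI). On Windows it uses exactly the calls discussed (`VirtualAlloc` with `PAGE_READWRITE`, then `VirtualProtect` to `PAGE_EXECUTE_READ`, plus `FlushInstructionCache`); the POSIX branch with `mmap`/`mprotect` is an assumption added so the same sequence can be run on Linux or macOS. The emitted bytes are x86-64 only (`mov eax, imm32; ret`), so `jit_demo` reports -1 on other architectures instead of running them. The page is never readable, writable and executable at the same time: that RW-then-RX transition on private memory is the W^X discipline a DEP-aware JIT follows, and also the kind of protection change that endpoint telemetry can log for a process that is not expected to generate code.

```c
#define _DEFAULT_SOURCE            /* MAP_ANONYMOUS on glibc under strict -std */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#ifdef _WIN32
#include <windows.h>
#else
#include <sys/mman.h>
#endif

/* Step 1: allocate a writable, NOT executable, page-aligned buffer. */
static void *jit_alloc(size_t size) {
#ifdef _WIN32
    return VirtualAlloc(NULL, size, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
#else
    void *p = mmap(NULL, size, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    return p == MAP_FAILED ? NULL : p;
#endif
}

/* Step 2: flip the buffer from RW to RX. Returns 1 on success. After this
 * call the pages are not writable any more (a write would fault), so the
 * process never holds an RWX mapping. No privilege is needed: the pages
 * belong to the calling process. */
static int jit_make_executable(void *buf, size_t size) {
#ifdef _WIN32
    DWORD old_protect = 0;
    if (!VirtualProtect(buf, size, PAGE_EXECUTE_READ, &old_protect)) return 0;
    /* Harmless on x86; required on architectures with split I/D caches. */
    FlushInstructionCache(GetCurrentProcess(), buf, size);
    return 1;
#else
    if (mprotect(buf, size, PROT_READ | PROT_EXEC) != 0) return 0;
#if defined(__GNUC__)
    __builtin___clear_cache((char *)buf, (char *)buf + size);
#endif
    return 1;
#endif
}

static void jit_free(void *buf, size_t size) {
#ifdef _WIN32
    (void)size;
    VirtualFree(buf, 0, MEM_RELEASE);
#else
    munmap(buf, size);
#endif
}

/* The machine code emitted below is x86-64 only. */
int jit_arch_supported(void) {
#if defined(__x86_64__) || defined(_M_X64)
    return 1;
#else
    return 0;
#endif
}

/* Emit `mov eax, imm32 ; ret` (6 bytes) into buf; returns bytes written. */
static size_t emit_return_const(uint8_t *buf, int32_t value) {
    if (!jit_arch_supported()) return 0;
    buf[0] = 0xB8;                 /* mov eax, imm32 */
    memcpy(buf + 1, &value, 4);    /* little-endian immediate */
    buf[5] = 0xC3;                 /* ret */
    return 6;
}

/* Full round trip: returns `value` if the generated code ran, -1 if the
 * build is not x86-64, -2 if allocation or the RW->RX change failed. */
int jit_demo(int32_t value) {
    if (!jit_arch_supported()) return -1;
    const size_t size = 4096;
    uint8_t *code = jit_alloc(size);
    if (!code) return -2;
    emit_return_const(code, value);                 /* page is RW here */
    if (!jit_make_executable(code, size)) {         /* now RX, no longer writable */
        jit_free(code, size);
        return -2;
    }
    int32_t (*fn)(void);
    memcpy(&fn, &code, sizeof fn);   /* data pointer -> function pointer without a cast warning */
    int32_t result = fn();           /* Step 3: jump into the generated code */
    jit_free(code, size);
    return result;
}

int main(void) {
    printf("jit_demo(42) = %d\n", jit_demo(42));
    return 0;
}
```

Build with `cl jit.c` on Windows or `cc -Wall jit.c` elsewhere. The order matters for the DEP question in the post: writing happens while the page is `PAGE_READWRITE`, execution only after `VirtualProtect` has made it `PAGE_EXECUTE_READ`, and on a hardened system (an `mprotect` denied by an execmem policy, or a process with dynamic-code restrictions) the flip fails and `jit_demo` reports -2 rather than ever executing from a data page.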