pwndbg> p/x (*PML4).entries
$5 = {{
value = 0x100001007
}, {
value = 0x0
} <repeats 255 times>, {
value = 0x100002007
}, {
value = 0x1103d0007
}, {
value = 0x0
} <repeats 253 times>, {
value = 0x1103d1007
}}for entry 0
pwndbg> p/x (*(PageTable*)(*PML4).entries[0].getAddress()).entries
$8 = {{
value = 0x83
}, {
value = 0x40000083
}, {
value = 0x80000083
}, {
value = 0xc0000083
}, {
value = 0x0
} <repeats 508 times>}for entry 256
pwndbg> p/x (*(PageTable*)(*PML4).entries[256].getAddress()).entries
$10 = {{
value = 0x100087
}, {
value = 0x40100083
}, {
value = 0x80000083
}, {
value = 0xc0000083
}, {
value = 0x100000083
}, {
value = 0x140000083
}, {
value = 0x0
} <repeats 506 times>}for entry 257
pwndbg> p/x (*(PageTable*)(*PML4).entries[257].getAddress()).entries
$11 = {{
value = 0x0
} <repeats 500 times>, {
value = 0xfd00000083
}, {
value = 0xfd40000083
}, {
value = 0xfd80000083
}, {
value = 0xfdc0000083
}, {
value = 0xfe00000083
}, {
value = 0xfe40000083
}, {
value = 0xfe80000083
}, {
value = 0xfec0000083
}, {
value = 0xff00000083
}, {
value = 0xff40000083
}, {
value = 0xff80000083
}, {
value = 0xffc0000083
}}for entry 511
pwndbg> p/x (*(PageTable*)(*PML4).entries[511].getAddress()).entries
$12 = {{
value = 0x0
} <repeats 510 times>, {
value = 0x1103d2007
}, {
value = 0x0
}}Assuming PML3 = PML4.entries[0].getAddress()
PML3.entries[0].value was 0x83, thus being a large page and having not pointing to PML2.
PML3.entries[1] (empty, idk why):
$24 = {
entries = {{
value = 0x0
} <repeats 512 times>}
}PML3.entries[2] is not accessible (no idea??, i also tried converting it to virtual address first but it still doesn't work and gives the same error!!)
pwndbg> p/x *(PageTable*)((*(PageTable*)(*PML4).entries[0].getAddress()).entries[2].getAddress())
Cannot access memory at address 0x80000000PML3.entries[3] is in the same condition
pwndbg> p/x *(PageTable*)((*(PageTable*)(*PML4).entries[0].getAddress()).entries[3].getAddress())
Cannot access memory at address 0xc0000000Now, assuming PML3 = PML4.entries[256].getAddress()
PML3.entries[0] is empty
pwndbg> p/x *(PageTable*)((*(PageTable*)(*PML4).entries[256].getAddress()).entries[0].getAddress())
$26 = {
entries = {{
value = 0x0
} <repeats 512 times>}
}PML3.entries[1] is like this
pwndbg> p/x *(PageTable*)((*(PageTable*)(*PML4).entries[256].getAddress()).entries[1].getAddress())
$27 = {
entries = {{
value = 0x0
} <repeats 509 times>, {
value = 0x100005007
}, {
value = 0x100006007
}, {
value = 0x100007007
}}
}PML3.entries[2] is the same address as that for the previous assumption of PML3, that is 0x80000000, which is not accessible.
pwndbg> p/x *(PageTable*)((*(PageTable*)(*PML4).entries[256].getAddress()).entries[2].getAddress())
Cannot access memory at address 0x80000000PML3.entries[3] is suffering from the same case
pwndbg> p/x *(PageTable*)((*(PageTable*)(*PML4).entries[256].getAddress()).entries[3].getAddress())
Cannot access memory at address 0xc0000000PML3.entries[4] is valid:
pwndbg> p/x *(PageTable*)((*(PageTable*)(*PML4).entries[256].getAddress()).entries[4].getAddress())
$28 = {
entries = {{
value = 0x100001007
}, {
value = 0x0
} <repeats 255 times>, {
value = 0x100002007
}, {
value = 0x1103d0007
}, {
value = 0x0
} <repeats 253 times>, {
value = 0x1103d1007
}}
}PML3.entries[5] is invalid:
pwndbg> p/x *(PageTable*)((*(PageTable*)(*PML4).entries[256].getAddress()).entries[5].getAddress())
$29 = {
entries = {{
value = 0x0
} <repeats 512 times>}
}