mirror of
https://dev.lirent.ru/Vatrog/vm-introspection-engine.git
synced 2026-07-08 23:46:36 +03:00
32440c7104
Under KVA shadow (KPTI) the kernel CR3 marks user-half PML4Es NX as hardening, so OR-ing that top-level NX down the walk made every user region non-executable - even live code (ntdll .text read back r--u). Ring 3 executes those pages via the user/shadow CR3, which reaches the same shared lower tables through an NX-clear PML4E, so the kernel table's user-half PML4E NX is not what enforces user execution. Ignore it on the user half; sub-PML4E NX (shared between both CR3s) stays authoritative.