
Fix injector: reject CR3 updates from KiSystemCall64Shadow prologue in setup_usermode_trap_x64 (KPTI early CR3 switch)#1866

Merged
tklengyel merged 1 commit into tklengyel:main from CERT-Polska:fix/injector-cr3-kpti-bug
Feb 28, 2026

Conversation

@psrok1
Contributor

@psrok1 psrok1 commented Feb 26, 2026

Hello,

This PR fixes issue #1865 by explicitly checking whether the CR3 change was caused by mov cr3, rsp, so RSP should be equal to CR3. In any normal circumstances RSP should point at the kernel stack, but in the KiSystemCall64Shadow prologue (just after syscall) RSP is not properly set yet and is reused to move a new CR3 value from KPRCB::KernelDirectoryTableBase to the register.

I have checked that the same KiSystemCall64Shadow prologue with mov cr3, rsp is present in Windows 7 (6.1.7601.24000 with KB4056894), Windows 10 22H2 (10.0.19045.5854) and Windows 11 25H2 (10.0.26220.7872).

Bit 63 of RSP is masked because "If CR4.PCIDE = 1, bit 63 of the source operand to MOV to CR3 determines whether the instruction invalidates entries in the TLBs and the paging-structure caches (see Section 4.10.4.1, “Operations that Invalidate TLBs and Paging-Structure Caches,” in the Intel® 64 and IA-32 Architectures Software Developer’s Manual, Volume 3A). The instruction does not modify bit 63 of CR3, which is reserved and always 0."

PCID bits are also ignored during MOV to CR3 if PCIDs are not enabled, but I see that in that case the Windows kernel just puts zeroes there as well, so there is no need to mask them out.

The patch is tested on Windows 10.0.19045.5854, where I'm able to easily reproduce the bug: it works correctly and solves the problem. I have also briefly tested it on Windows 7 and don't observe any regression.

closes #1865
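The RSP-equals-CR3 check described in the post above, as an added example in C that is not part of this PR's diff or of DRAKVUF's code. The event structure, the `is_kpti_early_cr3_switch` / `count_real_cr3_switches` names and every register value in the sample event stream are constructed for illustration; only the bit-63 masking rule and the "RSP temporarily holds KernelDirectoryTableBase" observation come from the PR.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Bit 63 of the MOV-to-CR3 source operand is the "do not flush TLB" hint
 * when CR4.PCIDE = 1; the value that lands in CR3 never carries it
 * (reserved, always 0), so it must be masked off before comparing RSP
 * with the written CR3. */
#define CR3_NOFLUSH_BIT (1ULL << 63)

/* Hypothetical register snapshot delivered with a CR3-write event.
 * This is an assumed shape for the example, not DRAKVUF's event struct. */
typedef struct {
    uint64_t rsp;      /* RSP at the time of the write */
    uint64_t new_cr3;  /* value being written to CR3 */
} cr3_write_event_t;

/* True when the write looks like the KPTI early switch in the
 * KiSystemCall64Shadow prologue: `mov cr3, rsp`, where RSP is being
 * reused to carry KPRCB::KernelDirectoryTableBase rather than pointing
 * at a kernel stack. The PR notes that Windows writes zeroes in the PCID
 * bits of that value, so no PCID mask is needed here. */
bool is_kpti_early_cr3_switch(uint64_t rsp, uint64_t new_cr3)
{
    return (rsp & ~CR3_NOFLUSH_BIT) == new_cr3;
}

/* Counts the CR3 writes that an injector waiting for a process switch
 * should act on, i.e. everything except the early KPTI switch. */
size_t count_real_cr3_switches(const cr3_write_event_t *evs, size_t n)
{
    size_t real = 0;
    for (size_t i = 0; i < n; i++)
        if (!is_kpti_early_cr3_switch(evs[i].rsp, evs[i].new_cr3))
            real++;
    return real;
}

/* Constructed sample event stream (all addresses are made up):
 *  1. ordinary context switch: RSP is a kernel stack pointer, CR3 is a
 *     physical page-table base; the two have nothing in common.
 *  2. early KPTI switch with the bit-63 no-flush hint set on the source.
 *  3. early KPTI switch without the hint (CR4.PCIDE = 0 style).
 * Only event 1 is a real switch. */
const cr3_write_event_t sample_events[] = {
    { 0xFFFFF8055A3C7B80ULL, 0x00000000001AD000ULL },
    { 0x80000000001AD000ULL, 0x00000000001AD000ULL },
    { 0x00000000001AD000ULL, 0x00000000001AD000ULL },
};
const size_t sample_event_count = sizeof sample_events / sizeof sample_events[0];

int main(void)
{
    for (size_t i = 0; i < sample_event_count; i++) {
        const cr3_write_event_t *ev = &sample_events[i];
        printf("event %zu: rsp=%016llx cr3=%016llx -> %s\n", i + 1,
               (unsigned long long)ev->rsp, (unsigned long long)ev->new_cr3,
               is_kpti_early_cr3_switch(ev->rsp, ev->new_cr3)
                   ? "rejected (KPTI early switch)"
                   : "accepted");
    }
    printf("real switches: %zu of %zu\n",
           count_real_cr3_switches(sample_events, sample_event_count),
           sample_event_count);
    return 0;
}
```

The comparison is deliberately exact after masking bit 63: a genuine context switch carries a canonical kernel-half stack pointer in RSP, which can never equal a physical page-table base, so the check has no false positives in the normal path while still catching the prologue case whether or not the no-flush hint is set.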

…n setup_usermode_trap_x64 (KPTI early CR3 switch)
@drakvuf-jenkins
Collaborator

Can one of the admins verify this patch?

@tklengyel
Owner

@drakvuf-jenkins Test this please

@tklengyel tklengyel merged commit 34e264b into tklengyel:main Feb 28, 2026
37 checks passed


Development

Successfully merging this pull request may close these issues.

Injector hangs when target thread just made a syscall and KPTI is enabled

3 participants