Write a test.exe and break into the kernel debugger while in the context of this process.
kd> !process 0 1 test.exe
PROCESS 83c74d60 SessionId: 0 Cid: 0360 Peb: 7ffdf000 ParentCid: 035c
DirBase: 14360000 ObjectTable: 83c8b7e8 TableSize: 18.
Image: Test.exe
VadRoot 83b49e28 Clone 0 Private 30. Modified 0. Locked 0.
DeviceMap 83fb40a8
Token e280b4b0
ElapsedTime 0:00:00.0250
UserTime 0:00:00.0015
KernelTime 0:00:00.0031
QuotaPoolUsage[PagedPool] 7736
QuotaPoolUsage[NonPagedPool] 1232
Working Set Sizes (now,min,max) (156, 50, 345) (624KB, 200KB, 1380KB)
PeakWorkingSetSize 156
VirtualSize 5 Mb
PeakVirtualSize 5 Mb
PageFaultCount 154
MemoryPriority FOREGROUND
BasePriority 8
CommitCharge 35
kd> ? cr3
Evaluate expression: 339083264 = 14360000
DirBase is the value that must be loaded into CR3 when the processor switches to this process. In other words, the CR3 value differs from process to process, so the same virtual address maps to a different physical address in different processes.
kd> !vtop 14360 400000
Pdi 1 Pti 0
00400000 136df000 pfn(136df)
The first parameter of !vtop is the PFN of the process's page directory, that is, the high 20 bits of CR3. CR3 is 14360000, so the high 20 bits are 14360. The corresponding physical address is 136df000, and the pfn is 136df.
The page directory index (PDI) is 1, from the top 10 bits of the virtual address, and the page table index (PTI) is 0, from the intermediate 10 bits.
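The two-level lookup behind the !vtop result above, as an added example in C that is not part of the original post. It assumes non-PAE x86 with 4 KB pages; the page-table frame 13a1c and the flag bits 067 are constructed for illustration, while CR3, the virtual address and the final frame 136df are the values shown in the debugger output.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed sample of physical memory: only the two 32-bit entries the walk reads.
   Page-table frame 0x13a1c and flag bits 0x067 are made up; CR3 (0x14360000) and
   the data frame 0x136df are the values from the debugger session. */
struct phys_word { uint32_t pa; uint32_t value; };
static const struct phys_word sample_mem[] = {
    { 0x14360004u, 0x13a1c067u },  /* PDE[1] at CR3 + 1*4 -> page table frame */
    { 0x13a1c000u, 0x136df067u },  /* PTE[0] at table + 0*4 -> data frame */
};

static int read_phys32(uint32_t pa, uint32_t *out) {
    for (size_t i = 0; i < sizeof sample_mem / sizeof sample_mem[0]; i++)
        if (sample_mem[i].pa == pa) { *out = sample_mem[i].value; return 0; }
    return -1;  /* address not backed by the sample */
}

#define ENTRY_PRESENT 0x1u          /* bit 0 of a PDE/PTE: entry is valid */
#define FRAME_MASK    0xFFFFF000u   /* high 20 bits: page frame number << 12 */

static uint32_t pdi_of(uint32_t va) { return va >> 22; }            /* top 10 bits */
static uint32_t pti_of(uint32_t va) { return (va >> 12) & 0x3FFu; } /* middle 10 bits */

/* Returns 0 and fills *pa on success, -1 if an entry is unreadable or not present. */
static int vtop(uint32_t cr3, uint32_t va, uint32_t *pa) {
    uint32_t pde, pte;
    if (read_phys32((cr3 & FRAME_MASK) + pdi_of(va) * 4, &pde) || !(pde & ENTRY_PRESENT))
        return -1;
    if (read_phys32((pde & FRAME_MASK) + pti_of(va) * 4, &pte) || !(pte & ENTRY_PRESENT))
        return -1;
    *pa = (pte & FRAME_MASK) | (va & 0xFFFu);  /* frame base + low 12-bit offset */
    return 0;
}

int main(void) {
    uint32_t va = 0x00400000u, pa;
    if (vtop(0x14360000u, va, &pa) == 0)
        printf("Pdi %x Pti %x\n%08x %08x pfn(%05x)\n",
               pdi_of(va), pti_of(va), va, pa, pa >> 12);
    else
        printf("%08x is not mapped\n", va);
    return 0;
}
```

Running the same virtual address against a different process's CR3 reads a different page directory, which is why the resulting physical address differs per process.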
Reproduced from: https://www.cnblogs.com/fanzi2009/archive/2010/03/25/1696100.html