Windows kernel analysis index directory : https: //www.cnblogs.com/onetrainee/p/11675224.html
PFN database stores the physical properties of the page
A, PFN basic concepts
Page frame : namely the CPU tab, common size is 4KB pages. I.e., a paging operating system page frame as a minimum unit.
In protected mode before we learned to PTE, its point is the page address + page attributes. (This page address is a physical address, only)
Page frame number : 4KB, namely 1000h, each page size 1000h, that is, the first address of each page of description must be a multiple of 1000h.
And because the page frame has a unique physical address, the address x / 1000h, generated by a unique number, which number is called a page frame number.
PFN database : the attributes of the page frame address of each extracted data structure composed of a PFN (Page Frame number), together with a continuous tissue PFN database is called a page frame.
This means that as long as we get the physical address of a page, you can see that the page frame number of the page by page frame number PFN database to be searched to PFN, and finally get the properties on the page.
Two, PFN data structure
1. wrk (windows search kernel) we have to search for the data structure of its PFN
Below, this data structure, there are many union consortium. Because there are many different page frame attributes (such as the active page / release pages, etc., will be introduced later), so have such a different union members.
1 typedef struct _MMPFN { 2 union { 3 PFN_NUMBER Flink; 4 WSLE_NUMBER WsIndex; 5 PKEVENT Event; 6 NTSTATUS ReadStatus; 7 8 // 9 // Note: NextStackPfn is actually used as SLIST_ENTRY, however 10 // because of its alignment characteristics, using that type would 11 // unnecessarily add padding to this structure. 12 // 13 14 SINGLE_LIST_ENTRY NextStackPfn; 15 } u1; 16 PMMPTE PteAddress; 17 union { 18 PFN_NUMBER Blink; 19 20 // 21 // ShareCount transitions are protected by the PFN lock. 22 // 23 24 ULONG_PTR ShareCount; 25 } u2; 26 union { 27 28 // 29 // ReferenceCount transitions are generally done with InterlockedXxxPfn 30 // sequences, and only the 0->1 and 1->0 transitions are protected 31 // by the PFN lock. Note that a *VERY* intricate synchronization 32 // scheme is being used to maximize scalability. 33 // 34 35 struct { 36 USHORT ReferenceCount; 37 MMPFNENTRY e1; 38 }; 39 struct { 40 USHORT ReferenceCount; 41 USHORT ShortFlags; 42 } e2; 43 } u3; 44 #if defined (_WIN64) 45 ULONG UsedPageTableEntries; 46 #endif 47 union { 48 MMPTE OriginalPte; 49 LONG AweReferenceCount; 50 }; 51 union { 52 ULONG_PTR EntireFrame; 53 struct { 54 # if defined (_WIN64) 55 ULONG_PTR PteFrame: 57 ; 56 PMIB_GET_TRAP_INFO 57 ULONG_PTR PteFrame: 25 ; 58 #endif 59 ULONG_PTR InPageError: 1 ; 60 ULONG_PTR VerifierAllocation: 1 ; 61 ULONG_PTR AweAllocation: 1 ; 62 ULONG_PTR Priority: MI_PFN_PRIORITY_BITS; 63 ULONG_PTR MustBeCached: 1 ; 64 }; 65 } u4; 66 67 } MMPFN,
2. PFN Category
There may be a physical page which states: active, standby, modified state, has been modified but not write, transfer state, idle state, the zero state, a bad state. (Because of space limitations, not introduced on the first of these states, we will have the opportunity to add)
Therefore, PFN will have several different types, the following introduction.
1) PFN data structure of the active page
1> PFN in PteAddress at the address where the PTE, ShareCount share represents the number of times. As long as ShareCount greater than zero, it can not be removed from memory.
2> ReferenceCount which represents the number of times cited, such lock is determined by reference to this value.
3> u3 of e1 (MMPFNENTNTRY) shows a state of the physical page, which is a shared property. (Because of the physical page is divided into several categories, and of the same class have the same attributes, the structural members share)
a. there represents some of the physical page status, such as whether it has been modified, is reading or writing.
b. important members PageLocation (3 bits can represent eight states), which represents the current state of the page type, the list also indicates which page is defined in the system.
c. MMPFN contains original content PTE points to this page, it may be a prototype PTE.
The intention is to assign a physical page to a PTE, it records the page original PTE; thereafter the physical page when it is not used, can restore the original PTE
4. Finally, a member of the U4 points to the physical page frame number of the PTE page table page is located, as well as some of the flag.
2) a standby state or a modified state data structure PFN
1> for the physical page in this state, although no longer valid PTE pointing to it, it no longer belongs to any of the working page set, but they are added to the spare list, or modify the list of system.
Therefore, the first or third members MMPFN 4 bytes then it becomes directly linked list of pointers before and after.
2> has been modified but not page write state is the same data structure.
3) PFN being transferred state data structure
a. For being a transition state, a first synchronization time point either, or point to an error code.
. B If the I / 0 are continuing the process, the event will be notified; if it occurred on the page change in process, the ReadStatus includes representatives of this I / O error status codes.
c. the transferring state PFN item is to identify or eliminate conflicts of page faults.
3. Physical Organization list page
Before we find out about PFNDatabse, which is aligned with one PFN, there are different types.
However, the presence of such a drawback, the same type of search is a top PFN efficiency is not high, and therefore leads to its organization list
MMLIST data type and MMPFNLIST
1) MMLISTS is the enumeration member whose value represents the properties of the physical page, save an enumerated type of u3.e1.PageLocation domain MMPFN data structure is MMLIST of.
For example PageLocatio 001, the corresponding physical page is StandbyPageList type of physical pages.
2) The global array mmPageLocationList these lists are organized according MMLISTS enumeration value.
a. That opened up a data account for eight elements, each member is PMMPFINLIST, represent a linked list head.
Before b. We can see MMPFN data structure (Free type), on behalf of its predecessor u1, u2 on behalf of the drive.
3) PFN database organization chart
a. transition state event page or pages list is not formed.
B. nulling configuration page or only a single free page list.
C. The remaining double circular list.
4. The physical page status change
Memory manager based on the amount of memory each process and memory requirements dynamically scheduling the use of physical pages.
For example, the following:
a. When a process requires memory, memory manager may find one or more pages from the list of zero or free list to meet the needs of the process.
b. When the process exits, the memory manager process to recover the page.
c. When the shortage of physical memory, the memory manager to a specific strategy to process some pages swapped out to external memory, thus freeing up physical memory for other uses.
Third, the actual traversing through windbg PFN list (for example to FreePageList)
1. The two global variables PFNDataBase and nt! MmZeroedPageListHead
First of all, we need to get two global variables stored in memory, a database is a pointer to PFNDataBase starting position and the other is FreePageList list.
If you can not remember the name, x + way wildcard instruction fuzzy search can be used
1) PFNDataBase (which is a pointer, so the real address which points to the first address)
kd> dd nt!MmPfnDatabase
80560b68 80c36000 0000ff00 00000000 0000000f
2 )nt!MmZeroedPageListHead
KD> dd NT! MmZeroedPageListHead
805523e0 0001111b 00000000 0001808d 00013a98
according MMPFNLIST data structure corresponding to the result (the picture content changes, but the corresponding attribute)
2. Get the size of the data structure PFN
Since these data are continuously arranged in PFNDATABASE database, we need to know the size of a single data effectively resolved.
kd> dt _MMPFN -v
nt!_MMPFN
struct _MMPFN, 6 elements, 0x18 bytes
······
Which together account for 18 bytes.
3. Review the list by the formula
A first address * MMPfnDataBase + (nt! MmFreePageListHead. {Flink / Blink} * 0x18c) search acquires
After the address * MMPfnDataBase + (MMPFN. {U1 (Flink) / u2 (Blink)} * 0x18c)
kd> dd 80c36000+0001808d*0x18 l6
80e76d38 00018093 00060234 ffffffff 00003000
80e76d48 0001809d 00000000
We can see it because it is the first linked list, so the Blink ffffffff (does not exist)
Flink 00018093
Fourth, by driving the code to traverse the list
It should address global variable memory search using violence to find, but the technology is still not mature, it is mandatory to locate the address.
1 #include <ntddk.h> 2 #include <ntstatus.h> 3 #include <wdm.h> 4 5 typedef struct _MMPFNLIST { 6 HEAD Total; 7 HEAD listname; 8 HEAD Flink; 9 HEAD Blink; 10 } MMPFNLIST, * PMMPFNLIST; 11 12 typedef struct _MMPFN { 13 unsigned U1; 14 PULONG32 PteAddress; 15 HEAD u2; 16 HEAD U3; 17 HEAD OrininalPte; 18 HEAD u4; . 19 } MMPFN, * PMMPFN; 20 is 21 is // find the start address of global variables pfn database 22 // Note: * MmPfnDataBase for the real starting address 23 is a ULONG32 MmPfnDatabase = (a ULONG32) 0x80c36000 ; 24 // find the global variables MmFreePageListHead 25 PMMPFNLIST = MmFreePageListHead (PMMPFNLIST) 0x805523f0 ; 26 is // drive uninstall function 27 NTSTATUS the DriverUnload (PDRIVER_OBJECT driver) { 28 return STATUS_SUCCESS; 29 } 30 31 is // driver entry function 32 The DriverEntry NTSTATUS (PDRIVER_OBJECT Driver, PUNICODE_STRING RegPath) { 33 is PMMPFN Node; // represents each node in the linked list 34 is UINT32 index; 35 _asm { 36 int . 3 37 [ } 38 is // Check the number of the list 39 a ULONG32 Total = MmFreePageListHead-> the Total ; 40 // set start portion 41 is index = MmFreePageListHead-> Flink; 42 is // loop through chain 43 is 44 is for (ULONG I = 0 ; I <Total; I ++ ) { 45 a ULONG32 T * index = 0x18; 46 is a ULONG32 X = T + MmPfnDatabase; 47 // obtaining node information 48 Node = (PMMPFN) X; 49 DbgPrint ( " U1:% X | PteAddress:% X | U2:% X | U3:% X | OrininalPte: X% | U4:% X " 50 , node-> U1, node-> PteAddress, node-> U2, node-> U3, node-> OrininalPte, node-> U4); 51 is DbgPrint ( " % X | X% " , node, index); 52 is // next traverse a node 53 is index = node-> U1; 54 is } 55 56 is NTSTATUS Status; 57 is 58 return STATUS_SUCCESS; 59 }