10-10-12 paging mechanism

Windows kernel analysis index: https://www.cnblogs.com/onetrainee/p/11675224.html


1. How does the CPU find the physical address for a linear address?

2. What is the MMU?

3. The general structure of the CPU's internal memory-management framework

4. What do write-back, write-through and uncached mean?

5. The relationship between CR3, PDE and PTE

6. Analysing a process through its memory structures

7. Page granularity of the operating system versus the CPU

8. Using the !vtop command to resolve physical addresses

9. Reading address 0 by mapping a physical page to it

10. Modifying PDE and PTE attributes to operate on read-only memory (string literals)

11. The A bit, D bit (dirty bit) and G bit of the page attributes

12. The PS bit (large page) in a PDE

 

1. How does the CPU find the physical address for a linear address?

  Through the memory management unit (MMU).

 

2. What is the MMU?

  The memory management unit is a hardware module (we can also think of it as a function):

  physical address = func(CR3, linear address);

  It resolves a linear address into a physical address in steps, and those steps are the 10-10-12 split.

 

3. The general structure of the CPU's internal memory-management framework

  

 

4. What do write-back, write-through and uncached mean?

  All three are cache terms.

  1) Write-back: data is written to the cache first and only written to memory later, once enough has accumulated.

  2) Write-through: data is written to the cache and directly to memory at the same time.

  3) Uncached: the cache is bypassed and data is written directly to memory.

 

5. The relationship between CR3, PDE and PTE

 

 

6. Analysing a process through its memory structures

    Run two instances of the same program at the same time, have each print the address of a global variable, then compare the PTE structures of the two processes.
    Conclusion: when several copies of one program run, they are not mapped to the same physical page.
    PROCESS 815d78b0  SessionId: 0  Cid: 00FC    Peb: 7ffdf000  ParentCid: 0604
        DirBase: 18d4f000  ObjectTable: e21786b8  HandleCount:   7.
        Image: pteTest.exe
    Failed to GET VadRoot
    PROCESS 81e96528  SessionId: 0  Cid: 00d8    Peb: 7ffd5000  ParentCid: 0604
        DirBase: 193d7000  ObjectTable: e21f4ea8  HandleCount:   7.
        Image: pteTest.exe
    Failed to GET VadRoot

    Instance        CR3 (DirBase)   Page table (from PDE)   Physical page (from PTE)   Physical address of x   (unlabelled)
    first process   18d4f000        18c5a000                18943000                   18943a30                02
    second process  193d7000        19670000                1950a000                   1950aa30                02
 

7. Page granularity of the operating system versus the CPU

    The operating system works in 64 KB units, the CPU in 4 KB units.
    So the smallest block you can request is not 4 KB but 64 KB at a time, yet in the kernel's bookkeeping it is recorded as a number of 4 KB pages.

 

8. Using the !vtop command to resolve physical addresses

The usual way to split a paged address is to get the process's CR3 and split it by hand; once we are familiar with that, we can simply use the !vtop command, which performs the split for us.
    !vtop [CR3 address] [virtual address]
    Example:
    kd> !vtop 1a3c9000 425a30
    X86VtoP: Virt 0000000000425a30, pagedir 000000001a3c9000
    X86VtoP: PDE 000000001a3c9004 - 19f1d067 (PDE)
    X86VtoP: PTE 0000000019f1d094 - 1a286067 (PTE)
    X86VtoP: Mapped phys 000000001a286a30 (physical address)
    Virtual address 425a30 translates to physical address 1a286a30.

 

9. Reading and writing address 0 by mapping a physical page to it

Linear address 0 is simply an address with no physical page mapped; once we map a physical page there, reading it is easy.
    Source code:
    #include <stdio.h>   // the original VC++ project included "stdafx.h" here
    int x = 123;
    int main(int argc, char* argv[])
    {
        printf("%x\n", &x);      // print the linear address of x so its PDE/PTE can be looked up in windbg
        getchar();               // pause here: modify the page tables for address 0 before continuing
        getchar();
        getchar();
        printf("%d\n", *(int*)0);  // deliberately reads linear address 0; works once a page is mapped there
        return 0;
    }
    Procedure: look up the address of the variable x to obtain the PDE and PTE of its physical page, then in windbg modify the PDE and PTE that correspond to address 0 (in fact only the PTE needs changing; that entry is normally 0). You will then find the read succeeds without an error.

 

10. Modifying PDE and PTE attributes to operate on read-only memory (string literals)

  Note: the restriction may also come from the segment limits, but it is usually a page restriction, because a segment restricts a large range at once and is generally not used for fine-grained restrictions.
    We know the low three bits of a PDE and a PTE are attribute bits; see the figure below for details:

    The final attribute of the physical page is the result of PDE & PTE.
    Combined with the !vtop command, we can turn memory that is not writable into writable memory, as follows.
    #include <stdio.h>   // the original VC++ project included "stdafx.h" here
    int main(int argc, char* argv[])
    {
        char *str = "abc";       // string literal lives in a read-only page
        printf("%x", str);       // print its linear address for the !vtop lookup
        getchar();               // pause here: modify the PTE in windbg before continuing
        getchar();
        getchar();
        str[0] = 'b';            // deliberately writes to the literal; faults unless the page is made writable
        printf("%s", str);
        return 0;
    }
    The !vtop result for that address:
    kd> !vtop 0de1d000 423020
    X86VtoP: Virt 0000000000423020, pagedir 000000000de1d000
    X86VtoP: PDE 000000000de1d004 - 0b925067
    X86VtoP: PTE 000000000b92508c - 03014025
    X86VtoP: Mapped phys 0000000003014020
    Virtual address 423020 translates to physical address 3014020.
    From this we can see that the restriction comes from the PTE's attributes, so that is the entry we modify (!ed writes a dword to physical memory):
    !ed b92508c 03014067
    Run the program afterwards and you will see the string has been modified.

 

11. The A bit, D bit (dirty bit) and G bit of the page attributes

  When the TLB cache is full it optimises: it finds the worst entry and evicts it to make room for a new one.
    A means accessed, D means written (dirty), G means not evictable.
    The TLB keeps counts indexed by the A and D bits to drive this optimisation, but if the G bit is 1, then even if the entry has the worst score the CPU will not evict it from the TLB.

 

 

12. The PS bit (large page) in a PDE

    A large page is 4 MB; when you request 100 MB at once, you may be given large pages.
    With a large page there is no PTE: the low 22 bits are the offset, and the physical address is computed as the PDE's base plus that offset, which is easy to understand.
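As an added example, not the blog's own code, here is the 10-10-12 walk from sections 2, 8 and 12 written out in C against constructed page tables (a hypothetical layout: directory at physical 0x1000, one table at 0x2000, entries using the 067 and 025 flag patterns seen above). It handles the PS large page, which has no PTE level, and computes the effective write permission as PDE & PTE, as in section 10.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PG_P  0x001u  /* present */
#define PG_RW 0x002u  /* writable */
#define PG_PS 0x080u  /* PDE only: 4 MB page, no PTE level */

/* Constructed "physical memory": a 64 KB array indexed by physical address. */
#define PHYS_SIZE 0x10000u
static uint8_t phys[PHYS_SIZE];

static uint32_t rd32(uint32_t pa) {          /* read a dword of physical memory; 0 if unbacked */
    uint32_t v = 0;
    if (pa + 4 <= PHYS_SIZE) memcpy(&v, phys + pa, 4);
    return v;
}
static void wr32(uint32_t pa, uint32_t v) { memcpy(phys + pa, &v, 4); }

/* The 10-10-12 walk: 10 bits select a PDE from CR3, 10 bits a PTE, 12 bits the offset.
   Returns 1 and fills *pa / *writable on success, 0 if a level is not present. */
int vtop_10_10_12(uint32_t cr3, uint32_t va, uint32_t *pa, int *writable) {
    uint32_t pde = rd32((cr3 & 0xfffff000u) + (va >> 22) * 4);
    if (!(pde & PG_P)) return 0;
    if (pde & PG_PS) {                        /* large page: low 22 bits are the offset */
        *pa = (pde & 0xffc00000u) | (va & 0x3fffffu);
        *writable = (pde & PG_RW) != 0;
        return 1;
    }
    uint32_t pte = rd32((pde & 0xfffff000u) + ((va >> 12) & 0x3ffu) * 4);
    if (!(pte & PG_P)) return 0;
    *pa = (pte & 0xfffff000u) | (va & 0xfffu);
    *writable = (pde & PG_RW) && (pte & PG_RW);  /* effective right = PDE & PTE */
    return 1;
}

/* Constructed tables (hypothetical layout): directory at 0x1000, one page table at 0x2000. */
uint32_t build_sample_tables(void) {
    uint32_t cr3 = 0x1000u;
    memset(phys, 0, sizeof phys);                 /* PDE[0] stays 0: address 0 has no page */
    wr32(cr3 + 1 * 4, 0x2000u | 0x067u);          /* PDE[1] -> table at 0x2000, flags P/RW/U/A/D */
    wr32(0x2000u + 0x25 * 4, 0x3000u | 0x067u);   /* PTE for 0x425000: writable page */
    wr32(0x2000u + 0x23 * 4, 0x4000u | 0x025u);   /* PTE for 0x423000: read-only, like 03014025 */
    wr32(cr3 + 2 * 4, 0x00800000u | 0x0e7u);      /* PDE[2]: PS set, 4 MB page at 0x00800000 */
    return cr3;
}
```

With these tables, 0x425a30 resolves to 0x3a30 writable, 0x423020 to 0x4020 read-only, 0x812345 to 0x812345 through the large page, and address 0 is reported as not present.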

Origin www.cnblogs.com/onetrainee/p/12512847.html