[转]Part1: Understanding !PTE , Part 1: Let’s get physical
Hello. It’s Ryan Mangipano again (Ryanman). Today’s blog will be the first in a multi-part post designed to help you understand the output of the !PTE debuger comand along with the basics of hardware Virtual Addressing. To better understand Virtual Addressing, we will use the debugger to manually translate a 4-KByte Page Table PAE virtual address into the actual physical addresses in order to understand what !PTE is displaying. I’ll provide relevant information about Virtual Addresses and Virtual Memory along the way.
We’ll start by translating a non-prototype valid hardware VA from an x86 PAE system
The actual process of manually decoding a virtual addresses is going to vary according to the architecture (x86, x64), size of the page, whether or not the virtual address is a large page, whether the page is marked as valid, whether it’s a hardware or software PTE, and whether PAE is enabled. For simplicity, we will not be going over the table entry (PTE/PDE) flags until part two of the blog. For my first example, I am going to demonstrate how to use the information in the processor manuals together with the debugger to decode a valid non-prototype virtual address into the physical memory that it references. You can then try this on your own using windbg and the !pte command to validate your findings.
Finding an address to translate
To start, we'll need to locate a virtual address that maps to a valid PTE. I am going to use the following highlighted virtual address which I found in a memory dump.
f9a12d0c ff155400a1f9 call dword ptr [sfilter+0x4054 (f9a10054)]
Get out your processor manuals
The AMD and Intel manuals both contain helpful reference material on this subject. PDFs of these manuals are available online. Since my CPU is an Intel, I’m going to refer to the Intel manuals.
1: kd> !cpuinfo
CP F/M/S Manufacturer MHz PRCB Signature MSR 8B Signature Features
0 15,6,4 GenuineIntel 3192 0000000400000000 a0073fff
My Intel manuals arrived on CD via snail mail a few days after placing my free order:
http://www.intel.com/products/processor/manuals/order.htm
Is PAE in use?
On this Intel x86 system, we first need to determine if we are using PAE. In the Intel “System Programming section 3.6.1 Paging Options” I found that the PAE (Physical Address Extension) flag can be found in bit 5 of the CR4 register. The PG (Paging) flag in CR0 which enables paging must of course also be set. Register bit numbering starts at zero so it’s the fifth bit from the right. Let’s examine cr4 and convert the value it contains into binary:
1: kd> r cr4
cr4=000006f9
1: kd> .formats 000006f9
Binary: 00000000 00000000 00000110 11111001
You can use the debugger to check for other flags in the same manner
You can use the above method to check for other flags that you find documented in the processor manuals. For example, you can see that bit 4 is also set in the cr4 register output above. This is the Page Size Extensions (PSE) bit which enables large page sizes.
Terminology
Paging is simply a method of dividing up the linear address space into chunks. Pages are simply the name that we give to the chunks that result. The size of these sections is referred to as the Page Size. On x86 systems, the standard page size is 4-KBytes. A Large Page means that the page is larger than the standard size (2MB on PAE x86 or 4MB on non-PAE x86).
Keep the last three
On a standard 4-KByte page size virtual address, the address f9a10054 can be thought of as being split up as follows:
Information needed to locate the base of the page in physical memory f9a10
Offset into that physical page once it is found 054
This means that the last three hexadecimal digits of our physical address will also be 0x054. Once we find the base of our physical page(which will always end in three zeros), we can simply add it to the offset 0x54 and we will have our physical address.
Are there any commands that work with physical addresses?
We will also need a way to work with these physical addresses. Most of us are familiar with using the dd command with virtual addresses. There is also a command that accepts a physical address instead of a virtual address: !dd (notice the ! before the command). There are also variants of the!dd command, such as !db , !du , !dq.
What data do we need to obtain to perform this conversion?
We need to determine how to use the f9a10 portion of the virtual address to find the physical page base. The Memory Management System sets up and maintains a hierarchy of tables that keep track of the mappings between virtual addresses and physical addresses. You will need the following information to traverse the tables yourself and convert this address.
1. Starting point. This will be in the form of a pointer to the base of the first table that you need to check
2. The number of table levels in use on the system and the size of each entry in the tables on our system
3. The offsets into the different tables and the bases of each table.
Once you have all the above information, you can use the debugger to traverse these tables.
Let’s get our plan together for how we are going to obtain these three pieces of information
1. Starting point. This can be obtained from the PDBR. The CR3 register is known as the Page Directory Base Register (PDBR) which points to the physical address of the base of the first table.
2. The number of table levels in use on the system and the size of each entry in the tables on our system. This information can also be obtained from the Intel processor manuals. As previously mentioned, the number of tables, the size of the entries in the tables, the flags, where the bits are split up, and the names of the tables vary according to platform and if you are using PAE or not. All of these, however, use the same basic concepts:
Register pointing to a àTable with entries pointing to a table à with more entries pointing to à another tableà pointing to the physical address of the page in memory.
Table1: By reading the Intel Processor Manual “System Programming: Section 3.8, Physical Address Extension”, I was able to determine that the first table used for x86 PAE virtual addressing is called the Page-Directory-Pointer Table. It’s a table with only 4 Entries that are 64 bits (which is 8 bytes) wide. Each entry is referred to as a Page Directory Pointer Entry and abbreviated as PPE, PDP or PDPE depending on the source. These entries provide the index into the page directory, which is known as the Page Directory Index (PDI). One of these four pointers will lead you to the physical address of the base of the next table that you need to visit in the x86 PAE hierarchy. Just like the pointer that we used from the CR3register, some of the bits in these table entries are not used as part of the index (referred to as a pointer in some documentation). We will grab the relevant bits and add the appropriate number of zeros to the index to obtain our physical address pointer. I will cover what these other bits are used for in part two of this blog. We must substitute zeros for these bits.
Table2: The table at the second level of tables in the x86 PAE hierarchy (which is referenced by the pointers in Table Level One) is called the Page Directory Table. Don’t confuse this with the Page-Directory-Pointer Table. Each Page Directory table can hold 512 entries which are 64 bits in size. The entries in this table are called Page Directory Entries (PDE) and they provide Page Table Index (PTI). Just like the last table, these entries contain indexes (which we convert to a pointer by simply adding zeros) to the base of the next table in the hierarchy.
Table3: The last table is referred to as the Page Table. Each Entry in the page table is called a Page Table Entry (PTE) and provides the Page Offset. Just like the last table, not all the bits are used for pointers. Each page table contains up to 512 entries which are also 64 bits in size. Each 64 bits entry in the table contains a pointer to the base of the page in physical memory.
In summary there are 3 levels of tables when using x86 PAE. These are the Page Directory Pointer Table, Page Directory Tables, and the Page Tables.
1. The offsets into the different tables and the bases of each table.
Each table above is a listing of indexes that will be used to locate the base of the next table. However, once we arrive at each table, we will need to know the index or offset into the table in order to know which table to get to next. These offsets into the tables can be obtained from the virtual address itself. Let’s review our virtual address again. However, this time we will break the address down in binary:
Virtual Address: f9a10054
1: kd> .formats 0xf9a10054
Binary: 11111001 10100001 00000000 01010100
Page Directory Pointer Index(PDPI) 11 Index into 1st table(Page Directory Pointer Table)
Page Directory Index(PDI) 111001 101 Index into 2nd table(Page Directory Table)
Page Table Index(PTI) 00001 0000 Index into 3rd table(Page Table)
Byte Index 0000 01010100 0x054, the offset into the physical memory page
So as you can see, the virtual address is nothing more than a bunch of indexes/offsets.
Putting all this data together to find the physical address
Now that we have all the required data, let’s proceed to locate our physical address
1. Obtain our base pointer to the first table. As we discussed earlier, we can obtain this value from the cr3 register. Bits 0-4 of this register are not used for the pointer to the table base. This means that in order to get the base pointer, we will need to replace these 5 least-significant bits with zero. This will result in the table base being located on a physical address that is always aligned to a 32-bit boundary.
Keep in mind that CR3 will have a different value here for each process. You must make sure that you are in the appropriate process context before proceeding. This is because user mode tables are specific to a particular process. Notice that I said processes, not threads. CR3 will not be changed when swapping threads, since each thread in a given process shares the same address space. Tables relating the system address space (kernel mode) are shared between all processes.
We’ll need to dump out the CR3 register (PDBR) in a format where we can view the last 5 bits. As you can see in the .formats output below, the 5 least significant bits are already set to zero. This means that the hexadecimal value located in the cr3 register is a pointer to the base of the first table. So we now have our starting point. Physical address 023406e0 is the base of the first table.
1: kd> .formats @cr3
Hex: 023406e0
Binary: 00000010 00110100 00000110 11100000
The proper way to display the pointer out the value would be to & against the following mask
1: kd> ? 0y11111111111111111111111111100000
Evaluate expression: -32 = ffffffe0
1: kd> .formats (@cr3 & ffffffe0)
Binary: 00000010 00110100 00000110 11100000
You can use the!process command to get and/or verify this value.
1: kd> !process
PROCESS ff981a58 SessionId: 0 Cid: 0d54 Peb: 7ffde000 ParentCid: 0550
DirBase: 023406e0 ObjectTable: e1541510 HandleCount: 30.
You can also obtain this information from the EPROCESS structure.
1: kd> dt nt!_EPROCESS ff981a58 Pcb.DirectoryTableBase
+0x000 Pcb :
+0x018 DirectoryTableBase : [2] 0x23406e0
2. Obtain our base to the second table by finding our index into the first table. The first table (Page Directory Pointer Table) only has 4 entries and each entry is 64 bits wide. We know from the first two bits of the Virtual Address above that our offset into this table is 0y11 (The ytells the debugger the value is binary, instead of eleven). Eleven would be represented in the debugger as 0n11. We can simply multiply the offset (0y11) by the size of each entry and add the result to the base of the table to get our entry. The entries in the table are 8 bytes wide. We shall use sizeof() as shown below to obtain this value. We can pass this math to the !dq command to dump the data at these physical addresses.
1: kd> !dq (@cr3 & 0xffffffe0)+(0y11*@@(sizeof(nt!_MMPTE))) L1
# 23406f8 00000000`05503801
The processor manuals indicate that the first 12 bits of the entry above are not part of the pointer and must be discarded. This will cause alignment on 4KB boundaries. Since each Hex digit above represents 4 bits, this means that we need to change 801 to 000. That gives us our physical address of the base of our second table, 05503000. We will accomplish this in the next step by ANDing our PDE against a mask.
3. Obtain our base to the third table by finding our index into the second table. The Second Table (Page Directory Table) works the same way, except that this table contains up to 512 entries (on PAE systems). Keep in mind that there can be more than one Page Directory Tables for each process on a PAE system, however we are only concerned with the one that contains the data relating to our virtual address. We know from the virtual address that the offset into this table is 0y111001101. Calculate the address in the same manner as before. We will also need to set the last 12 bits to zero, just like before.
1: kd> !dq (0x05503801 & 0xFFFFFF000) +( 0y111001101*@@(sizeof(nt! _MMPTE))) L1
# 5503e68 00000000`0102d963
The last three hexadecimal digits must be changed to zero, since they are not part of the pointer. This gives us the base address of our last table, the page table, 0x0102d000
4. Find the base of the physical page our memory resides in by finding our index into the third table. Using the base of the page table from the previous step, let’s add the index into this table that we obtained from the virtual address, 0y000010000. The last three digits need to be set to zero.
1: kd> !dq (0x102d963&0xFFFFFF000)+(0y000010000*@@(sizeof(nt! _MMPTE))) L1
# 102d080 00000000`02010121
5. So now we have the physical address of the base of the page, 2010000 Add the base of the page to our offset from the virtual address, 0x054.
1: kd> ? (2010121 & 0xFFFFFF000) +0x054
Evaluate expression: 33620052 = 02010054
A shortcut is to simply change the 0x121 to 0x054 in the previous step.
6. Now, let’s dump out the data at our physical address and the virtual address
1: kd> !dd (2010121 & 0xFFFFFF000) +0x054 L2
# 2010054 804ef09c 804ef12c
1: kd> dd 0xf9a10054 L2
f9a10054 804ef09c 804ef12c
You can see that the data displayed by the two commands is the same.
7. Now let’s dump out the virtual address using the !PTE extension. Notice the values that it provides you with. Look above and compare the values displayed above to what is displayed below. You should now understand what the highlighted and bolded fields mean.
1: kd> !pte 0xf9a10054
VA f9a10054
PDE at 00000000C0603E68 PTE at 00000000C07CD080
contains 000000000102D963 contains 0000000002010121
pfn 102d -G-DA--KWEV pfn 2010 -G--A—KREV
The virtual addresses in italics represent the virtual address of the PDE (Page Directory Entry) and the PTE (Page Table Entry). Also, please note thatPFN represents Page Frame Number. PFN is the term used to describe what I referred to as “pointers to the base of the next table” in the hierarchy. This is because it really isn’t a pointer; it’s an index into the table.
Hopefully, the output of !PTE makes a lot of sense to you now. In part two of this blog, I’ll discuss what the PDE/PTE flags (-G-DA—KWEV) represent and provide an example of manual conversion of x86 PAE Large Page Virtual Addresses to Physical.
[转]Part1: Understanding !PTE , Part 1: Let’s get physical的更多相关文章
- [转]Part 3: Understanding !PTE - Non-PAE and X64
http://blogs.msdn.com/b/ntdebugging/archive/2010/06/22/part-3-understanding-pte-non-pae-and-x64.aspx ...
- [转]Part2: Understanding !PTE, Part2: Flags and Large Pages
http://blogs.msdn.com/b/ntdebugging/archive/2010/04/14/understanding-pte-part2-flags-and-large-pages ...
- 分布式系统(Distributed System)资料
这个资料关于分布式系统资料,作者写的太好了.拿过来以备用 网址:https://github.com/ty4z2008/Qix/blob/master/ds.md 希望转载的朋友,你可以不用联系我.但 ...
- Application binary interface and method of interfacing binary application program to digital computer
An application binary interface includes linkage structures for interfacing a binary application pro ...
- Linux内存管理机制简析
Linux内存管理机制简析 本文对Linux内存管理机制做一个简单的分析,试图让你快速理解Linux一些内存管理的概念并有效的利用一些管理方法. NUMA Linux 2.6开始支持NUMA( Non ...
- Linux平台 Oracle 10gR2(10.2.0.5)RAC安装 Part1:准备工作
Linux平台 Oracle 10gR2(10.2.0.5)RAC安装 Part1:准备工作 环境:OEL 5.7 + Oracle 10.2.0.5 RAC 1.实施前准备工作 1.1 服务器安装操 ...
- Linux平台 Oracle 11gR2 RAC安装Part1:准备工作
一.实施前期准备工作 1.1 服务器安装操作系统 1.2 Oracle安装介质 1.3 共享存储规划 1.4 网络规范分配 二.安装前期准备工作 2.1 各节点系统时间校对 2.2 各节点关闭防火墙和 ...
- GOOD MEETINGS CREATE SHARED UNDERSTANDING, NOT BRDS!
Deliverables and artifacts were a focal point of BA work during the early part of my career. If I ...
- Understanding delete
简述 我们都知道无法通过delete关键字针对变量和函数进行操作,而对于显示的对象属性声明却可以进行,这个原因需要深究到js的实现层上去,让我们跟随 Understanding delete 来探究一 ...
随机推荐
- BitTorrent DHT 协议中文翻译
前言 做了一个磁力链接和BT种子的搜索引擎 {Magnet & Torrent},因此把 DHT 协议重新看了一遍. BitTorrent 使用"分布式哈希表"(DHT)来 ...
- Python开发【前端】:HTML
HTML HTML是英文Hyper Text Mark-up Language(超文本标记语言)的缩写,他是一种制作万维网页面标准语言(标记).相当于定义统一的一套规则,大家都来遵守他,这样就可以让浏 ...
- java字典序排序
import java.util.Comparator; import java.util.ArrayList; import java.util.Collections; public class ...
- Python之路----------ConfigParser模块
Python的ConfigParser 废话不说,拿去用 #coding=utf-8 import configparser ''' 基於Python3.0版本寫的配置文件的創建.增加.刪除.修改等方 ...
- 把 MWeb Lite 的文档库文档和数据搬到 MWeb 正式版中
MWeb Lite 版的文档库中的文档要搬到 MWeb 正式版中,如果 Lite 版的文档中没有图片或者只有少量图片,可以用导入导出为 Markdown 的方法. 否则的话请用以下方式(注意下面这个方 ...
- working with fitnesse wiki pages
fitnesse提供一个简单易用的wiki创建一个web页面用于测试.测试页面有一个button,允许所有的测试在这个页面运行,因此任何人在任何时间都可以去这个页面点击这个按钮,查看测试是否通过.fi ...
- VS快速生成JSON数据格式对应的实体
有固定好的Json数据格式,你还在手动敲对应的实体吗?有点low了!步入正题,这是一个json字符串,先去验证JSON数据格式(http://www.bejson.com/)如下: { & ...
- mySql 注入攻击
注入攻击 1.原理: a.只要是带有参数的动态网页且此网页访问了数据库,那么就有可能存在SQL注入; b.字符串拼接和没有判断用户输入是否合法------>导致用户可以玩填字游戏-----> ...
- $.ajx的用法
$.ajax({type:'post',//可选geturl:'action.php',//这里是接收数据的PHP程序data:'data='dsa'',//传给PHP的数据,多个参数用&连接 ...
- 创建支持eclipse的多模块maven项目
通过maven可以创建多个关联模块的项目(Multiple Module Projects).由一个总的模块,下面包含多个子模块(子模块还可以包含子模块). 这种maven功能能支持大型的项目构建,往 ...