JIURL play Win2k memory paging mechanism Part (d) of: JIURL Home: http://jiurl.yeah.net Date: 2003-7-30
Why is the size of the address space of 4G use 32bit's CPU, and the 32bit data is better. This determines that the address that will be used very frequently in the code is 32bit. The 32bit address can address the range from 0x00000000 to 0xFfffffffffff, that is, 4GB (for the address of the byte) size. The size of the address space is 4G. Why is the size of a page is 4K (just my personal opinion) determines the size of the virtual address space, and decides to use paging to perform memory management. Weighing the virtual address into the efficiency of the physical address and saves the price used by the paging information, determines the use of the page directory and page table 2. The most fair way to use 2 layers is the same as the number of items in the page directory and the number of items in the page table. Since it is necessary to save enough information, it is also a reason for the size of a PTE or a PDE due to the 32bit CPU. When these are determined, the size of a page is determined. A page size is x, the unit is byte. So this is (x / 4) PTE or PDE. A PTE can correspond to the address space of a page, that is, the size of X-bytes of address space, a PAGE TABLE page with PTE, so a Page Table page can correspond to (x / 4) * x The address space of the byte. A PDE can find a page table page, which is the size of (x / 4) * x byte, a Page Directory page is (x / 4) PDE, so a page directory page can correspond to (X / 4) (x / 4) * X byte of address space. Now you need to use a PDE page to correspond to the entire address space, the entire address space is 4G bytes, that is, 4 * 1024 * 1024 * 1024 bytes. So (x / 4) (x / 4) * x = 4 * 1024 * 1024 * 1024 can calculate x = 4 * 1024 bytes, which is 4K bytes. The performance of address translation once the paging is used (the paging flag bit of the CPU is set), all memory operations use virtual addresses, and the CPU will automatically convert into physical addresses, which can be imagined to have very large address conversions. One conversion may need to read the page directory table, read the page table, and finally read and write data in the page. So there is reason to put some page directory items and page table items into the cache to increase the speed of address transformation. This is also doing this, for the X86 CPU, if the paging is enabled, the CPU will use a cache called TLB (Translation Look-Aside Buffer to store the frequently used page directory and page entry. The address of the page directory is C0300000, 1 page directory plus 1024 page tables why only 1024 * 4K address space is required to map the entire 4G address space, it is a 1024 page table and 1 page directory, each It is 4KB size, that is, 1024 * 4KB 1 * 4KB = 4MB 4KB. In practice, Win2K maps each process's page directory and page table to the 4MB address space from 0xC0000000 to 0xc03FFFF (4K) at 0xC0300000. Note that the 4MB address space rather than 4MB 4KB. 1024 page tables and 1 page directory should be (1024 1) * 4KB address space. And now Win2K only uses 1024 * 4KB address space this is why? The reason is that the page table is mapped to the address space of the process.
If the page table and page directory are not mapped to the address space of the process, and the 4GB address space of a process mapped the physical memory, then 1024 physical pages are really required to store page tables, and another physical page. To store the page directory, that is, (1024 1) * 4KB physical memory. However, the page table is mapped to the address space of the process, which has caused the content of a page table and the content of the page directory. It is exactly the same, so that the 1024 page tables will be mapped to 1 page directory map. The address space only requires 1024 * 4KB address space, one of which is completely coincident with the page table and page directory. A page table 1024 items, each corresponding 4KB address space, a page table corresponding to 4MB address space. 1024 corresponds to the entire 4GB address space. 1024 page tables are also mapped to the 4MB address space from 0xC0000000 to 0xc03FFFF. This 4MB address space is also corresponding to a page table. Let's see a page table corresponding to the 4MB address space from 0xC0000000 to 0xc03FFFF. This page has 1024 items, each item corresponding to the address space, indicating whether it is in physical memory, if, the physical address is much. And this page table is the 4MB address space in the corresponding page table, so each page of each item is exactly the page where each page is located. That is to say, each item of this page indicates whether a page table has physical memory mapping. If any, how much is the physical address. This is the work done by the page directory. Map 1024 page tables to address space, resulting in one of the contents and pages of 1024 page tables completely coincident, which is both a page directory and a page table. So 1 page directory plus 1024 page tables only use 1024 * 4K address space. The page table is mapped to where the address space is determined by the designer of the operating system, and he will consider various problems and make the final decision. However, once the address space of the page table is determined, the address of the page directory will decide, unless he intends to use a page address space save and now exactly the same content in a page table. The page table is mapped to the 4MB address space from 0xc0000000 to 0xc03FFFF, and we calculate the address of the page table responsible for this 4M address space, the page table is the page table with the page table. The first address of the 4MB address space 0xC0000000 is obviously responsible for the first item of the page table, and we use this address to calculate. PTE_ADDRESS = (VirtualAddress >> 12) * 4 0xC0000000, (0xC0000000 >> 12) * 4 0xC0000000 = 0xc0000 * 4 0xC0000000 = 0x300000 0xC0000000 = 0xc0300000 is the virtual address of the page directory. 0xc0300000 to 0xC0300FFF This 4KB address space, as a normal page, indicated the physical address of the physical page in a PTE, as a page table is located, indicated by a PDE, the physical address of the physical page, as a page directory, indicated by CR3 The physical address of the physical page. 0xc0300000 to 0xc0300FFF This 4KB is a normal page which PTE corresponds, PTE_address = (VirtualAddress >> 12) * 4 0xc0000000, calculated 0xc0300C00. That is to say, 4 bytes at the 0xc0300C00 are used as PTE, indicating the physical address of the 0xC0300000 to 0xC0300FFF.
0xc0300000 to 0xc0300FFF This 4kb is located as a page table where is the PDE corresponds, PDE_Address = 22) * 4 0XC0300000, calculate 0xc0300C00. That is, the 4 bytes at the 0xc0300C00 are used as PDE, indicating the physical address of the physical page where 0xC0300000 to 0xC0300FFF is located. 0xc0300000 to 0xC0300FFF This 4KB is used as a page directory, and the physical address of the physical page is indicated by CR3. Therefore, the value of 4 bytes at 0xc0300C00, the logo bit is 0, it is equal to the value in CR3. The conversion process of this special address below, you will find the page directory and a page table is really coincident, and it is both a page directory and a page table. The virtual address C0300C00 is converted into a physical address, and the following output is from KD. KD> R CR3R CR3CR3 = 069CA000 // CPU The first step according to the physical address in CR3 Find the physical page where the page directory is located //-Take the maximum 10bit, 1100 0000 00 = 11 0000 0000 = 300, as a page directory entry index, due to // 4 bytes long so that each physical address of the page directory entry is 300 * 4 069ca000 = 069cac00kd>! dd 069cac00! dd 069cac00 # 69cac00 069ca063 01e2b063 00000000 01670163 # 69cac10 01671163 01672163 01673163 01674163 # 69cac20 01675163 01676163 01657163 01658163 # 69cac30 01659163 0165a163 0165b163 0165c163 # 69cac40 0165d163 0165e163 0165f163 016c0163 # 69cac50 01681163 01682163 01683163 01684163 # 69cac60 01685163 01686163 01687163 01688163 # 69cac70 01689163 0168a163 0168b163 0168c163 // result of the physical address of the page directory entry (page directory entry is high 20bit physical page frame No., low 12bit is the logo) is the physical address of the 069CA000 // note the page table. The physical address of the page is equal to the physical address of the page.
// CPU Second Step According to the physical address of the directory item, find the 10bit, 11 0000 0000 = 300 after the c0300000 of 10BIT, as the page table item index, 4 words for each item // section so the physical address of the page table entry 300 * 4 069ca000 = 069cac00kd>! dd 069cac00! dd 069cac00 # 69cac00 069ca063 01e2b063 00000000 01670163 # 69cac10 01671163 01672163 01673163 01674163 # 69cac20 01675163 01676163 01657163 01658163 # 69cac30 01659163 0165a163 0165b163 0165c163 # 69cac40 0165d163 0165e163 0165f163 016c0163 # 69cac50 01681163 01682163 01683163 01684163 # 69cac60 01685163 01686163 01687163 01688163 # 69cac70 01689163 0168a163 0168b163 0168c163 // results of the physical address of the page table entry (high 20bit page directory entry is the physical page frame number is low 12bit Sign) is the 069CA000 // CPU third step according to the physical address in the page table item, uses the C0300000 low 12bit as the page offset, // Added to get the physical address, 12bit, 1100 0000 0000 = C00, C00 069ca000 = 069cac00 // thus obtained 069cac00kd physical address corresponding to the virtual address C0300C00>! dd 069cac00! dd 069cac00 # 69cac00 069ca063 01e2b063 00000000 01670163 # 69cac10 01671163 01672163 01673163 01674163 # 69cac20 01675163 01676163 01657163 01658163 # 69cac30 01659163 0165a163 0165b163 0165c163 # 69cac40 0165d163 0165e163 0165f163 016c0163 # 69cac50 01681163 016 82163 01683163 01684163 # 69cac60 01685163 01686163 01687163 01688163 # 69cac70 01689163 0168a163 0168b163 0168c163 // DWORD value 069ca063 // there is to see in front of a physical memory value 069ca000 a process of CR3 page directory and page tables needed for the process itself Requires the physical page to place the page table and page directory, if there is a 1024 page table, don't you need 1024 * 4k = 4m physical memory? Is a process just need 4M physical memory? However, in fact, a valid flag (0th, lowest bit) in the page directory is 0, then the corresponding page table does not exist, it is not necessary to take up a physical page. In the example of the previous page directory we have seen how many invalid items in the user address space (all things in the system address space, basically everyone is the same). That is, how much physical memory is not used to save a page table for saving a process. This is why 2 levels of address transformation. If you only use the first level, just the page table, then each process 1024 page table must be placed in physical memory, that is, each process requires 4M physical memory to page the page, this cost is too big for the current .
With a 2-level address conversion, more steps, although the conversion speed will slow down, but save physical memory and seek balance between speed and memory. The WRITE flag of the Page Category item from the front page directory, you can see the flag bits1-1 Write of the page directory, always 1. Indicates that the physical page where the page table is located is always writable. This is because the page tables and page directories are maintained by the system, and the system needs to write something. Protection mode, FLAT MODEL, linear address, logical address, RING0, RING3 The following content is only for the X86 Win2k run under protection mode, whether it is running in protection mode, depending on the PE (Protection Enable) flag (CR0) Bit 0). To 0 represented the real-address mode (when the machine power is started and restarted, the X86 CPU is in real mode), indicating the protection mode. Observing the Bit0 of Win2K CR0, the value is 1, indicating that it is running in protection mode. For the X86 architecture, the segmentation mechanism is required (paging mechanism is optional, segmented, and paging can be used simultaneously, Win2k uses paging mechanisms). For example, the CPU execution code is always the reference code segment. In the protection mode, the segment register (CS, DS, SS, ES, FS, GS) is placed in a segment selector for finding a segment descriptor in a descriptor table. The segmentation mechanism in the protection mode has a variety of use models, and Win2k is used is a flat model (flat model). It is to set the segment base address to 0, and the segment is limited to 4G, so that each segment is the entire address space, which hides the segmentation mechanism. Global Description Table Global Description Table (GDT, Global Descriptor Table) is used to store descriptors and only one of the entire system. The location and size are pointed out by GDTR (global descriptor table register). Since the boundary portion in GDTR is 16 bits, the global descriptor table can be 64KB, each descriptor accounts for 8 bytes, so the global descriptor table can be placed in the global descriptor table. 8192 descriptors. The format of the segment selector (CS, DS, SS, ES, FS, GS is segment selector) is defined as follows (from the Intel Manual): Segment Selector, 2 bytes long, 16bit. Index: Bit3-Bit15 13 In the global descriptor table or the index in the local descriptor table, you can index 8192 descriptors Ti Flag: Bit2 1 Ti, Table Indicator, specify a descriptor table. To 0 in the Global Description Table (GDT), 1 Select RPL: Bit0-Bit1 2 Privilege Level Global Descriptor Table Register (GDTR, 48bit) format in the current local descriptor table (LDT) Define the following (from the Intel Manual): Table Limit: Bit0-bit15 16-bit specifies the number of bytes of descriptors. Base Address: Bit16-bit47 32-bit address of the descriptor table. It is a linear address.
Descriptor format is defined as follows: typedef struct _SEG_DESCRIPTOR // size 8 bytes {unsigned short limit_0_15; unsigned short base_0_15; unsigned char base_16_23; unsigned char accessed: 1; unsigned char r_w_e: 1; unsigned char e_c: 1; unsigned char code_data: 1; unsigned char app_system: 1; unsigned char dpl: 2; unsigned char present: 1; unsigned char limit_16_19: 4; unsigned char unused: 1; unsigned char always_0: 1; unsigned char seg_16_32: 1; unsigned char granularity: 1; Unsigned char base_24_31;} seg_descriptor, * pSEG_DEScriptor; Limit_0_15, Limit_16_19, Granularity Segment Binary, two parts, a total of 20 bits. If the Gran Guity bit is 0, the value of the segment boundary is in bytes. The length is up to 1MB. If the Granularity bit is 1, the value of the segment boundary is 4kb. The length is 4GB. Base_0_15, base_16_23, base_24_31 segment base, three parts, total 32bit. Accessed, readable, confore, code_dataaccessed indicates that it has been accessed. Code_data is 0 represents a code segment, indicating a data segment. For data segments, the R_W_E bit indicates whether it can be written, 0 read only, and can be written. The E_C bit represents the growth direction and grows down. For code segments, the R_W_E bit indicates whether it is readable, only 0 is executed, 1 readable. The E_C bit represents conforming or nonconforming. App_system0 = System, 1 = Code or Data. At 1, it indicates the code segment or data segment. At 0, it indicates that the system segment, the meaning of some bits of the system segment and the data segment or code segment. The following system segments: 16-Bit TSS (Available), LDT, 16-Bit TSS (Busy), 16-Bit Call Gate, Task Gate, 16-Bit Interrupt Gate, 16-Bit Trap Gate, 32-bit TSS (Available), 32-Bit TSS (Busy), 32-Bit Call Gate, 32-Bit Interrupt Gate, 32-bit trap gate. More details can be referred to the Intel manual. DPL specified privilege level. Does the Present section in the memory seg_16_32 segment is 16 bits or 32 bits.
Let's see the actual usage of the actual usage of Win2k (available using the VC debugger, you can also write the program yourself, you can also use SoftICE to break into a Ring3 program to get ...) CS = 001B DS = 0023 ES = 0023 SS = 0023 fs = 0038 GS = 0000 segment register of a RING0 program (available using KD, can also write the driver to be obtained, or by SoftICE to break into a Ring0 program ...) CS = 0008 ss = 0010 DS = 0023 ES = 0023 FS = 0030 GS = 0000GDTR content can be obtained by the instruction SGDT (SGDT is not privileged, and RING3 can also be performed). The following content is from Softice :: gdtsel. Type base = 80036000 limit = 03ff // gdtbase = 80036000 limit = 03FF, you can use the SGDT command to verify // 16bit's boundary value of 03FF, indicating that the GDT in Win2k is only 1K,
Can store 128 descriptors 0008 Code32 00000000 FFFFFFFF 0 P RE0010 Data32 00000000 FFFFFFFF 0 P RW001B Code32 00000000 FFFFFFFF 3 P RE0023 Data32 00000000 FFFFFFFF 3 P RW0028 TSS32 801F4000 000020AB 0 P B0030 Data32 FFDFF000 00001FFF 0 P RW003B Data32 00000000 00000FFF 3 P RW0043 Data16 00000400 0000FFFF 3 P RW0048 Reserved 00000000 00000000 0 NP0050 TSS32 80470040 00000068 0 P0058 TSS32 804700A8 00000068 0 P0060 Data16 00022AB0 0000FFFF 0 P RW0068 Data16 000B8000 00003FFF 0 P RW0070 Data16 FFFF7000 000003FF 0 P RW0078 Code16 80400000 0000FFFF 0 P RE0080 Data16 80400000 0000FFFF 0 P RW0088 Data16 00000000 00000000 0 P RW0090 Reserved 00000000 00000000 0 NP0098 Reserved 00000000 00000000 0 NP00A0 TSS32 8141A348 00000068 0 P00A8 Reserved 00000000 00000000 0 NP00B0 Reserved 00000000 00000000 0 NP00B8 Reserved 00000000 00000000 0 NP00C0 Reserved 00000000 00000000 0 NP00C8 Reserved 00000000 00000000 0 NP00D0 Reserved 00000000 00000000 0 NP00D8 reserved 00000000 00000000 0 NP00E0 CODE16 F0450000 0000FFFF 0 P RE ED00E8 Data16 00000000 0000FFFF 0 P RW00F0 Code16 8042DCE8 000003B7 0 P EO00F8 Data16 00000000 0000FFFF 0 P RW0100 Data32 F0460000 0000FFFF 0 P RW0108 Data32 F0460000 0000FFFF 0 P RW0110 Data32 F0460000 0000FFFF 0 P RW0118 Reserved 00008003 00006120 0 NP0120 Reserved 00008003 00006128 0 NP0128 Reserved 00008003 00006130 0 NP0130 Reserved 00008003 00006138 0 NP0138 Reserved 00008003 00006140 0 NP0140 Reserved 00008003 00006148 0 NP0148 Reserved 00008003 00006150 0 NP0150 Reserved 00008003 00006158 0 NP0158 Reserved 00008003 00006160 0 NP0160 Reserved 00008003 00006168 0 NP0168 Reserved 00008003 00006170 0 NP0170 Reserved 00008003 00006178 0 NP0178 Reserved 00008003 00006180 0 np0180 reserved 00008003 00006188 0 np0188 reserved 00008003
00006190 0 NP0190 Reserved 00008003 00006198 0 NP0198 Reserved 00008003 000061A0 0 NP01A0 Reserved 00008003 000061A8 0 NP01A8 Reserved 00008003 000061B0 0 NP01B0 Reserved 00008003 000061B8 0 NP01B8 Reserved 00008003 000061C0 0 NP01C0 Reserved 00008003 000061C8 0 NP01C8 Reserved 00008003 000061D0 0 NP01D0 Reserved 00008003 000061D8 0 NP01D8 Reserved 00008003 000061E0 0 NP01E0 Reserved 00008003 000061E8 0 NP01E8 Reserved 00008003 000061F0 0 NP01F0 Reserved 00008003 000061F8 0 NP01F8 Reserved 00008003 00006200 0 NP0200 Reserved 00008003 00006208 0 NP0208 Reserved 00008003 00006210 0 NP0210 Reserved 00008003 00006218 0 NP0218 Reserved 00008003 00006220 0 NP0220 Reserved 00008003 00006228 0 NP0228 Reserved 00008003 00006230 0 NP0230 Reserved 00008003 00006238 0 NP0238 Reserved 00008003 00006240 0 NP0240 Reserved 00008003 00006248 0 NP0248 Reserved 00008003 00006250 0 NP0250 Reserved 00008003 00006258 0 NP0258 Reserved 00008003 00006260 0 NP0260 Reserved 00008003 00006268 0 NP0268 Reserved 0 0008003 00006270 0 NP0270 Reserved 00008003 00006278 0 NP0278 Reserved 00008003 00006280 0 NP0280 Reserved 00008003 00006288 0 NP0288 Reserved 00008003 00006290 0 NP0290 Reserved 00008003 00006298 0 NP0298 Reserved 00008003 000062A0 0 NP02A0 Reserved 00008003 000062A8 0 NP02A8 Reserved 00008003 000062B0 0 NP02B0 Reserved 00008003 000062B8 0 NP02B8 Reserved 00008003 000062C0 0 NP02C0 Reserved 00008003 000062C8 0 NP02C8 Reserved 00008003 000062D0 0 NP02D0 Reserved 00008003 000062D8 0 NP02D8 Reserved 00008003 000062E0 0 NP02E0 Reserved 00008003 000062E8 0 NP02E8 Reserved 00008003 000062F0 0 NP02F0 Reserved 00008003 000062F8 0 NP02F8 Reserved 00008003 00006300 0 NP0300 Reserved 00008003 00006308 0 NP0308 Reserved 00008003 00006310 0 NP0310 RES
erved 00008003 00006318 0 NP0318 Reserved 00008003 00006320 0 NP0320 Reserved 00008003 00006328 0 NP0328 Reserved 00008003 00006330 0 NP0330 Reserved 00008003 00006338 0 NP0338 Reserved 00008003 00006340 0 NP0340 Reserved 00008003 00006348 0 NP0348 Reserved 00008003 00006350 0 NP0350 Reserved 00008003 00006358 0 NP0358 Reserved 00008003 00006360 0 NP0360 Reserved 00008003 00006368 0 NP0368 Reserved 00008003 00006370 0 NP0370 Reserved 00008003 00006378 0 NP0378 Reserved 00008003 00006380 0 NP0380 Reserved 00008003 00006388 0 NP0388 Reserved 00008003 00006390 0 NP0390 Reserved 00008003 00006398 0 NP0398 Reserved 00008003 000063A0 0 NP03A0 Reserved 00008003 000063A8 0 NP03A8 Reserved 00008003 000063B0 0 NP03B0 Reserved 00008003 000063B8 0 NP03B8 Reserved 00008003 000063C0 0 NP03C0 Reserved 00008003 000063C8 0 NP03C8 Reserved 00008003 000063D0 0 NP03D0 Reserved 00008003 000063D8 0 NP03D8 Reserved 00008003 000063E0 0 NP03E0 Reserved 00008003 000063E8 0 NP03E8 Reserved 00008003 000063F0 0 NP 03F0 reserved 00008003 00000063F8 0 np03f8 reserved 00000000 000,000 0 NP: DD 80036000 L 4000010: 80036000 0000000 0000000 0000ffffff9b00 ................ 0010: 80036010 0000FFFFFFFFF9300 0000FFFFFFFFFB00 ..... ......... 0010: 80036020 0000FFFFFFFF300 400020AB 80008B1F .......... @ .... 0010: 80036030 F0000001 FFC093DF 00000FFF 0040F300 .......... .... @. 0010: 80036040 0400ffff 0000f200 0000000000000000000010: 80036050 0040068 80008947 00A80068 80008947 h. @. G ... h ... g. ..0010: 80036060 2AB0FFFF 00009302 80003FFF 0000920B ... * ..... ... 0000003FF FF0092FF 0000FFFF 80009A40 ... P ........ @ ... 0010: 80036080 0000FFF 80009240 00000000 00009200 .... @ ......... 0010: 80036090 0000000000000000000000000000000000000000000000000000
000 .............. 0010: 800360A0 A3480068 81008941 00000000 00000000 HHA ........ 0010: 800360B0 0000000 000,000 00000000 000,00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 ........ ........ 0010: 800360C0 00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 ............ .... 0010: 800360E0 0000FFFFFFFFFFFFF 10009200 .... E ......... 0010: 800360F0 DCE803B7 80009842 0000fffff 00009200 .... b ........... 0010: 80036100 0000FFFFFFFFFFFFFF F0409346 .... f. @ ..... f. @. 0010: 80036110 0000fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff. 80036130 00000000 (a ... 0a ... 0010: 80036130 80036138 000000 80036140 000000 8A ... @ a ... 0010: 80036140 80036148 00000000 80036150 00000000 HA ... ... pa ... 0000336158 00000000 80036160 000000 x ... `a ... 0010: 80036160 80036168 00000000 80036170 00000000 Ha ... PA ... ... 0010: 80036170 80036178 00000000 80036180 00000000 xa ....... a ... 0010: 80036180 80036188 000000 80036190 00000000 .a .... ... a ... 0010: 80036190 80036198 000000 800361a0 00000000 .a ....... a ... 0010: 800361a0 800361a8 00000000 800361B0 00000000 .a ....... a ... 0010: 800361B0 800361B8 00000000 800361C0 00000000 .a ....... a ... 0010: 800361c0 800361C8 00000000 800361D0 00000000 .a ....... a .... ..0010: 800361D0 800361D8 00000000 800361E0 00000000 .a ....... a ... 0010: 800361E0 800361E8 00000000800361F0 00000000 .a ....... a ... 0010: 800361F0 800361F8 00000000 80036200 00000000 .a ....... b ... 0010: 800000000 80036210 0000008.b ....... b ... 0010: 80036210 80036218 00000000 80036220 00000000 .b ... b ... 0010: 80036220 80036228 00000000 80036230 00000000 (B ... 0B ... 0010: 80036230 80036238 000000 80036240 000000 8B .... .. & #
64; B ... 000036248 00000000 80036250 00000000 HB ... PB ... 0010: 80036250 80036258 000000 80036260 000000 XB ... `b .... ..0010: 80036260 80036268 00000000 HB ... PB ... 0010: 80036270 80036278 00000000 80036280 00000000 xb ....... b ... 0010: 80036280 80036288 000000 80036290 000000.B ....... b ... 000036298 00000000 800362A0 00000000.b ....... b ... 0010: 800362a0 800362a8 00000000 800362B0 000000.B ....... b ... 0010: 800362B0 800362B8 00000000 800362C0 00000000.B ....... b ... 0010: 800362c0 800362c8 00000000 800362D0 000000 .b .... ... b ... 0010: 800362d0 800362d8 00000000 800362E0 00000000.B ....... B ... 0010: 800362E0 800362E8 00000000 800362F0 00000000.b ....... b ... 0010: 800362F0 800362F8 00000000 80036300 00000000.b ....... c ... 0010: 80036300 80036308 0000000080036310 00000000 .c ....... c .... ..0010: 80036310 80036318 00000000 80036320 00000000.c ... c ... 0010: 80036320 80036328 000000 80036330 00000000 (C ... 0C ... 0010: 80036330 80036338 00000000 80036340 00000000 8C ... @ c ... 0010: 80036340 80036348 00000000 80036350 000000 HC ... pc ... 0010: 80036350 80036358 000000 80036360 00000000 XC ... `C ... 0010: 80036360 80036368 00000000 80036370 00000000 hc ... pc ... 0010: 80036370 80036378 000000 00036380 000000 XC ...... .c ... 0000000036388 00000000 80036390 00000000 .c ....... c ... 0010: 80036390 80036398 00000000 800363A0 00000000 .c ....... c .. .... 0010: 800363A0 800363A8 00000000 800363B0 00000000.C ....... c ... 0010: 800363B0 800363B8 00000000 800363C0 00000000 .c ....... c ... 0010: 800363C0 800363C8 00000000 800363D0 00000000.c ....... c ... 0010: 800363D0 800363D8 00000000800363E0 00000000.c ....... c ... 0010: 800363e
0 800363E8 00000000 800363F0 00000000.c ....... c ... 0010: 800363F0 800363F8 0000000000000000 00000000.c ............ Let's analyze: RING3, CS = 001B DS = 0023 ES = 0023 SS = 0023 fs = 0038 GS = 0000, DS, ES, SS, point to the same segment. 001B = 0000000000011 0 110023 = 00000000000000100 0 11 So according to the definition of the previous segment selector, the CS, DS, ES, and SS are all selected in the global descriptor table. The privileged level of the selector is 3 (Ring3). For CS, the index is 3, since each descriptor is 8 bytes, the descriptor is 0x3 * 0x8 = 0x18 at the beginning of the GDT. For the DS, ES, SS, the index is 4, the descriptor is 0x4 * 0x8 = 0x20 at the beginning of the GDT. According to the definition of the previous paragraph descriptor, 8 bytes started at 80036018, and 8 bytes started with 80036020. 0010: 80036010 0000FFFFF 00cf9300 0000fff 00cffb00 .................. 0010: 80036020 0000fff 00cff300 400020AB 80008B1F .......... @ .... You can draw SEL. TYPE BASE LIMIT DPL Attributes001B Code32 00000000 ffffffffFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFfFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFffffFFFFFFFFFFFFFFFFFFE DPL is 3 (Ring3). The segment descriptor in the global descriptor table corresponding to the DS, ES, and SS is a data segment, the segment base address is 0, the segment limit is 4G, DPL is 3 (Ring3). For ring0, cs = 0008 ss = 0010 ds = 0023 es = 0023 fs = 0030 gs = 0000,0008 = 0000000000001 0 000010 = 0000000000010 0 000023 = 0000000000100 0 11Sel. Type Base Limit DPL Attributes0008 Code32 00000000 FFFFFFFF 0 P RE0010 Data32 00000000 FFFFFFFF 0 P RW0023 DATA32 00000000 FffffffFfff 3 P RW can be seen, the DPL of the code segment and the stack segment is 0 (Ring0). The segment base address of the three descriptors is 0, and the segment boundary is 4G. CS, DS, ES, SS, these paragraphs are fully overlapping, and they are current 4G address space. Another method of use with the segment (different segments in different address spaces), the current use method, the entire address space is continuous, flat, so it is called flat mode. Regarding segment registers (CS, DS, SS, ES, FS, GS), and the CPU is not possible to take a segment descriptor from memory each time the CPU is taken out from the memory and then do the corresponding processing, and each segment register has a look. The portion where the portion is not stored in the corresponding segment descriptor. The first item in the global description table is not used, set to "NULL DESCRIPTOR". 0010: 80036000 00000000 00000000 Used to initialize the parameters that have not been used,
If you accidentally use a segment register that is not used, the system has adversely affects the system. In Win2K, the segment register GS is not used, and the value is set to 0. CS, DS, ES, SS were analyzed earlier. For GS, we can see that its value is always 0, and Win2k has not used it. For FS, for Win2K using flat mode, it is an exception, and it will be more introduced elsewhere. In NTDDK.H, some of the above analysis is also illustrated. #define KGDT_NULL 0 # define KGDT_R0_CODE 8 # define KGDT_R0_DATA 16 # define KGDT_R3_CODE 24 # define KGDT_R3_DATA 32 # define KGDT_TSS 40 # define KGDT_R0_PCR 48 # define KGDT_R3_TEB 56 # define KGDT_VDM_TILE 64 # define KGDT_LDT 72 # define KGDT_DF_TSS 80 # define KGDT_NMI_TSS 88 linear address (LINEAR Address), seeing 32 bit addressable 4G address spaces to continuous linear address space, the address of the address space is called linear addresses. Logical Address, the logical address consists of a segment selector (16-bit) and one segment (32 bits). It is often called a remote pointer. The x86 CPU always uses the segmentation mechanism (even if the flat model of the minimum segmentation mechanism), the address in the X86 CPU instruction is always a logical address, which is the address relative to a certain segment. In the protection mode, the X86 CPU first converts the logical address into a linear address, and then converts the linear address into a physical address. For Win2k, since the flat model is used, the virtual address xxxxxxx and linear address xxxxxxx refer to the same place. In the flat model, CS, DS, SS segment base address is 0, the segment boundary is 4G, which is the entire address space, so the value of the offset in the segment in the logical address is equal to the logical address. Convert to linearity. The value after the address is added. The x86 CPU in the protection mode has 4 privileges, from 0 to 3. Is called RING0, RING1, RING2, RING3. Ring0 permissions maximum, RING3 permissions are minimal. For Win2K, only Ring0, Ring3 two privilege levels are used. The user application runs in Ring3, and the system kernel runs in Ring0. The address space of the process in Win2K is divided into user address space and system address space. The program in user mode will not access the system address space, which is achieved by the protection mechanism. The bit2, the Owner flag of page items and page items indicates that the privilege level required to access, indicating that the access requires RING0 is required to access the privilege level of RING3. When memory access occurs, the CPU converts the virtual address into a physical address. During the conversion process, simultaneously obtain the physical address from the page directory entry and page entry, check the Owner flag and the current privilege level in the page directory entry and page entry, and if there is not enough privilege level, one will result Page-fault is abnormal. Note that the detection and address of the permission is that the hardware is made by hardware and does not lose extra performance for this. Current privilege level (CPL, Current Privilege Level), the privilege level of the program, indicated by the minimum 2 in the CS and SS segment registers. The x86 CPU in the protection mode provides a lot of protection mechanisms, which is why the protection mode is called, and more can be referred to the Intel manual. In the future, in a sense, I think the future is predictable. Just like the weather forecast, you will know what will happen tomorrow or the day after tomorrow. of course,
