JIURL play Win2k memory paging articles (C) Author: JIURL Home: http://jiurl.yeah.net Date: 2003-7-30
8 conversions Since the page table is mapped to the 4MB address space starting with 0xC0000000. So we can also complete the virtual address to the transformation of the virtual address as the CPU. The system is mapped in the 4MB address space of the 0xC0000000 in the 4MB address space starting at the 0xC0000000 in the 4MB address space starting at the 0xC0000000 in the 4MB address space starting at the 0xC0300000 in accordance with the corresponding virtual space. So we can do mutual conversion of the following addresses. 1 Virtual Address -> Virtual Address PDE Address PDE_Address = (VirtualAddress >> 22) * 4 0XC0300000 2 Virtual Address -> Virtual Address PTE Address PTE Address PTE Address PTE Address PTE Address PTE_Address = (VirtualAddress >> 12) * 4 0xC0000000 3 Virtual Address - > Physical address If the virtual address is greater than or equal to 0x80000000 and less than 0xA0000000 (in the Large Page section), the physical address is obtained directly with the virtual address. Other conditions obtain PDE of the virtual address, and determine if it is valid. If it is effective, the PTE of the virtual address is obtained, and it is determined whether it is valid. If it is effective, the low 12 digits of the PTE is added to 12 digits of the virtual address is obtained. Due to the page table and page directory in the system address space, access requires the program to run in Ring0, so you want to write the driver. unsigned int PDE; unsigned int PTE; if (VirtualAddress> = 0x80000000 && VirtualAddress <0xa0000000) {PhysicalAddress = VirtualAddress-0x80000000;} else {PDE = * (unsigned int *) ((VirtualAddress >> 22) * 4 0xC0300000); if (PDE & 0x00000001) {PTE = * (unsigned int *) ((VirtualAddress >> 12) * 4 0xC0000000); if (PTE & 0x00000001) {PhysicalAddress = ((PTE & 0xFFFFF000) (VirtualAddress & 0x00000FFF));}}} 4 a of PDE address -> virtual address range corresponding VirtualAddressStart = ((PDE_Address-0xC0300000) / 4) << 22VirtualAddressEnd = VirtualAddressStart 0x003FFFFF5 a PTE address -> virtual address range corresponding VirtualAddressStart = ((PTE_Address-0xC0000000) / 4) << 12VirtualAddressend = VirtualAddressStart 0x00000FFF6 Physical Address -> Virtual Address A physical address often corresponds to multiple virtual addresses. The conversion method is to traverse all page tables and page directories. If it is effective to compare the high 20bit of the item equal to the high 20bit of our physical address, if it is equal, it will find one. For example, the item is the i-th PDE, then the virtual address is equal to the low 12 bit of the i * 4m j * 4k physical address. Traverse all pages and page directory find each one.
7 A PTE address -> Address of the PDE A PTE address can find the corresponding virtual address range, you can find the PDE address PDE address PDE_address = (VirtualAddress >> 22) * 4 0xc0300000 PDE_ADDRESS = ((((((((((((((((( PTE_ADDRESS-0XC0000000) / 4) << 12) >> 22) * 4 0xc0300000 8 A PDE address -> The address range of the corresponding PTE A PDE can find the start address of the corresponding virtual address range, you can find it A PTE address corresponding to the virtual address, a PDE corresponds to 1024 PTE, 4K size. PTE_AddressStart = (VirtualAddress >> 12) * 4 0xC0000000PTE_AddressStart = ((((PDE_Address-0xC0300000) / 4) << 22) >> 12) * 4 0xC0000000 PTE_AddressEnd = PTE_AddressStart 0x00000FFF Invalid Page Fault virtual address of the page and access When the page is in physical memory, the virtual address is on page corresponding PDE, PTE is valid, the CPU automatically converts the virtual address into a physical address according to the corresponding PDE, PTE to complete the access. When a virtual address is not in physical memory, for example, in a swap file on the hard disk, the virtual address is in the page corresponding to the PDE, PTE is invalid, and the VOC will cause the virtual address to cause the Page-Fault anomalous (Exception). This allows the CPU to perform an exception handler, and the exception handler will process it. For the page where the page where the visited virtual address is located on the switch file on the hard disk, read the page from the exchange file to physical memory, re-enable the PTE, and points to the correct physical page. Finally, the CPU re-executed instructions caused by anomalies. At this time, the virtual address accessed accessed is already in physical memory, and the PTE of the virtual address is also valid, so that it can be performed smoothly. Let's do more detailed descriptions for the X86 CPU. When an instruction is accessed, the CPU will automatically convert the virtual address invaladdress into a physical address, during the address translation process, CPU during address translation, CPU When the form is a physical page address, the page protection check is performed, for example, if it is valid, whether it is only readable. An exception is triggered when the page table item of the address in the CPU discovery instruction is invalid. Exception is also achieved by the CPU. What caused here is a Page Fault anomaly, its interrupt number is 0xe (decimal 14), you need to pay attention to the interrupt number of Page Fault is 0xe is defined by the CPU (x86 CPU from 0 - 31 this 32 interrupts are The CPU will work according to this definition by the CPU). When an exception occurs, the CPU automatically presses some registers into the stack, and then finds the corresponding interrupt descriptor in the interrupt descriptor according to the interrupt descriptor, according to the interrupt descriptor table, according to the interrupt descriptor, according to the interrupt descriptor table according to the interrupt descriptor. Go to an exception handler. The interrupt descriptor is set by Win2K, and the exception handler is also determined by Win2k. For Win2K Build 2195, the interrupt 0xe's handler is NTOSKRNL! Kitrap0E address at 804648A4.
When transferred to Kitrap0E, the CPU has embraced the following content in the stack | ------------- | | EFLAGS || ------------- | | CS || ------------- || Eip || ------------- || Error Code || --------- ---- | <---- [ESP] Page-fault unusual (#PF) Error Code definition is as follows (CPU definition) | 3 | 2 | 1 | 0 | ---------- ----------------------------------------- | RESERVED | RSVD | U / S | R / W | P | ------------------------------------------ --------- P 0 Error By invalid page 1 error 1 error By violating page protection caused W / R 0 caused error memory access is reading 1 caused error memory is written when writing U / S 0 access error The processor is in the management mode 1 Access error When the processor is in the user mode, it is necessary to explain that the embedded EIP in the stack is an instruction address that causes an exception, and will re-execute the instruction according to this address in the future. The register CR2 is an address that is accessed when an exception is thrown. #PF exception handler Kitrap0e (provided by Win2K) will call ntoskrnl! Mmaccessfault, mmaccessfault calculated the corresponding PDE, PTE address, by analyzing the content in the PTE, by analyzing the content in the PTE, by analyzing the contents of the PTE through the CR2. Abnormal, and processed according to the situation. When an exception occurs, the CPU presses some registers into the stack to transfer to the corresponding exception handler (provided by Win2K), Win2K will press some registers in the exception handler, and finally form a KTRAME in the stack. structure. This ktrap_frame is one of the parameters of ntoskrnl! MmaccessFault.
! Strct KTRAP_FRAMEstruct _KTRAP_FRAME (sizeof = 140) 00 uint32 DbgEbp 04 uint32 DbgEip 08 uint32 DbgArgMark 0c uint32 DbgArgPointer 10 uint32 TempSegCs 14 uint32 TempEsp 18 uint32 Dr0 1c uint32 Dr1 20 uint32 Dr2 24 uint32 Dr3 28 uint32 Dr6 2c uint32 Dr7 30 uint32 SegGs 34 uint32 SegEs 38 uint32 SegDs 3c uint32 Edx 40 uint32 Ecx 44 uint32 Eax 48 uint32 PreviousPreviousMode 4c struct _EXCEPTION_REGISTRATION_RECORD * ExceptionList 50 uint32 SegFs 54 uint32 Edi 58 uint32 Esi 5c uint32 Ebx 60 uint32 Ebp 64 uint32 ErrCode 68 uint32 Eip 6c uint32 SegCs 70 uint32 EFlags 74 uint32 HardwareEsp 78 uint32 HardwareSegSs 7c uint32 V86Es 80 uint32 V86Ds 84 uint32 V86Fs 88 uint32 The V86GS system, the CPU and the page directory, the page entry is related to the PDE of the process, and the PTE (page entry) is maintained by the system. Address conversion is automatically completed by the CPU. Access the invalid address CPU will generate an exception and perform an exception handler. The exception handler is the system. For effective PDE, PTE, most of their formats are defined by the CPU, and the CPU will follow this format, according to the value of each bit, determine the corresponding processing mode. The CPU uses the part of the physical page physical address of the physical page in this format to perform address translation, some of your own flags to implement page protection. The system must be defined in this format to maintain PDE and PTE. Valid page table entry of the x86 CPU, CPU is defined as follows struct _HARDWARE_PTE_X86 (sizeof = 4) bits0-0 Validbits1-1 Writebits2-2 Ownerbits3-3 WriteThroughbits4-4 CacheDisablebits5-5 Accessedbits6-6 Dirtybits7-7 LargePagebits8-8 Globalbits9-11 reservedbits12- 31 PageFramenumber Which is the 3 digits of Bits9-11 Reserved, the CPU is not defined, and leaves the operating system. For invalid PDE, PTE, most of their format is defined by the system. When the CPU discovers the PDE, PTE is invalid, turn the exception handler. The exception handler is provided by the system. The system will decide the corresponding processing mode according to the value defined by each bit, according to the value of each bit.
