JIURL Plays with Win2k Memory: Page Frame Number Database
Author: JIURL
Home: http://jiurl.yeah.net
Date: 2003-7-30
Preface

When the system has to hand a physical page to an application to satisfy a request, it faces a problem: how does it know which physical pages are already in use and which are not? The Page Frame Number (PFN) Database and the structures around it exist to solve this problem.

Working Set: introduction

A process's working set is the set of its pages that are currently resident in physical memory. Accessing these pages does not trigger a page fault.

Page Frame Number Database (PFN Database): overview

Physical memory is managed in pages; on a 32-bit CPU each physical page is 4 KB. For every physical page the system keeps a 24-byte structure holding information about that page, such as whether the page is in use. For convenience we call this structure PfnDatabaseEntry (page frame number database entry). The page frame number database is an array of PfnDatabaseEntry, and each element of this array corresponds to one physical page: element 0 of the array describes physical page 0, i.e. the physical page with page frame number 0; element 1 describes physical page 1, i.e. the physical page with page frame number 1; and so on. The system stores the start address of the PFN database in the global variable MmPfnDatabase.

Now consider the relationship between a physical page's page frame number (PFN), its physical address and its entry in the page frame number database. Physical page i has page frame number i. It consists of the 4 KB of physical memory running from physical address i * 0x1000 to i * 0x1000 + 0xFFF. Its page frame number database entry is element i of the array, whose virtual address is the value of MmPfnDatabase plus i * 0x18.
For example, on my machine right now, physical page 3 has page frame number 3 and consists of the 4 KB of physical memory at physical addresses 0x3000-0x3FFF. MmPfnDatabase currently holds 0x81456000, so the first PfnDatabaseEntry is at 0x81456000 and the PfnDatabaseEntry for page 3 is at virtual address 0x81456000 + 3 * 0x18 = 0x81456048.

The layout of PfnDatabaseEntry is as follows:

    struct PfnDatabaseEntry (size 24 bytes, 0x18 bytes)
    /* 00 */ uint32 Flink
    /* 04 */ uint32 PteAddress
    /* 08 */ uint32 Blink / ShareCount
    /* 0C */ byte   Flags
    /* 0D */ byte   PageState
    /* 0E */ uint16 ReferenceCount
    /* 10 */ uint32 RestorePte
    /* 14 */ uint32 ContainingPage

/* 00 */ uint32 Flink: the page frame number of the next PfnDatabaseEntry along the chain (the chain is walked from FirstPage to LastPage along Flink); 0xFFFFFFFF if there is no next entry.

/* 08 */ uint32 Blink / ShareCount: for a physical page that is on a chain, the page frame number of the previous PfnDatabaseEntry on the chain, or 0xFFFFFFFF if there is none. For a physical page that is not on a chain, this field holds the share count.

/* 0C */ byte Flags: flag bits.

/* 0D */ byte PageState: the state of the physical page. This is where the system records whether a physical page is in use. A physical page can be in one of 8 states:
Active (Valid): the page is in the working set of some process, and a valid page table entry (PTE) of that process holds this page's PFN in its high 20 bits.

Transition: the system is reading the page's content in from a file, or writing the page's content out to a file.

Standby: the page was in the working set of some process and its content was not modified while the process used it. It has since been removed from that process's working set, but its content is still that process's. The high 20 bits of the corresponding PTE still hold this page's frame number; the PTE is merely marked Invalid and Transition. If the process touches the page again, the system only has to reset the PTE flags and make the PTE valid, and the page goes from the Standby state back to the Active (Valid) state.

Modified: the page was in the working set of some process and its content was modified while the process used it. It has since been removed from that process's working set, but its content is still that process's. The high 20 bits of the corresponding PTE still hold this page's frame number; the PTE is merely marked Invalid and Transition. If the process touches the page again, the system only has to reset the PTE flags and make the PTE valid, and the page goes from the Modified state back to the Active (Valid) state. Before such a page can be put to any other use, its content must be written to the corresponding page of the paging file on the hard disk.

Modified No-Write: the memory manager's modified page writer will not write this page to the hard disk; in every other respect it is like a Modified page. NTFS, for example, uses this state to guarantee that a page is not written to the hard disk before the corresponding log record.

Free: the page's content is no longer needed; for example, when a process exits, some of the physical pages it used become Free. (For security reasons these pages must be zeroed before they can be given to a user-mode process.)

Zeroed: the page is Free and has already been filled with zeros.

Bad: the page has a hardware fault and cannot be used.

The PfnDatabaseEntry structures of pages in the Zeroed, Free, Standby, Modified, Modified No-Write and Bad states are linked, through their Flink and Blink fields, into one chain of PfnDatabaseEntry per state. The system locates these six chains through the global variables MmZeroedPageListHead, MmFreePageListHead, MmStandbyPageListHead, MmModifiedPageListHead, MmModifiedNoWritePageListHead and MmBadPageListHead, so that when it needs a physical page it can take one off the appropriate chain. The PfnDatabaseEntry structures of Active (Valid) and Transition pages are not on any chain, but they can be found through each process's PTEs, since the high 20 bits of a PTE are a page frame number.
Page Frame Number Database (PFN Database): analysis

The six global variables MmZeroedPageListHead, MmFreePageListHead, MmStandbyPageListHead, MmModifiedPageListHead, MmModifiedNoWritePageListHead and MmBadPageListHead each hold a structure describing one list. For convenience we call this structure PageListHead; it is 16 bytes and laid out as follows:

    struct PageListHead (size 16 bytes, 0x10 bytes)
    /* 00 */ uint32 NumberOfPagesInList
    /* 04 */ uint32 TypeOfList
    /* 08 */ uint32 FirstPage
    /* 0C */ uint32 LastPage

/* 00 */ uint32 NumberOfPagesInList: the number of entries on the list.

/* 04 */ uint32 TypeOfList: the type of the list, one of the six types Zeroed, Free, Standby, Modified, ModifiedNoWrite and Bad.

/* 08 */ uint32 FirstPage: the page frame number of the first PfnDatabaseEntry on the list (the head of the Flink chain).

/* 0C */ uint32 LastPage: the page frame number of the last PfnDatabaseEntry on the list (the head of the Blink chain).

Each of the 8 page states corresponds to a numeric value, used both in PageState of PfnDatabaseEntry and in TypeOfList of PageListHead:

    Zeroed             0x00
    Free               0x01
    Standby            0x02
    Modified           0x03
    Modified no-write  0x04
    Bad                0x05
    Active (Valid)     0x06
    Transition         0x07

There is also an array, MmPageLocationList, with 6 items of 4 bytes each. Item 0 of the array holds the address of MmZeroedPageListHead (note that the value of the Zeroed type is 0); item 1 holds the address of MmFreePageListHead (note that the value of the Free type is 1); and so on. The reason for this array is that some functions use a physical page's type as an index into it to find the address of the PageListHead structure of the chain that page belongs on.

On Win2k Build 2195 the addresses of these global variables can be obtained in kd like this:

    kd> ? MmPfnDatabase
    Evaluate expression: -2142854772 = 8046a18c

The addresses of the six PageListHead structures obtained the same way are:

    MmZeroedPageListHead           0x80470a00
    MmFreePageListHead             0x80470a10
    MmStandbyPageListHead          0x80470a20
    MmModifiedPageListHead         0x80470a30
    MmModifiedNoWritePageListHead  0x80470a40
    MmBadPageListHead              0x80470a50

and the MmPageLocationList array is at 0x80470a60, so they sit contiguously in memory. Let's look at a concrete example; the following was obtained with SoftICE.
    :dd 80470A00 L 80
    0010:80470A00 0000090E 00000000 00007F0A 0000009E
    0010:80470A10 00000004 00000001 00002987 00006ACA
    0010:80470A20 0000242B 00000002 000042A6 00003ADB
    0010:80470A30 000001CB 00000003 (remaining two dwords garbled in this copy)
    0010:80470A40 00000000 00000004 FFFFFFFF FFFFFFFF
    0010:80470A50 00000000 00000005 FFFFFFFF FFFFFFFF
    0010:80470A60 80470A00 80470A10 80470A20 80470A30
    0010:80470A70 80470A40 80470A50 00000000 00000000

// The six PageListHead structures: the dword at offset 4 of each PageListHead is the state value of the list it describes.
// The MmPageLocationList array: 4-byte items, indexed by the physical page state value, each holding the address of the corresponding PageListHead.
// Let's traverse the Free page list. NumberOfPagesInList shows that there are 4 entries on this chain; we start the traversal from FirstPage.
// From the PageListHead we see FirstPage = 00002987.
// The start address of the PFN database is kept in the global variable MmPfnDatabase. On Win2k Build 2195 the variable MmPfnDatabase is at 8046A18C; on the current system its value is 81456000, i.e. the PFN database starts at 81456000.
// So the PfnDatabaseEntry for page 2987 is at virtual address 81456000 + 18 * 2987 (each entry is 0x18 bytes).

    :dd 81456000+18*2987 L 18
    0010:814944A8 00006B68 FFFFFFFF FFFFFFFF 01010101
    0010:814944B8 FFFFFFFF 0000064C 00002EB1 FFFFFFFF

// Its Blink is FFFFFFFF, so this is indeed the first entry (FirstPage). Its Flink is 6B68, so next we look at entry 6B68.

    :dd 81456000+18*6B68 L 18
    0010:814F71C0 00000169 FFFFFFFF 10002987 00000101
    0010:814F71D0 FFFFFFFF 1000064C 0000268D C038CA6C

// Entry 169:

    :dd 81456000+18*169 L 18
    0010:814581D8 00006ACA FFFFFFFF 00006B68 00000101
    0010:814581E8 (first two dwords garbled in this copy) 000042E6 E17BE324

// Entry 6ACA:

    :dd 81456000+18*6ACA L 18
    0010:814F62F0 FFFFFFFF FFFFFFFF 00000169 00000101
    0010:814F6300 FFFFFFFF 1000064C 00004EC4 E35E0BE0

// Its Flink is FFFFFFFF, so the Flink chain ends here and this entry is LastPage; the PageListHead structure indeed shows LastPage = 00006ACA.

Note that while traversing the Free page list we checked the PageState field of each entry (the byte at offset 0D): its value is 01 in every case, which is indeed the Free type.

The six PageListHead structures are immediately followed by the MmPageLocationList array, and that array has only six items, so only physical pages of these six state types are kept on linked lists; physical pages of the other two state types are not on any chain. Of these six PageListHead structures, after observing for a while, the two chains MmModifiedNoWritePageListHead and MmBadPageListHead are always empty.
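As an added example (not part of JIURL's article and not Windows code), the following C program decodes a little-endian image of the PFN database using the PfnDatabaseEntry and PageListHead layouts described above and walks one list along Flink, performing the checks the traversal above does by hand: every entry's PageState byte matches the list's TypeOfList, each Blink points back at the previous entry, the chain ends at LastPage, and the length equals NumberOfPagesInList. The database image is constructed from the four Free-list entries in the SoftICE dump; the 0x8000 upper bound on page frame numbers is assumed from the 128 MB machine the article describes; all type and function names are my own.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PFN_ENTRY_SIZE 0x18u        /* size of a Win2k PfnDatabaseEntry */
#define PFN_NONE       0xFFFFFFFFu  /* end-of-chain marker in Flink/Blink */
#define MAX_PFN        0x8000u      /* assumed: 128 MB of RAM -> PFNs 0..0x7FFF */

enum PageState { PS_ZEROED = 0, PS_FREE, PS_STANDBY, PS_MODIFIED,
                 PS_MODIFIED_NOWRITE, PS_BAD, PS_ACTIVE, PS_TRANSITION };

struct PfnEntry {                /* decoded view of one 24-byte PfnDatabaseEntry */
    uint32_t Flink;              /* 00: PFN of the next entry on the chain, or PFN_NONE */
    uint32_t PteAddress;         /* 04 */
    uint32_t BlinkShare;         /* 08: PFN of the previous entry, or share count if not chained */
    uint8_t  Flags;              /* 0c */
    uint8_t  PageState;          /* 0d: one of enum PageState */
    uint16_t ReferenceCount;     /* 0e */
    uint32_t RestorePte;         /* 10 */
    uint32_t ContainingPage;     /* 14 */
};

struct PageListHead {            /* the 16-byte MmXxxPageListHead structure */
    uint32_t NumberOfPagesInList, TypeOfList, FirstPage, LastPage;
};

static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static void wr32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Decode the entry for page frame 'pfn' from a raw little-endian image of the database,
   i.e. the 0x18 bytes that "dd MmPfnDatabase + 18*pfn" shows. */
static struct PfnEntry pfn_entry(const uint8_t *db, uint32_t pfn) {
    const uint8_t *p = db + (size_t)pfn * PFN_ENTRY_SIZE;
    struct PfnEntry e;
    e.Flink = rd32(p);             e.PteAddress = rd32(p + 4);
    e.BlinkShare = rd32(p + 8);    e.Flags = p[0xc];
    e.PageState = p[0xd];          e.ReferenceCount = (uint16_t)(p[0xe] | (p[0xf] << 8));
    e.RestorePte = rd32(p + 0x10); e.ContainingPage = rd32(p + 0x14);
    return e;
}

/* Walk one chain from FirstPage along Flink, checking the invariants the article verifies
   by hand. Returns the number of entries visited, or -1 on the first inconsistency. */
static int walk_list(const uint8_t *db, const struct PageListHead *h) {
    uint32_t prev = PFN_NONE, pfn = h->FirstPage;
    int n = 0;
    while (pfn != PFN_NONE) {
        if (pfn >= MAX_PFN || n >= (int)MAX_PFN) return -1;   /* out of range, or a cycle */
        struct PfnEntry e = pfn_entry(db, pfn);
        if (e.PageState != h->TypeOfList || e.BlinkShare != prev) return -1;
        prev = pfn; pfn = e.Flink; n++;
    }
    if (prev != h->LastPage || (uint32_t)n != h->NumberOfPagesInList) return -1;
    return n;
}

/* Constructed sample: a 0x8000-entry image holding the four Free-list entries from the
   SoftICE dump (all other entries are left zero; the walk never touches them). */
static uint8_t g_db[MAX_PFN * PFN_ENTRY_SIZE];
static const struct PageListHead g_free_head = { 4, PS_FREE, 0x2987, 0x6ACA };

static void put_entry(uint32_t pfn, uint32_t flink, uint32_t blink, uint8_t state) {
    uint8_t *p = g_db + (size_t)pfn * PFN_ENTRY_SIZE;
    wr32(p, flink); wr32(p + 4, PFN_NONE); wr32(p + 8, blink);
    p[0xc] = 1; p[0xd] = state; p[0xe] = 0; p[0xf] = 0;
    wr32(p + 0x10, PFN_NONE); wr32(p + 0x14, 0x64C);
}
static void build_sample(void) {
    memset(g_db, 0, sizeof g_db);
    put_entry(0x2987, 0x6B68,   PFN_NONE, PS_FREE);
    put_entry(0x6B68, 0x0169,   0x2987,   PS_FREE);
    put_entry(0x0169, 0x6ACA,   0x6B68,   PS_FREE);
    put_entry(0x6ACA, PFN_NONE, 0x0169,   PS_FREE);
}

int sample_free_list_length(void) { build_sample(); return walk_list(g_db, &g_free_head); }

/* Same chain, but one entry carries the Standby state byte: the walk must reject it. */
int sample_mismatched_state(void) {
    build_sample();
    g_db[(size_t)0x0169 * PFN_ENTRY_SIZE + 0xd] = PS_STANDBY;
    return walk_list(g_db, &g_free_head);
}

int main(void) {
    printf("free list length: %d\n", sample_free_list_length());   /* 4 */
    printf("tampered state:   %d\n", sample_mismatched_state());   /* -1 */
    return 0;
}
```

The walk refuses a chain whose entries disagree with the list head, which is the same evidence the article gathers by checking offset 0D of each dumped entry; on a live system the image would be read from the value of MmPfnDatabase rather than constructed.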
My memory has no defective cells, so MmBadPageListHead should be empty; and I never saw an entry on the Modified No-Write list (I have no NTFS partition on my hard disk). The four chains Zeroed, Free, Standby and Modified all carry entries. Note that these four chains change very frequently.

Be careful about this: a page that you read from the Free chain one second may well no longer be on the Free chain the next, because some thread of the system may have done something with the page and modified the page's PfnDatabaseEntry accordingly. This is not a problem while stopped in SoftICE. The changes, and the functions that cause them, can be observed with the SoftICE command BPMD. BPMD sets a breakpoint on the dword at the given address: any instruction that accesses (reads or writes) that dword makes SoftICE break. With the parameter W, only instructions that write the dword break. For example, use BPMD 80470A00 W to observe changes to the Zeroed page list, because 80470A00 is the entry count (NumberOfPagesInList) of the MmZeroedPageListHead structure, and whenever the chain changes this value must change accordingly. Use DEX 0 80470A00 to make data window 0 permanently show the memory at 80470A00, or open a new data window with DATA 1 and then use DEX 1 80470A00 to make data window 1 show the memory at 80470A00; this makes observation convenient. The other three chains can be observed in the same way, or several chains at once. You will see how frequently these chains change. You will also notice that the number of entries on the Free chain is always small: a few, a dozen or so, or zero. This is because once the number of entries on the Free chain reaches a certain amount, the zero page thread runs when the system is idle, zeroes the pages and moves them from the Free chain to the Zeroed chain. For more on physical page state transitions and the chains, see Mark Russinovich's article "Inside Memory Management", which can be found online.

Every physical page has a corresponding PfnDatabaseEntry in the page frame number database, so describing physical memory itself consumes a certain amount of physical memory.
A page is 4 KB and needs a 24-byte PfnDatabaseEntry; that is, 4 KB of physical memory requires 24 bytes of memory to record its state, and 24/4096 = 0.005859375, so a fraction 0.005859375 of all physical memory is used by the PFN database. For 128 MB of physical memory, 0.75 MB of memory is needed to hold the PFN database. 128 MB of physical memory is divided into (128 * 1024 * 1024) / (4 * 1024) = 32 * 1024 pages, so the number of pages needed by the PFN database is (32 * 1024) * 24 / 4096 = 192 pages. With 128 MB of physical memory the largest page frame number cannot exceed (128 * 1024 * 1024) / (4 * 1024) = 0x8000; therefore, in the contents of the PFN database, the Flink and Blink fields of PfnDatabaseEntry never exceed 0x8000 apart from the value 0xFFFFFFFF, and 0xFFFFFFFF appears very often in PfnDatabaseEntry. From this one can get a feel for whether a stretch of memory is PFN database content. Looking at the memory immediately after the PFN database, one can tell by eye where its contents end: the content of the 193rd page is clearly no longer PFN database content.
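The size arithmetic and the rule of thumb above, as an added example that is not from the article: pfn_database_pages() computes how many pages the database occupies for a given amount of RAM, and pfn_db_likeness() applies the author's observation mechanically, scoring a dword region by how many of its Flink and Blink positions hold either 0xFFFFFFFF or a valid page frame number. Both sample regions are constructed (one from the Free-list entries dumped earlier, one from kernel addresses and ASCII bytes); the heuristic assumes the region starts on an entry boundary, and the function names are mine.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define PAGE_BYTES     4096u
#define PFN_ENTRY_SIZE 24u
#define PFN_NONE       0xFFFFFFFFu

/* Number of physical pages in ram_bytes of RAM; page frame numbers run 0 .. page_count-1. */
uint32_t page_count(uint64_t ram_bytes) { return (uint32_t)(ram_bytes / PAGE_BYTES); }

/* Pages the PFN database itself occupies: one 24-byte entry per physical page, rounded up. */
uint32_t pfn_database_pages(uint64_t ram_bytes) {
    uint64_t bytes = (uint64_t)page_count(ram_bytes) * PFN_ENTRY_SIZE;
    return (uint32_t)((bytes + PAGE_BYTES - 1) / PAGE_BYTES);
}

/* The article's rule of thumb, applied mechanically: if a region really is PFN-database
   content (and 'dwords' starts on an entry boundary), every Flink and Blink field
   (dword 0 and dword 2 of each 6-dword entry) is either 0xFFFFFFFF or a page frame
   number below max_pfn. Returns the percentage of link fields that pass: 100 means
   "looks like the database", lower values mean "something else lives here". */
int pfn_db_likeness(const uint32_t *dwords, size_t ndwords, uint32_t max_pfn) {
    size_t entries = ndwords / (PFN_ENTRY_SIZE / 4), ok = 0, total = 0;
    for (size_t i = 0; i < entries; i++) {
        const uint32_t *e = dwords + i * (PFN_ENTRY_SIZE / 4);
        uint32_t links[2] = { e[0], e[2] };
        for (int k = 0; k < 2; k++, total++)
            if (links[k] == PFN_NONE || links[k] < max_pfn) ok++;
    }
    return total ? (int)(100 * ok / total) : 0;
}

/* Constructed sample 1: the first two Free-list entries from the dump (PFN 2987 and 6B68). */
static const uint32_t g_pfn_region[12] = {
    0x00006B68, 0xFFFFFFFF, 0xFFFFFFFF, 0x01010101, 0xFFFFFFFF, 0x0000064C,
    0x00000169, 0xFFFFFFFF, 0x00002987, 0x00000101, 0xFFFFFFFF, 0x0000064C,
};
/* Constructed sample 2: kernel addresses and ASCII text, the kind of data that sits next to
   the database in memory and must not be mistaken for it. */
static const uint32_t g_other_region[12] = {
    0x80470A00, 0x80470A10, 0x80470A20, 0x80470A30, 0x80470A40, 0x80470A50,
    0x00000000, 0x00000000, 0x81456000, 0x8046A18C, 0x41414141, 0x42424242,
};

int sample_pfn_likeness(void)   { return pfn_db_likeness(g_pfn_region,   12, page_count(128u << 20)); }
int sample_other_likeness(void) { return pfn_db_likeness(g_other_region, 12, page_count(128u << 20)); }

int main(void) {
    printf("128 MB -> %u pages, PFN database needs %u pages\n",
           page_count(128u << 20), pfn_database_pages(128u << 20));   /* 32768, 192 */
    printf("dump region: %d%%, other region: %d%%\n",
           sample_pfn_likeness(), sample_other_likeness());           /* 100, 25 */
    return 0;
}
```

The second region scores 25% only because one of its link positions happens to hold a zero dword, which shows why the heuristic is a guide for eyeballing a dump rather than a proof: a run of zeros would pass it too, so in practice one also checks that the state bytes at offset 0D stay within 0..7.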