Chapter 4 Exploring the Memory Management Mechanism of WINDOWS 2000
Translation: kendiv (fcczj@263.net)
Update:
Tuesday, February 22, 2005
Disclaimer: Please indicate the source and guarantee the integrity of the article, and all rights to the translation.
Segmentation and descriptor of Windows 2000
Another great option for W2K_MEM.EXE is E, which will display and describe the segment register and description table of the processor. Typical outputs are given. The contents of the CS, DS and ES segment registers are very clear prove that Windows 2000 provides a flat 4GB address space for each process: starting at 0x00000000, terminating at 0xfffffffff. The rightmost marker in column 4-13 is used to represent the type of segment, and the type of the segment is given by the TYPE member of its descriptor. The TYPE attribute of the code and data segment can be symbolized to "CRA" and "EWA" separately. The omitted number "-" means that the corresponding attribute is not set. One task status section (TSS) can only have "A" (available) and "B" (busy) two properties. Table 4-5 gives all available properties. TRT 4-13 shows the inconsistency of the CS segment of Windows 2000, the CS segment allows execution and reading, while the properties of the DS, ES, FS, and SS segments are scalable and read / write access. Another unambiguated but very important detail is the DPL of the CS, FS, and SS segments in user mode and kernel mode. DPL is a descriptor privilege level. For code segments (CS), the code in this segment can only be called only when the caller is located in its DPL specified privilege level (refer to Intel 1999C, PP. 4-8F). In user mode, the DPL of the CS segment is 3; in the kernel mode, its DPL is 0. For data segments (DS), the DPL is the lowest privilege level, in user mode, all privileged levels can access it, and in kernel mode, only privileged 0 access is allowed.
Diagram 4-13. Display CPU information
The content of the IDT and GDT registers displays the range of GDTs: 0x8003F000 --- 0x8003F3FF, followed by IDT, its address range is: 0x8003F400 --- 0x8003FBFF. Since each descriptor occupies 64 bits, the GDT and IDT include 128 and 256 items, respectively. Note that GDT can accommodate 8,192 items, but Windows 2000 uses only a small portion of them.
Table 4-5 TYPE attributes for code and data segments
segment
Attributes
Describe
Code C makes the consistency (low privilege code may enter) Code R allows read access (and performs access to access) The Code A can access the Data E Down Down Expansion (typical attributes of the stack segment) Data W allows write access ( And only access to the visits) DATA A segment can access the TSS32 A task status segment available TSS32 B task status paragraph busy
W2K_MEM.EXE also provides two very distinctive options - G and I, which can display more details of GDT and IDT. The 4-14 demonstrates the output of the G option. It is very similar to the "Kernel-Model Segment:" section in 4-13, but lists all available segments in kernel mode, not just those stored in segment registers. . W2K_MEM.EXE obtains all segment selectors by traversing the entire GDT, can indicate the SPY device query segment information via the IOCTL function spy_io_segment. Only valid selection is displayed. The GDT selection in the comparison 4-13 and 4-14 will be very interesting, and the Choice of GDT is defined in NTDDK.H, summarizes Table 4-6. Obviously, they are consistent with the output of W2k_Mem.exe. Diagram 4-14. Display GDT descriptor
Table 4-6. Defined GDT Select Subs in NTDDK.H (Selector)
Symbol
value
Comment
KGDT_NULL 0x0000 Empty Segment Selection Son (Invalid) KGDT_R0_CODE 0x0008 CAS Register KGDT_R0_DATA 0x0010 Core SS Register KGDT_R3_CODE 0X0018 User Mode CS Register KGDT_R3_DATA 0x0020 User Mode DS, ES and SS Register, Kernel Mode DS and ES Registers KGDT_TSS 0x0028 Located in the user and kernel task status section KGDT_R0_PCR 0x0030 kernel mode FS register (processor control area) KGDT_R3_TEB 0x0038 user mode FS register (thread environment block) KGDT_VDM_TILE 0x0040 base address 0x00000FFF (DOS virtual machine) KGDT_LDT 0x0048 Local descriptor table kgdt_df_tss 0x0050 ntoskrnl.exe variable Kidoublefaulttss KGDT_nmi_tss 0x0058 ntoskrnl.exe variable kinmitss
The selection (Selector) in Lay 4-14 is not listed in Table 4-6, where some of the selection can confirm them by looking for familiar base sites or their memory content. Use the kernel debugger to find symbols corresponding to the base address of some of the selectors. Table 4-7 shows the choices I have confirmed.
W2K_MEM.EXE's i option can be dump the gate descriptor in the IDT. The segment 4-15 gives the part of the door descriptor of the IDT, and Intel defines the top 20 gate descriptors in the IDT (Intel 1999C, PP. 5-6). Interrupts 0x14 to 0x1f in IDT are reserved by Intel; the remaining 0x20 to 0xFF is used by the operating system.
In Table 4-8, I gave all confirmed special interrupts, traps and task doors. Most user-defined interruptions point to dummy routines - kiunexpectedInterruptnnnnn (), in front of us explains it. For some addresses of some interrupt processing routines, the kernel modulator cannot parse the symbols corresponding to their address.
Table 4-7. More GDT Selection Subside (Selector)
value
Base site
Describe
0x0078 0x80400000 Ntoskrnl.exe code segment of the data segments 0x0080 0x80400000 Ntoskrnl.exe 0x00A0 0x814985A8 TSS (EIP member points HalpMcaExceptionHandlerWrapper) 0x00E0 0xF0430000 ROM BIOS code segments 0x00F0 0x8042DCE8 Ntoskrnl.exe function KiI386CallAbios 0x0100 0xF0440000 ROM BIOS data segments 0x0108 0xF0440000 ROM BIOS data segments 0x0110 0xF0440000 ROM BIOS Data Section List Column 4-15. Display IDT Door Descriptor
Table 4-8. Windows 2000 interrupt, trap and task door
Int
Intel's definition descriptor
owner
Processing routine / TSS
0x00 divisible error (DE) ntoskrnl.exe KiTrap00 0x01 debugger (DB) ntoskrnl.exe KiTrap01 0x02 NMI interrupt ntoskrnl.exe KiNMITSS 0x03 breakpoint (BP) ntoskrnl.exe KiTrap03 0x04 overflow (OF) ntoskrnl.exe KiTrap04 0x05 bounds (BR) Ntoskrnl.exe Kitrap05 0x06 Undefined Operation Code (UD) NTOSKRNL.EXE Kitrap06 0x07 No Mathematical Coordination (NM) Ntoskrnl.exe Kitrap07 0x08 Double Fault (DF) NTOSKRNL.EXE KIDOUBLE 0X09 Coprocessor Segment overflow NTOSKRNL.EXE Kitrap09 0x0a invalid TSS (TS) NTOSKRNL.EXE Kitrap0a 0x0b segment does not exist (NP) NTOSKRNL.EXE Kitrap0B 0x0C Stack Segment Fault (SS) NTOSKRNL.EXE Kitrap0C 0x0D General Protection (GP) NTOSKRNL.EXE Kitrap0D 0x0E Page Failure (PF) Ntoskrnl .exe kitrap0e 0x0f intel preserved Ntoskrnl.exe Kitrap0f 0x10 Math Fault (MF) NTOSKRNL.EXE Kitrap10 0x11 Alignment Check (AC) NTOSKRNL.EXE KITRAP11 0X12 MACHINE CHECK (MC)? 0x13 stream SIMD extension Ntoskrnl.exe Kitrap0f
0x14-0x1F Intel retains ntoskrnl.exe KiTrap0F 0x2A custom ntoskrnl.exe KiGetTickCount 0x2B custom ntoskrnl.exe KiCallbackReturn 0x2C custom ntoskrnl.exe KiSetLowWaitHighThread 0x2D custom ntoskrnl.exe KiDebugSerice 0x2E custom ntoskrnl.exe KiSystemService 0x2F User Custom NTOSKRNL.EXE Kitrap0f 0x30 User Custom Hal.dll HalpClockInterRupt 0x38 User Custom Hal.dll HalpprofileInterRupt
WINDOWS 2000 memory area
The last one of W2K_MEM.EXE's lasting is: B option. This option produces a list of adjacent memory regions in the 4GB address space, which is very large. W2K_MEM.EXE uses the IOCTL function spy_io_page_entry of the SPY device to generate this list throughout the PTE array (at address 0xc0000000). In each SPY_PAGE_ENTRY structure as a result, the address of the next PTE can be obtained by adding their DSize members with its corresponding PTE linear address. Listing 4-30 shows the implementation of this option. DWORD WINAPI DISPLAYMORYBLOCKS (Handle HDevice)
{
SPY_PAGE_ENTRY SPE;
PBYTE PBPAGE, PBBASE
DWORD DBLOCK, DPRESENT, DTOTAL
DWORD N = 0;
PBPAGE = 0;
PBBASE = INVALID_ADDRESS;
DBLOCK = 0;
DPRESENT = 0;
DTotal = 0;
N = _printf (l "/ r / ncontiguous memory blocks:"
L "/ r / n --------------------- / r / n / r / n");
Do {
IF (! ioControl (hdevice, spy_io_page_entry,
& pbpage, PVOID_,
& Spe, SPY_PAGE_ENTRY_))))
{
n = _printf (l "!!! Device I / O Error !!! / r / n");
Break;
}
IF (Spe.FPresent)
{
Dpresent = Spe.dsize;
}
IF (Spe.PE.DVALUE)
{
DTOTAL = Spe.dsize;
IF (PBBase == Invalid_Address)
{
N = _Printf (L "% 5lu: 0x% 08lx ->",
dblock, pbpage);
PBBASE = PBPAGE;
}
}
Else
{
IF (PBBase! = INVALID_ADDRESS)
{
N = _Printf (L "0x% 08LX (0x% 08LX bytes) / r / n",
PBPAGE-1, PBPAGE-PBBASE
PBBASE = INVALID_ADDRESS;
}
}
}
While (PBPAGE = SPE.DSIZE);
IF (PBBase! = INVALID_ADDRESS)
{
N = _Printf (l "0x% 08LX / R / N", PBPage-1);
}
n = _printf (l "/ r / n"
L "present bytes: 0x% 08LX / R / N"
L "Total Bytes: 0x% 08LX / R / N",
DPRESENT, DTOTAL);
Return n;
}
Listing 4-30. Find neighboring linear memory blocks
The list 4-16 excerpts the output list of B options on my machine, you can see that the few areas are very interesting. Some very obvious addresses are: 0x00400000, this is the start address of the W2k_Mem.exe memory image (No. 13 block), and one is 0x10000000, here is the base address of W2k_lib.dll (No. 23 block). The TEB and PEB pages are also readily recognized (block 104), Hal.dll (No. 105 block), Ntoskrnl.exe (No. 105 block), Win32k.sys (No. 106 block). The 340-350 block is a small segment of the system PTE array, and block 347 is part of the page directory. Block 2122 includes a SharedUserData area, which consists of KPCR, KPRCB, and a Context structure including thread and process status information. Diagram 4-16. Adjacent memory block column
It also needs to be added, and the W2K_MEM.EXE's B option reports a lot of memory is used, which may exceed a reasonable value (for example, the number of physical memory on your machine). Please note the summary information given by the bottom 4-16. I really use 700MB of memory now? The Task Manager of Windows 2000 is 150MB, then what is it? This strange effect is generated by memory blocks No. 105, the range of memory blocks: 0x80000000 ---- 0xA01A5FFF takes up 0x201A6000 bytes, which means 538, 599, 424 bytes. This is obviously impossible. The problem is the entire linear address space: 0x80000000 ---- 0x9fffffff is mapped to physical memory: 0x00000000 ---- 0x1fffffff, in front, I have mentioned this. All 4MB pages in this area correspond to a valid PDE in the page directory at the address 0xc0300000, we can use the W2K_MEM D # 0x200 0xc0300800 command to prove this (4-17). Because all PDEs in the result list are odd (translation: If PDE is odd, it proves that its P bit is definitely 1), so their corresponding pages must exist; however, they do not need to really take up physical memory. In fact, most of this memory area is "Hole", if you copy it into the buffer, you can find that they are populated by 0xFF. Therefore, you don't need too serious for the memory usage of W2k_Mem.exe.
List 4-17. The address range is: 0x80000000 --- 0x9fffffff PDE
The last part of the Windows 2000 memory layout will give it to the overall layout of the 4GB linear address space in a Windows 2000 process. Table 4-9 shows the memory range of multiple basic data structures. "Big Hole" has different purposes, such as the loading area of the process module and the device driver, memory pool, work set list, etc. Note that some memory addresses and memory blocks have great differences between different systems, depending on the physical memory and hardware configuration, the properties of the process, and some other system variables. Therefore, it is only a sketch here, is not a precise layout.
Some physical memory blocks have two or more times in linear address space. For example, the SharedUserData area is located in linear addresses 0xffdf0000, and mirrors to 0x7ffe0000. Both of these addresses points to the same page in physical memory, which means that if one byte is written to 0xFFDF0000 N, the value of 0x7ffe0000 n will change. This is a virtual memory world ---- a physical address can be mapped to anywhere in the linear address space, even if a physical address is mapped to multiple linear addresses at the same time. Recalling Figure 4-3 and Figure 4-4, which clearly show this "false behavior" of linear addresses. Their directory and epitope domain are correctly directed to the structure of the actual location of the data. If the PFN of the two PTEs is exactly the same, then their corresponding linear addresses will point to the same location as the physical memory. Table 4-9. Conflammable memory area in the process address space
starting address
End address
Hexadecimal size
Type / description
10000 0x00000000 0x0000FFFF protected block bottom (Lower guard block) 0x00010000 0x0001FFFF 10000 WCHAR [] / environment strings, 0x00020000 0x0002FFFF 10000 PROCESS_PARAMETERS distribution in a 4KB page / dispensing 0x00030000 0x0012FFFF 1000000 DWORD [4000] / process a 4KB page stack (default; 1MB) 0x7FFDD000 0x7FFDDFFF SharedUserData 0x7FFF0000 0x7FFFFFFF in thread environment block the thread environment block 1000 TEB / 1 # thread 0x7FFDE000 0x7FFDEFFF 1000 TEB / 2 # threads 0x7FFDF000 0x7FFDFFFF 1000 PEB / process environment block 0x7FFE0000 0x7FFE02D7 2D8 KUSER_SHARED_DATA / user mode protected block 10000 the top (Upper guard block) 0x80000000 0x800003FF 400 IVT / interrupt vector 0x80036000 0x800363FF 400 KGDTENTRY [80] / global descriptor table 0x80036400 0x80036BFF 800 KIDTENTRY [100] / interrupt descriptor table 0x800C0000 0x800FFFFF 40000 VGA / ROM BIOS 0x80244000 0x802460AA 20AB KTSS / kernel task state segment (busy) 0x8046AB80 0x8046ABBF 40 KeServiceDescriptorTable 0x8046AB 0x8046ABFF 40 KeServiceDescriptorTableShadow 0x80470040 0x804700A7 68 KTSS / KiDoubleFaultTSS 0x804700A8 0x8047010F 68 KTSS / KiNMITSS 0x804704D8 0x804708B7 3E0 PROC [F8] / KiServiceTable 0x804708B8 0x804708BB 4 DWORD / KiServiceLimit 0x804708BC 0x804709B3 F8 Byte [F8] / KIA rgumentTable 0x814C6000 0x82CC5FFF 1800000 PFN [100000] / MmPfnDatabase (up to 4GB) 0xA01859F0 0xA01863EB 9FC PROC [27F] / W32pServiceTable 0xA0186670 0x A01863EE 27F BYTE [27F] W32pArgumentTable 0xC0000000 0xC03FFFFF 400000 X86_PE [100000] / page directory and page tables 0xC1000000 0xE0FFFFFF 20000000 System SharedUserData 0xFFDFF000 0xFFDFF053 54 KPCR the cache (MmSystemCacheStart, MmSystemCacheEnd) 0xE1000000 0xE77FFFFF 6800000 page pool (Paged pool) (MmPagedPoolStart, MmPagedPoolEnd) 0xF0430000 0xF043FFFF 0xF0440000 0xF044FFFF 0xFFDF0000 0xFFDF02D7 2D8 KUSER_SHARED_DATA / kernel mode 10000 ROM BIOS data segments 10000 ROM BIOS code segment / processing Device control area (kernel mode FS)
0xffdff120 0xffdff13b 1C KPRCB / processor control block 0xffdff13c 0xffdff407 2cc context / thread context (CPU status) 0xffdff620 0xffdff71f 100 backup chain table directory .................. this chapter is over ................
