"Undocumented Windows 2000 Secrets" translation --- Chapter 4 (8)


Chapter 4: Exploring the Memory Management Mechanism of Windows 2000

Translation: kendiv (fcczj@263.net)

Updated: Tuesday, February 22, 2005

Disclaimer: When reposting, please indicate the source and keep the article intact. All rights to the translation are reserved.

Request paging action

When discussing the SPY_IO_MEMORY_DATA function of the SPY device, I mentioned that this function can read memory pages that have been swapped out to the page file. To prove this, you must first put the system into a low-memory state, forcing it to move data that is not needed immediately out to the page file. The method I like to use is as follows:

1. Press the Print Screen key to copy the Windows 2000 desktop to the clipboard.

2. Paste the picture into a graphics program.

3. Enlarge the picture as much as possible.

Now execute the command w2k_mem d #16 0xC0280000 0xA0000000 0xA0001000 0xA0002000 0xC0280000 and look at the output on the screen. You may be surprised. The command takes a snapshot of these PTEs before touching the pages they reference. The four PTEs found at address 0xC0280000 belong to the address range 0xA0000000 to 0xA0003FFF, which is part of the kernel module win32k.sys. As Figure 4-11 shows, this address range has been paged out, because the four DWORDs at address 0xC0280000 are all even; that is, their lowest bit (the P bit of the PTE) is zero, which means the pages are not present in physical memory. The next three 16-byte dumps belong to 0xA0000000, 0xA0001000 and 0xA0002000; w2k_mem can access these pages without any problem, because the system pages them back into memory on demand.

Figure 4-11. Observing the state of the PTEs

Before moving on to the next section, look once more at the first column in Figure 4-11. The four PTEs at address 0xC0280000 look very similar; in fact they differ only in their lowest three bits. If you examine all PTEs that point into the page file, you will find that their bit 10 is always 1. That is why, in Listing 4-3, I named this bit PageFile. If this bit is 1, all bits except the P bit are used to represent the location within the page file.
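The arithmetic behind the experiment above, as an added example that is not part of the book's w2k_mem sources: it computes which linear addresses the PTEs at 0xC0280000 map and classifies raw PTE values by the P bit and the PageFile bit. It assumes the x86 Windows 2000 page-table mapping at 0xC0000000 and uses a constructed PTE snapshot, not values from the book's figure.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumption (added example, not the book's code): x86 Windows 2000 maps the
 * page tables at 0xC0000000, so the PTE for linear address va is the DWORD
 * at 0xC0000000 + (va >> 12) * 4. */
#define PTE_BASE      0xC0000000u
#define PAGE_SIZE     0x1000u
#define PTE_P         (1u << 0)   /* present bit named in the text  */
#define PTE_PAGEFILE  (1u << 10)  /* PageFile bit from Listing 4-3  */

typedef enum { PTE_PRESENT, PTE_IN_PAGEFILE, PTE_NOT_PRESENT } PTE_STATE;
static const char *PteStateName [] = { "present", "in page file", "not present" };

/* Address of the PTE that maps linear address va. */
uint32_t PteAddress (uint32_t va)
    {
    return PTE_BASE + (va >> 12) * 4;
    }

/* First linear address mapped by the PTE stored at pteAddr. */
uint32_t PteLinearAddress (uint32_t pteAddr)
    {
    return ((pteAddr - PTE_BASE) / 4) * PAGE_SIZE;
    }

/* An even PTE has P == 0; bit 10 then says whether it points into the page file. */
PTE_STATE ClassifyPte (uint32_t pte)
    {
    if (pte & PTE_P)        return PTE_PRESENT;
    if (pte & PTE_PAGEFILE) return PTE_IN_PAGEFILE;
    return PTE_NOT_PRESENT;
    }

int main (void)
    {
    /* Constructed snapshot of the four PTEs at 0xC0280000: even values with
     * bit 10 set that differ only in their lowest bits, as described above. */
    uint32_t snapshot [4] = { 0x02A6C400u, 0x02A6C402u, 0x02A6C404u, 0x02A6C406u };
    for (int i = 0; i < 4; i++)
        {
        uint32_t pteAddr = 0xC0280000u + 4 * i;
        printf ("PTE at %08lX maps VA %08lX: %s\n", (unsigned long) pteAddr,
                (unsigned long) PteLinearAddress (pteAddr),
                PteStateName [ClassifyPte (snapshot [i])]);
        }
    return 0;
    }
```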

More command options

Some of the command options in Listing 4-1 have not been explained yet, for example the system status options O, C, g, i and b. I will introduce them in the last section of this chapter, where we will uncover the secrets of several Windows 2000 memory areas.

SPY device interface

Now that you know how to use w2k_mem and how it works, let's look at how this program communicates with the SPY device in w2k_spy.sys.

Review: Device I/O Control

The kernel-mode end of the IOCTL communication was already given in Listings 4-6 and 4-7: the SPY device simply waits for IRPs and handles some of them, in particular IRP_MJ_DEVICE_CONTROL requests, which are triggered from user mode by calling the Win32 API function DeviceIoControl(). Listing 4-27 gives the prototype of this function. You may already be familiar with the dwIoControlCode, lpInBuffer, nInBufferSize, lpOutBuffer, nOutBufferSize and lpBytesReturned parameters. They correspond directly to the dCode, pInput, dInput, pOutput, dOutput and pdInfo parameters of SpyDispatcher(), which is defined in Listing 4-7. The remaining parameters are quickly explained: hDevice is a handle to the SPY device, and lpOverlapped points to an OVERLAPPED structure that is required for asynchronous IOCTL requests. We don't need to send asynchronous requests, so this parameter is always NULL. Listing 4-28 lists all wrapper functions that perform basic IOCTL operations. The most basic one is IoControl(), which calls DeviceIoControl() and checks the size of the returned output data. Because w2k_mem.exe always supplies the exact size of the output buffer, the number of bytes returned should always equal the buffer size. ReadBinary() is a simplified version of IoControl() that requires no input data. ReadCpuInfo(), ReadSegment() and ReadPhysical() are dedicated to the SPY functions SPY_IO_CPU_INFO, SPY_IO_SEGMENT and SPY_IO_PHYSICAL, because these are used frequently; wrapping them in C functions improves readability.

BOOL WINAPI DeviceIoControl (HANDLE       hDevice,
                             DWORD        dwIoControlCode,
                             PVOID        lpInBuffer,
                             DWORD        nInBufferSize,
                             PVOID        lpOutBuffer,
                             DWORD        nOutBufferSize,
                             PDWORD       lpBytesReturned,
                             LPOVERLAPPED lpOverlapped);

Listing 4-27. Prototype of the DeviceIoControl() function

// Listing 4-28 assumes the Win32 headers and the SPY definitions
// (SPY_IO_* codes, SPY_*_ size constants) from the driver's w2k_spy.h.
#include <windows.h>
#include "w2k_spy.h"

BOOL WINAPI IoControl (HANDLE hDevice,
                       DWORD  dCode,
                       PVOID  pInput,
                       DWORD  dInput,
                       PVOID  pOutput,
                       DWORD  dOutput)
    {
    DWORD dData = 0;

    // the request succeeds only if the driver returned exactly
    // as many bytes as the caller's output buffer holds
    return DeviceIoControl (hDevice, dCode,
                            pInput,  dInput,
                            pOutput, dOutput,
                            &dData,  NULL)
           &&
           (dData == dOutput);
    }

// -----------------------------------------------------------------

BOOL WINAPI ReadBinary (HANDLE hDevice,
                        DWORD  dCode,
                        PVOID  pOutput,
                        DWORD  dOutput)
    {
    return IoControl (hDevice, dCode, NULL, 0, pOutput, dOutput);
    }

// -----------------------------------------------------------------

BOOL WINAPI ReadCpuInfo (HANDLE        hDevice,
                         PSPY_CPU_INFO psci)
    {
    return IoControl (hDevice, SPY_IO_CPU_INFO,
                      NULL, 0,
                      psci, SPY_CPU_INFO_);
    }

// -----------------------------------------------------------------

BOOL WINAPI ReadSegment (HANDLE       hDevice,
                         DWORD        dSelector,
                         PSPY_SEGMENT pss)
    {
    return IoControl (hDevice, SPY_IO_SEGMENT,
                      &dSelector, DWORD_,
                      pss, SPY_SEGMENT_);
    }

// -----------------------------------------------------------------

BOOL WINAPI ReadPhysical (HANDLE            hDevice,
                          PVOID             pLinear,
                          PPHYSICAL_ADDRESS ppa)
    {
    // a physical address of zero means the translation failed
    return IoControl (hDevice, SPY_IO_PHYSICAL,
                      &pLinear, PVOID_,
                      ppa, PHYSICAL_ADDRESS_)
           &&
           (ppa->LowPart || ppa->HighPart);
    }

Listing 4-28. Wrapper functions for several IOCTLs

So far, all functions listed in this section require a handle to the SPY device. Now I will show how to obtain that handle. It is actually a very simple Win32 operation, similar to opening a file. Listing 4-29 shows the implementation of the command-processing routine of w2k_mem.exe. This code uses the API functions w2kFilePath(), w2kServiceLoad() and w2kServiceUnload(), which are exported by w2k_lib.dll. If you have read the introduction to the Windows 2000 Service Control Manager, you already know w2kServiceLoad() and w2kServiceUnload(). These powerful functions load and unload kernel-mode device drivers and handle some benign errors gracefully, such as loading a driver that is already in memory. w2kFilePath() is a helper function that w2k_mem.exe calls to obtain the full path of the SPY driver.

WORD awSpyFile    [] = SW (DRV_FILENAME);
WORD awSpyDevice  [] = SW (DRV_MODULE);
WORD awSpyDisplay [] = SW (DRV_NAME);
WORD awSpyPath    [] = SW (DRV_PATH);

// -----------------------------------------------------------------

VOID WINAPI Execute (PPWORD ppwArguments,
                     DWORD  dArguments)
    {
    SPY_VERSION_INFO svi;
    DWORD            dOptions, dRequest, dReceive;
    WORD             awPath [MAX_PATH] = L"?";
    SC_HANDLE        hControl = NULL;
    HANDLE           hDevice  = INVALID_HANDLE_VALUE;

    _printf (L"\r\nLoading \"%s\" (%s) ...\r\n",
             awSpyDisplay, awSpyDevice);

    // build the full path of w2k_spy.sys and load it as a service
    if (w2kFilePath (NULL, awSpyFile, awPath, MAX_PATH))
        {
        _printf (L"Driver: \"%s\"\r\n",
                 awPath);

        hControl = w2kServiceLoad (awSpyDevice, awSpyDisplay,
                                   awPath, TRUE);
        }
    // the service handle cannot be used for IOCTLs; open the device
    // through its symbolic link (see Table 4-4) to get a device handle
    if (hControl != NULL)
        {
        _printf (L"Opening \"%s\" ...\r\n",
                 awSpyPath);

        hDevice = CreateFile (awSpyPath, GENERIC_READ,
                              FILE_SHARE_READ | FILE_SHARE_WRITE,
                              NULL, OPEN_EXISTING,
                              FILE_ATTRIBUTE_NORMAL, NULL);
        }
    else
        {
        _printf (L"Unable to load the spy device driver.\r\n");
        }
    if (hDevice != INVALID_HANDLE_VALUE)
        {
        if (ReadBinary (hDevice, SPY_IO_VERSION_INFO,
                        &svi, SPY_VERSION_INFO_))
            {
            _printf (L"\r\n%s V%lu.%02lu ready\r\n",
                     svi.awName,
                     svi.dVersion / 100, svi.dVersion % 100);
            }
        // first pass: only check the command line for errors
        dOptions = COMMAND_OPTION_NONE;
        dRequest = CommandParse (hDevice, ppwArguments, dArguments,
                                 TRUE, &dOptions);

        // second pass: execute the commands
        dOptions = COMMAND_OPTION_NONE;
        dReceive = CommandParse (hDevice, ppwArguments, dArguments,
                                 FALSE, &dOptions);
        if (dRequest)
            {
            _printf (awSummary,
                     dRequest, (dRequest == 1 ? awByte : awBytes),
                     dReceive, (dReceive == 1 ? awByte : awBytes));
            }
        _printf (L"\r\nClosing the spy device ...\r\n");
        CloseHandle (hDevice);
        }
    else
        {
        _printf (L"Unable to open the spy device.\r\n");
        }
    // unloading is optional, controlled by the global gfSpyUnload flag
    if ((hControl != NULL) && gfSpyUnload)
        {
        _printf (L"Unloading the spy device ...\r\n");
        w2kServiceUnload (awSpyDevice, hControl);
        }
    return;
    }

Listing 4-29. Controlling the SPY device

Please note the definitions of the four global strings at the top of Listing 4-29. The constants DRV_FILENAME, DRV_MODULE, DRV_NAME and DRV_PATH come from the SPY driver's header file w2k_spy.h; Table 4-4 lists their current values. You won't find any device-related definitions in the source code of w2k_mem.exe, because w2k_spy.h provides everything a client program needs. This is important: if you change any device-related definition, you don't need to update any program files, just recompile and link the programs against the new header file. In Listing 4-29, w2kFilePath() guarantees that w2k_spy.sys, named by the global variable awSpyFile (see Table 4-4), is always loaded from the location of w2k_mem.exe. Next, the code passes the global strings awSpyDevice and awSpyDisplay to w2kServiceLoad() to load the SPY device driver. If the driver is not yet loaded, these strings are stored in the driver's property list, where other programs can retrieve them; otherwise, the current property settings are retained. Although the w2kServiceLoad() call in Listing 4-29 returns a handle, it is not a handle that can be used with any IOCTL function. To get a handle to the SPY device, you must use the Win32 multi-purpose function CreateFile(), which opens or creates almost anything in Windows 2000 that can be opened or created. If the lpFileName parameter of CreateFile() is the symbolic link name of a kernel device, in the form \\.\<name>, the function opens that kernel device. The symbolic link name of the SPY device is w2k_spy, so the first parameter of CreateFile() must be \\.\w2k_spy, which is the value of awSpyPath in Table 4-4.

Table 4-4. Device-related string definitions

w2k_spy constant   w2k_mem variable   Value
DRV_FILENAME       awSpyFile          w2k_spy.sys
DRV_MODULE         awSpyDevice        w2k_spy
DRV_NAME           awSpyDisplay       SBS Windows 2000 Spy Device
DRV_PATH           awSpyPath          \\.\w2k_spy

If CreateFile() succeeds, it returns a device handle that can be passed to DeviceIoControl(). The Execute() function in Listing 4-29 uses this handle to query the version information of the SPY device; if the IOCTL call succeeds, the information is displayed on the screen. Next, CommandParse() is called twice: the first call merely checks the command line for invalid arguments and reports any errors, and the second call executes all commands. I don't want to discuss the details of this function here. The remaining code in Listing 4-29 does cleanup, such as closing the handle and unloading the SPY driver (the latter is optional). There are still some interesting code snippets in the source of w2k_mem.exe, but I will not discuss them here; please refer to w2k_mem.c and w2k_mem.h in the \src\w2k_mem directory on the CD.

The only thing you still need to pay attention to is the gfSpyUnload flag, which decides whether the SPY driver is unloaded afterwards. I have set this global flag to FALSE, so the driver is not unloaded automatically. This improves the performance of any client of w2k_mem.exe or w2k_spy.sys, because loading a driver takes a certain amount of time; only the first client pays the loading overhead. This setting also avoids races between multiple clients, such as one client trying to unload the driver while another is still using it. Of course, Windows 2000 does not unload a driver until all handles to it have been closed, but the service is placed in the STOP_PENDING state, so new clients can no longer open the device. However, if you are not running w2k_spy.sys in a multi-client environment and need to update the driver, you should set the gfSpyUnload flag to TRUE.

In-depth Windows 2000 Memory

The 4GB address space, which is split into independent user-mode and kernel-mode halves, is itself divided into many smaller blocks. As you may guess, most of them contain undocumented structures and serve unknown purposes. Some of them are real gold mines for anyone developing system diagnostic or debugging software.

Basic operating system information

If you look at the help information in the lower half of Listing 4-1, you will see that the title of this section is "System Status Options". Now try the "Show operating system information" option, O. Figure 4-12 shows the output of this option on my machine. The information displayed here is the contents of the SPY_OS_INFO structure, defined in Listing 4-13; it is filled in by the SPY device function SpyOutputOsInfo(), which is also included in Listing 4-13. In Figure 4-12 you can see some typical addresses within a process's 4GB address space. For example, the valid user address range is 0x00010000 to 0x7FFFFFFF. You may have read in other books on Windows NT or 2000 programming that the first and last 64 KB of the user-mode linear address space are "no access" regions, and that touching them triggers an error (see Chapter 5 of Solomon 1998); the output of w2k_mem.exe proves this.

Figure 4-12. Displaying operating system information

The last three lines in Figure 4-12 are also interesting; they all concern the system itself. Most of this information comes from the SharedUserData area at address 0xFFDF0000, where the system maintains a structure called KUSER_SHARED_DATA, which is defined in the DDK header file ntddk.h.

... to be continued ...

Please cite the original address when reposting: https://www.9cbs.com/read-55452.html
