Chapter 4 Exploring the Memory Management Mechanism of Windows 2000
Translation: kendiv (fcczj@263.net)
Last updated: Tuesday, February 22, 2005
Note: Please credit the source and keep the article intact. All rights to the translation are reserved.
The Memory Dump Tool ---- This Book's Sample Program
Now that you have worked through the code of the complex and confusing memory spy device, you probably want to see what these functions actually do. Therefore, I created a console-mode tool named "SBS Windows 2000 Memory Spy", which loads the spy driver and calls its various IOCTL functions depending on the command-line parameters. The executable is w2k_mem.exe, and its source code is located in the /src/w2k_mem directory on the book's CD.
Command-Line Format
You can run the memory spy tool directly from the CD as D:/bin/w2k_mem.exe, where D: must be replaced by the letter of your CD-ROM drive. If w2k_mem.exe is started without parameters, it prints a lengthy help message, shown in Listing 4-1. The basic command syntax of w2k_mem.exe is this: a command contains one or more data requests, and each request supplies at least one linear base address at which the memory dump starts. Specifying the size of the memory block is optional; the default block size is 256 bytes. A block size in the command must start with "#". You can change the default behavior of a command by adding one or more options. An option consists of a single-character option ID with a "+" or "-" prefix, where "+" enables and "-" disables the option. By default, all options are allowed.
// w2k_mem.exe
// SBS Windows 2000 Memory Spy V1.00
// 08-27-2000 Sven B. Schreiber
// sbs@orgon.com

USAGE: w2k_mem { {[+Option | -Option] [/
Use the +x / -x switch to enable / disable its startup code.

Display Address Options (mutually exclusive):
+Z -Z Zero-Based Display ON/OFF
+R -R Physical RAM Addresses ON/OFF
Display Mode Options (mutually exclusive):
+W -W WORD Data Formatting ON/OFF
+D -D DWORD Data Formatting ON/OFF
+Q -Q QWORD Data Formatting ON/OFF
Addressing Options (mutually exclusive):
+T -T TEB-Relative Addressing ON/OFF
+F -F FS-Relative Addressing ON/OFF
+U -U User-Mode FS:[
+H -H Handle/Object Resolution ON/OFF
+A -A Add Bias to Last Base ON/OFF
+S -S Sub Bias from Last Base ON/OFF
+P -P Pointer from Last Block ON/OFF
System Status Options (cumulative):
+O -O Display OS Information ON/OFF
+C -C Display CPU Information ON/OFF
+G -G Display GDT Information ON/OFF
+I -I Display IDT Information ON/OFF
+B -B Display Contiguous Blocks ON/OFF
Other Options (cumulative):
+X -X Execute DLL Startup Code ON/OFF
Example: The following command displays the first 64
bytes of the current Process Environment Block (PEB)
in zero-based DWORD format, assuming that a pointer to
the PEB is located at offset 0x30 inside the current
Thread Environment Block (TEB):
w2k_mem +t #0 0 +pzd #64 0x30
NOTE: Specifying #0 after +t causes the TEB to be
addressed without displaying its contents.
Listing 4-1. Help information of the memory spy tool
The data requests in a command line are everything that is not an option, a module path, or another command modifier. Each well-formed number in the command is taken as a linear address, and a hex dump starts at that address. Numbers are interpreted as decimal by default; if they carry the prefix "0x" or "x", they are interpreted as hexadecimal.
A few simple examples make the complex command-line options of w2k_mem.exe much easier to master, so some are given below:
- w2k_mem 0x80400000 displays 256 bytes starting at the linear address 0x80400000; the output should look similar to Listing 4-2. By the way, this is the DOS stub of ntoskrnl.exe (note the "MZ" signature).
- w2k_mem #0x40 0x80400000 displays 64 bytes starting at the linear address 0x80400000; #0x40 specifies that the block size to display is 64 bytes.
- w2k_mem +d #0x40 0x80400000 is the previous command with the data displayed as 32-bit DWORD chunks, which is what the +d option does. Within a command, an option stays in effect until it is switched off by the corresponding -option or overridden by one of its mutually exclusive options. The options mutually exclusive with +d are +w and +q.
- w2k_mem +wz #0x40 0x10000 +d -z 0x200000 contains two data requests. First, the linear address range 0x10000 to 0x1003F is displayed in 16-bit WORD format; then the range 0x20000 to 0x2003F is displayed in 32-bit DWORD format (see Listing 4-3). The first request also contains the +z option, which makes the "Address" column count from zero. In the second request, the zero-based display is switched off again by -z.
- w2k_mem +rd #4096 0xC0300000 displays the system's page directory, starting at 0xC0300000, in DWORD format. The +r option causes the "Address" column to show physical RAM addresses instead of linear addresses.
Now you should have a basic understanding of how the command-line format works. The following sections discuss some of the more special options and features in detail. Most of them change how the addresses that follow them are interpreted. By default, a specified address is a linear base address, and the memory dump starts there. The options +t, +f, +u, +k, +h, +a, +s, and +p change this default interpretation in various ways.
Listing 4-2. Output of a data request
Listing 4-3. Displaying data in a specified format
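The following C program is an added example, not the w2k_mem.exe source from the book's CD: it re-implements the command-line grammar described above (+x/-x option tokens, several option letters per token as in +dt, #size block sizes, bare numbers as addresses, "0x"/"x" hex prefixes, mutually exclusive option groups, and option and block-size state carrying over from one data request to the next within a command). All enum, structure and function names in it are my own, and the /ModulePath token is not modelled.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Display format and addressing mode are mutually exclusive groups, so each
   group is held in one field. All names here are my own (assumption). */
enum fmt { FMT_BYTE = 0, FMT_WORD, FMT_DWORD, FMT_QWORD };
enum addressing { ADDR_LINEAR = 0, ADDR_TEB, ADDR_FS, ADDR_USER_FS, ADDR_KERNEL_FS,
                  ADDR_HANDLE, ADDR_ADD_BIAS, ADDR_SUB_BIAS, ADDR_POINTER };

struct options {
    int      format;      /* enum fmt: +w/+d/+q */
    int      addressing;  /* enum addressing: +t/+f/+u/+k/+h/+a/+s/+p */
    int      zero_based;  /* +z, exclusive with +r */
    int      physical;    /* +r, exclusive with +z */
    uint32_t block_size;  /* #size; 256 bytes unless changed */
};

struct request {
    uint32_t       address;  /* number as typed; its meaning depends on opt.addressing */
    struct options opt;      /* option state in effect when the address was parsed */
};

/* "0x.." or "x.." is hexadecimal, anything else decimal. 0 on success, -1 if bad. */
static int parse_number(const char *s, uint32_t *out)
{
    const char *p = s;
    int base = 10;
    char *end;
    if (p[0] == '0' && (p[1] == 'x' || p[1] == 'X')) { base = 16; p += 2; }
    else if (p[0] == 'x' || p[0] == 'X')            { base = 16; p += 1; }
    if (!isxdigit((unsigned char)*p)) return -1;
    *out = (uint32_t)strtoul(p, &end, base);
    return *end == '\0' ? 0 : -1;
}

/* Switching an exclusive option on replaces the group's current choice;
   switching it off only clears the group if it is the current choice. */
static void set_exclusive(int *group, int value, int none, int on)
{
    if (on) *group = value;
    else if (*group == value) *group = none;
}

static void apply_option(struct options *o, char letter, int on)
{
    switch (tolower((unsigned char)letter)) {
    case 'z': o->zero_based = on; if (on) o->physical = 0;   break;
    case 'r': o->physical = on;   if (on) o->zero_based = 0; break;
    case 'w': set_exclusive(&o->format, FMT_WORD,  FMT_BYTE, on); break;
    case 'd': set_exclusive(&o->format, FMT_DWORD, FMT_BYTE, on); break;
    case 'q': set_exclusive(&o->format, FMT_QWORD, FMT_BYTE, on); break;
    case 't': set_exclusive(&o->addressing, ADDR_TEB,       ADDR_LINEAR, on); break;
    case 'f': set_exclusive(&o->addressing, ADDR_FS,        ADDR_LINEAR, on); break;
    case 'u': set_exclusive(&o->addressing, ADDR_USER_FS,   ADDR_LINEAR, on); break;
    case 'k': set_exclusive(&o->addressing, ADDR_KERNEL_FS, ADDR_LINEAR, on); break;
    case 'h': set_exclusive(&o->addressing, ADDR_HANDLE,    ADDR_LINEAR, on); break;
    case 'a': set_exclusive(&o->addressing, ADDR_ADD_BIAS,  ADDR_LINEAR, on); break;
    case 's': set_exclusive(&o->addressing, ADDR_SUB_BIAS,  ADDR_LINEAR, on); break;
    case 'p': set_exclusive(&o->addressing, ADDR_POINTER,   ADDR_LINEAR, on); break;
    default: break;  /* +o +c +g +i +b +x change what is printed, not the requests */
    }
}

/* argv-style token list (argv[0] is the program name, list ends with NULL).
   Fills reqs[] and returns the request count, or -1 on a malformed token. */
int parse_command(char **argv, struct request *reqs, int max)
{
    struct options o = { FMT_BYTE, ADDR_LINEAR, 0, 0, 256 };
    int n = 0;
    for (int i = 1; argv[i] != NULL; i++) {
        const char *tok = argv[i];
        if (tok[0] == '+' || tok[0] == '-') {
            if (tok[1] == '\0') return -1;
            for (const char *c = tok + 1; *c != '\0'; c++) apply_option(&o, *c, tok[0] == '+');
        } else if (tok[0] == '#') {
            if (parse_number(tok + 1, &o.block_size) != 0) return -1;
        } else {                      /* /ModulePath tokens are not modelled here */
            if (n == max || parse_number(tok, &reqs[n].address) != 0) return -1;
            reqs[n].opt = o;          /* state carries over to later requests */
            n++;
        }
    }
    return n;
}

/* Convenience wrapper: split one command string on blanks and parse it. */
int parse_command_line(const char *line, struct request *reqs, int max)
{
    static char prog[] = "w2k_mem";
    char buf[256], *argv[64];
    int argc = 1;
    if (strlen(line) >= sizeof buf) return -1;
    strcpy(buf, line);
    argv[0] = prog;
    for (char *t = strtok(buf, " \t"); t != NULL && argc < 63; t = strtok(NULL, " \t"))
        argv[argc++] = t;
    argv[argc] = NULL;
    return parse_command(argv, reqs, max);
}

int main(void)
{
    struct request reqs[8];
    int n = parse_command_line("+wz #0x40 0x10000 +d -z 0x200000", reqs, 8);
    for (int i = 0; i < n; i++)
        printf("request %d: address 0x%08X, %u bytes, format %d, zero-based %d\n", i,
               (unsigned)reqs[i].address, (unsigned)reqs[i].opt.block_size,
               reqs[i].opt.format, reqs[i].opt.zero_based);
    return n < 0;
}
```

Run without arguments, it parses the two-request example from the list above and prints one line per request; a malformed token such as a non-numeric address makes the whole command fail rather than silently dumping from address 0, which is the behavior a memory dump tool should have.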
TEB-Relative Addressing
Each thread of a process has its own thread environment block (TEB), in which the system keeps frequently used thread-related data. In user mode, the TEB of the current thread is located in a separate 4-KB segment that can be accessed through the CPU's FS register. In kernel mode, FS points to a different segment, which is explained below. All TEBs of a process are stacked in linear memory starting at 0x7FFDE000, each 4-KB page holding one complete TEB, and the memory area grows downward. This means that the TEB of the second thread is located at 0x7FFDC000, much like entries on a stack. Chapter 7 discusses the contents of the TEB and of the process environment block (PEB), which is located at address 0x7FFDF000 (see Listings 7-18 and 7-19). For now, it is enough to know that the TEB exists and that its address is given by the FS register.
If the +t option appears before an address, w2k_mem.exe automatically adds the base address of the FS segment to that address. Listing 4-4 shows the output of the command w2k_mem +dt #0x38 0. This time I have omitted the title and status information of the w2k_mem.exe output.
Listing 4-4. Displaying the first thread environment block (TEB)
FS-Relative Addressing
As mentioned earlier, FS points to different segments in user mode and in kernel mode. The +t option selects the segment FS points to in user mode, and the +f option selects the segment FS points to in kernel mode. Of course, a Win32 application has no way of obtaining this address, so the spy device must be asked again: w2k_mem.exe calls the IOCTL function SPY_IO_CPU_INFO to read the CPU status information, which includes the values of all segment registers in kernel mode. From there on, everything works the same as with the +t option.
In kernel mode, FS points to another thread-related structure that the Windows 2000 kernel uses frequently: the Kernel's Processor Control Region (KPCR). This structure was mentioned when the IOCTL function SPY_IO_OS_INFO was discussed, and it comes up again in Chapter 7 (see Listing 7-16). For now, you only need to know that this structure resides at linear address 0xFFDFF000 and that you can access it with the +f option. In Listing 4-5, I use the command w2k_mem +df #0x54 0 to demonstrate the +f option on a live system.
Listing 4-5. Displaying the Kernel's Processor Control Region (KPCR)
FS:[Base] Addressing
When you look at Windows 2000 kernel code, you frequently come across instructions like MOV EAX, FS:[18h]. These instructions fetch the values of members of the TEB or the KPCR, or of whatever structure is contained in the FS segment, and most of these members point to other internal structures. The command-line options +u and +k let you follow such a member: +u refers to the FS segment in user mode, +k to the FS segment in kernel mode. For example, the command w2k_mem +du #0x1E8 0x30 (see Listing 4-6) displays the 488 bytes of the memory block that FS:[30h] points to in user mode. The command w2k_mem +dk #0x1C 0x20 (see Listing 4-7) displays the first 28 bytes of the memory block that FS:[20h] points to in kernel mode, which is actually a pointer to the KPRCB. If you do not yet know what the PEB or the KPRCB is, don't worry; you will find out soon enough.
Listing 4-6. Displaying the process environment block (PEB)
Listing 4-7. Displaying the Kernel's Processor Control Block (KPRCB)
Handle/Object Resolution
Suppose you have an object handle and want to see what the object behind it looks like. With the +h option, this task becomes trivial: the option calls the SPY_IO_HANDLE_INFO function of the spy device (see Listing 4-26) to locate the object body of the given handle. The Windows 2000 object world is a fascinating topic that I analyze in Chapter 7, so I will leave it at that for now.
Relative Addressing
Sometimes this addressing mode is a convenient way to display a series of memory blocks that are spaced the same number of bytes apart. This situation is quite common, for example with an array of structures or the TEB stack of a running process. The +a and +s options work by interpreting a given address as an offset. The difference between the two options is that +a (Add Bias) produces a positive offset, while +s (Subtract Bias) produces a negative one. Listing 4-8 shows the output of the command w2k_mem +d #32 0xC0000000 +a 4096 4096. It dumps the first 32 bytes of three consecutive 4-KB pages, starting at address 0xC0000000, where the system's page tables are located. Note that the +a option sits near the end of the command: it causes the subsequent "4096" values to be interpreted as offsets that are added to the base address.
Listing 4-8. Page table samples
Listing 4-8 also shows what happens if an invalid linear address is passed in. Obviously, the first two 4-MB regions covered, 0x00000000 to 0x003F0000 and 0x00400000 to 0x007F0000, are valid, whereas the third page is invalid. w2k_mem.exe reflects this by displaying an empty list. The program knows which address ranges are valid because the SPY_IO_MEMORY_DATA function of the spy device stores this information in the resulting SPY_MEMORY_DATA structure (see Listing 4-25).
Indirect Addressing
One of my favorite command options is +p, because it saved me a lot of typing while I was preparing this book. This option is similar to +u and +k, but instead of the FS segment it uses the previously displayed data block as its base. This is a great feature if you want to walk a linked list, for example: rather than reading the address of the next member from the dump and typing a new command, you add the +p option and a series of offsets to the command, and each offset specifies where in the previous hex dump the address of the next object is located.
In Listing 4-9, I use this option to walk the list of currently active processes. First, I supply the address of the internal variable PsActiveProcessHead, a LIST_ENTRY structure that marks the head of the process list. A LIST_ENTRY structure contains a Flink member and a Blink member; Flink is located at offset 0 and Blink at offset 4 (see Listing 2-7). The command w2k_mem #8 +d 0x8046A180 +p 0 0 0 0 first dumps PsActiveProcessHead (the LIST_ENTRY structure) and then switches to indirect addressing with the +p option. The four zeros after the option tell w2k_mem.exe to take the value at offset 0 of the previous data block, which is where Flink is located. Note that the Blink member at offset 4 in Listing 4-9 points back to the preceding LIST_ENTRY, as we would expect.
Translator's note: In the command w2k_mem #8 +d 0x8046A180 +p 0 0 0 0, 0x8046A180 must be replaced by the address of PsActiveProcessHead on your own system. To find the address of PsActiveProcessHead, I use LiveKd with the command: ln psactiveprocesshead
If more parameters are added to the command, the hex dump eventually returns to PsActiveProcessHead, which marks both the start and the end of the process list. As explained in Chapter 2, the doubly linked lists maintained by Windows 2000 are actually rings; that is, the Flink of the last member points to the first member of the list, and the Blink of the first member points to the last.
Listing 4-9. Walking down the active process list
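The list walk described above, as an added example that is not code from the book or from w2k_mem.exe: a small C simulation of the +p rule, run over a constructed 32-bit memory image instead of a live Windows 2000 system. The image base 0x80460000, the head address and the three entry addresses are constructed values standing in for PsActiveProcessHead and the EPROCESS list entries; Flink sits at offset 0 and Blink at offset 4 as in LIST_ENTRY, and addresses outside the image count as invalid, which is where the real tool would show an empty block. The function names are my own.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IMAGE_BASE 0x80460000u          /* constructed: base of the fake image */
#define IMAGE_SIZE 0x1000u
#define HEAD_ADDR  (IMAGE_BASE + 0x180) /* constructed stand-in for PsActiveProcessHead */

static uint8_t image[IMAGE_SIZE];

/* Constructed stand-ins for the LIST_ENTRY fields of three process objects. */
static const uint32_t entries[3] = { IMAGE_BASE + 0x400, IMAGE_BASE + 0x600, IMAGE_BASE + 0x800 };

/* Little-endian DWORD read. An address not backed by the image is "invalid":
   the tool shows an empty block for such addresses; here *ok is cleared. */
uint32_t read_dword(uint32_t addr, int *ok)
{
    if (addr < IMAGE_BASE || addr > IMAGE_BASE + IMAGE_SIZE - 4) { *ok = 0; return 0; }
    uint32_t off = addr - IMAGE_BASE;
    *ok = 1;
    return (uint32_t)image[off] | (uint32_t)image[off + 1] << 8 |
           (uint32_t)image[off + 2] << 16 | (uint32_t)image[off + 3] << 24;
}

static void write_dword(uint32_t addr, uint32_t v)
{
    uint32_t off = addr - IMAGE_BASE;
    for (int i = 0; i < 4; i++) image[off + i] = (uint8_t)(v >> (8 * i));
}

/* Link the head and the three entries into a ring: Flink (offset 0) points to
   the next node and Blink (offset 4) to the previous one, so the last node's
   Flink and the head's Blink close the circle as the text describes. */
void build_image(void)
{
    const uint32_t nodes[4] = { HEAD_ADDR, entries[0], entries[1], entries[2] };
    memset(image, 0, sizeof image);
    for (int i = 0; i < 4; i++) {
        write_dword(nodes[i] + 0, nodes[(i + 1) % 4]);   /* Flink */
        write_dword(nodes[i] + 4, nodes[(i + 3) % 4]);   /* Blink */
    }
}

/* Emulates "w2k_mem +d <base> +p off1 off2 ...": each offset picks the DWORD
   in the previously displayed block that becomes the next base address.
   Visited bases are stored in bases[] and their count is returned. The walk
   stops as soon as a block would be empty, i.e. its base is not valid. */
int walk_indirect(uint32_t base, const uint32_t *offsets, int noffsets,
                  uint32_t *bases, int max)
{
    int n = 0;
    if (max > 0) bases[n++] = base;
    for (int i = 0; i < noffsets && n < max; i++) {
        int ok;
        uint32_t next = read_dword(base + offsets[i], &ok);
        if (!ok) break;               /* previous block was empty: nothing to follow */
        base = next;
        bases[n++] = base;
    }
    return n;
}

int main(void)
{
    const uint32_t forward[4] = { 0, 0, 0, 0 };   /* the "+p 0 0 0 0" of the text */
    uint32_t bases[8];
    int ok;
    build_image();
    int n = walk_indirect(HEAD_ADDR, forward, 4, bases, 8);
    for (int i = 0; i < n; i++)
        printf("%08X: Flink %08X Blink %08X\n", (unsigned)bases[i],
               (unsigned)read_dword(bases[i] + 0, &ok),
               (unsigned)read_dword(bases[i] + 4, &ok));
    return 0;
}
```

Following Flink four times from the head visits the three entries and lands on the head again, which is the ring property the text relies on; walking with offset 4 instead traverses the same ring backwards, and starting from an address the image does not back yields a single empty block and no further steps, the same stop condition a walk on a real system hits when a pointer is garbage.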
Loading Modules
Sometimes you may want to dump a module in memory, but the module has not been mapped into the linear address space of the w2k_mem.exe process. This problem can be solved by using the /
Loading and displaying a module usually takes two steps, as shown in Listing 4-10. First, you load the module without displaying any data, in order to find out the base address assigned to it. Fortunately, as long as no other module joins the process in the meantime, the module's load address stays the same, so the next attempt loads the module at the same base address. In Listing 4-10, I loaded the kernel-mode device driver nwrdr.sys, which is Microsoft's NetWare redirector. My system has no IPX/SPX installed, so this driver is not loaded by default.
Listing 4-10. Loading and displaying a module image
In particular, you can use the /
…… to be continued ……