Analysis of Windows 2000/XP Physical Memory Management (http://webcrazy.yeah.net)



Webcrazy (http://webcrazy.yeah.net)

Physical memory is a relatively scarce resource, and using it well is key to the performance of an operating system. Internally, Windows 2000/XP uses a structure called the page frame database (Page Frame Database) to describe the state of physical memory. Starting from this structure, this article examines in detail how Windows organizes and manages physical memory.

Windows divides physical memory into units of PAGE_SIZE (0x1000 bytes, 4 KB, on x86), and the state and use of each unit is recorded in the page frame database. The page frame database is simply an array describing each of these units. It is located by the kernel variable MmPfnDatabase, the number of entries in it is given by MmNumberOfPhysicalPages, and the array index is called the Page Frame Number (PFN). MmNumberOfPhysicalPages is usually lower than the number of physical pages in the system, because the system reserves some pages for its own use during the initialization phase. Note that the page frame database only describes physical memory in the narrow sense; it does not cover the memory of other memory-mapped physical devices.

WinDbg's !pfn command can be used to examine the state and use of any page of memory, as shown below:

kd> dd MmPfnDatabase l 1
80547438  80c00000

kd> !pfn 143
    PFN 00000143 at address 80C01E48
    flink       00000500  blink / share count 00000001  pteaddress E1085174
    reference count  0001   Cached    color 0
    restore pte 00B5AC24  containing page  0096D8  Active   P
    Shared

"Inside Windows 2000" explains the fields of the PFN entry very clearly, so here I give only a brief explanation:

flink and blink link the pages of a given state together into a linked list; the kernel variables MmZeroedPageListHead, MmFreePageListHead, MmStandbyPageListHead, MmModifiedPageListHead, MmModifiedNoWritePageListHead and MmBadPageListHead are the list heads for these states. The variable names make the page state of each list easy to understand. The page frame database in Windows has 8 states in total; the other two are Active and Transition. These 8 states are indicated by the low 3 bits of the PFN entry's Type field (offset 0xD, size: byte).

PteAddress is the address of the PTE that points to this page. From analysis, there are three cases:

a. PteAddress is 0 or 0xFFFFFFFF; depending on the state indicated by the PFN entry, this identifies a ZeroedPage or a FreePage.

b. PteAddress is 0xC*******, indicating that this page is currently owned exclusively by a process or by the system and is in use by that process or the system.

c. PteAddress is 0xE*******, indicating that this is a prototype PTE, i.e. the page is shared. See my article "Exploring Windows 2000/XP Prototype PTEs".

Restore PTE is what "Inside Windows 2000" calls the Original PTE. Its role is to indicate the backing-store location of this page, that is, where the page's data lives on disk: in the pagefile or in a mapped file. In the case shown above, for example, it generally points to a Subsection of the mapped file, so internally it is called a Subsection PTE and is defined by the MMPTE_SUBSECTION structure. The other possibility is a PTE pointing into the pagefile, defined by the MMPTE_SOFTWARE structure; this is the error I mentioned last time. The bits of MMPTE_SUBSECTION are defined as follows:

Valid: Pos 0, 1 bit
SubsectionAddressLow: Pos 1, 4 bits
Protection: Pos 5, 5 bits
Prototype: Pos 10, 1 bit
SubsectionAddressHigh: Pos 11, 20 bits
WhichPool: Pos 31, 1 bit

The highest bit, WhichPool, indicates which pool this Subsection is located in (NonPagedPool or PagedPool). Valid is 0, indicating that this is not a valid PTE, which MiDispatchFault can identify. The algorithm for converting a Subsection PTE into the Subsection address is given in the code provided below.
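As an added example (not code from the original article), the bit layout above can be turned into a decoder and its inverse. The decoder reconstructs the Subsection address the same way the disassembled routine further down does (SubsectionAddressHigh gives bits 7..26 of an offset, SubsectionAddressLow bits 3..6, and WhichPool chooses whether the offset is added to MmSubsectionBase or subtracted from MmNonPagedPoolEnd); the encoder shows the two limits this layout imposes, an 8-byte aligned address within 2^27 bytes of its anchor. The pool anchors are the Windows XP Build 2600 values quoted in the code below, and applying them to the Restore PTE from the !pfn 143 output above assumes that output came from such a system. Setting the Prototype bit in the encoder is an assumption based on the field's role.

```c
#include <stdint.h>
#include <stdio.h>

/* Field positions of MMPTE_SUBSECTION as listed above. */
#define SUB_VALID_BIT      0
#define SUB_ADDR_LOW_POS   1    /* SubsectionAddressLow, 4 bits   */
#define SUB_PROT_POS       5    /* Protection, 5 bits             */
#define SUB_PROTOTYPE_BIT  10
#define SUB_ADDR_HIGH_POS  11   /* SubsectionAddressHigh, 20 bits */
#define SUB_WHICHPOOL_BIT  31

/* Anchors quoted for Windows XP Build 2600; real values are computed at boot,
 * so treat these as sample constants. */
#define XP_SUBSECTION_BASE   0x80d21000u
#define XP_NONPAGED_POOL_END 0xffbe0000u

typedef struct {
    uint32_t valid, protection, prototype, which_pool;
    uint32_t subsection;   /* reconstructed SUBSECTION address */
} subsection_pte_fields_t;

/* Decode a Subsection PTE. High covers bits 7..26 of the offset and Low bits
 * 3..6, so a SUBSECTION is 8-byte aligned and at most 2^27 bytes from its anchor. */
subsection_pte_fields_t decode_subsection_pte(uint32_t pte, uint32_t base, uint32_t pool_end)
{
    subsection_pte_fields_t f;
    uint32_t low    = (pte >> SUB_ADDR_LOW_POS)  & 0xfu;
    uint32_t high   = (pte >> SUB_ADDR_HIGH_POS) & 0xfffffu;
    uint32_t offset = (high << 7) | (low << 3);
    f.valid      = (pte >> SUB_VALID_BIT) & 1u;
    f.protection = (pte >> SUB_PROT_POS) & 0x1fu;
    f.prototype  = (pte >> SUB_PROTOTYPE_BIT) & 1u;
    f.which_pool = (pte >> SUB_WHICHPOOL_BIT) & 1u;
    /* WhichPool = 1: offset added to MmSubsectionBase;
     * WhichPool = 0: offset subtracted from MmNonPagedPoolEnd. */
    f.subsection = f.which_pool ? base + offset : pool_end - offset;
    return f;
}

/* Inverse: build the Subsection PTE for a SUBSECTION at addr. Returns 0 when the
 * address cannot be encoded (misaligned, on the wrong side of its anchor, or more
 * than 2^27 bytes away). A successful result is never 0 because the Prototype
 * bit is set (assumption: subsection PTEs carry Prototype = 1); Valid stays 0. */
uint32_t encode_subsection_pte(uint32_t addr, uint32_t which_pool, uint32_t protection,
                               uint32_t base, uint32_t pool_end)
{
    uint32_t offset;
    if (addr & 0x7u) return 0;
    if (which_pool) {
        if (addr < base) return 0;
        offset = addr - base;
    } else {
        if (addr > pool_end) return 0;
        offset = pool_end - addr;
    }
    if (offset >> 27) return 0;           /* does not fit in 20 + 4 bits */
    return (((offset >> 3) & 0xfu) << SUB_ADDR_LOW_POS)
         | ((protection & 0x1fu) << SUB_PROT_POS)
         | (1u << SUB_PROTOTYPE_BIT)
         | ((offset >> 7) << SUB_ADDR_HIGH_POS)
         | ((which_pool ? 1u : 0u) << SUB_WHICHPOOL_BIT);
}

int main(void)
{
    /* Restore PTE 00B5AC24 from the !pfn 143 output above. */
    subsection_pte_fields_t f =
        decode_subsection_pte(0x00B5AC24u, XP_SUBSECTION_BASE, XP_NONPAGED_POOL_END);
    printf("subsection %08X protection %u prototype %u whichpool %u valid %u\n",
           f.subsection, f.protection, f.prototype, f.which_pool, f.valid);
    printf("re-encoded %08X\n",
           encode_subsection_pte(f.subsection, f.which_pool, f.protection,
                                 XP_SUBSECTION_BASE, XP_NONPAGED_POOL_END));
    return 0;
}
```

With the XP anchors the sample Restore PTE decodes to a SUBSECTION at 0xFFB2A570 in the region just below MmNonPagedPoolEnd, with Protection 1 and Prototype set, and re-encoding that address gives back 0x00B5AC24; the same decode against the Windows 2000 anchors would land below 0xffb7f000 instead, which is why the constants must match the machine the dump came from.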

This largely describes the role of the Subsection PTE: locating, for the page specified by a PFN, its position in the corresponding mapped file. To explain this process, "Inside Windows 2000" uses a block diagram to show the intricate connections inside the memory manager, but each data structure (PFN, Segment, etc.) is not described in enough detail, and the conversion algorithms between them are not mentioned. The figure below is one I redrew according to Windows XP Professional Build 2600:

[Figure: block diagram of the relationships between the memory manager's data structures, redrawn for Windows XP Professional Build 2600]

WinDbg provides a !memusage command to obtain the memory usage of the system. The code below only lists the Mapped Files in use in the system and does not have the detailed statistics of !memusage, but together with the article I provided earlier it basically illustrates the complex relationships described above.

/*
  For test purposes I define the constants below, but this does not mean
  MmSubsectionBase and MmNonPagedPoolEnd are fixed in Windows 2000 and
  Windows XP. They are initialized by ntoskrnl during the system boot
  phase and depend on the system's physical memory size etc.
*/
#include <ntddk.h>   /* DbgPrint, MmIsAddressValid, memset */

#define WIN2000_2195

#ifdef WINXP_2600
#define MmSubsectionBase   0x80d21000
#define MmNonPagedPoolEnd  0xffbe0000
#endif

#ifdef WIN2000_2195
#define MmSubsectionBase   0x0
#define MmNonPagedPoolEnd  0xffb7f000
#endif

#define MmPfnDatabase           0x80c00000 /* please redefine it on your machine (value from the dd output above). */
#define MmNumberOfPhysicalPages 0x3f7d     /* please redefine it on your machine. */

/*
  Portion of nt!MiGetSubsectionAndProtoFromPte
  Get Subsection from Restore PTE (Original PTE) at PFN database entry
  Disasm by Webcrazy (tsu00@263.net) at http://webcrazy.yeah.net
  Thanks to wuzq (wuzq@legend.com.cn) for light!
*/
unsigned int MiGetSubsectionAndProtoFromPte(int pte)
{
    unsigned int subaddr;

    /* pte < 0 means WhichPool (bit 31) is set: offset is relative to MmSubsectionBase;
       otherwise the offset is subtracted from MmNonPagedPoolEnd. In both cases
       SubsectionAddressLow (bits 1-4) supplies bits 3-6 of the offset and
       SubsectionAddressHigh (bits 11-30) supplies bits 7 and up. */
    if (pte < 0) {
        subaddr = MmSubsectionBase + (((pte & 0x1e) << 2) | ((pte >> 4) & 0x7fff80));
    } else {
        subaddr = MmNonPagedPoolEnd - (((pte & 0x1e) << 2) | ((pte >> 4) & 0xfffff80));
    }
    return subaddr;
}

/*
  I release memusage() to dump Control Areas.
  Only mapped-file Control Areas are dumped.
  Please see the WinDbg !memusage command.
*/
void memusage()
{
    unsigned int *pfndatabase = (unsigned int *)MmPfnDatabase;
    unsigned int numberphys = MmNumberOfPhysicalPages;
    unsigned int pfn, ppte, restorepte, subsection;
    unsigned char flag = 0;
    static unsigned int flagnum[8];
    static char *flagdesc[8] =
        {"Zeroed", "Free", "Standby", "Modified", "ModNoWrt", "Bad", "Active", "Trans"};

    /* First pass: count pages per state. The state is the low 3 bits of the
       Type byte at offset 0xD of each 0x18-byte PFN entry. */
    memset(flagnum, 0, sizeof(flagnum));
    for (pfn = 0; pfn < numberphys; pfn++) {
        flag = *(char *)((char *)pfndatabase + 0xD);
        flag &= 0x07;
        flagnum[flag]++;
        pfndatabase += 0x18 / 0x04;   /* advance one entry (0x18 bytes, as unsigned ints) */
    }

    DbgPrint("\nMemusage:\n");
    for (flag = 0; flag < 8; flag++)
        DbgPrint("%10s: %04d (%08dK)\n", flagdesc[flag], flagnum[flag], flagnum[flag] * 4);

    /* Second pass: for pages whose PteAddress is a prototype PTE (0xE1000000-
       0xF0000000), convert the Restore PTE to the SUBSECTION and print its first
       DWORD, the Control Area pointer. */
    pfndatabase = (unsigned int *)MmPfnDatabase;
    for (pfn = 0; pfn < numberphys; pfn++) {
        ppte = *(pfndatabase + 0x1);        /* PteAddress, offset 0x4  */
        restorepte = *(pfndatabase + 0x4);  /* Restore PTE, offset 0x10 */
        flag = *(char *)((char *)pfndatabase + 0xD);
        flag &= 0x07;
        if (ppte >= 0xE1000000 && ppte < 0xF0000000) {
            subsection = MiGetSubsectionAndProtoFromPte(restorepte);
            DbgPrint("PFN: %04x, PPTE: %08X, RestorePte: %08X, Subsection: %08X, CA: %08X, Flag: %10s\n",
                     pfn, ppte, restorepte, subsection,
                     MmIsAddressValid((void *)subsection) ? *(unsigned int *)subsection : 0x11111111,
                     flagdesc[flag]);
        }
        pfndatabase += 0x18 / 0x04;
    }
}
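As an added example (not code from the original article), the two loops of memusage() can be exercised offline against a constructed, in-memory imitation of the PFN database that uses the same entry layout: 0x18-byte entries, PteAddress at offset 0x4, the page state in the low 3 bits of the byte at offset 0xD, and the Restore PTE at offset 0x10. It counts the pages per state and picks out the pages whose PteAddress lies in the prototype-PTE range the article uses (0xE1000000-0xF0000000). Every entry is constructed test data; entry 3 reuses the values shown for PFN 143 in the !pfn output above, and the 0xC0300000 PteAddress of entry 2 is only a sample of the 0xC******* private-page case.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* MMPFN entry layout as read by memusage(): 0x18 bytes per entry. */
#define PFN_ENTRY_SIZE   0x18
#define PFN_OFF_PTEADDR  0x04          /* PteAddress                      */
#define PFN_OFF_TYPE     0x0D          /* page state in the low 3 bits    */
#define PFN_OFF_ORIGPTE  0x10          /* Restore (Original) PTE          */
#define PFN_TYPE_MASK    0x07
#define PROTO_PTE_LO     0xE1000000u   /* PteAddress range treated as prototype PTEs */
#define PROTO_PTE_HI     0xF0000000u

static const char *flagdesc[8] =
    {"Zeroed", "Free", "Standby", "Modified", "ModNoWrt", "Bad", "Active", "Trans"};

typedef struct { uint32_t pfn, pte_address, original_pte; uint8_t type; } proto_page_t;

static uint32_t rd32(const uint8_t *p) { uint32_t v; memcpy(&v, p, 4); return v; }
static void wr32(uint8_t *p, uint32_t v) { memcpy(p, &v, 4); }

/* First loop of memusage(): count the pages in each of the 8 states. */
void count_page_states(const uint8_t *db, uint32_t npages, uint32_t counts[8])
{
    memset(counts, 0, 8 * sizeof counts[0]);
    for (uint32_t pfn = 0; pfn < npages; pfn++)
        counts[db[(size_t)pfn * PFN_ENTRY_SIZE + PFN_OFF_TYPE] & PFN_TYPE_MASK]++;
}

uint32_t pages_in_state(const uint8_t *db, uint32_t npages, uint8_t type)
{
    uint32_t counts[8];
    count_page_states(db, npages, counts);
    return counts[type & PFN_TYPE_MASK];
}

/* Second loop of memusage(): pages whose PteAddress is a prototype PTE (shared
 * pages). Returns the total found; stores up to max of them in out (may be NULL). */
size_t find_prototype_pages(const uint8_t *db, uint32_t npages, proto_page_t *out, size_t max)
{
    size_t n = 0;
    for (uint32_t pfn = 0; pfn < npages; pfn++) {
        const uint8_t *e = db + (size_t)pfn * PFN_ENTRY_SIZE;
        uint32_t pte = rd32(e + PFN_OFF_PTEADDR);
        if (pte < PROTO_PTE_LO || pte >= PROTO_PTE_HI) continue;
        if (out && n < max) {
            out[n].pfn = pfn;
            out[n].pte_address = pte;
            out[n].original_pte = rd32(e + PFN_OFF_ORIGPTE);
            out[n].type = e[PFN_OFF_TYPE] & PFN_TYPE_MASK;
        }
        n++;
    }
    return n;
}

/* Constructed test database (not a real dump). */
#define TEST_PAGES 6
static uint8_t test_db[TEST_PAGES * PFN_ENTRY_SIZE];

static void set_entry(uint32_t pfn, uint32_t pte_address, uint8_t type, uint32_t original_pte)
{
    uint8_t *e = test_db + (size_t)pfn * PFN_ENTRY_SIZE;
    wr32(e + PFN_OFF_PTEADDR, pte_address);
    wr32(e + PFN_OFF_ORIGPTE, original_pte);
    e[PFN_OFF_TYPE] = (uint8_t)((e[PFN_OFF_TYPE] & ~PFN_TYPE_MASK) | (type & PFN_TYPE_MASK));
}

const uint8_t *get_test_db(void)
{
    static int built = 0;
    if (!built) {
        memset(test_db, 0, sizeof test_db);
        set_entry(0, 0x00000000u, 0, 0);           /* Zeroed: PteAddress 0              */
        set_entry(1, 0xFFFFFFFFu, 1, 0);           /* Free:   PteAddress 0xFFFFFFFF     */
        set_entry(2, 0xC0300000u, 6, 0);           /* Active, private (0xC... sample)   */
        set_entry(3, 0xE1085174u, 6, 0x00B5AC24u); /* Active, shared: !pfn 143 values   */
        set_entry(4, 0xE1090000u, 2, 0x00C00000u); /* Standby, shared (constructed)     */
        set_entry(5, 0x00000000u, 5, 0);           /* Bad                               */
        built = 1;
    }
    return test_db;
}

/* n-th shared page of the test database, or pfn = 0xFFFFFFFF past the end. */
proto_page_t nth_proto_page(size_t n)
{
    proto_page_t pages[TEST_PAGES];
    size_t found = find_prototype_pages(get_test_db(), TEST_PAGES, pages, TEST_PAGES);
    proto_page_t none = {0xFFFFFFFFu, 0, 0, 0};
    return n < found ? pages[n] : none;
}

int main(void)
{
    uint32_t counts[8];
    count_page_states(get_test_db(), TEST_PAGES, counts);
    printf("Memusage:\n");
    for (int i = 0; i < 8; i++)
        printf("%10s: %04u (%08uK)\n", flagdesc[i], counts[i], counts[i] * 4);
    for (size_t i = 0; i < find_prototype_pages(get_test_db(), TEST_PAGES, NULL, 0); i++) {
        proto_page_t p = nth_proto_page(i);
        printf("PFN: %04x, PPTE: %08X, RestorePte: %08X, Flag: %s\n",
               p.pfn, p.pte_address, p.original_pte, flagdesc[p.type]);
    }
    return 0;
}
```

Reading the entries through byte offsets rather than a struct keeps the walk independent of compiler padding, which matters because the 0x18-byte stride and the 0xD offset come from the Windows build rather than from a header; the private page (entry 2) is counted as Active but is correctly skipped by the prototype-PTE selection, as is the Zeroed page whose PteAddress is 0.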

This article only explains the basics of how Windows 2000/XP organizes and manages physical memory. The Restore PTE was actually introduced earlier, but the case where it points into the pagefile is not described here, because I am still studying that part; I will introduce it as my own learning progresses. Thanks to wuzq (wuzq@legend.com.cn) for giving me the idea; my understanding of this topic may still be rough, so I thank him again.

