
Explore Windows 2000 / XP prototype PTE

Webcrazy (http://webcrazy.yeah.net)

Memory management is arguably the most important part of an operating system implementation, and also the most complicated. Given scarce memory resources, sharing memory is an important means of using them effectively. Windows 2000/XP implements this through a software mechanism called the prototype PTE (PPTE). In "A Brief Discussion of the Windows NT/2000 Paging Mechanism" I described in detail how the Intel x86 hardware PTE works. Let's review that mechanism first:

Suppose one of our processes maps 4M starting from the virtual address 0xXXXXXXXX (assumed to lie on the allocation granularity), and this 4M is currently entirely backed by physical memory (given the advanced idea of lazy evaluation, this situation is actually rare in Windows 2000/XP). We divide this 4M space into 4K pages (PAGE_SIZE, determined by the x86 processor). For the nth 4K page (0 <= n < 1000), at virtual address 0xXXXXXXXX + n * 4K, there is a corresponding hardware PTE indicating that this 4K page resides in physical memory. This hardware PTE can be located from PDBR (the CR3 register) and the virtual address (see "A Brief Discussion of the Windows NT/2000 Paging Mechanism").

Now consider a different situation: we have a file whose size is also 4M, and we know that to use a file we normally read it into memory. Imagine two or more processes reading and writing this file; the problem of memory sharing must then be solved. In fact, even if only one process accesses the file, Windows 2000/XP plans for sharing in advance, because any file is potentially shared. It achieves this through a kernel object called a Section. Think about it: if we allocated a separate 4M for each process, not only would memory be used wastefully, but at any given moment a process might not see the latest contents of the file. That is very bad. Internally, Windows 2000/XP uses prototype PTEs to handle this. On the same principle as hardware PTEs, when mapping such a 4M file Windows 2000/XP also divides it into 1000 blocks of 4K (PAGE_SIZE) each. It then allocates 1000 DWORDs from paged pool; each DWORD is a prototype PTE, and together they make up the prototype PTE table. For the nth 4K of the file (0 <= n < 1000), if that block currently resides in physical memory, the Valid bit (bit 0, as in a hardware PTE) of its PPTE is 1, and the PPTE's Page Frame Number (its high 20 bits) indicates the physical page. If the block is still on disk, the Valid bit is 0. In that case the PFN entry in the Page Frame Database is found through the PPTE's high 20 bits, and the PFN entry's Subsection PTE (called the Restore PTE, or Original PTE, in "Inside Windows 2000"; Windows XP calls it the Subsection PTE) locates the Subsection; the Subsection locates the Control Area and its FILE_OBJECT, and together with n, the offset of the PPTE within the PPTE table, the formula

PFN Entry's Subsection PTE -> Subsection -> Control Area -> FileObject + n * 4K

locates the file offset to be accessed, so that Windows 2000/XP reads this page in and updates this PPTE in the PPTE table. The series of locating conversions involved, such as how a Subsection PTE locates a Subsection, I will introduce another time. The description above solves a very important problem: we do not need to update the hardware PTEs of all the processes that reference this page, because the PTEs of all those processes point to the PPTE, and updating the PPTE achieves the purpose. How a process PTE points to a PPTE is covered below; for now, keep in mind that such a process PTE is certainly an invalid PTE, i.e. its bit 0 is 0, and its bit 10 is 1 (the prototype PTE flag; see the HARDWARE_PTE_X86 structure listed in my "Exploring the Windows NT/2000 Copy On Write Mechanism").

For PPTEs, the x86 processor provides no such mechanism: unlike hardware PTEs, whose address translation is performed directly by the CPU, the Windows 2000/XP memory manager simulates PPTE handling entirely in software. This is the essential difference between a hardware PTE and a PPTE.

It should be pointed out in advance that PPTEs are stored in paged pool (between MmPagedPoolStart and MmPagedPoolEnd, starting at virtual address 0xE1000000), so they may themselves be paged out. How Windows 2000/XP determines whether a PPTE is paged out, and how the paged pool start address 0xE1000000 is used to convert an invalid PTE into the address of the prototype PTE, will be introduced below.

As usual, we use SoftICE to verify the description above:

: BPINT 0E

Once we intercept this hardware interrupt we know a page fault has certainly occurred, but we cannot yet tell that it was caused by an invalid PTE pointing to a PPTE. In fact other mechanisms such as Copy On Write are also handled inside the page fault path (see "Exploring the Windows NT/2000 Copy On Write Mechanism"). However, since bit 10 of a PTE pointing to a PPTE is 1, as mentioned earlier, it is still very easy to determine whether a page fault was caused by such a PTE. Since the virtual address of the page fault is given by the CR2 register, after several attempts we continue the discussion with the following:

Break Due to BPINT 0E (ET = 2.23 Seconds)

: CPU

Processor 00 Registers

----------------------

CS:EIP=0008:801648A4  SS:ESP=0010:fcbeadc8

EAX=C002100B  EBX=77E74A02  ECX=00000102  EDX=00000000

ESI=00085108  EDI=000493E0  EBP=0140ff74  EFL=00000006

DS=0023  ES=0023  FS=0038  GS=0000

CR0=8000003B  PE MP TS ET NE PG

CR2=77d3bb26  // the virtual address at which the page fault occurred

...

: PAGE 77D3BB26

Linear    Physical  Attributes

77D3BB26  NP        01A714F6

Bit 10 of the PTE value 01A714F6 is 1, so we know this is an invalid PTE pointing to a PPTE. With the QUERY command we can find that the address given by CR2 lies in the module RPCRT4.DLL, as shown below:

: query 77d30000

Context   Address Range      Flags     MMCI      PTE       Name

Explorer  77D20000-77D8E000  07100001  FF8D1328  E169C580  RPCRT4.DLL

Combining this with the introduction in my earlier article, the following calculation:

: ? (77D3BB26-77D20000)/1000*4 + E169C580

Unsigned long = 0xe169c5ec, -513161748, "\xe1i\xc5\xec"

shows that the PTE 01A714F6 should in fact point to the location 0xE169C5EC. Then, using the Control Area pointed to by MMCI and the formula I gave above, the memory manager can read RPCRT4.DLL at file offset (0xE169C5EC-0xE169C580)/4*1000, i.e. the 4K bytes at 0x1B000, into virtual address 77D3B000 ((0xE169C5EC-0xE169C580)/4*1000 + 77D20000); the address 77D3BB26 given by CR2 certainly lies within these 4K.

What we have just described is the typical path MmAccessFault takes for an invalid PTE pointing to a PPTE. But this only covers the case where the prototype PTE is located through the VAD; if the page is already in physical memory, do we still need to spend time looking up the VAD? That depends on how an invalid PTE locates its prototype PTE, so I have long been concerned with the format of an invalid PTE pointing to a PPTE. "Inside Windows 2000" gives a specific format for such an invalid PTE, but I found that it is not correct. I was convinced that someone who, like its author, has access to the Windows 2000 source code could not possibly get this wrong, so my understanding got stuck here. Later, through disassembly, I found that the position of the PPTE is calculated as follows:

PPTE address = ((PTE >> 2) & 0x3ffffe00) + ((PTE & 0x000000FF) << 1) + 0xE1000000

where PTE is the invalid PTE pointing to the PPTE and 0xE1000000 is the start address of paged pool. Let's use the example above to demonstrate this algorithm.

The invalid PTE above is 01A714F6; with this value we get:

PPTE address = ((0x01A714F6 >> 2) & 0x3ffffe00) + ((0x01A714F6 & 0x000000FF) << 1) + 0xE1000000

= (0x0069c53d & 0x3ffffe00) + (0xF6 << 1) + 0xE1000000

= 0x69c400 + 0x1ec + 0xE1000000

= 0xE169C5EC

This PPTE address 0xE169C5EC is consistent with the PPTE location found through the VAD.

For a better understanding of PPTEs, let's take another example. We know that NTDLL.DLL is a very important DLL in Windows 2000/XP; as long as the operating system has started normally, NTDLL is certainly shared by multiple processes. In SoftICE:

: QUERY -x 77F50000

Context   Address Range      Flags     MMCI      PTE       Name

SMSS      77F50000-77FF8000  07100005  80E6FA50  E131F9E8  NTDLL.DLL

.

.

.

Explorer  77F50000-77FF8000  07100005  80E6FA50  E131F9E8  NTDLL.DLL

.

.

.

: ADDR SMSS

: MOD NTDLL

hMod      Base      PEHeader  Module Name  File Name

77F50000  77F500E8  NTDLL     \WINDOWS\SYSTEM32\NTDLL.DLL

Based on NTDLL's base address 77F50000, we look at its hardware PTEs:

: DD 1DF*1000 + 350*4 + C0000000 L 4 // for details see "A Brief Discussion of the Windows NT/2000 Paging Mechanism"

0010:C01DFD40 02267027 02F2E005 02F2F005 00C7E4FA  'p&.............

From these PTEs of the SMSS process we can easily see that the 1st to 3rd 4K pages of NTDLL.DLL reside in physical memory, because they are all valid hardware PTEs. The fourth PTE (00C7E4FA), although it is an invalid PTE (bit 0 is 0), is a PTE pointing to a PPTE (bit 10 is 1), so we cannot conclude from this invalid PTE alone that the fourth 4K of NTDLL.DLL is not in physical memory. We must analyze this PTE further to find out whether the fourth 4K is really on disk. Using the algorithm above, we easily calculate the PPTE address as E131F9F4; let's look at this PPTE's value:

: DD E131F9F4 L 4

0010: E131F9F4 02F30121 02F31121 02F32121 02F33121! ...! ... !! ..! 1 ..

From the value 02F30121 we can determine that the fourth 4K is in fact also present in physical memory, in the physical page with Page Frame Number 02F30; the rest can be checked through the PFN Database.
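The decoding steps used in both examples above, written out in C as an added example (not code from the original article): the hardware PTE address for a virtual address, the PPTE address from an invalid PTE via the formula recovered by disassembly, and the backing file offset from the PPTE's index in its table. The constants and test values are those the article states; the function names are my own.

```c
#include <stdint.h>
#include <stdio.h>

/* Constants as the article states them for Windows 2000/XP on x86:
 * hardware PTEs at 0xC0000000, prototype PTEs in paged pool at 0xE1000000. */
#define PTE_BASE        0xC0000000u
#define PROTO_PTE_BASE  0xE1000000u
#define PAGE_SIZE       0x1000u
#define PTE_VALID       (1u << 0)   /* bit 0: page present */
#define PTE_PROTOTYPE   (1u << 10)  /* bit 10: invalid PTE points to a PPTE */

/* Virtual address of the hardware PTE mapping va:
 * 0xC0000000 + PDE index * 0x1000 + PTE index * 4. */
uint32_t hw_pte_address(uint32_t va)
{
    return PTE_BASE + (va >> 22) * PAGE_SIZE + ((va >> 12) & 0x3FFu) * 4;
}

int pte_is_valid(uint32_t pte) { return (pte & PTE_VALID) != 0; }
int pte_is_prototype(uint32_t pte)
{
    return !pte_is_valid(pte) && (pte & PTE_PROTOTYPE) != 0;
}

/* Page frame number: the high 20 bits of a valid hardware PTE or PPTE. */
uint32_t pte_pfn(uint32_t pte) { return pte >> 12; }

/* PPTE address encoded in an invalid PTE, using the formula the article
 * recovered by disassembly; returns 0 if the PTE does not point to a PPTE. */
uint32_t proto_pte_address(uint32_t pte)
{
    if (!pte_is_prototype(pte))
        return 0;
    return ((pte >> 2) & 0x3FFFFE00u) + ((pte & 0xFFu) << 1) + PROTO_PTE_BASE;
}

/* File offset backing a PPTE: its index in the PPTE table (whose base is
 * the PTE column of SoftICE's QUERY output) times 4K. */
uint32_t proto_file_offset(uint32_t ppte_addr, uint32_t table_base)
{
    return (ppte_addr - table_base) / 4 * PAGE_SIZE;
}

int main(void)
{   /* values from the SoftICE sessions above (RPCRT4.DLL example) */
    uint32_t p = proto_pte_address(0x01A714F6u);
    printf("PPTE %08X, file offset %X\n", p, proto_file_offset(p, 0xE169C580u));
    return 0;
}
```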

We can also view the NTDLL.DLL mapping of the Explorer process to verify this situation:

: ADDR Explorer

: DD 1DF*1000 + 350*4 + C0000000 L 4

0010: C01DFD40 02267025 02F2E025 02F2F025 02F30025% P &.% ...% ...% ...

This makes it clear. The opening of the article said: "We do not need to update the hardware PTEs of all the processes that reference this page, because the PTEs of all those processes point to the PPTE, and updating the PPTE achieves the purpose." From this we can also see that the fourth 4K of NTDLL.DLL is actually in physical memory, yet Windows 2000/XP has not updated the PTE of every process that references this page, as in the SMSS process; the PPTE, however, already points to its actual address. When the SMSS process first accesses this area, the memory manager will use 02F30025 (assuming the attributes of this page are the same as in the Explorer process, and allowing for the accessed-bit flag) as the valid hardware PTE to replace the 00C7E4FA shown above. Now everything is clear.

Although this article focuses on introducing PPTEs, it actually also makes the internal mechanism of the Section object quite clear; this is why I originally set the title of the article as an analysis of the Section object. My understanding of PPTEs took quite some time, mainly because there is really no material on this topic; only "Inside Windows 2000" touches on it, and it neither clearly spells out the format of an invalid PTE pointing to a PPTE nor explains how it is used (especially the addition of 0xE1000000, which exhausted me). The format introduced in this article I have tested on both Windows 2000 and XP; in fact, one of the two examples in this article was done on Windows 2000 Server Build 2195 and the other on XP Professional Build 2600. Having introduced PPTEs, let's review several connections inside the memory manager:

The FILE_OBJECT's SECTION_OBJECT_POINTERS->DataSectionObject or SECTION_OBJECT_POINTERS->ImageSectionObject (which one is determined by how the Section object maps the file) points to the Control Area; the VAD for the virtual address range the process maps (what SoftICE calls MMCI, as described in this article) also points to the Control Area; a Control Area has one or more Subsections; a Subsection points to PPTEs; the PPTE table is generally located at the end of the Segment structure pointed to by the Control Area; the Section object points to the Segment; and the process page table points to PPTEs. All of this has now been described clearly. There is one more major connection, namely the PFN entry's Restore PTE (Original PTE) pointing to the Subsection, which I will introduce next time.

From "A Brief Discussion of the Windows NT/2000 Paging Mechanism" to today's introduction of PPTEs, I have gained a much deeper understanding of the memory management part of Windows 2000/XP, and the concepts I had previously not touched on have also proved very important. I went through a lot of confusion and now have some grasp of the memory manager. All of the discussion is based on my own understanding; further advice is welcome (TSU00@263.net).
