Explore Windows NT / 2000 Copy ON WRITE Mechanism
Webcrazy
http://wecrazy.yeah.net)
The Copy ON Write mechanism is a typical Lazy Evaluation implementation, and modern operating systems such as Windows NT / 2000, and UNIX / Linux's memory management part use this mechanism. This article uses a deep analysis of the Copy ON Write mechanism in Windows NT / 2000, which is designed to explore several important data structures of the Windows NT / 2000-core memory manager. Before you continue the following discussion, you must understand PDE / PTE, VAD and other terms (see me previous "
Small discussion Windows NT / 2000 paging mechanism "and"
Analyze Windows NT / 2000 Heap Instructions and Virtual Memory Organizations "), and in addition to several terms related to memory subsystem, such as Control Area, SubSecion, Working Set List, Page Frame Database. The following is listed below for the code used to analyze the Copy ON WRITE mechanism, and all the narratives in the text are based on this code.
// cow.c
// writed by chenchengqin
TSU00@263.net)
#include
#include
#define buffsize 10
#pragma data_seg (". seg_cow")
Char data [bufsize] = {'a', 'a', 'a', 'a', 'a', 'a', 'a', 'a', 'A', '/ 0'};
#pragma data_seg ()
#pragma comment (Linker, "/SECTION :.SEG_COW ,RWC")
Void main (int Argc, char * argv [])
{
INT I;
IF (argc> 1) {
// Memset (Data, 'B', BUFSIZE);
__ASM INT 3;
For (i = 0; i DATA [I] = 'b'; Data [buffsize-1] = '/ 0'; } Printf ("% s", DATA); GetChar (); } A very simple piece of code, compile the following instructions: CL / Zi / Fa Cow.c Run an example (don't quit): C:> COW Aaaaaaaaaaaaa Use Softice to see the distribution of COW.EXE images in memory: : Addr COW : Map32 COW Owner obj name obj # address size type Cow .text 0001 001B: 00401000 00006BB8 CODE RO Cow .rdata 0002 004002002005C8 Idata RO Cow .data 0003 0023: 00409000 00002EC4 IDATA RW Cow .idata 0004 0023: iDATA RW Cow .seg_cow 0005 0023: 0040d000 0000010C IDATA RW Cow .reloc 0006 0023: 0040E000 000006B2 Idata RO / / View. SEG_COW Section (Virtual Address 0x40D000) PTE, see " Small WINDOWS NT / 2000 Page Mechanism : DD C0000000 1 * 1000 D * 4 L 10 0023: C0001034 003F9225 00000000 000000000c3c067%.? ......... g ... ------------ | | _cow.exe process. The PTE of the SEG_COW section address Softice's PAGE command can dump out this PTE property, as shown below: : Page 40D000 Linear Physical Attributes 0040d000 003F9000 P A U r However, the attributes listed here did not point out. SEG_COW's Copy ON WRITE attribute, because the low 12 digits of the X86 PTE (0-11), that is, the property bits did not point out this property, but Microsoft (of course not only Microsoft) is used. The 12-bit reserved system (OS) bit, below is the specific format of this DWORD value in Windows 2000: Struct_hardware_pte_x86 (SIZEOF = 4) 0 bits0-0 Valid 0 BITS1-1 WRITE 0 bits2-2 Owner 0 Bits3-3 WritethroughRough 0 Bits4-4 CacheDisable 0 bits5-5 accessed 0 bits6-6 dirty 0 BITS7-7 LARGEPAGE 0 Bits8-8 Global 0 Bits9-9 CopyonWrite 0 BITS10-10 prototype 0 bits11-11 reserved 0 bits12-31 Pageframenumber From the value of the PTE of the PTE 003F9225, you can see the read-only of the 0x40d000, the CopyonWrite property. The read-only attribute is a guarantee of CopyonWrite, so x86 can try to write. SEG_COW segment when another COW instance is a 0EH (Page Fault) interrupt (trap), let Windows processes this Copy ON Write action. Based on this principle, I will run another example of COW, track the Copy ON WRITE mechanism: C:> COW 1 (set a parameter, let Cow try to update. SEG_COW segment) I set the INT 3 instruction in the code to let Softice activate when i3here is set to ON. Then use the BPINT E instruction to let the Softice capture a 0EH interrupt. The I386 is saved in the CR2 register when the RAISE 0E is interrupted. Windows 2000 Fault Handle Kitrap0E is based on this address. SEG_COW copy, and replaces the original page of the second COW instance work set (Working List, this only refers to the process work set, unforeseen system work set). The purpose of CopyonWrite. I am not ready to list the Kitrap0E's assembly code, just talk about the steps of Windows looking for the attribute of the address specified by CR2, and Windows 2000 is implemented by the MiQueryAddressState process. Kitrap0e is of course also calling MiQueryAddressState. 1. First check the PDE of 0x40D000 (specified by CR2). Implemented by Midoespdeexistandmakevalid. 2, check the PTE. 3, check the page database database (PFN, Page Frame Database, specified by the kernel structure array variable MMPFNDATABASE) 4 Differentiated by the kernel routine MiLocateWsle. 5, then find the MMProtectTOVALUE array based on the attributes of WSLE (the first 12) to get the format that the user-state can understand. That is, Page_WriteCopy, Page_Readwrite, etc., which are defined in Winnt.h. Steps 3 to 5 have also realized the conversion of physical addresses to linear addresses, of course, this is the presection of this address. This is why Windows 2000 uses such complex and cumbersome structures to manage memory subsystems. Specifically, I didn't talk about PFN's Pteaddress members (I can see below i386kd output), which all use paging files (PageFile.sys, implementation through Protopte, ie, prototype PTE implementation), shared memory blocks, etc. David Solomon's book "Inside Windows NT, 2nd Edition" has four PFN form specific structures, etc. Other more detailed descriptions. The following is an analysis of i386kd, in fact, according to some of the kernel variables I give, I can see something. However, there is no easy I386kd. // cow.exe process ID (clientID) = 4ac KD>! Process 4ac Process 4ac Searching for process with CID == 4ac Process FF605D60 Sessionid: 0 CID: 04ac PEB: 7FFDF000 Parentcid: 04a0 Dirbase: 017bc000 ObjectTable: FF610F88 TABLESIZE: 12. Image: cow.exe Vadroot FF624168 Clone 0 private 37. Modified 0. Locked 0. . . . / / Convert 40D000 to the physical address to obtain PFN. // Softice uses the PAGE command KD>! vtop 017bc000 40d000 ------------ | _DIRBASE (see! Process output) VTOP 017BC000 40D000 PDI 1 PTI D / / Output PDE and PTE 0040d000 00a6e000 PFN (00A6E) // Output PFN // Check PFNDATABASE // Softice: // DD @ mmpfndatabase a6e * 18 (each PFN item occupies 0x18 bytes) KD>! PFN A6E PFN A6E PFN 00000A6E At Address Ffb8EA50 FLINK 00000097 Blink / Share Count 00000001 Pteaddress E151E1B4 Reference Count 0001 Color 0 Restore Pte 056B04B0 Containing Page 002af3 Active P Shared / * Check MMWSLE Softice: : DD @ mmwsle 97 * 4 L 10 0023: C05028FC 0040DF29 000006A0 00510C09 000009B0). @ ....... q ..... ------------ | _0040D000 is the Virtual Address * / of the PFN for a 16e KD>! WSLE 4AC WSLE 4ac // kpeb's VMworkingSetList member (0.0F0 in Windows 2000 Server Build 2195, the value is C0502000) Pointing Working Set List // see " Windows 2000 Core KPEB / KTEB Detailed Structure " Working set @ c0502000 Quota: 2F firstfree: 22 FirstdyNAMIC: 4 Lastentry Ad NextSlot: 16 Lastinitialized 257 Nondirect 1e Hashtable: C06F3000 Hashtables: 200 . . . These i386kd instructions have been clearly indicated by the above five steps. But to understand that Copy ON WRITE must have a basic understanding of the Section object. WINDOWS 2000 generally inserts a node in the VAD's self-balanced binary tree when using ntcreateesection / ntopensection (CreateFileMapping / OpenFileMapp Indirect). (I'm here" Analyze the Windows NT / 2000 Pile Insurance and Virtual Memory Organization "VAD in detail). Softice has a member mmci (memory management structure) when using the Query command dump Vad tree, and she points to Control Area. As follows: // Softice output : query COW Address Range Flags MMCI PTE Name 00010000-00010000 C4000001 . . . 00400000-0040E000 07100005 FF62FD48 E11EBF80 COW.EXE ------------ | _CONTROL AREA . . . In fact, we use i386kd! Memusage can dump all Control Area in the system: KD>! Memusage Loading PFN Database Loading (99% Complete) Zeroed: 15 (60 kB) Free: 0 (0 KB) Standby: 1274 (5096 KB) Modified: 686 (2744 KB) ModifiedNowrite: 1 (4 KB) Active / Valid: 14380 (57520 KB) Transition: 11 (44 kB) Unknown: 0 (0 kB) Total: 16367 (65468 KB) Building kernel map Finished building kernel map Control Valid Standby Dirty Shared Locked PageTables Name . . . FF62FD48 32 0 0 0 0 Mapped_file (cow.exe) ------------ | _Control Area consistent with the MMCI of Softice above . . . I386kd's CA command can see a Control Area structure: KD>! CA FF62FD48 Controlarea @ ff62fd48 Segment: E11EBF48 FLINK 0 Blink: 0section Ref 1 PFN Ref 8 mapped views: 1 User Ref 2 Subsections 7 Flush Count: 0 File Object ff684288 modwritecount 0 System Views: 0 Waitfordel 0 Paged Usage A0 Nonpaged Usage 120 Flags (10000A0) Image File HaduserReference File: /desktop/hack/cow.exe Segment @ E11EBF48: Base Address 0 Total Ptes f Nonextendes: f Imagess 5 ControlAr ff62fd48 sizeofsegment: f000 Image base 0 committed 0 PTE Template: 54f1c30 Based Addr 400000 Protoptes E11EBF80 Image Info: E11EBFC0 Subsection 1. @ ff62fd80 Controlarea: FF62FD48 Starting Sector 0 Number of Sectors 8 Base PTE E11EBF80 Ptes in Subsect 1 Unused Ptes 0 Flags 15 Sector Offset 0 Protection 1 Readonly CopyonWrite . . . The output of the CA command can be seen that this Control Area has 7 sub-areas (Subsection), which is limited to the partial output result, you can compare all the results with Softice's Map32 command output. All SubSecion structures in Control Area are all use of linear structures, each of which occupies 0x20 bytes in Windows 2000 Server Build 2195. So Softice can easily analyze all of these. It is to be pointed out that not only the section object is used in Windows 2000, it is also used in Windows 2000: Typedef struct _section_object_pointers { PVOID DATASECTIONObject; // Control Area Pvoid SharedCacheMap; PVOID imageSECTIONObject; // Control Area } Section_object_pointers; Each file_object has a section_object_pointers member (see NTDDK.H). This mechanism is the key to the Windows 2000 load executable, file IO operation (see DAVATIONOBJECT and IMAGESECTIONOBJECT?). Only by familiar with these structures can be truly understood. There is only a lot of research in the rest of you. About cow.exe, I have two points to explain: 1. Cow.c Use #pragma Comment (Linker, "/SECTION :.SEG_COWD") Explicitly pointed out the Copy on Write property of the .cow_seg segment, in fact, this shared property in Windows NT / 2000 is default of. Map of executable files, readable writable data is set by default to a Copy ON Write property, and you can use Jeffrey Richter VMMAP to verify this statement. 2, Windows NT / 2000 Using the Executable File Name (ImageName) Used to identify multiple instances of this program to share memory, this mechanism is completely consistent with different file names, even if its content is completely consistent It doesn't work, and the section object is mapped separately. All the above discussion did not find Microsoft's Full Documented, all the above discussion is only obtained after I am initially analyzing Windows 2000, what is technical issues need to communicate, welcome to enlighten me (TSU00@263.net)! Reference: 1.David solomb "inside windows nt, 2nd edition"
