Small WINDOWS NT / 2000 paging mechanism
Webcrazy
TSU00@263.net)
Memory management is the most important part of the operating system that determines the performance of the operating system. Intel X86 uses segmented, paging memory mechanisms, and Windows NT / 2000 takes full advantage of this advanced mechanism. Segment IA-32 System Using Page Directory and Page Table (Page Table, the page command can display the page table or the page table, etc.) forms addressing the 4G address. There is no special explanation in the text, and the Windows NT / 2000 of the operating platform is the Intel 32-bit processor, and Windows mentioned only Windows NT / 2000. No matter the code segment of the user state and the core state in Windows, the data segment and the stack segment base address are 0, and the logical address (consisting of the segment base address and the offset) is equal to the logical address. Since the linear address is visible for the user, if I don't specifically point to physical addresses, the address is only linearly addressed.
Page Catalog (PDE) consists of 1024 items, each pointing to a page (PTE), each page table is composed of 1024 pages, the IA-32 system is 4K per page, so the addressable range is 4G ( 1024 * 1024 * 4K). Each process in Windows has its own process address space, which has its own page directory and page table. Each process uses a linear address C0300000H to point to the address of its specific page directory, and each item in the page directory is arranged in linear address C0000000H, each page table occupies 4K (1024 * 4) Bytes, such as the first page table is located at C0000000H, and the second page table is located in C0000000 1000H (4K), that is, in the C0001000, the calculation formula is the C0000000H page directory offset value (linear address is 10 Bit) * 1000h, I will take this formula. Of course, the premise of the above is that each page table is located in physical memory (specified by the P bit in each item in the page directory), which is why IA-32 uses the two-level page table, otherwise, each process is eliminated 4M (4 * 1024 * 1024) memory is added additional to data.
The above mechanism enables physical address addressing, and implements mutual conversion of physical addresses and linear addresses in Windows NT / 2000 (although the CPU only requires only linear addresses to be converted into physical addresses, we are analyzing The program code, etc. still requires a physical address to convert to a linear address). Let's take a look at the Softice analysis first:
The // addr expensive manner will followed by the private process space of the process Explorer
: AddR Explorer
// Display the physical address of the Explorer process page, that is, the process switches to the value of the PDBR (CR3) after Explorer
: addr
CR3 LDT BASE: LIMIT KPEB AddR Pid Name
.
.
.
00c10000 FF9FC920 036C Explorer
.
.
.
/ *
Linear address format: 0-11 position corresponding to 1 page (4096 bytes) offset
12-21 位 位 10 1024 in the current page table
22-31 位 位 目 页 目 目
20 digits (12-31) are also known as
According to the formula mentioned above, the value of the physical address is 20 bits can be obtained, and the linear address page is offset (as physics)
The lower 12 digits of the address is realized, that is, the linear address is transformed into a physical address, and the formula is expressed as:
@ (C0000000H PDE * 1000H PTE * 4) & 0FFFFF000H PO
= @ (C0000000H 4 * (PDE * 400H PTE)) & 0fffff000H PO
= @ (C0000000H (PDE >> 10D PTE) << 2D) & 0FFFFF000H PO = @ (C0000000H (La >> 12D) << 2D) & 0FFFFFFFF000H PO
= @ (C0000000H (la & 0xffff000) >> 10D) & 0FFFFFFFFFFFF000H PO
The PDE and PTE represent the offset value of PDE and PTE in the above formula, representing a given linearity with LA
Address, use the PO represents the low 12 bits of LA, represents 16/10 enrollment by H and D, and @ means the content in the post-add address pointer.
After this analysis, the linear address C0300000 corresponding to the page directory is 300h, the page table is 300h, the offset is 0
Then C0000000H PD * 1000H PT * 4 PO = C0000000 300H * 1000H 300H * 4 0
* /
: DD C0000000 300 * 1000 300 * 4 L 4
0010: C0300C00 00C10063 01A31063 00000000 0141F163 C ... c ....... C.A.
|
| _ Low 12 bits (0-11) 063 is attribute bit, Intel reserved bit and system (OS) use bit
/ / Show the physical address of C0300000 (00C10000)
:? DWORD (@ (@ (C0000000 300 * 1000 300 * 4)) & fffff000 C0300000 & 00000FFF
00c10000
// Verify with Softice
: Phys DWORD (@ (C0000000 300 * 1000 300 * 4)) & fffff000 C0300000 & 00000FFF
C0300000
: Page C0300000
Linear Physical Attributes
C0300000 00C10000 P D A S RW
In fact, the last command can implement all other instructions, and I will list the code segment implemented:
// Linear Address -> Physical Address
// SOFTICE PAGE command can implement this function
// A linear address corresponds to a unique physical address
// If this function returns 0, this linear address does not correspond to the physical address.
Ulong LineradDressTophysicalAddress (Ulong Laddress)
{
Unsigned int * Paddr;
Unsigned int * pagedirectoryEntry = (unsigned int *) 0xc0300000;
Unsigned int * PageTableEntry = (unsigned int *) 0xc0000000;
/ / The judge is valid if the page directory is valid, and the 0th bit (P) is presented, see the relevant books.
IF (((PageDirectoryEntry [Laddress >> 22] & 0xfffff000)))
&& (! ((((! ")))))
Return 0;
@ (C0000000H (la & 0xfffff000) >> 10D) & 0FFFFF000H PO See the narrative
PADDR = (int *) ((int) PageTableEntry (Laddress & 0xfffff000) >> 10));
IF ((* PADDR) & 1)
Return ((* paddr) & 0xfffff000) | (laddress & 0x00000FFF); Return 0;
}
So how do you reverse the physical address to convert to a linear address? Although there is no relationship, because the specific location of the page directory and the page table can be used, you can use the method directly in this range. Theoretically, this range is 1024 * 1024 * 4 (4m), but because many page directory items are currently existing in physical memory, actually search is much smaller. This also leads to a problem, it is possible to cause a blue screen (the address that does not exist within the kernel). So the code given below I check the P bit of each item in the page directory.
// Physical Address -> Linear Address
// Equivalent to the physical phys command
/ / Search all valid page tables to find the specified physical address
// There may be multiple linear addresses to point to the same physical address
// This function does not output any result indicates that there is currently no linear address map to this physical address.
Void PhysicalAddresStolineradDress (Ulong Paddress)
{
Unsigned int * Paddr;
Unsigned int * pagedirectoryEntry = (unsigned int *) 0xc0300000;
Unsigned int * PageTableEntry = (unsigned int *) 0xc0000000;
INT I, J;
DBGPRINT ("/ n");
For (i = 0; i <1024; i )
IF ((PageDirectoryEntry [i] & 0xfffff000) && (PageDirectoryEntry [i] & 0x00000001)))
For (j = 0; j <1024; j ) {
PADDR = (int *) ((int) PageTableEntry i * 4096 j * 4);
IF ((* paddr) & 0x00000001)
IF ((* paddr) & 0xffff000) == (paddress & 0xffff000))
DBGPRINT ("% 08x / n",
((i * 4 * 1024 * 1024 j * 4 * 1024) & 0xffff000) | (Paddress & 0x00000FFF));
}
}
The above two program segments involve memory access of 2G-4G range (linear address C0000000), and ordinary user states cannot be implemented. In Windows, use the device driver to make it correctly executed in the core state.
Then Windows uses the paging mechanism to efficiently, reasonably use good physical memory? Jeffrey Richter's classic book << Programming Applications for Microsoft Windows, Four Edition >> fully elaborates Windows memory management mechanism, please Refer to this book! Below I list the linear addresses of the two run instances of the same program (MSPaint.exe) to describe the correspondence of the physical address to illustrate the memory paging mechanism of Windows.
/ / The following is the address of each segment after mspaint.exe (two MSPaint.exe processes for both simultaneous run)
: Map32 MspAint
Owner obj name obj # address size type
Mspaint .text 0001 001B: 01001000 0003A500 CODE RO
Mspaint .data 0002 0023: 0103C000 00002670 Idata RW
Mspaint .rsrc 0003 0023: 0103f000 000116C8 Idata RO
-------------
|
| _ Logical address
// mspaint.exe's linear address and physical address of the first running instance LINEAR Address Range Physical Address Range Attributes
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------- -
00010000 - 00010FFF 03A8B000 - 03A8BFFF 047
00020000 - 00020FFF 03BCC000 - 03BCCFFF 047
0006d000 - 0006DFFF 018BC000 - 018BCFFF 047
.
.
.
//mspaint.exe's first instance of the .TEXT segment
01001000 - 01001FFF 00596000 - 00596FFF 005
01002000 - 01002FFF 03F97000 - 03F97FFF 005
01003000 - 01003FFF 03D58000 - 03D58FFF 005
.
.
.
//mspaint.exe's first instance of the .data section
0103C000 - 0103CFFF 0225F000 - 0225FFFF 047
0103D000 - 0103DFFF 03620000 - 03620FFF 047
0103E000 - 0103EFFF 03C1E000 - 03C1EFFF 047
.
.
.
//mspaint.exe's first instance of the .RSRC segment
0103F000 - 0103FFFF 01652000 - 01652FFF 025
01040000 - 01040FFF 02653000 - 02653FFF 005
01041000 - 01041FFF 003D4000 - 003D4FFF 005
.
.
.
//mspaint.exe's page directory of the first instance
C0300000 - C0300FFF 030FD000 - 030FDFFF 063
C0301000 - C0301FFF 017FE000 - 017Fefff 063
C0303000 - C0303FFF 0141F000 - 0141FFFFFFFF 163
.
.
.
FFD0F000 - FFD0FFFFFFF 000FF000 - 000ffff 023
FFDF0000 - FFDF0FFF 0026A000 - 0026AFFF 163
FFDFF000 - fffffff 00269000 - 00269FFF 163
// mspaint.exe's linear address and physical address of the second run instance
Linear Address Range Physical Address Range Attributes ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------
00010000 - 00010FFF 03A6A000 - 03A6AFFF 047
00020000 - 00020FFF 0352B000 - 0352BFFF 067
0006d000 - 0006DFFF 03413000 - 03413FFF 047
.
.
.
//mspaint.exe second instance .Text paragraph
01001000 - 01001FFF 00596000 - 00596FFF 005
01002000 - 01002FFF 03F97000 - 03F97FFF 005
01003000 - 01003FFF 03D58000 - 03D58FFF 005
.
.
.
//mspaint.exe second instance of .data paragraph
0103C000 - 0103CFFF 030DF000 - 030DFFFF 047
0103D000 - 0103DFFF 009A0000 - 009A0FFF 047
0103E000 - 0103EFFF 02089000 - 02089FFF 047
.
.
.
//mspaint.exe second instance of .RSRC segment
0103F000 - 0103FFFF 01652000 - 01652FFF 005
01040000 - 01040FFF 02653000 - 02653FFF 005
01041000 - 01041FFF 003D4000 - 003D4FFF 005
.
.
.
Table of the page directory of the second instance of //mspaint.exe
C0300000 - C0300FFF 037C9000 - 037C9FFF 063
C0301000 - C0301FFF 02F8A000 - 02F8AFFF 063
C0303000 - C0303FFF 0141F000 - 0141FFFFFFFF 163
.
.
.
FFD0F000 - FFD0FFFFFFF 000FF000 - 000ffff 023
FFDF0000 - FFDF0FFF 0026A000 - 0026AFFF 163
FFDFF000 - fffffff 00269000 - 00269FFF 163
The above list acquires the page table of the two simultaneous runs of MSPaint.exe. In fact, you only need to understand the mutual conversion of the physical address and the linear address, slightly modify the two code segments given above to get the above information (32-bit X86 platform Windows 2000 Server Build 2195 takes a moment, mine The physical memory of the machine is 64M, namely 040000000H bytes). Each process in Windows has its own linear address. In the first 2G (user space, Windows 2000 Server Ntoskrnl.exe's ntoskrnl.exe's ntoskrnl.exe's ntoskrnl.exe's mmhig ", two instances listed in the above example The .Text segment of the running mspaint.exe points to the same physical address space, while the .DATA segment points to different physical spaces. This is due to the decision of different sections and nature, it is not difficult to understand. In the latter 2g (Nuclear space, the MMSystemRangeStart of Ntoskrnl.exe of Windows 2000 Server points out the start position of its linear address), most physical space is shared by two instances, in fact, all routines of different programs running this 2G, Of course, the page directory (C0300000H) is except for other relatively special operations such as the page table (C0000000H), and this rule can be seen in the above example. Of course, the page directory and page table also have a project to point to the same physical area, so that the process-sharing physical memory, such as two instances of the two instances of MSPaint.exe, the linear address mapped in C0303000-c0303FFF, the linear address 00800000-00 bfffffFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF (4M) Point to the same physical area.
This is just to discuss usually how Windows is efficiently used in the program. It is actually Windows gives a lot of mechanisms, such as Copy ON Write, etc., allows .Text segment, etc., you can point to different physical addresses, typically use users. State debugger (Ide debugging environment attached to the Microsoft Visual C ) debugging the application. Of course, Windows also provides methods that allow data to share the same physical memory area, even if the Microsoft Connector (LINK) is used to give specific segment sharing (s) attributes.
In <<
Analysis of Windows NT / 2000 Environment Switch >>
NSFOCUS MAGAZINE 12) I have introduced the Windows NT / 2000 environment to switch code, then how Windows NT / 2000 is allocated to the application from header page directory and page table? Because only is built The new process involves the assignment of the page directory and page table, so let's take a look at the CreateProcessW code in kernel32.dll (CreateProcessa indirectly calls CreateProcessW).
It can be easily displayed as follows:
Kernel32! CREATEPROCESSW
.
(Some error routines such as process files exist, kernel object security check, etc.)
.
;open a file
001b: 77e7ddd2 Call [NTDLL! NTOPENFILE]
.
Mainly some parameters of stack code)
.
Assign virtual addresses for executables
001b: 77E7DE0A CALL [NTDLL! NTCREATESEC]
.
.
.
Close the file
001b: 77e7de1e call [NTDLL! NTCLOSE]
.
.
.
; Call NTCReateProcess creation process
001b: 77E7DF83 Call [NTDLL! NTCREATEPROCESS]
.
.
.
In fact, the four processes of NTDLL.DLL in Windows 2000 Server Build 2195 are SERVICE IDs 64H, 2BH, 18H and 29H SYSTEM Service. See << for System Service
Talk about Windows NT / 2000 internal data structure >>
NSFOCUS Magazine 11). We continue to see the NTCReateProcess process:
: u NTDLL! NTCREATEPROCESS // User-State, is often said to Native API
NTDLL! NTCREATEPROCESS
001b: 77f92d2c MOV Eax, 00000029
001b: 77f92d31 Lea EDX, [ESP 04]
001b: 77f92d35 INT 2E // Using interrupt door into the core state
001b: 77f92d37 return 0020
: ntcall
Service Table Address: 804704d8 Number of Services: 000000F8
.
.
.
0029 0008: 804AD948 params = 08 ntoskrnl! SeunlocksubjectContext 0514
|
| _ID is the entrance address of 29h SYSTEM Service (NTCReateProcess)
.
.
.
: u 8: 804AD948
0008: 804AD948 55 PUSH EBP
0008: 804AD949 8BEC MOV EBP, ESP
0008: 804AD94B 6AFF PUSH FF
0008: 804AD94D 6890354080 Push 80403590
0008: 804AD952 682ccc4580 push ntoskrnl! _Except_handler3
0008: 804AD957 64A100000000 MOV EAX, FS: [00000000]
0008: 804AD95D 50 Push EAX
0008: 804AD95E 64892500000000 MOV FS: [00000000] ESP
.
.
.
The KPEB of the new process is stored in EBP-30. The following sentences implement 0A2H * 4 (648) bytes after KPEB clear zero
0008: 804ADAF5 B9A2000000 MOV ECX, 000000A2
0008: 804adafa 33c0 xor Eax, EAX
0008: 804ADAFC 8B7DD0 MOV EDI, [EBP-30]
0008: 804ADAFF F3AB REPZ Stosd
.
.
.
0008: 804AD5E7 55 Push EBP
0008: 804AD5E8 8BEC MOV EBP, ESP
KPEB and process Context is incorporated into the first and fourth parameters of this process (EBP 8 and EBP 14H)
0008: 804AD5EA 8B4508 MOV EAX, [EBP 08]
0008: 804AD5ED 8D4808 Lea ECX, [EAX 08]
0008: 804AD5F0 C60003 MOV BYTE PTR [EAX], 03
0008: 804AD5F3 89480C MOV [EAX 0C], ECX
0008: 804AD5F6 C640021B MOV BYTE PTR [EAX 02], 1B
0008: 804AD5FA 8909 MOV [ECX], ECX
0008: 804AD5FC 8A4D0C MOV CL, [EBP 0C]
0008: 804AD5FF 884862 MOV [EAX 62], CL
0008: 804AD602 8B4D10 MOV ECX, [EBP 10]
0008: 804AD605 89485C MOV [EAX 5C], ECX
0008: 804AD608 8A4D18 MOV CL, [EBP 18] 0008: 804AD60B 884864 MOV [EAX 64], CL
0008: 804AD60E 8B4D14 MOV ECX, [EBP 14]
0008: 804AD611 8B11 MOV EDX, [ECX]
; EDX storage process context (ie the physical address of the page directory)
As for the process Context algorithm, because not only related to several variables in ntoskrnl.exe, it is also closely related to the execution environment, interested in using Softice
; Put the process context into the newly built KPEB
0008: 804AD613 895018 MOV [EAX 18], EDX; 18H is the offset of process context relative to KPEB
.
.
.
The following implementation of the newly built KPEB insertion system KPEB's two-way linked list
0008: 804ADD22 A184A14680 MOV EAX, [8046A184]
/ *
8046a180 can be easily understood by outputting the following two Softice commands
:? (@ 8046a180) -a0
Fe4E1D60 4266532192 (-28435104) "﨨` "
:? @ @PsinitialsystemProcess / / Show KPEB for System Process
Fe4E1D60 4266532192 (-28435104) "﨨` "
That is, implement the new KPEB chain into the already chain tail
After inserting KPEB, the system can schedule the process according to the page directory provided above (ie the new process has a new private process space)
* /
0008: 804ADD27 8B4DD0 MOV ECX, [EBP-30]
0008: 804ADD2A C781A000000080A14680 MOV DWORD PTR [ECX 000000A0], 8046A180
0008: 804ADD34 8B4DD0 MOV ECX, [EBP-30]
0008: 804ADD37 8981A4000000 MOV [ECX 000000A4], EAX
0008: 804ADD3D 8B4DD0 MOV ECX, [EBP-30]
0008: 804ADD40 81C1A0000000 Add ECX, 000000A0; Is it possible to find out the offset of the chain structure relative to KPEB?
0008: 804ADD46 8908 MOV [EAX], ECX
0008: 804ADD48 8B45D0 MOV EAX, [EBP-30]
0008: 804ADD4B 05A0000000 Add Eax, 000000A0
0008: 804ADD50 A384A14680 MOV [8046A184], EAX
For more intuitive, the above code I just listed in accordance with the system execution process (relative to the actual disk storage order). In fact, the system is in the beginning of the process, first establish the section kernel object with ObcreateObject (the section object does not assign physical memory, Windows 2000 Detailed introduction in DDK Documentation), then there is a page table, you should pay special attention when you analyze the code, and you can use IDA to analyze the NTOSKRNL.EXE process analysis, after all, the IDA is more clear. As for the processes mentioned above, the system KPEB two-way lin list, please refer to << Analysis Windows NT / 2000 Environment Switch >>, where I have already conducted a more detailed description.
After analyzing the API of Windows, such as VirtualAllalk, CreateFilemApping, HeapAlloc, etc., you can also find many other important information. If you follow the NTOSKRNL! NTCREATeSection (Windows finally call this function with CreateFilemapping, etc.) can find how Copy ON Write is implemented. These are left yourself to find it. Windows 2000 supports multiple page files (named PageFile.sys), which involves a lot of mechanisms such as prototype PTE (Sofice uses protopte), PTE, etc., to analyze, and points to Windows 2000 FSD in the layer driver has a good understanding. Simplely said that only the P bit in the PTE is 1 in the article. Ok, or that sentence, the above analysis, if there is a mistake, I also hope to point (tsu00@263.net)!
Reference:
1.jeffrey richter
<< Programming Applications for Microsoft Windows, Fourth Edition >>
2.INTEL CORP << Intel Architecture Software Developer's Manual, Volume 3 >>
3. << undocumented windows NT >> supplied source code
4.Windows 2000 DDK Documentation
