Address essence

xiaoxiao2021-03-06  39

Foreword: This article is intended to strengthen understanding; the real mechanism is not exactly as described here. This is a simplified version.

1. Basic Concept

Virtual address = logical address = [segment selector]:[linear address]. The segment selector is used to find a descriptor. The descriptor holds the base address of the segment (0 in Win32, so the linear address is the real address) and a field describing the segment's attributes, which is what actually provides protection.

In Win32 the other kinds of address are not important; the key is the linear address. Programs use linear addresses. We can forget the concept of virtual memory and assume that each process really does have 4G of physical memory, because the OS and the CPU hide this detail. Ignoring it does not affect the writing of a virus. When the program executes, the CPU converts our addresses (whether hard-coded or held in registers) to physical addresses.

2. Virtual memory principle

People who like to get to the essence will still want to understand the details, so here is an illustrative explanation.

1) A hardware clock interrupt occurs and control passes to the interrupt handler. After some necessary work, the scheduler takes out a PCB (Process Control Block) and sets the register values, and a process P, chosen by the scheduling algorithm, is run. The CPU switches to the environment of P. The registers most closely tied to addressing are EIP and CR3. The content of CR3 is a physical address, which makes it special in the addressing process: Win32 runs in protected mode, but if CR3 itself held a virtual address there would be no way to locate physical memory. The CPU knows nothing about any of the above; it simply executes according to the value of EIP. At this point the addresses accessed lie in the 4G space of P, and the instructions executed are those of P. How is this implemented? The key is the page table.

2) The essence of mapping. Memory is connected to the CPU through the motherboard, and there is an MMU (memory management unit) component. When the CPU executes, the high 20 bits of EIP are used as an index, the high 20 bits of [index + CR3] are taken, and these are combined with the low 12 bits of EIP to form a new 32-bit address. This is the physical address.

Imagine the page table as an array with 2^20 (1M) elements and a size of 4M. The page table is of course stored in physical memory, and CR3 is the first address of the array. Each element of the array is a DWORD, and the first 20 bits of the DWORD represent a physical page. Illustration:

         Page (0~19)  ...  Page properties  Reserved (30)  Committed (31)
CR3 ->   00100             RW               1              1
         01001             R                1              0
         01010             0                0              0
         00111             0                0              0
         ...
         10011             0                0              0

This indicates that the fourth physical page of physical memory is committed and the 9th is reserved. Each process contains such a page table. Page numbers in different tables may refer to the same physical page, as with a memory-mapped file; in that case, data modified by one process is also seen as changed when other processes access it. Every process has 4G of memory available, but many of its pages have not been committed. This is the principle behind 4G for every process.

Suppose we use VirtualAlloc to request 4K of memory: VirtualAlloc(0, 4*1024, MEM_RESERVE or MEM_COMMIT, PAGE_READWRITE). Internally the function searches the page table, finds the first free page (here 01010h), and sets the corresponding entry according to the parameters. If MEM_COMMIT is not given, 'Reserved' is set to 1 and 'Committed' to 0. That is the whole principle, and VirtualFree works on the same principle.

Now look at MapViewOfFile. The file is read from the hard disk into physical memory page M, for example M = 00111h. The index of this entry in the page table is 3; adding the offset 000h, the function returns 00003000h (pMapping = 00003000h). When this value is later used to access memory, the access goes to physical page 00111h, by the mechanism already described; you can work through it yourself. UnmapViewOfFile does the opposite. Put simply, mapping sets the reserved and committed bits of the page table entry to 1, and releasing the mapping sets them to 0. If pMapping is used to access memory after the release, the corresponding page table entry is found, the page turns out not to be reserved, and a memory error occurs.
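The simplified walk and the map/unmap behaviour described above, written out as a small C model; this is an added example, not code from the original article, and like the article it uses one flat table rather than the real x86 paging structures. The flag bit positions, the FAULT sentinel and the helper names map_view and unmap_view are assumptions made for the sketch.

```c
#include <stdint.h>
#include <stdio.h>

/* Flag positions are an assumption: the article counts bits from the MSB,
 * so its bit 30 (reserved) and bit 31 (committed) are the two lowest bits. */
#define PTE_RESERVED  0x2u
#define PTE_COMMITTED 0x1u
#define PTE_MAPPED    (PTE_RESERVED | PTE_COMMITTED)
#define FAULT         0xFFFFFFFFu  /* stands for the "memory error" */
#define TABLE_ENTRIES 4u
#define PTE(page, flags) (((uint32_t)(page) << 12) | (flags))

/* Constructed table with the article's first four rows; page numbers are
 * read as hex, following the article's "h" suffix. */
static uint32_t page_table[TABLE_ENTRIES] = {
    PTE(0x00100, PTE_MAPPED),    /* index 0: reserved and committed */
    PTE(0x01001, PTE_RESERVED),  /* index 1: reserved only */
    PTE(0x01010, 0),             /* index 2: free */
    PTE(0x00111, 0),             /* index 3: free until mapped */
};

/* High 20 bits index the table at cr3; low 12 bits pass through unchanged. */
uint32_t translate(const uint32_t *cr3, uint32_t linear)
{
    uint32_t index = linear >> 12;
    if (index >= TABLE_ENTRIES) return FAULT;          /* beyond this toy table */
    uint32_t pte = cr3[index];
    if ((pte & PTE_MAPPED) != PTE_MAPPED) return FAULT; /* not reserved+committed */
    return (pte & 0xFFFFF000u) | (linear & 0x00000FFFu);
}

/* "Mapping" in the article's sense: set both bits, return index * 4K. */
uint32_t map_view(uint32_t *cr3, uint32_t index)
{
    cr3[index] |= PTE_MAPPED;
    return index << 12;
}

/* "Unmapping": clear both bits so that later accesses fault. */
void unmap_view(uint32_t *cr3, uint32_t index) { cr3[index] &= ~PTE_MAPPED; }

int main(void)
{
    uint32_t p = map_view(page_table, 3);   /* pMapping in the article */
    printf("%08X -> %08X\n", (unsigned)p, (unsigned)translate(page_table, p + 0x2A));
    unmap_view(page_table, 3);
    printf("after unmap: %s\n", translate(page_table, p) == FAULT ? "fault" : "ok");
    return 0;
}
```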

When reposting, please credit the original address: https://www.9cbs.com/read-65258.html
