Analysis of Windows 2000 / XP Physical Memory Management

Physical memory is a relatively scarce resource, and using it sensibly is key to the performance of an operating system. Internally, Windows 2000 / XP uses a structure called the page frame database (Page Frame Database) to describe the state of physical memory. This article starts from that structure and describes in detail how Windows organizes and manages physical memory.

Windows divides physical memory into units of PAGE_SIZE (on x86, 0x1000 bytes, 4K), and the page frame database records the state and use of each unit. The page frame database is actually an array with one entry describing each of these pages. It is located through the kernel variable MmPfnDatabase, the number of entries is given by MmNumberOfPhysicalPages, and the index into the array is called the Page Frame Number (PFN). MmNumberOfPhysicalPages is usually smaller than the number of physical memory pages in the system, because the system reserves some pages during initialization for the operating system itself. Note that the page frame database describes physical memory only in the narrow sense; it does not cover memory mapped from other physical devices.

The WinDbg !pfn command shows the state and use of any page of memory, as follows:

    kd> dd MmPfnDatabase l 1
    80547438  80C00000
    kd> !pfn 143
        PFN 00000143 at address 80C01E48
        flink 00000500  blink / share count 00000001  pteaddress E1085174
        reference count 0001  Cached  color 0
        restore pte 00B5AC24  containing page 0096d8  Active  P  Shared

"Inside Windows 2000" explains the fields of a PFN entry very clearly, so I describe them only briefly here.

flink and blink link the pages that are in a particular state into a list. The kernel variables MmZeroedPageListHead, MmFreePageListHead, MmStandbyPageListHead, MmModifiedPageListHead, MmModifiedNoWritePageListHead and MmBadPageListHead are the list heads for these states. The variable names make the page state of each list easy to understand. The page frame database in Windows has 8 page states in total; the other two are Active and Transition. These 8 states are indicated by the first 3 bits of the PFN's Type field (offset: 0xD, size: byte).

Pteaddress is the address of the PTE that points to this page. From my analysis there are three cases:

a. Pteaddress is 0 or 0xFFFFFFFF. Together with the state indicated by the PFN, this identifies a ZeroedPage or a FreePage.
b. Pteaddress is 0xC*******, indicating that the page is currently used exclusively by the system or by one process and is in the process or system working set.
c. Pteaddress is 0xE*******, indicating that this is a prototype PTE, that is, the page is shared. Please refer to my "Exploring Windows 2000 / XP Prototype PTE".

Restore PTE is called Original PTE in "Inside Windows 2000". Its role is to indicate the backing-store location of the page, that is, where the page's data is located on disk or in the mapped file. For example, in the case mentioned above it generally points to a subsection of the mapped file, so internally it is called a Subsection PTE, defined by the MMPTE_SUBSECTION structure. In the other situation it may be a PTE pointing into the page file, defined by the MMPTE_SOFTWARE structure. This is the error I mentioned last time. The specific bits of MMPTE_SUBSECTION are:

    Valid:                 Pos 0,  1 Bit
    SubsectionAddressLow:  Pos 1,  4 Bits
    Protection:            Pos 5,  5 Bits
    Prototype:             Pos 10, 1 Bit
    SubsectionAddressHigh: Pos 11, 20 Bits
    WhichPool:             Pos 31, 1 Bit

The WhichPool bit indicates which pool the subsection is located in (NonPagedPool or PagedPool). Valid is 0, indicating that this is not a PTE that can be identified by MiDispatchFault. The algorithm for converting a Subsection PTE to the subsection address is given in the code below.

This basically describes the role of the Subsection PTE: it is used to locate, within the corresponding mapped file, the page described by the PFN. To explain this process, "Inside Windows 2000" uses a block diagram to show the many relationships inside the memory manager, but the individual data structures, such as PFN, Segment, etc., are not described in enough detail, and the conversion algorithms between them are not mentioned. The picture below is based on Windows XP Professional Build 2600.

WinDbg provides the !memusage command to show the memory usage of each mapped file in the system. The code below only lists which mapped files are using some pages; it does not have the detailed statistics that !memusage has, but through this code one can basically understand the complicated relationships described above.

    /*
     * For test purposes I define the constants below, but that does not mean
     * MmSubsectionBase and MmNonPagedPoolEnd are fixed in Windows 2000 and
     * Windows XP. They are initialized during the system boot phase by ntoskrnl
     * and depend on the system physical memory size etc.
     */
    #include <string.h>

    #define WIN2000_2195

    #ifdef WINXP_2600
    #define MmSubsectionBase  0x80d21000
    #define MmNonPagedPoolEnd 0xffbe0000
    #endif

    #ifdef WIN2000_2195
    #define MmSubsectionBase  0x0
    #define MmNonPagedPoolEnd 0xffb7f000
    #endif

    #define MmPfnDatabase           0xffb7f000  // Please redefine it on your machine.
    #define MmNumberOfPhysicalPages 0x3f7d      // Please redefine it on your machine!

    /*
     * Portion of nt!MiGetSubsectionAndProtoFromPte
     * Get Subsection from restore pte (original pte) at PFN Database Entry
     * disasm by WebCrazy (tsu00@263.net) at http://webcrazy.yeah.net
     * Thanks to wuzq (wuzq@legend.com.cn) for light!
     */
    unsigned int MiGetSubsectionAndProtoFromPte(int pte)
    {
        unsigned int subaddr;

        if (pte < 0) {
            /* Bit 31 (WhichPool) set: offset is added to MmSubsectionBase.
               The mask keeps all 20 bits of SubsectionAddressHigh. */
            subaddr = MmSubsectionBase + (((pte & 0x1e) << 2) | ((pte >> 4) & 0x7ffff80));
        } else {
            /* Bit 31 clear: offset is subtracted from MmNonPagedPoolEnd. */
            subaddr = MmNonPagedPoolEnd - (((pte & 0x1e) << 2) | ((pte >> 4) & 0xfffff80));
        }
        return subaddr;
    }

    /*
     * I release memusage. Only mapped file control areas were dumped.
     * Please see the WinDbg !memusage command.
     */
    void memusage()
    {
        unsigned int *pfndatabase = (unsigned int *)MmPfnDatabase;
        unsigned int numberphys = MmNumberOfPhysicalPages;
        unsigned int restorepte, pfn = 0, ppte, subsection;
        unsigned char flag = 0;
        static unsigned int flagnum[8];
        static char *flagdesc[8] = {"Zeroed", "Free", "Standby", "Modified",
                                    "Modnowrt", "Bad", "Active", "Trans"};

        memset(flagnum, 0, sizeof flagnum);
        for (; pfn
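
The following user-mode program is an added example, not part of the original article or of Windows itself. It decodes the Restore PTE from the !pfn session above field by field, derives the subsection address the same way the article's routine does, and reproduces the PFN entry address and the Pteaddress classification. The function names are hypothetical, the 0x18-byte entry size is inferred from the session output, and the two base addresses are the article's sample XP build 2600 constants.

```c
#include <stdint.h>
#include <stdio.h>

/* Fields of an x86 subsection-format PTE (MMPTE_SUBSECTION layout). */
typedef struct {
    uint32_t valid, addr_low, protection, prototype, addr_high, which_pool;
} SubsectionPte;

static SubsectionPte decode_subsection_pte(uint32_t pte) {
    SubsectionPte s;
    s.valid      = pte & 1;                /* Pos 0,  1 bit   */
    s.addr_low   = (pte >> 1) & 0xF;       /* Pos 1,  4 bits  */
    s.protection = (pte >> 5) & 0x1F;      /* Pos 5,  5 bits  */
    s.prototype  = (pte >> 10) & 1;        /* Pos 10, 1 bit   */
    s.addr_high  = (pte >> 11) & 0xFFFFF;  /* Pos 11, 20 bits */
    s.which_pool = pte >> 31;              /* Pos 31, 1 bit   */
    return s;
}

/* WhichPool selects the base; the two address fields form an 8-byte-aligned offset. */
static uint32_t subsection_address(uint32_t pte, uint32_t sub_base, uint32_t np_end) {
    SubsectionPte s = decode_subsection_pte(pte);
    uint32_t offset = (s.addr_high << 7) | (s.addr_low << 3);
    return s.which_pool ? sub_base + offset : np_end - offset;
}

/* 0x18-byte entries: inferred from the session, (0x80C01E48 - 0x80C00000) / 0x143. */
static uint32_t pfn_entry_address(uint32_t pfn_database, uint32_t pfn) {
    return pfn_database + pfn * 0x18;
}

/* Cases a, b and c for Pteaddress as listed in the text. */
static const char *classify_pteaddress(uint32_t pteaddress) {
    if (pteaddress == 0 || pteaddress == 0xFFFFFFFFu) return "zeroed-or-free";
    if ((pteaddress >> 28) == 0xC) return "private";
    if ((pteaddress >> 28) == 0xE) return "prototype (shared)";
    return "other";
}

int main(void) {
    uint32_t pte = 0x00B5AC24u;  /* Restore PTE of PFN 0x143 in the session */
    SubsectionPte s = decode_subsection_pte(pte);
    printf("entry=%08X (%s)\n", (unsigned)pfn_entry_address(0x80C00000u, 0x143),
           classify_pteaddress(0xE1085174u));
    /* Bases: the article's sample XP build 2600 values; they differ per machine. */
    printf("prot=%u proto=%u subsection=%08X\n", (unsigned)s.protection, (unsigned)s.prototype,
           (unsigned)subsection_address(pte, 0x80d21000u, 0xffbe0000u));
    return 0;
}
```

Because the session and the sample constants need not come from the same boot, the printed subsection address illustrates the arithmetic only; on a live system read both bases from the debugger first.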
Originally published 2003-3-17 15:44:06 on Webcrazy.yeah.Net, by Webcrazy.