2. it
  3. [原]线性地址到物理地址转换

[原]线性地址到物理地址转换

mac2025-01-08  14
参考   [转]Part1: Understanding !PTE , Part 1: Let’s get physical [转]Part2: Understanding !PTE, Part2: Flags and Large Pages [转]Part 3: Understanding !PTE - Non-PAE and X64   cr4第5位(从0开始)判断是否开启PAE(Physical Address Extension) kd> .formats cr4 Evaluate expression:   Hex:     000406f9   Decimal: 263929   Octal:   00001003371   Binary:  00000000 00000100 00000110 11 111001   Chars:   ....   Time:    Sun Jan 04 09:18:49 1970   Float:   low 3.69843e-040 high 0   Double:  1.30398e-318   第5位是1,故开启了PAE. 如果第5位是0,我们还要查看cr4的第4位,第4位表示是否开启大页面PSE(Page Size Extentions)     要查找的线性地址 kd> .formats 0x34f8ec Evaluate expression:   Hex:     0034f8ec   Decimal: 3471596   Octal:   00015174354   Binary:   00 000000 001 10100 11111000 11101100   Chars:   .4..   Time:    Tue Feb 10 12:19:56 1970   Float:   low 4.86474e-039 high 0   Double:  1.7152e-317     按2 9 9 12分 2位:(30—31)页目录指针表的索引(PDPD) 9位:(21—29)页目录表索引 9位:(12—20)页表索引 12位:(0—11)页内偏移   Page Directory Pointer Index(PDPI)       00                 0x0,   Index into 1st table(Page Directory Pointer Table) Page Directory Index(PDI)                000000001          0x1,   Index into 2nd table(Page Directory Table) Page Table Index(PTI)                    101001111          0x14f, Index into 3rd table(Page Table) Byte Index                               100011101100       0x8ec, the offset into the physical memory page   查找页目录基地址 kd> r cr3 cr3=3edd3480   找到对应的PDE kd> !dq (@cr3 & 0xffffffe0)+(0y00*@@(sizeof(nt!_MMPTE))) L1 #3edd3480 00000000`281d8801   找到对应的PTE kd> !dq (0x281d8801 & 0xFFFFFF000) +( 0y000000001*@@(sizeof(nt! _MMPTE))) L1 #281d8008 00000000`281ce867     找到对应的PT kd> !dq (0x281ce867&0xFFFFFF000)+(0y101001111*@@(sizeof(nt! _MMPTE))) L1 #281cea78 80000000`27756867   kd> ?? (0x80000000`27756867 & 0xFFFFFFFF`FFFFFFF000) unsigned int64 0x80000000`27756000   0x80000000`27756000就是我们要找的页表基址 虚拟地址0x34f8ec对应的物理地址则是0x80000000`277568ec   我们来验证下 kd> db 0x34f8ec 0034f8ec  61 61 61 61 00 cc cc cc-cc cc cc cc 44 f9 34 00  aaaa........D.4. 0034f8fc  3a c7 0f 00 01 00 00 00-20 fd 3a 00 80 fd 3a 00  :....... .:...:. 0034f90c  3f 03 b0 56 00 00 00 00-00 00 00 00 00 f0 fd 7f  ?..V............ 0034f91c  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................ 0034f92c  0c f9 34 00 bc 7a 2d f8-88 f9 34 00 bf a4 0f 00  ..4..z-...4..... 0034f93c  5b e3 92 56 00 00 00 00-4c f9 34 00 1d c9 0f 00  [..V....L.4..... 0034f94c  58 f9 34 00 45 3c 46 77-00 f0 fd 7f 98 f9 34 00  X.4.E<Fw......4. 0034f95c  f5 37 89 77 00 f0 fd 7f-7b 96 bf 77 00 00 00 00  .7.w....{..w.... kd> !db 0x80000000`277568ec #80000000277568ec 61 61 61 61 00 cc cc cc-cc cc cc cc 44 f9 34 00 aaaa........D.4. #80000000277568fc 3a c7 0f 00 01 00 00 00-20 fd 3a 00 80 fd 3a 00 :....... .:...:. #800000002775690c 3f 03 b0 56 00 00 00 00-00 00 00 00 00 f0 fd 7f ?..V............ #800000002775691c 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................ #800000002775692c 0c f9 34 00 bc 7a 2d f8-88 f9 34 00 bf a4 0f 00 ..4..z-...4..... #800000002775693c 5b e3 92 56 00 00 00 00-4c f9 34 00 1d c9 0f 00 [..V....L.4..... #800000002775694c 58 f9 34 00 45 3c 46 77-00 f0 fd 7f 98 f9 34 00 X.4.E<Fw......4. #800000002775695c f5 37 89 77 00 f0 fd 7f-7b 96 bf 77 00 00 00 00 .7.w....{..w....   正是我们的字符串aaaa     或者我们可以更简单的用!pte命令来取得物理地址   kd> !pte 0x34f8ec                     VA 0034f8ec PDE at C0600008            PTE at C0001A78 contains 00000000281CE867  contains 8000000027756867 pfn 281ce     ---DA--UWEV  pfn 27756     ---DA--UW-V   8000000027756867低12位清零后就是页表基址。和我们手动算出来的一样。   ======================================================= 后记:之前用用内核调试,.process /p eprocess切换进程后,  cr3的值和切换的进程的PDBR的值总是不一样。导致手动推导出来的物理地址不对。 后来突然想起来,cr3的值是操作系统在切换进程的时候才会切换的,所以用/process /p切换后值会不一样。 具体参考笔记: [原]线性地址到物理地址转换后记                              

来自为知笔记(Wiz)

最新回复(0)