11 April 2015

WD - Windows System Memory Management (WRK)


On Windows running on Intel x86 processors, the range 0x80000000~0xffffffff is the system address space shared by all processes. The layout of this range is established during kernel initialization.

Before the kernel gains control, the Windows loader (ntldr) has already enabled paging on the Intel x86 processor and pre-built enough page tables that low addresses below 16 MB can reach their physical memory through the page tables; in other words, virtual addresses below 16 MB are mapped directly to physical memory at the same address.


1. Mapping CS/SS/DS/ES/FS to their positions in the GDT

The GDT is set up in ntldr. Although the WRK does not contain that code, tracing the WRK startup code in a debugger shows that when the KiSystemStartup function gains control, the segment registers CS, DS, ES, SS and FS, and the gdtr register, hold the following values:

kd> r cs;r ss; r ds; r es; r fs; r  gdtr
cs=00000008
ss=00000010
ds=00000023
es=00000023
fs=00000030
gdtr=8003f000

Combining this with the segment selector format diagram (WinDbg notation: 0y is binary, 0n is decimal):

Selector  Hex   Binary    Index field (high 13 bits)  Index in GDT
cs        0x8   0y1000    0y1 = 0n1                   1
ss        0x10  0y10000   0y10 = 0n2                  2
ds/es     0x23  0y100011  0y100 = 0n4                 4
fs        0x30  0y110000  0y110 = 0n6                 6

Using the value of gdtr we can inspect the descriptors of these segments, shown below. The CS, DS, ES and SS segments cover the entire address space, from address 0 up to the 32-bit maximum (short of the last page). FS points to a special page, discussed later, that holds the control region of the current processor (KPCR). This is why system code so often reads per-processor global information, such as the current thread, through FS.

kd> db 0x8003f008 L8
8003f008  ff ff 00 00 00 9b cf 00                          ........
kd> db 0x8003f010 L8
8003f010  ff ff 00 00 00 93 cf 00                          ........
kd> db  0x8003f020 L8
8003f020  ff ff 00 00 00 f3 cf 00                          ........
kd> db  0x8003f030 L8
8003f030  01 00 00 f0 df 93 c0 ff 
kd> dg cs;dg ss;dg ds;dg es;dg fs
                                  P Si Gr Pr Lo
Sel    Base     Limit     Type    l ze an es ng Flags
---- -------- -------- ---------- - -- -- -- -- --------
0008 00000000 ffffffff Code RE Ac 0 Bg Pg P  Nl 00000c9b
                                  P Si Gr Pr Lo
Sel    Base     Limit     Type    l ze an es ng Flags
---- -------- -------- ---------- - -- -- -- -- --------
0010 00000000 ffffffff Data RW Ac 0 Bg Pg P  Nl 00000c93
                                  P Si Gr Pr Lo
Sel    Base     Limit     Type    l ze an es ng Flags
---- -------- -------- ---------- - -- -- -- -- --------
0023 00000000 ffffffff Data RW Ac 3 Bg Pg P  Nl 00000cf3
                                  P Si Gr Pr Lo
Sel    Base     Limit     Type    l ze an es ng Flags
---- -------- -------- ---------- - -- -- -- -- --------
0023 00000000 ffffffff Data RW Ac 3 Bg Pg P  Nl 00000cf3
                                  P Si Gr Pr Lo
Sel    Base     Limit     Type    l ze an es ng Flags
---- -------- -------- ---------- - -- -- -- -- --------
0030 ffdff000 00001fff Data RW Ac 0 Bg Pg P  Nl 00000c93

The information is summarized in the following table:

Selector  Descriptor address  Descriptor bytes (8)     Base        Limit
cs        0x8003f008          ff ff 00 00 00 9b cf 00  0x00000000  0xfffff000
ss        0x8003f010          ff ff 00 00 00 93 cf 00  0x00000000  0xfffff000
ds/es     0x8003f020          ff ff 00 00 00 f3 cf 00  0x00000000  0xfffff000
fs        0x8003f030          01 00 00 f0 df 93 c0 ff  0xffdff000  0x00001000

The base is assembled from bytes 2, 3, 4 and 7 of the descriptor; the limit from bytes 0 and 1 plus the low 4 bits of byte 6, shifted left by 12 bits (page granularity: the offset within a 4 KB page is 12 bits).

Because CS, DS, ES and SS are set up this way, segmentation is effectively disabled: a logical address of the form "segment + offset" maps directly to a linear address. This is also called flattening the address space. Consequently, every memory access in Windows is an address in the linear address space, and the segment setup needs no special consideration.
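To make the byte layout of those descriptors concrete, here is an added C example (not from the original post) that decodes the four descriptors dumped above into base, limit and DPL and splits the selectors into index and RPL. The descriptor bytes are copied from the db output above; the function and type names are my own.

```c
#include <stdint.h>
#include <stdio.h>

/* Decoded view of one 8-byte IA-32 GDT segment descriptor. */
typedef struct {
    uint32_t base;           /* 32-bit segment base address */
    uint32_t limit;          /* highest valid offset, granularity already applied */
    uint8_t  access;         /* byte 5: P, DPL, S and type bits */
    uint8_t  dpl;            /* descriptor privilege level, 0..3 */
    int      page_granular;  /* G bit: limit is counted in 4 KB pages */
} gdt_desc_t;

/* The four descriptors read with "db 0x8003f0xx L8" in the post, in that order. */
static const uint8_t kGdtBytes[4][8] = {
    {0xff, 0xff, 0x00, 0x00, 0x00, 0x9b, 0xcf, 0x00},  /* cs    = 0x08 */
    {0xff, 0xff, 0x00, 0x00, 0x00, 0x93, 0xcf, 0x00},  /* ss    = 0x10 */
    {0xff, 0xff, 0x00, 0x00, 0x00, 0xf3, 0xcf, 0x00},  /* ds/es = 0x23 */
    {0x01, 0x00, 0x00, 0xf0, 0xdf, 0x93, 0xc0, 0xff},  /* fs    = 0x30 */
};
static const uint16_t kSelectors[4] = {0x08, 0x10, 0x23, 0x30};

/* Selector layout: bits 15:3 index into the table, bit 2 TI (0 = GDT), bits 1:0 RPL. */
uint16_t sel_index(uint16_t sel) { return sel >> 3; }
uint16_t sel_ti(uint16_t sel)    { return (sel >> 2) & 1; }
uint16_t sel_rpl(uint16_t sel)   { return sel & 3; }

/* Reassemble the fields scattered over the descriptor bytes:
 * 0-1 limit[15:0], 2-4 base[23:0], 5 access byte, 6 flags | limit[19:16], 7 base[31:24]. */
gdt_desc_t decode_gdt_descriptor(const uint8_t d[8])
{
    gdt_desc_t r;
    uint32_t raw_limit = d[0] | ((uint32_t)d[1] << 8) | ((uint32_t)(d[6] & 0x0f) << 16);
    r.base = d[2] | ((uint32_t)d[3] << 8) | ((uint32_t)d[4] << 16) | ((uint32_t)d[7] << 24);
    r.access = d[5];
    r.dpl = (d[5] >> 5) & 3;
    r.page_granular = (d[6] >> 7) & 1;
    /* With G=1 the 20-bit limit counts 4 KB pages: shift left 12 and fill the page offset,
     * which turns 0xfffff into 0xffffffff and fs's 0x1 into 0x1fff, exactly as "dg" shows. */
    r.limit = r.page_granular ? ((raw_limit << 12) | 0xfff) : raw_limit;
    return r;
}

int main(void)
{
    for (int i = 0; i < 4; i++) {
        gdt_desc_t g = decode_gdt_descriptor(kGdtBytes[i]);
        printf("sel %04x idx %u rpl %u base %08x limit %08x dpl %u\n", kSelectors[i],
               sel_index(kSelectors[i]), sel_rpl(kSelectors[i]), g.base, g.limit, g.dpl);
    }
    return 0;
}
```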


2. System space initialization

The main initialization of system space is done in the MmInitSystem function. It contains three parts of code, corresponding to phase 0, phase 1 and phase 2 initialization; the phase 1 and phase 2 parts are both invoked from the Phase1InitializationDiscard function.


2.1. Division of system space and user space

The phase 0 work done by MmInitSystem (lines 434 to 2208) mainly initializes data structures and sets a number of global variables. At lines 466 to 468 we see three global variables, MmHighestUserAddress, MmUserProbeAddress and MmSystemRangeStart, being set as follows:

#if defined(_WIN64)
 
        MmHighestUserAddress = MI_HIGHEST_USER_ADDRESS;
        MmUserProbeAddress = MI_USER_PROBE_ADDRESS;
        MmSystemRangeStart = MI_SYSTEM_RANGE_START;
 
#else
 
        MmHighestUserAddress = (PVOID)(KSEG0_BASE - 0x10000 - 1);
        MmUserProbeAddress = KSEG0_BASE - 0x10000;
        MmSystemRangeStart = (PVOID)KSEG0_BASE;
#endif

Here KSEG0_BASE is

#define KSEG0_BASE 0x80000000

So the highest address of the user address space (also called the process address space) is 0x7ffeffff (0x80000000 - 0x10000 - 1), and the system address space starts at 0x80000000.


2.2. Formulas for PTE and PDE addresses

Continuing at lines 472 to 473:

  MiHighestUserPte = MiGetPteAddress (MmHighestUserAddress);
  MiHighestUserPde = MiGetPdeAddress (MmHighestUserAddress);

where the macros involved are defined as follows (the PDE base depends on whether the kernel is built for PAE):

#define PTE_BASE 0xc0000000
#define MiGetPteAddress(va) ((PMMPTE)(((((ULONG)(va)) >> 12) << 2) + PTE_BASE))
//
#define PDE_BASE_X86    0xc0300000
#define PDE_BASE_X86PAE 0xc0600000
#if !defined (_X86PAE_)
#define PDE_BASE PDE_BASE_X86
#else
#define PDE_BASE PDE_BASE_X86PAE
#endif
#define MiGetPdeAddress(va)  ((PMMPTE)(((((ULONG)(va)) >> 22) << 2) + PDE_BASE))

MiGetPteAddress means: given a virtual address, compute the address of its PTE, i.e. the page table entry for the page that contains the address. The definition also shows that all page table entries are stored consecutively in memory starting at 0xc0000000.

MiGetPdeAddress depends on whether PAE is enabled: given a virtual address, it computes the address of its PDE, i.e. the page directory entry for the page that contains the address. Without PAE, the page directory entries are located at 0xc0300000.

Lines 1201 to 1219 compute the number of system PTEs:

            if (NumberOfPages < MM_MEDIUM_SYSTEM) {
                MmNumberOfSystemPtes = MM_MINIMUM_SYSTEM_PTES;
            }
            else {
                MmNumberOfSystemPtes = MM_DEFAULT_SYSTEM_PTES;
                if (NumberOfPages > 8192) {
                    MmNumberOfSystemPtes += MmNumberOfSystemPtes;
 
                    //
                    // Any reasonable Hydra machine gets the maximum.
                    //
 
                    if (ExpMultiUserTS == TRUE) {
                        MmNumberOfSystemPtes = MM_MAXIMUM_SYSTEM_PTES;
                    }
                }
            }

The macros that derive, from the virtual address of a PDE or PTE, the virtual address of the page that entry maps are MiGetVirtualAddressMappedByPte and MiGetVirtualAddressMappedByPde.
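As an added example (not part of the original post or of the WRK), the following C code reproduces the MiGetPteAddress/MiGetPdeAddress arithmetic from section 2.2 and its inverse (what MiGetVirtualAddressMappedByPte/MiGetVirtualAddressMappedByPde compute) on plain 32-bit integers for the non-PAE layout, and checks the self-map property that lets the fixed bases 0xc0000000 and 0xc0300000 work. The function names are my own; the input value is MmHighestUserAddress from the post.

```c
#include <stdint.h>
#include <stdio.h>

#define PTE_BASE   0xc0000000u  /* page-table self-map base (non-PAE x86, as in the post) */
#define PDE_BASE   0xc0300000u  /* the page directory, seen through that self-map */
#define PAGE_SHIFT 12           /* 4 KB pages */
#define PDE_SHIFT  22           /* each PDE covers 4 MB = 1024 pages */

/* Same arithmetic as MiGetPteAddress / MiGetPdeAddress, on plain 32-bit integers instead
 * of PMMPTE pointers: page number (or directory index) times 4 bytes, plus the base. */
uint32_t pte_address(uint32_t va) { return ((va >> PAGE_SHIFT) << 2) + PTE_BASE; }
uint32_t pde_address(uint32_t va) { return ((va >> PDE_SHIFT) << 2) + PDE_BASE; }

/* Inverse direction, what MiGetVirtualAddressMappedByPte / ...ByPde compute:
 * the n-th 4-byte entry from the base maps page n (or 4 MB region n). */
uint32_t va_mapped_by_pte(uint32_t pte) { return ((pte - PTE_BASE) >> 2) << PAGE_SHIFT; }
uint32_t va_mapped_by_pde(uint32_t pde) { return ((pde - PDE_BASE) >> 2) << PDE_SHIFT; }

/* The self-map property behind the fixed bases: the PDE covering the 4 MB region at
 * PTE_BASE is the very same entry as the PTE mapping the page directory page at
 * PDE_BASE (both come out at 0xc0300c00). Returns 1 when both formulas agree. */
int self_map_holds(void) { return pde_address(PTE_BASE) == pte_address(PDE_BASE); }

int main(void)
{
    uint32_t va = 0x7ffeffffu;  /* MmHighestUserAddress from the post */
    uint32_t pte = pte_address(va), pde = pde_address(va);
    printf("va %08x -> PTE at %08x (MiHighestUserPte), PDE at %08x (MiHighestUserPde)\n",
           va, pte, pde);
    printf("PTE %08x maps page %08x; PDE %08x maps 4 MB region %08x\n",
           pte, va_mapped_by_pte(pte), pde, va_mapped_by_pde(pde));
    printf("self-map entry %08x, property holds: %d\n", pde_address(PTE_BASE), self_map_holds());
    return 0;
}
```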


2.3. Global variables used for system space management

Global variable                 Typical value
MmHighestUserAddress            0x7ffeffff
MmUserProbeAddress              0x7fff0000
MmSystemRangeStart              0x80000000
MmPfnDatabase                   0x81000000
MmNonPagedPoolStart             0x81301000
MmNonPagedPoolEnd0              0x82000000
MiSystemCacheStartExtra         0x82000000
MiMaximumSystemCacheSizeExtra   0x2f800
MiSystemViewStart               0xbb000000
MmSessionBase                   0xbc000000
MiSessionPoolStart              0xbc000000
MiSessionViewStart              0xbc400000
MiSessionSpaceWs                0xbf400000
MiSessionImageStart             0xbf800000
MiSessionImageEnd               0xc0000000
MmSystemPteBase                 0xc0000000
MmWorkingSetList                0xc0502000
MmHyperSpaceEnd                 0xc0bfffff
MmSystemCacheWorkingSetList     0xc0c00000
MmSystemCacheStart              0xc1000000
MmPagedPoolStart                0xe1000000
MmPagedPoolEnd                  0xf0bfffff
MmNonPagedSystemStart           0xf0c00000
MmNonPagedPoolExpansionStart    0xf8ba0000
MmNonPagedPoolEnd               0xffbe0000
MmNumberOfPhysicalPages         0x0001ff7a

Author: hgy413
Article URL: http://hgy413.com/2960.html
Copyright: when reposting, the author and the original source must be credited with a link.
