WD - Windows System Memory Management (WRK)

On Windows running on Intel x86 processors, the range 0x80000000~0xffffffff is the system address space shared by all processes. The layout of this range is established during kernel initialization.

Before the kernel gains control, the Windows loader (ntldr) has already enabled paging on the Intel x86 processor and pre-built enough page tables that low addresses below 16 MB can reach physical memory through them; in other words, virtual addresses below 16 MB are identity-mapped onto physical memory at the same address.

1. Mapping CS/SS/DS/ES/FS to their positions in the GDT

The GDT is set up in ntldr. Although the WRK does not contain that code, by tracing the WRK startup code in a debugger we can see that, when the KiSystemStartup function gains control, the segment registers CS, DS, ES, SS and FS and the gdtr register hold the following values:

```
kd> r cs;r ss; r ds; r es; r fs; r gdtr
cs=00000008 ss=00000010 ds=00000023 es=00000023 fs=00000030 gdtr=8003f000
```

Combining these with the segment selector format (index in the upper 13 bits, TI and RPL in the low 3 bits) gives:
| Segment selector | Hex value | Binary value | Index field (selector without its low 3 bits) | Index of the segment in the GDT |
|---|---|---|---|---|
| cs | 0x8 | 0y1000 | 0y1 = 0n1 | 1 |
| ss | 0x10 | 0y10000 | 0y10 = 0n2 | 2 |
| ds/es | 0x23 | 0y100011 | 0y100 = 0n4 | 4 |
| fs | 0x30 | 0y110000 | 0y110 = 0n6 | 6 |
Using the value of gdtr, we examine the segment descriptors of these segments, shown below. The CS, DS, ES and SS segments cover the entire address space, from address 0 up to the largest 32-bit address (short of the last page). FS points to a special page, discussed later, that holds the current processor's control region (KPCR). This is why system code so often reads per-processor global information, such as the current thread, through FS.

```
kd> db 0x8003f008 L8
8003f008  ff ff 00 00 00 9b cf 00  ........
kd> db 0x8003f010 L8
8003f010  ff ff 00 00 00 93 cf 00  ........
kd> db 0x8003f020 L8
8003f020  ff ff 00 00 00 f3 cf 00  ........
kd> db 0x8003f030 L8
8003f030  01 00 00 f0 df 93 c0 ff
kd> dg cs;dg ss;dg ds;dg es;dg fs
                                  P Si Gr Pr Lo
Sel    Base     Limit     Type    l ze an es ng Flags
---- -------- -------- ---------- - -- -- -- -- --------
0008 00000000 ffffffff Code RE Ac 0 Bg Pg P  Nl 00000c9b
                                  P Si Gr Pr Lo
Sel    Base     Limit     Type    l ze an es ng Flags
---- -------- -------- ---------- - -- -- -- -- --------
0010 00000000 ffffffff Data RW Ac 0 Bg Pg P  Nl 00000c93
                                  P Si Gr Pr Lo
Sel    Base     Limit     Type    l ze an es ng Flags
---- -------- -------- ---------- - -- -- -- -- --------
0023 00000000 ffffffff Data RW Ac 3 Bg Pg P  Nl 00000cf3
                                  P Si Gr Pr Lo
Sel    Base     Limit     Type    l ze an es ng Flags
---- -------- -------- ---------- - -- -- -- -- --------
0023 00000000 ffffffff Data RW Ac 3 Bg Pg P  Nl 00000cf3
                                  P Si Gr Pr Lo
Sel    Base     Limit     Type    l ze an es ng Flags
---- -------- -------- ---------- - -- -- -- -- --------
0030 ffdff000 00001fff Data RW Ac 0 Bg Pg P  Nl 00000c93
```

The information is summarized in the table below:
| Segment selector | GDT descriptor address | GDT descriptor contents (8 bytes) | Segment base (bytes 2, 3, 4, 7) | Segment limit (bytes 0, 1 plus the low 4 bits of byte 6, then shifted by 12 bits because the in-page offset at 4 KB granularity is 12 bits) |
|---|---|---|---|---|
| cs | 0x8003f008 | ff ff 00 00 00 9b cf 00 | 0x00000000 | 0xfffff000 |
| ss | 0x8003f010 | ff ff 00 00 00 93 cf 00 | 0x00000000 | 0xfffff000 |
| ds/es | 0x8003f020 | ff ff 00 00 00 f3 cf 00 | 0x00000000 | 0xfffff000 |
| fs | 0x8003f030 | 01 00 00 f0 df 93 c0 ff | 0xffdf0000 | 0x00001000 |
Because of the way CS, DS, ES and SS are set up, segmentation is effectively disabled: a logical address of the form "segment + offset" maps directly onto a linear address, which is why this arrangement is called a flat address space. Consequently, every memory access in Windows is an address in the linear address space, and the segment setup needs no special consideration.

2. System space initialization

The main initialization work for system space is done in the MmInitSystem function. It consists of three parts of code logic, corresponding to phase 0, phase 1 and phase 2 initialization; the phase 1 and phase 2 parts are both invoked from the Phase1InitializationDiscard function.

2.1. Division of system space and user space

The phase 0 initialization work done by MmInitSystem (lines 434~2208) mainly initializes data structures and sets a number of global variables. At lines 466~468 we see three global variables, MmHighestUserAddress, MmUserProbeAddress and MmSystemRangeStart, being set as follows:
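The selector and descriptor tables above can be checked mechanically. The following is an added example (not code from the WRK or from the original post) that decodes the x86 selector fields and the 8-byte GDT descriptors exactly as `db` dumped them, using the standard Intel descriptor layout: base from bytes 2, 3, 4 and 7, limit from bytes 0, 1 and the low nibble of byte 6, scaled to 4 KB pages when the G bit (bit 7 of byte 6) is set. The descriptor bytes and the gdtr base 0x8003f000 come from the debugger output above; the function and struct names are this example's own. The decoded base and limit for each selector are the values the `dg` command prints.

```c
/* Added example: decode x86 segment selectors and GDT descriptors.
 * Not WRK code; names are this example's own. */
#include <stdint.h>
#include <stdio.h>

typedef struct {
    uint16_t index;   /* bits 15..3: descriptor slot in the GDT (or LDT) */
    uint8_t  ti;      /* bit 2: 0 = GDT, 1 = LDT */
    uint8_t  rpl;     /* bits 1..0: requested privilege level */
} Selector;

typedef struct {
    uint32_t base;     /* linear base address, bytes 2,3,4,7 */
    uint32_t limit;    /* highest valid offset, scaled when G=1 */
    uint8_t  dpl;      /* descriptor privilege level, bits 6..5 of byte 5 */
    uint8_t  present;  /* P bit, bit 7 of byte 5 */
    uint8_t  is_code;  /* bit 3 of byte 5: 1 = code segment, 0 = data */
    uint8_t  granular; /* G bit, bit 7 of byte 6: limit counts 4 KB pages */
} Descriptor;

Selector decode_selector(uint16_t sel)
{
    Selector s;
    s.index = sel >> 3;
    s.ti    = (sel >> 2) & 1;
    s.rpl   = sel & 3;
    return s;
}

Descriptor decode_descriptor(const uint8_t d[8])
{
    Descriptor r;
    r.base = (uint32_t)d[2] | ((uint32_t)d[3] << 8) |
             ((uint32_t)d[4] << 16) | ((uint32_t)d[7] << 24);
    uint32_t raw_limit = (uint32_t)d[0] | ((uint32_t)d[1] << 8) |
                         ((uint32_t)(d[6] & 0x0f) << 16);
    r.granular = (d[6] >> 7) & 1;
    /* With G=1 the 20-bit limit counts 4 KB pages, so the highest valid
     * offset is limit*4096 + 4095, i.e. (limit << 12) | 0xfff. */
    r.limit   = r.granular ? ((raw_limit << 12) | 0xfff) : raw_limit;
    r.present = (d[5] >> 7) & 1;
    r.dpl     = (d[5] >> 5) & 3;
    r.is_code = (d[5] >> 3) & 1;
    return r;
}

/* Address of a selector's descriptor: gdtr base + index * 8 bytes. */
uint32_t descriptor_address(uint32_t gdt_base, uint16_t sel)
{
    return gdt_base + (uint32_t)decode_selector(sel).index * 8;
}

/* Descriptor bytes exactly as dumped by `db` in the debugger session above. */
static const uint8_t CS_DESC[8] = {0xff,0xff,0x00,0x00,0x00,0x9b,0xcf,0x00};
static const uint8_t SS_DESC[8] = {0xff,0xff,0x00,0x00,0x00,0x93,0xcf,0x00};
static const uint8_t DS_DESC[8] = {0xff,0xff,0x00,0x00,0x00,0xf3,0xcf,0x00};
static const uint8_t FS_DESC[8] = {0x01,0x00,0x00,0xf0,0xdf,0x93,0xc0,0xff};

int main(void)
{
    const uint8_t *descs[4] = {CS_DESC, SS_DESC, DS_DESC, FS_DESC};
    const uint16_t sels[4]  = {0x08, 0x10, 0x23, 0x30};
    const char *names[4]    = {"cs", "ss", "ds/es", "fs"};
    for (int i = 0; i < 4; i++) {
        Selector   s = decode_selector(sels[i]);
        Descriptor d = decode_descriptor(descs[i]);
        printf("%-5s sel=%04x index=%u rpl=%u @%08x base=%08x limit=%08x dpl=%u %s\n",
               names[i], sels[i], s.index, s.rpl,
               descriptor_address(0x8003f000u, sels[i]),
               d.base, d.limit, d.dpl, d.is_code ? "Code" : "Data");
    }
    return 0;
}
```

Running it prints one line per selector; the ds/es line shows DPL 3 (user-mode data segment) while cs, ss and fs show DPL 0, and the fs line shows the 8 KB KPCR page at base ffdff000 with limit 00001fff, matching `dg fs`.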
```c
#if defined(_WIN64)
    MmHighestUserAddress = MI_HIGHEST_USER_ADDRESS;
    MmUserProbeAddress = MI_USER_PROBE_ADDRESS;
    MmSystemRangeStart = MI_SYSTEM_RANGE_START;
#else
    MmHighestUserAddress = (PVOID)(KSEG0_BASE - 0x10000 - 1);
    MmUserProbeAddress = KSEG0_BASE - 0x10000;
    MmSystemRangeStart = (PVOID)KSEG0_BASE;
#endif
```

Here KSEG0_BASE is defined as:

```c
#define KSEG0_BASE 0x80000000
```

So the highest address of the user address space (also called the process address space) is 0x7ffeffff (0x80000000 - 0x10000 - 1), and the system address space starts at 0x80000000.

2.2. Formulas for computing PTE and PDE addresses

Continuing at lines 472~473:

```c
MiHighestUserPte = MiGetPteAddress (MmHighestUserAddress);
MiHighestUserPde = MiGetPdeAddress (MmHighestUserAddress);
```
The macros used here are defined as follows:

```c
#define PTE_BASE 0xc0000000

#define MiGetPteAddress(va) ((PMMPTE)(((((ULONG)(va)) >> 12) << 2) + PTE_BASE))

#define PDE_BASE_X86    0xc0300000
#define PDE_BASE_X86PAE 0xc0600000

#if !defined (_X86PAE_)
#define PDE_BASE PDE_BASE_X86
#else
#define PDE_BASE PDE_BASE_X86PAE
#endif

#define MiGetPdeAddress(va) ((PMMPTE)(((((ULONG)(va)) >> 22) << 2) + PDE_BASE))
```

MiGetPteAddress means: given a virtual address, compute the address of its PTE, i.e. the page table entry for the page containing that virtual address. The definition also shows that all page table entries are stored consecutively in memory starting at 0xc0000000.

MiGetPdeAddress depends on whether PAE is enabled. Given a virtual address, it computes the address of the corresponding PDE, i.e. the page directory entry for the page containing that virtual address. Without PAE, the page directory entries are located at 0xc0300000.

Lines 1201~1219 compute the number of system PTEs:

```c
if (NumberOfPages < MM_MEDIUM_SYSTEM) {
    MmNumberOfSystemPtes = MM_MINIMUM_SYSTEM_PTES;
}
else {
    MmNumberOfSystemPtes = MM_DEFAULT_SYSTEM_PTES;
    if (NumberOfPages > 8192) {
        MmNumberOfSystemPtes += MmNumberOfSystemPtes;
        //
        // Any reasonable Hydra machine gets the maximum.
        //
        if (ExpMultiUserTS == TRUE) {
            MmNumberOfSystemPtes = MM_MAXIMUM_SYSTEM_PTES;
        }
    }
}
```

The macros that go the other way, deriving from the virtual address of a PDE or PTE the virtual address of the page it maps, are MiGetVirtualAddressMappedByPte and MiGetVirtualAddressMappedByPde.
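The following is an added example, not the WRK's own code, that writes the address arithmetic of sections 2.1 and 2.2 as plain functions so the values can be checked: the three split variables for 32-bit x86, the non-PAE MiGetPteAddress/MiGetPdeAddress formulas, and the inverse macros named above. The inverse direction is written as a plain left shift (by 10 for a PTE, by 20 for a PDE), which is the form that follows from the self-mapped layout: the shift undoes the `>> 12, << 2` (or `>> 22, << 2`) and the 0xc0000000 table base falls off the top of the 32-bit result, so no explicit subtraction is needed. KSEG0_BASE, PTE_BASE and PDE_BASE are the values on the page; the lowercase function names are this example's own.

```c
/* Added example: x86 (non-PAE) PTE/PDE address arithmetic from the WRK
 * layout described above. Not WRK code; function names are this example's own. */
#include <stdint.h>
#include <stdio.h>

#define KSEG0_BASE 0x80000000u
#define PTE_BASE   0xc0000000u   /* start of the page-table self-map */
#define PDE_BASE   0xc0300000u   /* non-PAE page directory inside the self-map */

/* Section 2.1: the user/system split for 32-bit x86. */
uint32_t mm_highest_user_address(void) { return KSEG0_BASE - 0x10000 - 1; }
uint32_t mm_user_probe_address(void)   { return KSEG0_BASE - 0x10000; }
uint32_t mm_system_range_start(void)   { return KSEG0_BASE; }

/* Section 2.2: virtual address -> address of the PTE / PDE that maps it.
 * Each entry is 4 bytes, so the page number (va >> 12) or the directory
 * index (va >> 22) is multiplied by 4 and added to the table base. */
uint32_t mi_get_pte_address(uint32_t va) { return ((va >> 12) << 2) + PTE_BASE; }
uint32_t mi_get_pde_address(uint32_t va) { return ((va >> 22) << 2) + PDE_BASE; }

/* Inverse: which virtual address does the PTE / PDE at this address map?
 * Shifting left by 10 (or 20) undoes >>12,<<2 (or >>22,<<2); because the
 * self-map sits at 0xc0000000 the base bits shift out of the 32-bit value. */
uint32_t mi_get_virtual_address_mapped_by_pte(uint32_t pte) { return pte << 10; }
uint32_t mi_get_virtual_address_mapped_by_pde(uint32_t pde) { return pde << 20; }

/* The self-map property behind the layout: the PTE that maps the page-table
 * area itself is the page directory, i.e. PTE(PTE_BASE) == PDE_BASE. */
int self_map_holds(void) { return mi_get_pte_address(PTE_BASE) == PDE_BASE; }

int main(void)
{
    uint32_t hi  = mm_highest_user_address();
    uint32_t pte = mi_get_pte_address(hi);
    uint32_t pde = mi_get_pde_address(hi);
    printf("MmHighestUserAddress = %08x\n", hi);
    printf("MiHighestUserPte     = %08x (maps page %08x)\n",
           pte, mi_get_virtual_address_mapped_by_pte(pte));
    printf("MiHighestUserPde     = %08x (maps 4 MB region %08x)\n",
           pde, mi_get_virtual_address_mapped_by_pde(pde));
    printf("PTE(PTE_BASE) == PDE_BASE: %s\n", self_map_holds() ? "yes" : "no");
    return 0;
}
```

For MmHighestUserAddress = 0x7ffeffff this gives MiHighestUserPte = 0xc01fffbc and MiHighestUserPde = 0xc03007fc; mapping them back yields the page 0x7ffef000 and the 4 MB region 0x7fc00000 that contain the highest user address, and the PDE that maps the page directory itself sits at 0xc0300c00, inside the directory page.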
2.3. Global variables used for system space management

| Global variable | Typical value | Global variable | Typical value |
|---|---|---|---|
| MmHighestUserAddress | 0x7ffeffff | MiSessionImageStart | 0xbf800000 |
| MmUserProbeAddress | 0x7fff0000 | MiSessionImageEnd | 0xc0000000 |
| MmSystemRangeStart | 0x80000000 | MmSystemPteBase | 0xc0000000 |
| MmPfnDatabase | 0x81000000 | MmWorkingSetList | 0xc0502000 |
| MmNonPagedPoolStart | 0x81301000 | MmHyperSpaceEnd | 0xc0bfffff |
| MmNonPagedPoolEnd0 | 0x82000000 | MmSystemCacheWorkingSetList | 0xc0c00000 |
| MiSystemCacheStartExtra | 0x82000000 | MmSystemCacheStart | 0xc1000000 |
| MiMaximumSystemCacheSizeExtra | 0x2f800 | MmPagedPoolStart | 0xe1000000 |
| MiSystemViewStart | 0xbb000000 | MmPagedPoolEnd | 0xf0bfffff |
| MmSessionBase | 0xbc000000 | MmNonPagedSystemStart | 0xf0c00000 |
| MiSessionPoolStart | 0xbc000000 | MmNonPagedPoolExpansionStart | 0xf8ba0000 |
| MiSessionViewStart | 0xbc400000 | MmNonPagedPoolEnd | 0xffbe0000 |
| MiSessionSpaceWs | 0xbf400000 | MmNumberOfPhysicalPages | 0x0001ff7a |
Author: hgy413
URL: https://hgy413.com/2960.html
Copyright © When reposting, the author and original source must be credited with a link!