PAE stands for Physical Address Extension.
Edit BOOT.INI and change the /noexecute option to /noexecute=optin (with /noexecute=alwaysoff, PAE is turned off).
On my machine it reads:
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
Bit 5 of control register CR4 (CR4[5]) enables PAE.
Right-click "My Computer" and choose "Properties"; if "Physical Address Extension" appears at the bottom of the General tab, PAE is enabled.
With PAE enabled, the addressing capability of an IA-32 CPU grows from 4 GB to 64 GB.
With PAE enabled, a 32-bit linear address is split into four parts:
PDIndex: 2 bits
PDEIndex: 9 bits
PTEIndex: 9 bits
OFFSET: 12 bits
First, PDIndex selects the page directory from the page-directory-pointer table:
PDEBase = PDBase[PDIndex];
Then PDEIndex locates the address of the page table (PTE array):
PTEAddress = PDEBase[PDEIndex];
Through PTEAddress, PTEIndex yields the address of one memory page:
PAGEAddress = PTEAddress[PTEIndex];
The physical address to access is PAGEAddress + OFFSET.
```c
#include <stdio.h>   /* the original used VC6's "stdafx.h" precompiled header */

/* Reconstructed from the output below: a global pointer to a string literal */
char *hello = "ABCDEFG";

int main(int argc, char* argv[])
{
    /* print the address of the pointer variable itself, then the string it points to
       (32-bit build, so the address fits in an unsigned int) */
    printf("%x - %s\n", (unsigned)&hello, hello);
    getchar();
    return 0;
}
```
Output:
```
422d14 - ABCDEFG
```
The address of the hello pointer is 0x422d14.
```
0:001> dd 422d14
00422d14 0042001c c0000005 0000000b 00000000
00422d24 c000001d 00000004 00000000 c0000096
00422d34 00000004 00000000 c000008d 00000008
00422d44 00000000 c000008e 00000008 00000000
00422d54 c000008f 00000008 00000000 c0000090
00422d64 00000008 00000000 c0000091 00000008
00422d74 00000000 c0000092 00000008 00000000
00422d84 c0000093 00000008 00000000 00000003
```
The address of the string "ABCDEFG" is 0x0042001c.
```
0:001> db 0042001c
0042001c 41 42 43 44 45 46 47 00-00 00 00 00 00 00 00 00 ABCDEFG.........
0042002c 5f 66 69 6c 62 75 66 2e-63 00 00 00 73 74 72 20 _filbuf.c...str
0042003c 21 3d 20 4e 55 4c 4c 00-5f 66 69 6c 65 2e 63 00 != NULL._file.c.
0042004c 70 72 69 6e 74 66 2e 63-00 00 00 00 66 6f 72 6d printf.c....form
0042005c 61 74 20 21 3d 20 4e 55-4c 4c 00 00 69 33 38 36 at != NULL..i386
0042006c 5c 63 68 6b 65 73 70 2e-63 00 00 00 00 00 00 00 \chkesp.c.......
0042007c 54 68 65 20 76 61 6c 75-65 20 6f 66 20 45 53 50 The value of ESP
0042008c 20 77 61 73 20 6e 6f 74-20 70 72 6f 70 65 72 6c was not properl
```
Formatting the address in the debugger:
```
Evaluate expression:
Hex: 0042001c
Decimal: 4325404
Octal: 00020400034
Binary: 00000000 01000010 00000000 00011100
Chars: .B..
Time: Fri Feb 20 09:30:04 1970
Float: low 6.06118e-039 high 0
Double: 2.13703e-317
```
For the address 0x0042001c (binary 00 000000010 000100000 000000011100, split 2/9/9/12), the fields are:
PDIndex = 0;
PDEIndex = 2;
PTEIndex = 0x20;
OFFSET = 0x1C;
In the kernel debugger, find the process and its DirBase (CR3, the physical address of the page-directory-pointer table):
```
lkd> !process 0 0 testpte.exe
PROCESS 857df020 SessionId: 0 Cid: 0730 Peb: 7ffd5000 ParentCid: 06d0
DirBase: 06fc0540 ObjectTable: e3728948 HandleCount: 7.
Image: TestPTE.exe
```
Dump the table at that physical address (each entry is 8 bytes, shown low dword first):
```
lkd> !dd 06fc0540
# 6fc0540 135a8801 00000000 31fa9801 00000000
# 6fc0550 1432a801 00000000 06ca7801 00000000
# 6fc0560 29438801 00000000 293f9801 00000000
# 6fc0570 292ba801 00000000 29437801 00000000
# 6fc0580 2d857801 00000000 2d9d8801 00000000
# 6fc0590 2d799801 00000000 2dc96801 00000000
# 6fc05a0 3d0dd801 00000000 38170801 00000000
# 6fc05b0 28fb5801 00000000 37b2c801 00000000
```
PDIndex = 0 selects the first entry, 135a8801, so the page directory starts at physical 135a8000:
```
#135a8000 17fb7867 00000000 100c2867 00000000
#135a8010 0a176867 00000000 00000000 00000000
#135a8020 00000000 00000000 00000000 00000000
#135a8030 00000000 00000000 00000000 00000000
#135a8040 00000000 00000000 00000000 00000000
#135a8050 00000000 00000000 00000000 00000000
#135a8060 00000000 00000000 00000000 00000000
#135a8070 00000000 00000000 00000000 00000000
```
PDEIndex = 2 selects the entry at offset 2 * 8 = 0x10, which is 0a176867, so the page table starts at physical 0a176000; PTEIndex = 0x20 sits at offset 0x20 * 8 = 0x100, i.e. at 0a176100:
```
# a176100 23593025 80000000 00000000 00000000
# a176110 09adc886 00000000 08a4e886 00000000
# a176120 135df886 00000000 1034d884 00000000
# a176130 00000000 00000000 00000000 00000000
# a176140 00000000 00000000 00000000 00000000
# a176150 00000000 00000000 00000000 00000000
# a176160 00000000 00000000 00000000 00000000
# a176170 00000000 00000000 00000000 00000000
```
Since PTEIndex = 0x20, the PTE found there is 23593025, and the base address of the memory page is 23593000.
Adding the offset 0x1c, the content at physical address 0x2359301c is the content at virtual address 0x0042001c:
```
#2359301c 41 42 43 44 45 46 47 00-00 00 00 00 00 00 00 00 ABCDEFG.........
#2359302c 5f 66 69 6c 62 75 66 2e-63 00 00 00 73 74 72 20 _filbuf.c...str
#2359303c 21 3d 20 4e 55 4c 4c 00-5f 66 69 6c 65 2e 63 00 != NULL._file.c.
#2359304c 70 72 69 6e 74 66 2e 63-00 00 00 00 66 6f 72 6d printf.c....form
#2359305c 61 74 20 21 3d 20 4e 55-4c 4c 00 00 69 33 38 36 at != NULL..i386
#2359306c 5c 63 68 6b 65 73 70 2e-63 00 00 00 00 00 00 00 \chkesp.c.......
#2359307c 54 68 65 20 76 61 6c 75-65 20 6f 66 20 45 53 50 The value of ESP
#2359308c 20 77 61 73 20 6e 6f 74-20 70 72 6f 70 65 72 6c was not properl
```
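The 2/9/9/12 split and the PDPT -> PD -> PT walk described above, carried out in code as an added example (this is not the post's own program and not a Windows API). The names pae_split, pae_translate, translate_or_fail and g_phys are mine; g_phys is a constructed stand-in for physical memory that holds only the three table entries copied from the !dd dumps above, so the walk reproduces 0x0042001c -> 0x2359301c offline. It goes slightly beyond the post's walk by checking the present bit of every entry and handling a 2 MB large page (PDE bit 7), which the dumped tables do not use.

```c
#include <stdint.h>
#include <stdio.h>

/* The four fields of a 32-bit linear address under PAE (2 + 9 + 9 + 12 bits). */
typedef struct {
    unsigned pdpt_index; /* bits 31:30, one of 4 PDPT entries (the post's PDIndex)  */
    unsigned pd_index;   /* bits 29:21, one of 512 PDEs        (the post's PDEIndex) */
    unsigned pt_index;   /* bits 20:12, one of 512 PTEs        (the post's PTEIndex) */
    unsigned offset;     /* bits 11:0,  byte offset inside the 4 KB page             */
} pae_fields;

pae_fields pae_split(uint32_t va)
{
    pae_fields f;
    f.pdpt_index = (va >> 30) & 0x3;
    f.pd_index   = (va >> 21) & 0x1ff;
    f.pt_index   = (va >> 12) & 0x1ff;
    f.offset     = va & 0xfff;
    return f;
}

/* Constructed stand-in for physical memory: only the three 8-byte entries that
 * the kernel-debugger dumps above actually show (!dd prints the low dword first). */
typedef struct { uint64_t phys; uint64_t entry; } phys_qword;
static const phys_qword g_phys[] = {
    { 0x06fc0540ull, 0x00000000135a8801ull }, /* PDPTE 0  at DirBase            */
    { 0x135a8010ull, 0x000000000a176867ull }, /* PDE 2    at PD base + 2 * 8    */
    { 0x0a176100ull, 0x8000000023593025ull }, /* PTE 0x20 at PT base + 0x20 * 8 */
};

static int read_phys_qword(uint64_t phys, uint64_t *out)
{
    size_t i;
    for (i = 0; i < sizeof g_phys / sizeof g_phys[0]; i++)
        if (g_phys[i].phys == phys) { *out = g_phys[i].entry; return 1; }
    return 0; /* address not backed in the constructed memory */
}

#define PAE_PRESENT  0x1ull
#define PAE_LARGE    0x80ull               /* PDE.PS set: 2 MB page           */
#define PAE_PFN_MASK 0x0000000ffffff000ull /* 36-bit physical, 4 KB aligned   */

/* Walk PDPT -> PD -> PT for va. Returns 0 and stores the physical address, or
 * -1 when an entry is missing or not present (bit 0 clear). */
int pae_translate(uint64_t cr3, uint32_t va, uint64_t *pa_out)
{
    pae_fields f = pae_split(va);
    uint64_t pdpte, pde, pte, pd, pt;

    /* CR3 holds the 32-byte-aligned PDPT; every entry is 8 bytes */
    if (!read_phys_qword(cr3 + f.pdpt_index * 8, &pdpte) || !(pdpte & PAE_PRESENT))
        return -1;
    pd = pdpte & PAE_PFN_MASK;
    if (!read_phys_qword(pd + f.pd_index * 8, &pde) || !(pde & PAE_PRESENT))
        return -1;
    if (pde & PAE_LARGE) { /* 2 MB page: the low 21 bits of va are the offset */
        *pa_out = (pde & 0x0000000fffe00000ull) | (va & 0x1fffff);
        return 0;
    }
    pt = pde & PAE_PFN_MASK;
    if (!read_phys_qword(pt + f.pt_index * 8, &pte) || !(pte & PAE_PRESENT))
        return -1;
    *pa_out = (pte & PAE_PFN_MASK) | f.offset;
    return 0;
}

/* Convenience wrapper: the physical address, or UINT64_MAX if translation fails. */
uint64_t translate_or_fail(uint64_t cr3, uint32_t va)
{
    uint64_t pa;
    return pae_translate(cr3, va, &pa) == 0 ? pa : UINT64_MAX;
}

int main(void)
{
    uint32_t va = 0x0042001cu;
    pae_fields f = pae_split(va);
    printf("PDIndex=%u PDEIndex=%u PTEIndex=0x%x OFFSET=0x%x\n",
           f.pdpt_index, f.pd_index, f.pt_index, f.offset);
    printf("VA %08x -> PA %llx\n", (unsigned)va,
           (unsigned long long)translate_or_fail(0x06fc0540ull, va));
    return 0;
}
```

Two things worth noticing in the dumped PTE 23593025 80000000 that the code masks off: the low bits 0x25 are the present, user and accessed flags, and the high dword 80000000 is bit 63 of the 64-bit PAE entry, the execute-disable bit that DEP relies on. That bit only exists in the PAE entry format, which is why the post's BOOT.INI /noexecute switch and PAE are tied together.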