使用WinDBG分析启用PAE后的分页机制
上次通过windbg查看了windos XP内存分页的机制,但在PAE打开的机器上情况又有些不一样了。
PAE就是Physical Address Extension(物理内存扩展)。
PAE就是Physical Address Extension(物理内存扩展)。
如何打开PAE:
修改BOOT.INI,把选项/noexecute改为:/noexecute=optin。(如果/noexecute=alwaysoff则会关闭PAE)。
我的机器如下:
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
控制寄存器CR4的第5位(CR4[5])用来启用PAE。
修改BOOT.INI,把选项/noexecute改为:/noexecute=optin。(如果/noexecute=alwaysoff则会关闭PAE)。
我的机器如下:
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
控制寄存器CR4的第5位(CR4[5])用来启用PAE。
如何确认PAE已经打开:
在"我的电脑"上右键,选择"属性",如果常规选项卡的最下面有“物理地址扩展”,表示PAE已经打开.
在"我的电脑"上右键,选择"属性",如果常规选项卡的最下面有“物理地址扩展”,表示PAE已经打开.
打开PAE有什么用:
打开了PAE,IA-32 CPU的寻址能力就从原来的4GB扩展到64GB。
打开了PAE,IA-32 CPU的寻址能力就从原来的4GB扩展到64GB。
对于我们程序中的一个线性地址,cpu是如何把它转到到物理地址的?
一个32位的线性地址,启用PAE后,分为4部分:
PDIndex : 2位
PDEIndex: 9位
PTEIndex: 9位
OFFSET: 12位
一个32位的线性地址,启用PAE后,分为4部分:
PDIndex : 2位
PDEIndex: 9位
PTEIndex: 9位
OFFSET: 12位
CPU会首先通过CR3寄存器找到PD的基地址PDBase,通过PDIndex找到PDEBase:
PDEBase = PDBase[PDIndex];
然后通过PDEIndex找到PTE的地址:
PTEAddress = PDEBase[PDEIndex];
通过PTEAddress就可以找到某一个内存页的地址:
PAGEAddress = PTEAddress[PTEIndex];
要访问的物理地址就是 PAGEAddress+OFFSET;
PDEBase = PDBase[PDIndex];
然后通过PDEIndex找到PTE的地址:
PTEAddress = PDEBase[PDEIndex];
通过PTEAddress就可以找到某一个内存页的地址:
PAGEAddress = PTEAddress[PTEIndex];
要访问的物理地址就是 PAGEAddress+OFFSET;
还是来看看下面程序:
#include "stdafx.h"
#include "stdafx.h"
char *hello = "ABCDEFG";
int main(int argc, char* argv[])
{
printf("%x - %s\n", &hello, hello);
getchar();
return 0;
}
int main(int argc, char* argv[])
{
printf("%x - %s\n", &hello, hello);
getchar();
return 0;
}
程序编译运行后显示:
422d14 - ABCDEFG
hello指针的地址是:0x422d14.
422d14 - ABCDEFG
hello指针的地址是:0x422d14.
启动windbg,附加到该进程,输入命令:
0:001> dd 422d14
00422d14 0042001c c0000005 0000000b 00000000
00422d24 c000001d 00000004 00000000 c0000096
00422d34 00000004 00000000 c000008d 00000008
00422d44 00000000 c000008e 00000008 00000000
00422d54 c000008f 00000008 00000000 c0000090
00422d64 00000008 00000000 c0000091 00000008
00422d74 00000000 c0000092 00000008 00000000
00422d84 c0000093 00000008 00000000 00000003
字符串”ABCDEFG“的地址是:0x0042001c.
0:001> db 0042001c
0042001c 41 42 43 44 45 46 47 00-00 00 00 00 00 00 00 00 ABCDEFG.........
0042002c 5f 66 69 6c 62 75 66 2e-63 00 00 00 73 74 72 20 _filbuf.c...str
0042003c 21 3d 20 4e 55 4c 4c 00-5f 66 69 6c 65 2e 63 00 != NULL._file.c.
0042004c 70 72 69 6e 74 66 2e 63-00 00 00 00 66 6f 72 6d printf.c....form
0042005c 61 74 20 21 3d 20 4e 55-4c 4c 00 00 69 33 38 36 at != NULL..i386
0042006c 5c 63 68 6b 65 73 70 2e-63 00 00 00 00 00 00 00 \chkesp.c.......
0042007c 54 68 65 20 76 61 6c 75-65 20 6f 66 20 45 53 50 The value of ESP
0042008c 20 77 61 73 20 6e 6f 74-20 70 72 6f 70 65 72 6c was not properl
0:001> dd 422d14
00422d14 0042001c c0000005 0000000b 00000000
00422d24 c000001d 00000004 00000000 c0000096
00422d34 00000004 00000000 c000008d 00000008
00422d44 00000000 c000008e 00000008 00000000
00422d54 c000008f 00000008 00000000 c0000090
00422d64 00000008 00000000 c0000091 00000008
00422d74 00000000 c0000092 00000008 00000000
00422d84 c0000093 00000008 00000000 00000003
字符串”ABCDEFG“的地址是:0x0042001c.
0:001> db 0042001c
0042001c 41 42 43 44 45 46 47 00-00 00 00 00 00 00 00 00 ABCDEFG.........
0042002c 5f 66 69 6c 62 75 66 2e-63 00 00 00 73 74 72 20 _filbuf.c...str
0042003c 21 3d 20 4e 55 4c 4c 00-5f 66 69 6c 65 2e 63 00 != NULL._file.c.
0042004c 70 72 69 6e 74 66 2e 63-00 00 00 00 66 6f 72 6d printf.c....form
0042005c 61 74 20 21 3d 20 4e 55-4c 4c 00 00 69 33 38 36 at != NULL..i386
0042006c 5c 63 68 6b 65 73 70 2e-63 00 00 00 00 00 00 00 \chkesp.c.......
0042007c 54 68 65 20 76 61 6c 75-65 20 6f 66 20 45 53 50 The value of ESP
0042008c 20 77 61 73 20 6e 6f 74-20 70 72 6f 70 65 72 6c was not properl
0:001>.formats 0042001c
Evaluate expression:
Hex: 0042001c
Decimal: 4325404
Octal: 00020400034
Binary: 00000000 01000010 00000000 00011100
Chars: .B..
Time: Fri Feb 20 09:30:04 1970
Float: low 6.06118e-039 high 0
Double: 2.13703e-317
Evaluate expression:
Hex: 0042001c
Decimal: 4325404
Octal: 00020400034
Binary: 00000000 01000010 00000000 00011100
Chars: .B..
Time: Fri Feb 20 09:30:04 1970
Float: low 6.06118e-039 high 0
Double: 2.13703e-317
对于地址0x0042001c (00 000000010 000100000 000000011100),其
PDBaseIndex = 0;
PDEIndex = 2;
PTEIndex = 0x20;
OFFSET = 0x1C;
用windbg启动一个本地的内核调试:
lkd> !process 0 0 testpte.exe
PROCESS 857df020 SessionId: 0 Cid: 0730 Peb: 7ffd5000 ParentCid: 06d0
DirBase: 06fc0540 ObjectTable: e3728948 HandleCount: 7.
Image: TestPTE.exe
lkd> !process 0 0 testpte.exe
PROCESS 857df020 SessionId: 0 Cid: 0730 Peb: 7ffd5000 ParentCid: 06d0
DirBase: 06fc0540 ObjectTable: e3728948 HandleCount: 7.
Image: TestPTE.exe
我们可以看到cr3寄存器的地址为:06fc0540。
lkd> !dd 06fc0540
# 6fc0540 135a8801 00000000 31fa9801 00000000
# 6fc0550 1432a801 00000000 06ca7801 00000000
# 6fc0560 29438801 00000000 293f9801 00000000
# 6fc0570 292ba801 00000000 29437801 00000000
# 6fc0580 2d857801 00000000 2d9d8801 00000000
# 6fc0590 2d799801 00000000 2dc96801 00000000
# 6fc05a0 3d0dd801 00000000 38170801 00000000
# 6fc05b0 28fb5801 00000000 37b2c801 00000000
由于PDBaseIndex = 0;页目录基地址为:135a8000
lkd> !dd 135a8000
#135a8000 17fb7867 00000000 100c2867 00000000
#135a8010 0a176867 00000000 00000000 00000000
#135a8020 00000000 00000000 00000000 00000000
#135a8030 00000000 00000000 00000000 00000000
#135a8040 00000000 00000000 00000000 00000000
#135a8050 00000000 00000000 00000000 00000000
#135a8060 00000000 00000000 00000000 00000000
#135a8070 00000000 00000000 00000000 00000000
#135a8000 17fb7867 00000000 100c2867 00000000
#135a8010 0a176867 00000000 00000000 00000000
#135a8020 00000000 00000000 00000000 00000000
#135a8030 00000000 00000000 00000000 00000000
#135a8040 00000000 00000000 00000000 00000000
#135a8050 00000000 00000000 00000000 00000000
#135a8060 00000000 00000000 00000000 00000000
#135a8070 00000000 00000000 00000000 00000000
由于PDEIndex = 2;页表的基地址为:0a176000
lkd> !dd 0a176000+0x20*8
# a176100 23593025 80000000 00000000 00000000
# a176110 09adc886 00000000 08a4e886 00000000
# a176120 135df886 00000000 1034d884 00000000
# a176130 00000000 00000000 00000000 00000000
# a176140 00000000 00000000 00000000 00000000
# a176150 00000000 00000000 00000000 00000000
# a176160 00000000 00000000 00000000 00000000
# a176170 00000000 00000000 00000000 00000000
# a176100 23593025 80000000 00000000 00000000
# a176110 09adc886 00000000 08a4e886 00000000
# a176120 135df886 00000000 1034d884 00000000
# a176130 00000000 00000000 00000000 00000000
# a176140 00000000 00000000 00000000 00000000
# a176150 00000000 00000000 00000000 00000000
# a176160 00000000 00000000 00000000 00000000
# a176170 00000000 00000000 00000000 00000000
由于PTEIndex = 0x20;内存页的基地址为:23593000
加上0x1c的偏移,物理地址0x2359301c处的内容就是虚拟地址0x0042001c处的内容。
lkd> !db 2359301c
#2359301c 41 42 43 44 45 46 47 00-00 00 00 00 00 00 00 00 ABCDEFG.........
#2359302c 5f 66 69 6c 62 75 66 2e-63 00 00 00 73 74 72 20 _filbuf.c...str
#2359303c 21 3d 20 4e 55 4c 4c 00-5f 66 69 6c 65 2e 63 00 != NULL._file.c.
#2359304c 70 72 69 6e 74 66 2e 63-00 00 00 00 66 6f 72 6d printf.c....form
#2359305c 61 74 20 21 3d 20 4e 55-4c 4c 00 00 69 33 38 36 at != NULL..i386
#2359306c 5c 63 68 6b 65 73 70 2e-63 00 00 00 00 00 00 00 \chkesp.c.......
#2359307c 54 68 65 20 76 61 6c 75-65 20 6f 66 20 45 53 50 The value of ESP
#2359308c 20 77 61 73 20 6e 6f 74-20 70 72 6f 70 65 72 6c was not properl
#2359301c 41 42 43 44 45 46 47 00-00 00 00 00 00 00 00 00 ABCDEFG.........
#2359302c 5f 66 69 6c 62 75 66 2e-63 00 00 00 73 74 72 20 _filbuf.c...str
#2359303c 21 3d 20 4e 55 4c 4c 00-5f 66 69 6c 65 2e 63 00 != NULL._file.c.
#2359304c 70 72 69 6e 74 66 2e 63-00 00 00 00 66 6f 72 6d printf.c....form
#2359305c 61 74 20 21 3d 20 4e 55-4c 4c 00 00 69 33 38 36 at != NULL..i386
#2359306c 5c 63 68 6b 65 73 70 2e-63 00 00 00 00 00 00 00 \chkesp.c.......
#2359307c 54 68 65 20 76 61 6c 75-65 20 6f 66 20 45 53 50 The value of ESP
#2359308c 20 77 61 73 20 6e 6f 74-20 70 72 6f 70 65 72 6c was not properl