[原]线性地址到物理地址转换

参考

 

[转]Part1: Understanding !PTE , Part 1: Let’s get physical

[转]Part2: Understanding !PTE, Part2: Flags and Large Pages

[转]Part 3: Understanding !PTE - Non-PAE and X64

 

cr4第5位（从0开始）判断是否开启PAE(Physical Address Extension)

kd> .formats cr4

Evaluate expression:

  Hex:     000406f9

  Decimal: 263929

  Octal:   00001003371

  Binary:  00000000 00000100 00000110 11111001

  Chars:   ....

  Time:    Sun Jan 04 09:18:49 1970

  Float:   low 3.69843e-040 high 0

  Double:  1.30398e-318

 

第5位是1，故开启了PAE. 如果第5位是0，我们还要查看cr4的第4位，第4位表示是否开启大页面PSE(Page Size Extentions)

 

 

要查找的线性地址

kd> .formats 0x34f8ec

Evaluate expression:

  Hex:     0034f8ec

  Decimal: 3471596

  Octal:   00015174354

  Binary:  00000000 00110100 11111000 11101100

  Chars:   .4..

  Time:    Tue Feb 10 12:19:56 1970

  Float:   low 4.86474e-039 high 0

  Double:  1.7152e-317

 

 

按2 9 9 12分

2位：（30—31）页目录指针表的索引（PDPD）

9位：（21—29）页目录表索引

9位：（12—20）页表索引

12位：（0—11）页内偏移

 

Page Directory Pointer Index(PDPI)       00                 0x0,   Index into 1st table(Page Directory Pointer Table)

Page Directory Index(PDI)                000000001          0x1,   Index into 2nd table(Page Directory Table)

Page Table Index(PTI)                    101001111          0x14f, Index into 3rd table(Page Table)

Byte Index                               100011101100       0x8ec, the offset into the physical memory page

 

查找页目录基地址

kd> r cr3

cr3=3edd3480

 

找到对应的PDE

kd> !dq (@cr3 & 0xffffffe0)+(0y00*@@(sizeof(nt!_MMPTE))) L1

#3edd3480 00000000`281d8801

 

找到对应的PTE

kd> !dq (0x281d8801 & 0xFFFFFF000) +( 0y000000001*@@(sizeof(nt! _MMPTE))) L1

#281d8008 00000000`281ce867

 

 

找到对应的PT

kd> !dq (0x281ce867&0xFFFFFF000)+(0y101001111*@@(sizeof(nt! _MMPTE))) L1

#281cea78 80000000`27756867

 

kd> ?? (0x80000000`27756867 & 0xFFFFFFFF`FFFFFFF000)

unsigned int64 0x80000000`27756000

 

0x80000000`27756000就是我们要找的页表基址

虚拟地址0x34f8ec对应的物理地址则是0x80000000`277568ec

 

我们来验证下

kd> db 0x34f8ec

0034f8ec  61 61 61 61 00 cc cc cc-cc cc cc cc 44 f9 34 00  aaaa........D.4.

0034f8fc  3a c7 0f 00 01 00 00 00-20 fd 3a 00 80 fd 3a 00  :....... .:...:.

0034f90c  3f 03 b0 56 00 00 00 00-00 00 00 00 00 f0 fd 7f  ?..V............

0034f91c  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................

0034f92c  0c f9 34 00 bc 7a 2d f8-88 f9 34 00 bf a4 0f 00  ..4..z-...4.....

0034f93c  5b e3 92 56 00 00 00 00-4c f9 34 00 1d c9 0f 00  [..V....L.4.....

0034f94c  58 f9 34 00 45 3c 46 77-00 f0 fd 7f 98 f9 34 00  X.4.E<Fw......4.

0034f95c  f5 37 89 77 00 f0 fd 7f-7b 96 bf 77 00 00 00 00  .7.w....{..w....

kd> !db 0x80000000`277568ec

#80000000277568ec 61 61 61 61 00 cc cc cc-cc cc cc cc 44 f9 34 00 aaaa........D.4.

#80000000277568fc 3a c7 0f 00 01 00 00 00-20 fd 3a 00 80 fd 3a 00 :....... .:...:.

#800000002775690c 3f 03 b0 56 00 00 00 00-00 00 00 00 00 f0 fd 7f ?..V............

#800000002775691c 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................

#800000002775692c 0c f9 34 00 bc 7a 2d f8-88 f9 34 00 bf a4 0f 00 ..4..z-...4.....

#800000002775693c 5b e3 92 56 00 00 00 00-4c f9 34 00 1d c9 0f 00 [..V....L.4.....

#800000002775694c 58 f9 34 00 45 3c 46 77-00 f0 fd 7f 98 f9 34 00 X.4.E<Fw......4.

#800000002775695c f5 37 89 77 00 f0 fd 7f-7b 96 bf 77 00 00 00 00 .7.w....{..w....

 

正是我们的字符串aaaa

 

 

或者我们可以更简单的用!pte命令来取得物理地址

 

kd> !pte 0x34f8ec

                    VA 0034f8ec

PDE at C0600008            PTE at C0001A78

contains 00000000281CE867  contains 8000000027756867

pfn 281ce     ---DA--UWEV  pfn 27756     ---DA--UW-V

 

8000000027756867低12位清零后就是页表基址。和我们手动算出来的一样。

 

=======================================================

后记：之前用用内核调试，.process /p eprocess切换进程后， 

cr3的值和切换的进程的PDBR的值总是不一样。导致手动推导出来的物理地址不对。

后来突然想起来，cr3的值是操作系统在切换进程的时候才会切换的，所以用/process /p切换后值会不一样。

具体参考笔记：

[原]线性地址到物理地址转换后记

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

来自为知笔记(Wiz)