Hello. It’s Ryan Mangipano again (Ryanman). Today’s blog will be the first in a multi-part post designed to help you understand the output of the !PTE debuger comand along with the basics of hardware Virtual Addressing. To better understand Virtual Addressing, we will use the debugger to manually translate a 4-KByte Page Table PAE virtual address into the actual physical addresses in order to understand what !PTE is displaying. I’ll provide relevant information about Virtual Addresses and Virtual Memory along the way. We’ll start by translating a non-prototype valid hardware VA from an x86 PAE systemThe actual process of manually decoding a virtual addresses is going to vary according to the architecture (x86, x64), size of the page, whether or not the virtual address is a large page, whether the page is marked as valid, whether it’s a hardware or software PTE, and whether PAE is enabled. For simplicity, we will not be going over the table entry (PTE/PDE) flags until part two of the blog. For my first example, I am going to demonstrate how to use the information in the processor manuals together with the debugger to decode a valid non-prototype virtual address into the physical memory that it references. You can then try this on your own using windbg and the !pte command to validate your findings. Finding an address to translateTo start, we'll need to locate a virtual address that maps to a valid PTE. I am going to use the following highlighted virtual address which I found in a memory dump. f9a12d0c ff155400a1f9 call dword ptr [sfilter+0x4054 (f9a10054)]Get out your processor manualsThe AMD and Intel manuals both contain helpful reference material on this subject. PDFs of these manuals are available online. Since my CPU is an Intel, I’m going to refer to the Intel manuals. 1: kd> !cpuinfoCP F/M/S Manufacturer MHz PRCB Signature MSR 8B Signature Features
0 15,6,4 GenuineIntel 3192 0000000400000000 a0073fffMy Intel manuals arrived on CD via snail mail a few days after placing my free order:
http://www.intel.com/products/processor/manuals/order.htmIs PAE in use?On this Intel x86 system, we first need to determine if we are using PAE. In the Intel “System Programming section 3.6.1 Paging Options” I found that the PAE (Physical Address Extension) flag can be found in bit 5 of the CR4 register. The PG (Paging) flag in CR0 which enables paging must of course also be set. Register bit numbering starts at zero so it’s the fifth bit from the right. Let’s examine cr4 and convert the value it contains into binary: 1: kd> r cr4
cr4=000006f91: kd> .formats 000006f9
Binary: 00000000 00000000 00000110 11111001Read more: Ntdebugging Blog Part 1, Part 2
0 15,6,4 GenuineIntel 3192 0000000400000000 a0073fffMy Intel manuals arrived on CD via snail mail a few days after placing my free order:
http://www.intel.com/products/processor/manuals/order.htmIs PAE in use?On this Intel x86 system, we first need to determine if we are using PAE. In the Intel “System Programming section 3.6.1 Paging Options” I found that the PAE (Physical Address Extension) flag can be found in bit 5 of the CR4 register. The PG (Paging) flag in CR0 which enables paging must of course also be set. Register bit numbering starts at zero so it’s the fifth bit from the right. Let’s examine cr4 and convert the value it contains into binary: 1: kd> r cr4
cr4=000006f91: kd> .formats 000006f9
Binary: 00000000 00000000 00000110 11111001Read more: Ntdebugging Blog Part 1, Part 2
Posts
0 comments:
Post a Comment