This is a mirror of official site: http://jasper-net.blogspot.com/

Understanding !PTE

Posted by jasper22 at 17:53 | Wednesday, April 21, 2010
Hello. It’s Ryan Mangipano again (Ryanman). Today’s blog will be the first in a multi-part post designed to help you understand the output of the !PTE debuger comand along with the basics of hardware Virtual Addressing.  To better understand Virtual Addressing, we will use the debugger to manually translate a 4-KByte Page Table PAE virtual address into the actual physical addresses in order to understand what !PTE is displaying. I’ll provide relevant information about Virtual Addresses and Virtual Memory along the way.  

We’ll start by translating a non-prototype valid hardware VA from an x86 PAE system

The actual process of manually decoding a virtual addresses is going to vary according to the architecture (x86, x64), size of the page, whether or not the virtual address is a large page, whether the page is marked as valid, whether it’s a hardware or software PTE, and whether PAE is enabled. For simplicity, we will not be going over the table entry (PTE/PDE)  flags until part two of the blog. For my first example, I am going to demonstrate how to use the information in the processor manuals together with the debugger to decode a valid non-prototype virtual address into the physical memory that it references.  You can then try this on your own using windbg and the !pte command to validate your findings.  

Finding an address to translate

To start, we'll need to locate a virtual address that maps to a valid PTE. I am going to use the following highlighted virtual address which I found in a memory dump.  

f9a12d0c ff155400a1f9    call    dword ptr [sfilter+0x4054 (f9a10054)]

Get out your processor manuals

The AMD and Intel manuals both contain helpful reference material on this subject. PDFs of these manuals are available online. Since my CPU is an Intel, I’m going to refer to the Intel manuals.

1: kd> !cpuinfo

CP  F/M/S Manufacturer  MHz PRCB Signature    MSR 8B Signature Features
0 15,6,4 GenuineIntel 3192 0000000400000000                   a0073fff

My Intel manuals arrived on CD via snail mail a few days after placing my free order:
http://www.intel.com/products/processor/manuals/order.htm

Is PAE in use?

On this Intel x86 system, we first need to determine if we are using PAE. In the Intel “System Programming section 3.6.1 Paging Options” I found that the PAE (Physical Address Extension) flag can be found in bit 5 of the CR4 register. The PG (Paging) flag in CR0 which enables paging must of course also be set. Register bit numbering starts at zero so it’s the fifth bit from the right. Let’s examine cr4 and convert the value it contains into binary:

1: kd> r cr4
cr4=000006f9

1: kd> .formats 000006f9
 Binary:  00000000 00000000 00000110 11111001

Read more: Ntdebugging Blog Part 1, Part 2

Posted via email from jasper22's posterous

0 Comments
Subscribe to: Post Comments (Atom)