Convert a virtual address to a physical address

Source: Internet
Author: User

Most debugger commands take virtual addresses, not physical addresses, as their input parameters and display them in their output. However, it is sometimes useful to have the physical address.

There are two ways to convert a virtual address into a physical address: use the !vtop extension or use the !pte extension. On Windows NT 4.0, the !vpdd extension can also be used.

Use !vtop for address conversion
Suppose you are debugging a target computer on which the myapp.exe process is running, and you want to investigate the virtual address 0x0012f980. Follow these steps to determine the corresponding physical address with the !vtop extension.

Using !vtop to convert a virtual address to a physical address
Make sure that you are working in hexadecimal. If necessary, use the n 16 command to set the current number base.
Determine the byte index of the address. This value is equal to the lowest 12 bits of the virtual address. Therefore, the byte index of the virtual address 0x0012f980 is 0x980.
Use the !process extension to determine the directory base of the process:
kd> !process 0 0
**** NT ACTIVE PROCESS DUMP ****
....
PROCESS ff779190  SessionId: 0  Cid: 04fc    Peb: 7ffdf000  ParentCid: 0394
    DirBase: 098fd000  ObjectTable: e1646b30  TableSize: 8.
    Image: myapp.exe

Determine the page frame number of the directory base. This is simply the directory base without its three trailing hexadecimal zeros. In this example, the directory base is 0x098fd000, so the page frame number is 0x098fd.
Use the !vtop extension. The first parameter of this extension should be the page frame number. The second parameter of !vtop should be the virtual address in question:
kd> !vtop 98fd 12f980
Pdi 0 Pti 12f
0012f980 09de9000 pfn(09de9)

The second value displayed on the last line is the physical address of the beginning of the physical page.

Add the byte index to the address of the beginning of the page: 0x09de9000 + 0x980 = 0x09de9980. This is the desired physical address.

You can verify that the calculation is correct by displaying the memory at each address. The !d* extension displays memory at a specified physical address:

kd> !dc 9de9980
#9de9980 6d206e49 726f6d65 00120079 0012f9f4 In memory.......
#9de9990 0012f9f8 77e57119 77e8e618 ffffffff .....q.w...w....
#9de99a0 77e727e0 77f6f13e 77f747e0 ffffffff .'.w>..w.G.w....
#9de99b0 .....

The d* (Display Memory) command takes a virtual address as its parameter:

kd> dc 12f980
0012f980 6d206e49 726f6d65 00120079 0012f9f4 In memory.......
0012f990 0012f9f8 77e57119 77e8e618 ffffffff .....q.w...w....
0012f9a0 77e727e0 77f6f13e 77f747e0 ffffffff .'.w>..w.G.w....
0012f9b0 .....

The results are the same, so this indicates that the physical address 0x09de9980 corresponds to the virtual address 0x0012f980.

Use !pte for address conversion
Again, assume that you are investigating the virtual address 0x0012f980 of the myapp.exe process. Follow these steps to determine the corresponding physical address with the !pte extension:

Using !pte to convert a virtual address to a physical address
Make sure that you are working in hexadecimal. If necessary, use the n 16 command to set the current number base.
Determine the byte index of the address. This value is equal to the lowest 12 bits of the virtual address. Therefore, the byte index of the virtual address 0x0012f980 is 0x980.
Set the required process as the process context:
kd> !process 0 0
**** NT ACTIVE PROCESS DUMP ****
....
PROCESS ff779190  SessionId: 0  Cid: 04fc    Peb: 7ffdf000  ParentCid: 0394
    DirBase: 098fd000  ObjectTable: e1646b30  TableSize: 8.
    Image: myapp.exe

kd> .process /p ff779190
Implicit process is now ff779190
.cache forcedecodeuser done

Use the !pte extension with the virtual address as its parameter. This displays information in two columns. The left column describes the page directory entry (PDE) for this address, and the right column describes its page table entry (PTE):
kd> !pte 12f980
               VA 0012f980
PDE at   c0300000        PTE at c00004bc
contains 0ba58067        contains 09de9067
pfn ba58 ---DA--UWV      pfn 9de9 ---DA--UWV

The notation "pfn 9de9" appears in the last row of the right column. The value 0x9de9 is the page frame number (PFN) of this PTE. Multiply the page frame number by 0x1000 (that is, shift it left by 12 bits). The result, 0x09de9000, is the physical address of the beginning of the page.
Add the byte index to the address of the beginning of the page: 0x09de9000 + 0x980 = 0x09de9980. This is the desired physical address.

This is the same as the result obtained by the previous method.

Manual address conversion
Although the !ptov and !pte extensions provide the fastest way to convert virtual addresses into physical addresses, the conversion can also be done manually. A description of this process helps explain some details of the virtual memory architecture.

Memory structures vary depending on the processor and hardware configuration. This example uses an x86 system that does not have Physical Address Extension (PAE) enabled.

Again, use 0x0012f980 as the virtual address. First, convert it to binary, either manually or with the .formats (Show Number Formats) command:

kd> .formats 12f980
Evaluate expression:
  Hex:     0012f980
  Decimal: 1243520
  Octal:   00004574600
  Binary:  00000000 00010010 11111001 10000000
  Chars:   ....
  Time:    Thu Jan 15 01:25:20 1970
  Float:   low 1.74254e-039 high 0
  Double:  6.14381e-318

This virtual address is a combination of three fields. Bits 0 to 11 are the byte index. Bits 12 to 21 are the page table index. Bits 22 to 31 are the page directory index. Separate these fields:

0x0012f980 = 0y 00000000 00 | 010010 1111 | 1001 10000000

This shows the three parts of the virtual address:

Page directory index = 0y0000000000 = 0x0
Page table index = 0y0100101111 = 0x12f
Byte index = 0y100110000000 = 0x980

You then need three additional pieces of information about your system.

The size of each PTE. On non-PAE x86 systems, it is 4 bytes.
The page size. It is 0x1000 bytes.
The PTE_BASE virtual address. On a non-PAE system, it is 0xc0000000.

With this data, you can calculate the address of the PTE itself:

PTE address = PTE_BASE
            + (page directory index) * PAGE_SIZE
            + (page table index) * sizeof(MMPTE)
            = 0xc0000000
            + 0x0 * 0x1000
            + 0x12f * 4
            = 0xc00004bc

This is the address of the PTE. The PTE is a 32-bit DWORD. Examine its contents:

kd> dd 0xc00004bc L1
c00004bc 09de9067

The value of this PTE is 0x09de9067. It consists of two fields:

The low 12 bits of the PTE are the status flags. Here, these flags are 0x067, or 0y000001100111 in binary. For more information about the status flags, see the !pte reference page.
The high 20 bits of the PTE are equal to the page frame number (PFN) of the PTE. Here, the PFN is 0x09de9.

The first physical address on the physical page is the PFN multiplied by 0x1000 (shifted left by 12 bits). The byte index is the offset within this page. Therefore, the physical address you want is 0x09de9000 + 0x980 = 0x09de9980. This is the same as the result obtained by the preceding methods.
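
The manual conversion above, together with the directory-base walk that !vtop performs, as an added Python example that is not part of the original page. The function names, the dictionary-based memory image and the 4 MB large-page branch are assumptions of this example; the two table entries are the values shown in the !process and !pte output.

```python
import struct

PAGE_SHIFT, PTE_SIZE, PTE_BASE = 12, 4, 0xC0000000   # non-PAE x86 values from the text
VALID, LARGE_PAGE = 0x001, 0x080                     # x86 PDE/PTE bit 0 and PDE bit 7

def split_va(va):
    """Return (page directory index, page table index, byte index)."""
    return (va >> 22) & 0x3FF, (va >> 12) & 0x3FF, va & 0xFFF

def pte_virtual_address(va):
    """Virtual address of the PTE itself, using the formula from the text."""
    pdi, pti, _ = split_va(va)
    return PTE_BASE + pdi * (1 << PAGE_SHIFT) + pti * PTE_SIZE

def read_entry(phys_mem, phys_addr):
    """Read one little-endian 32-bit entry from a {page_base: bytes} image."""
    page = phys_mem.get(phys_addr & ~0xFFF)
    if page is None:
        raise LookupError(f"physical page {phys_addr & ~0xFFF:#x} not in image")
    return struct.unpack_from("<I", page, phys_addr & 0xFFF)[0]

def translate(phys_mem, dir_base, va):
    """Walk DirBase -> PDE -> PTE and return the physical address."""
    pdi, pti, offset = split_va(va)
    pde = read_entry(phys_mem, dir_base + pdi * PTE_SIZE)
    if not pde & VALID:
        raise LookupError(f"PDE {pde:#010x} is not valid")
    if pde & LARGE_PAGE:                      # 4 MB page: no page table level
        return (pde & 0xFFC00000) | (va & 0x3FFFFF)
    pte = read_entry(phys_mem, (pde & 0xFFFFF000) + pti * PTE_SIZE)
    if not pte & VALID:                       # e.g. paged out: PFN field is not a frame
        raise LookupError(f"PTE {pte:#010x} is not valid")
    return (pte & 0xFFFFF000) | offset

def make_page(entries):
    """Constructed helper: a 4 KB page holding the given {index: entry} values."""
    page = bytearray(1 << PAGE_SHIFT)
    for index, value in entries.items():
        struct.pack_into("<I", page, index * PTE_SIZE, value)
    return bytes(page)

# Constructed image: only the two table pages, filled with the page's values.
SAMPLE_MEM = {
    0x098FD000: make_page({0x000: 0x0BA58067}),   # page directory (DirBase)
    0x0BA58000: make_page({0x12F: 0x09DE9067}),   # page table (PDE pfn ba58)
}

if __name__ == "__main__":
    print(hex(pte_virtual_address(0x0012F980)))
    print(hex(translate(SAMPLE_MEM, 0x098FD000, 0x0012F980)))
```

The valid-bit checks matter when working from a memory image: an entry with bit 0 clear does not describe a resident page, so its upper bits must not be shifted into a physical address.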
