[Repost] Parsing Windows 2000/XP physical memory management


Physical memory is a relatively scarce resource, and using it sensibly is key to an operating system's performance. Windows 2000/XP describes the state of physical memory with a structure called the page frame number (PFN) database. This article starts from that structure to detail how Windows organizes and manages physical memory.

Windows divides physical memory into units of PAGE_SIZE (0x1000 bytes, or 4K, on x86), and the PFN database holds a description of the state and purpose of each unit. The PFN database is simply an array of structures, one per physical page. Its base is held in the kernel variable MmPfnDatabase and its number of entries in MmNumberOfPhysicalPages; the index of an entry is called the Page Frame Number (PFN) of the page it describes. MmNumberOfPhysicalPages is usually slightly lower than the number of physical pages the system actually owns, because the system keeps back some pages for the operating system itself during the initialization phase. Note that the PFN database describes only physical RAM in the narrow sense; it does not cover the memory of other memory-mapped physical devices.

The WinDbg !pfn command displays the state and purpose of any page of physical memory, as shown below:

kd> dd MmPfnDatabase L 1
80547438  80c00000
kd> !pfn 143
    PFN 00000143 at address 80C01E48
    flink       00000500  blink / share count 00000001  pteaddress E1085174
    reference count 0001    Cached      color 0
    restore pte 00B5AC24  containing page        0096D8  Active     P
    Shared

Inside Windows 2000 explains the individual fields of a PFN entry very clearly, so here I only describe them briefly:

Flink and Blink link pages that are in a particular state into lists whose heads are the kernel variables MmZeroedPageListHead, MmFreePageListHead, MmStandbyPageListHead, MmModifiedPageListHead, MmModifiedNoWritePageListHead and MmBadPageListHead. The variable names make the state of each list obvious. The Windows PFN database distinguishes 8 page states in total; the two that have no list are Active and Transition. The state is held in the low 3 bits of the PFN entry's type field (offset 0xd, size one byte).

PteAddress is the address of the PTE that points to this page. After analysis, there are three main cases:

A. PteAddress is 0 or 0xffffffff: according to the state recorded in the PFN entry, the page is a zeroed page or a free page.
B. PteAddress is 0xc*******: the page is owned exclusively by one process or by the system, and it is in that process's or the system's working set.
C. PteAddress is 0xe*******: the PTE is a prototype PTE, which means the page is shared. For details see my article Exploring the Windows 2000/XP prototype PTE.

Restore PTE, called the original PTE in Inside Windows 2000, records the backing-store location of the page, that is, where its data lives in a pagefile or in a mapped file on disk. In case C above, it generally points to a subsection of a mapped file, so it is called a subsection PTE and is defined by the MMPTE_SUBSECTION structure. In the other case it can be a PTE pointing into a pagefile, defined by the MMPTE_SOFTWARE structure. I got this wrong the last time I mentioned it. The bit definitions of MMPTE_SUBSECTION are as follows:

Valid:                 pos 0,  1 bit
SubsectionAddressLow:  pos 1,  4 bits
Protection:            pos 5,  5 bits
Prototype:             pos 10, 1 bit
SubsectionAddressHigh: pos 11, 20 bits
WhichPool:             pos 31, 1 bit

The highest bit, WhichPool, indicates which pool the subsection lives in (NonPagedPool or PagedPool). Valid is 0, indicating that this is not a PTE the x86 hardware can interpret; it is handled by MiDispatchFault instead. The algorithm that converts a subsection PTE into the subsection's address is given in the code provided below.
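The decoding described in the two preceding sections (the three PteAddress cases and the MMPTE_SUBSECTION layout), as an added user-mode example that is not part of the article's own code: it splits a restore PTE into its fields, rebuilds the subsection address with the article's Windows XP Build 2600 pool constants, and classifies a PteAddress. The values decoded are the restore PTE 00B5AC24 and pteaddress E1085174 from the !pfn 143 dump above; the field and function names are my own.

```c
/* Added example (not from the article): decode an x86 MMPTE_SUBSECTION with the
 * bit layout listed above and rebuild the SUBSECTION address the way the article's
 * MiGetSubsectionAndProtoFromPte does. Pool bounds are the article's XP 2600 values. */
#include <stdint.h>
#include <stdio.h>

#define MmSubsectionBase  0x80d21000u   /* article's Windows XP 2600 value */
#define MmNonPagedPoolEnd 0xffbe0000u   /* article's Windows XP 2600 value */

struct subsection_pte { unsigned valid, addr_low, protection, prototype, addr_high, which_pool; };

/* Split a restore (original) PTE into its MMPTE_SUBSECTION fields. */
struct subsection_pte decode_subsection_pte(uint32_t pte)
{
    struct subsection_pte s;
    s.valid      =  pte        & 0x1;      /* pos 0,  1 bit  */
    s.addr_low   = (pte >> 1)  & 0xf;      /* pos 1,  4 bits */
    s.protection = (pte >> 5)  & 0x1f;     /* pos 5,  5 bits */
    s.prototype  = (pte >> 10) & 0x1;      /* pos 10, 1 bit  */
    s.addr_high  = (pte >> 11) & 0xfffff;  /* pos 11, 20 bits */
    s.which_pool = (pte >> 31) & 0x1;      /* pos 31, 1 bit  */
    return s;
}

/* WhichPool=1: offset above MmSubsectionBase; WhichPool=0: offset below MmNonPagedPoolEnd.
 * Same arithmetic as ((Pte & 0x1e) << 2) | ((Pte >> 4) & 0x7ffff80) in the article. */
uint32_t subsection_address(uint32_t pte)
{
    struct subsection_pte s = decode_subsection_pte(pte);
    uint32_t off = (s.addr_high << 7) | (s.addr_low << 3);
    return s.which_pool ? MmSubsectionBase + off : MmNonPagedPoolEnd - off;
}

/* The article's three PteAddress cases for a PFN entry. */
const char *classify_pte_address(uint32_t pteaddress)
{
    if (pteaddress == 0 || pteaddress == 0xffffffffu) return "zeroed or free page";
    if ((pteaddress >> 28) == 0xc) return "private: in a process or system working set";
    if ((pteaddress >> 28) == 0xe) return "prototype PTE: shared page";
    return "unclassified";
}

int main(void)
{
    uint32_t restore = 0x00B5AC24u;   /* restore pte and pteaddress from the !pfn 143 dump */
    struct subsection_pte s = decode_subsection_pte(restore);
    printf("prototype=%u whichpool=%u protection=%u subsection=%08x; pte %s\n",
           s.prototype, s.which_pool, s.protection, subsection_address(restore),
           classify_pte_address(0xE1085174u));
    return 0;
}
```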

This description basically explains how a subsection PTE locates, for the page a PFN entry describes, the corresponding position in the mapped file. To illustrate this process, Inside Windows 2000 uses a block diagram of the many connections inside the memory manager, but the data structures involved, such as PFN and SEGMENT, are not covered exhaustively and the conversion algorithms are not mentioned. Below is a diagram I re-created based on Windows XP Professional Build 2600.

WinDbg's !memusage command reports the memory usage of every mapped file in the system by analyzing subsection PTEs. The code below only lists in detail which mapped file certain pages belong to and has none of !memusage's statistics, but with this code and the articles I provided earlier, the complex relationships in the picture above can basically be understood.

#include <ntddk.h>

/*
  For test purposes I define the constants below, but that is not to say
  MmSubsectionBase and MmNonPagedPoolEnd are fixed in Windows 2000 and
  Windows XP. They are initialized by NTOSKRNL in the system boot phase and
  depend on the physical memory size of the system, among other things.
*/
#define WIN2000_2195
#ifdef WINXP_2600
#define MmSubsectionBase  0x80d21000
#define MmNonPagedPoolEnd 0xffbe0000
#endif
#ifdef WIN2000_2195
#define MmSubsectionBase  0x0
#define MmNonPagedPoolEnd 0xffb7f000
#endif

#define MmPfnDatabase           0xffb7f000 /* Please redefine it for your system. */
#define MmNumberOfPhysicalPages 0x3f7d     /* Please redefine it for your system. */

/*
  Portion of nt!MiGetSubsectionAndProtoFromPte:
  get the SUBSECTION from the Restore PTE (Original PTE) of a PFN database entry.
  Disassembled by WebCrazy ([email protected]) at http://webcrazy.yeah.net
  Thanks to Wuzq ([email protected]) for light!
*/
unsigned int MiGetSubsectionAndProtoFromPte(int Pte)
{
    unsigned int SubAddr;
    /* Bit 31 (WhichPool) set: offset above MmSubsectionBase; clear: offset below MmNonPagedPoolEnd. */
    if (Pte < 0) {
        SubAddr = MmSubsectionBase + (((Pte & 0x1e) << 2) | ((Pte >> 4) & 0x7ffff80));
    } else {
        SubAddr = MmNonPagedPoolEnd - (((Pte & 0x1e) << 2) | ((Pte >> 4) & 0xfffff80));
    }
    return SubAddr;
}

/*
  I release MemUsage() to dump control areas.
  Only the control areas of mapped files are dumped.
  Please see the WinDbg !memusage command.
*/
void MemUsage(void)
{
    unsigned int *PfnDatabase = (unsigned int *)MmPfnDatabase;
    unsigned int NumberPhys = MmNumberOfPhysicalPages;

    unsigned int RestorePte, Pfn = 0, PPte, Subsection;
    unsigned char Flag = 0;
    static unsigned int FlagNum[8];
    static char *FlagDesc[8] =
        {"Zeroed", "Free", "Standby", "Modified", "ModNoWrt", "Bad", "Active", "Trans"};
    memset(FlagNum, 0, sizeof(FlagNum));

    /* First pass: count pages per state. The state is the low 3 bits of the byte at
       offset 0xd; each PFN entry is 0x18 bytes, i.e. 0x18/0x04 unsigned ints. */
    for (; Pfn < NumberPhys; Pfn++) {
        Flag = *((char *)PfnDatabase + 0xd);
        Flag &= 0x07;
        FlagNum[Flag]++;
        PfnDatabase += 0x18 / 0x04;
    }

    DbgPrint("\nMemUsage:\n");
    for (Flag = 0; Flag < 8; Flag++)
        DbgPrint("%10s:%04d (%08dK)\n", FlagDesc[Flag], FlagNum[Flag], FlagNum[Flag] * 4);

    /* Second pass: for pages whose PteAddress is a prototype PTE (0xe1000000-0xf0000000),
       convert the Restore PTE to its SUBSECTION and print the control area pointer stored there. */
    PfnDatabase = (unsigned int *)MmPfnDatabase;
    for (Pfn = 0; Pfn < NumberPhys; Pfn++) {
        PPte = *(PfnDatabase + 0x1);        /* PteAddress at offset 0x4 */
        RestorePte = *(PfnDatabase + 0x4);  /* OriginalPte (Restore PTE) at offset 0x10 */
        Flag = *((char *)PfnDatabase + 0xd);
        Flag &= 0x07;

        if (PPte >= 0xe1000000 && PPte < 0xf0000000) {
            Subsection = MiGetSubsectionAndProtoFromPte(RestorePte);
            DbgPrint("Pfn:%04x,PPte:%08x,RestorePte:%08x,Subsection:%08x,CA:%08x,Flag:%10s\n",
                     Pfn, PPte, RestorePte, Subsection,
                     MmIsAddressValid((void *)Subsection) ? *(unsigned int *)Subsection : 0x11111111,
                     FlagDesc[Flag]);
        }
        PfnDatabase += 0x18 / 0x04;
    }
}
