WinDbg demonstration of the address conversion process under the Windows paging mechanism on IA-32 CPUs

Source: Internet
Author: User

Today, while studying software debugging, I ran into a problem when practising the conversion of a virtual address to a physical address: when using windbg to debug the kernel locally, !dd was unavailable.

The following error occurs when using the windbg command !dd:

kd> !dd 0b3c03c0
Physical memory read at b3c03c0 failed
If you know the caching attributes used for the memory,
try specifying [c], [uc] or [wc], as in !dd [c].
WARNING: Incorrect use of these flags will cause unpredictable
processor corruption. This may immediately (or at any time in
the future until reboot) result in a system hang, incorrect data
being displayed or other strange crashes and corruption.

After searching online, I estimated that it was a problem with 360, but I did not want to uninstall it, so I tried it in a VM. There, !dd was okay, but a new problem arose: when I indexed the page table address, the page table address obtained was always 0. Later I thought about it and put it down to the virtual machine; presumably its layout differs from a real machine. There was no way to proceed on the XP system. After deleting the 360 anti-virus service, the !dd command still failed; after also removing 360 Security Guard, windbg worked normally and !dd could be used as usual. Computer systems are deep and profound; where the conflict arises is unknown, and I hope to find out in the near future. The following is the process of this experiment, which is detailed and is therefore reproduced directly.

============== The following are reprinted ========================

We know that IA-32 CPUs have supported paging since the 386. After paging is enabled, the OS divides the linear address space into fixed-size pages (usually 4 KB or 4 MB).

This article uses windbg to demonstrate how a virtual address is converted to a physical address under Windows paging.

In a modern OS, the concepts related to paging are as follows (taking a 32-bit IA CPU and Microsoft Windows as the example):

Page directory (PD):

The page directory is a linear table that stores page-directory entries (PDEs). Each page directory occupies one 4 KB memory page. Each PDE in the PD is 32 bits long: the high 20 bits are the starting address of the page table that the PDE points to, and the low 12 bits are the attributes of that PDE. Therefore each PD can hold at most 1024 PDEs.

The format of a page directory entry when the memory page size is 4 KB is as follows:

In fact, only the high 20 bits are useful; the low 12 bits are fixed at 0.

The format of a page directory entry when the memory page size is 4 MB is as follows:

In fact, only the high 10 bits are useful, and its low 12 bits are fixed at 0.

Its high 20 (or 10) bits are the starting address of the page that this directory entry points to.

Page table (PT):

A page table is a linear table that contains page table entries (PTEs). Similarly, each PT occupies one memory page, and each PTE is 32 bits long (the high 20 bits are the starting address of the physical page that the PTE points to, and the low 12 bits are the attributes of that physical page). Therefore each PT can hold at most 1024 PTEs.

Virtual address:

The format of a 32-bit virtual address is as follows:

The high 10 bits are the index into the page directory, the middle 10 bits are the index into the page table, and the low 12 bits are the offset within the page.

The conversion process from a virtual address to a physical address is as follows:

Step 1:

The starting position of the page directory (DirBase) is obtained from the CR3 register; for this reason the CR3 register is also called the page directory base register.

Step 2:

Use the high 10 bits of the virtual address as an index to find the corresponding PDE in the PD.

Step 3:

Locate the page table using the page table base address (the high 20 bits of the PDE).

Step 4:

Use the middle 10 bits (bits 12 to 21) of the virtual address as an index to select a PTE (page table entry) in the page table.

Step 5:

Take the physical page base address (the high 20 bits) from the PTE and add the low 12 bits of the virtual address to obtain the actual physical address.

The figure is as follows:

The following uses windbg to demonstrate the address conversion process.

Take Windows Calculator (calc.exe) as an Example

1. Open calc.exe, type a number such as 123456, and attach to calc.exe in user mode.

0:002> x calc!g*
01014f08 calc!ghwndtimeoutdlg = <no type information>
01014d9c calc!g_fhighcontrast = <no type information>
0100514d calc!getkeycolor = <no type information>
01014ef8 calc!gfexiting = <no type information>
0100518d calc!gethelpid = <no type information>
01014c70 calc!ghnoprecnum = <no type information>
01014c08 calc!ghnoparnum = <no type information>
01014038 calc!gszsep = <no type information>
01014eec calc!ghcurold = <no type information>
01014d38 calc!g_ahnochopnumbers = <no type information>
01014f00 calc!ghcalcdone = <no type information>
01014db0 calc!gpsznum = <no type information>
01014f0c calc!gnpendingerror = <no type information>
01014000 calc!gndecgrouping = <no type information>
01014dc0 calc!gcio = <no type information>
01014d98 calc!ghnolastnum = <no type information>
01014f04 calc!ghdogthread = <no type information>
01014d80 calc!g_hdecmenu = <no type information>
01014f48 calc!gbinexact = <no type information>
01014d7c calc!g_hhexmenu = <no type information>
01014efc calc!ghcalcstart = <no type information>
01014da0 calc!g_flayoutrtl = <no type information>
01014db8 calc!gbrecord = <no type information>
010149d8 calc!gcintdigits = <no type information>
01014d6c calc!g_hwnddlg = <no type information>
01014d4c calc!gbusesep = <no type information>
01014d94 calc!ghnomem = <no type information>
010044b4 calc!groupdigits = <no type information>
01014f4c calc!gllfact = <no type information>
01014d90 calc!ghnonum = <no type information>
01014064 calc!gldprevious = <no type information>

0:002> dd 01014db0
01014db0 000b2ee0 00000000 00000001 00000000
01014dc0 00000000 ffffffff 00000000 00000000
01014dd0 00000006 00320031 00340033
01014de0 00000000 00000000 00000000
01014df0 00000000 00000000 00000000 00000000
01014e00 00000000 00000000 00000000
01014e10 00000000 00000000 00000000 00000000
01014e20 00000000 00000000 00000000 00000000

Address 01014db0 is calc!gpsznum, and its first dword holds the pointer 000b2ee0. Let's look at the contents of the contiguous memory around 000b2ee0:

0:002> dd 000b2ee0
000b2ee0 00320031 00340033 00360035 0000002e
000b2ef0 00030025 0008013d 000b3060 000b2f14
000b2f00 00000000 00000000 00000000 00000000
000b2f10 00000000 5443534d 614d2e46 61687372
000b2f20 746e496c 61667265 462e6563 4d656c69
000b2f30 412e7061 462e4c4d 4545482e 00464945
000b2f40 00000000 00000000 00000000 00000000
000b2f50 00000000 00000000 00000000 00000000

The input string variable is stored at address 000b2ee0:

0:002> du 000b2ee0
000b2ee0  "123456."

Address 000b2ee0 holds exactly the number we entered, 123456. But 000b2ee0 is a virtual address, so what is its physical address? As introduced above, a 32-bit virtual address consists of three parts; let's look at the value of each part.

0:002> .formats 000b2ee0
Evaluate expression:
  Hex:     000b2ee0
  Decimal: 732896
  Octal:   00002627340
  Binary:  00000000 00001011 00101110 11100000
  Chars:   ....
Time: Fri Jan 09 03:34:56 1970
Float: Low 1.02701e-039 high 0
Double: 3.62099e-318

From the binary form we can see that its PDE index (high 10 bits) is 0, its PTE index (middle 10 bits) is b2, and its in-page offset is ee0.

Finding the physical address of the virtual address

Start another windbg instance as a kernel debugger: Kernel Debug -> Local.

lkd> !process 0 0

......

Process 85185288 sessionid: 0 CID: 0b8c peb: 7ffde000 parentcid: 021c
Dirbase: 1d0000000 objecttable: e1ff17e0 handlecount: 187.
Image: dllhost.exe

Process 84f10da0 sessionid: 0 CID: 049c peb: 7ffde000 parentcid: 0508
Dirbase: 093ee000 objecttable: e2ace720 handlecount: 49.
Image: calc.exe

Process 847e6220 sessionid: 0 CID: 0840 peb: 7ffde000 parentcid: 02c4
Dirbase: 15297000 objecttable: e2b1fe30 handlecount: 161.
Image: msmsgs.exe

DirBase is the base address of calc.exe's page directory: 093ee000 (its high 20 bits are meaningful; the low 12 bits of the base address are fixed at 0).

Next, let's look at the PDE in the PD.

lkd> !dd 093ee000 (displays the entries of the page directory at the specified physical address)
#93ee000 093fb067 0c765067 1803b067 00000000
#93ee010 14240067 00000000 00000000 00000000
#93ee020 00000000 00000000 00000000 00000000
#93ee030 00000000 00000000 00000000 00000000
#93ee040 00000000 00000000 00000000 00000000
#93ee050 00000000 00000000 00000000 00000000
#93ee060 00000000 00000000 00000000 00000000
#93ee070 00000000 00000000 00000000 00000000
According to the high bits of the virtual address, the PDE index into the PD is 0, that is, the first PDE: 093fb067.

In the PDE 093fb067, the high 20 bits (that is, 093fb000) are the starting address of its page table, and the low 12 bits are the page table attributes. What each attribute bit represents is not repeated here.

Adding the starting address of the page table to the index of the page table entry gives the physical address of the PTE. We know from above that the PTE index of the virtual address is b2, so the PTE address is:

093fb000 + b2 * 4 (because each table entry occupies 4 bytes)

lkd> !dd 093fb000 + b2 * 4
#93fb2c8 105eb067 148ec886 18aed886 0dcee886
#93fb2d8 00000080 00000000 00000000 00000000
#93fb2e8 00000000 00000000 00000000 00000000
#93fb2f8 00000000 00000000 00000000 00000000
#93fb308 00000000 00000000 00000000 00000000
#93fb318 00000000 00000000 00000000 00000000
#93fb328 00000000 00000000 00000000 00000000
#93fb338 00000000 00000000 00000000 00000000

We can see that the PTE at this address is 105eb067; its high 20 bits (105eb000) are the starting address of the physical memory page, and its low 12 bits are the memory page attributes.

Adding the starting address of the physical page to the in-page offset of the virtual address gives the physical address.

That is, 105eb000 + ee0 = 105ebee0

Let's take a look at what is stored at this address:

lkd> !dd 105ebee0
#105ebee0 00320031 00340033 00360035 0000002e
#105ebef0 00030025 0008013d 000b3060 000b2f14
#105ebf00 00000000 00000000 00000000 00000000
#105ebf10 00000000 5443534d 614d2e46 61687372
#105ebf20 746e496c 61667265 462e6563 4d656c69
#105ebf30 412e7061 462e4c4d 4545482e 00464945
#105ebf40 00000000 00000000 00000000 00000000
#105ebf50 00000000 00000000 00000000 00000000

lkd> !du 105ebee0
#105ebee0  "123456."

We can see that the content is identical to that of dd 000b2ee0 in user mode.

That is to say, we have found the exact physical address of virtual address 000b2ee0: 105ebee0.

When dd is used in user mode, however, this conversion is performed automatically.
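The five-step walk described above, carried through on the values from this session, as an added Python example that is not part of the original post. The "physical memory" is a constructed dict seeded only with the PDE and PTE shown above (DirBase 093ee000, PDE 093fb067, PTE 105eb067); everything else, including the not-present and 4 MB-page handling and the flag names, is an assumption of this example.

```python
"""Simulated 32-bit (non-PAE) IA-32 page walk. Added example, not from the original post."""

PAGE_MASK = 0xFFFFF000
# Low 12 attribute bits of a PDE/PTE (IA-32 names); PS (bit 7) marks a 4 MB page in a PDE.
FLAG_NAMES = {0: "P", 1: "R/W", 2: "U/S", 3: "PWT", 4: "PCD", 5: "A", 6: "D", 7: "PS"}

# Constructed physical memory: dword at physical address -> value; every other dword reads as 0.
PHYS_MEM = {
    0x093EE000 + 0 * 4:    0x093FB067,  # PDE 0 of calc.exe's page directory (DirBase 093ee000)
    0x093FB000 + 0xB2 * 4: 0x105EB067,  # PTE 0xb2 of that page table (dumped at #93fb2c8 above)
    0x105EBEE0:            0x00320031,  # "12" in UTF-16LE at the resolved physical address
}


def read_phys_dword(pa):
    return PHYS_MEM.get(pa, 0)


def split_va(va):
    """Fields of a 32-bit virtual address: PDE index (bits 31..22), PTE index (21..12), offset (11..0)."""
    return (va >> 22) & 0x3FF, (va >> 12) & 0x3FF, va & 0xFFF


def decode_flags(entry):
    """Names of the attribute bits set in the low 12 bits of a PDE or PTE."""
    return [name for bit, name in FLAG_NAMES.items() if entry & (1 << bit)]


def translate(cr3, va):
    """Return the physical address of va, or None if the PDE or PTE is not present.
    4 MB pages (PS set in the PDE) are outside the post's scope and are reported, not walked."""
    pde_idx, pte_idx, offset = split_va(va)
    pd_base = cr3 & PAGE_MASK                         # step 1: DirBase from CR3
    pde = read_phys_dword(pd_base + pde_idx * 4)      # step 2: PDE = PD[high 10 bits]
    if not pde & 1:
        return None
    if pde & (1 << 7):
        raise NotImplementedError("4 MB page: PDE holds the page base directly")
    pt_base = pde & PAGE_MASK                         # step 3: page table base = PDE high 20 bits
    pte = read_phys_dword(pt_base + pte_idx * 4)      # step 4: PTE = PT[middle 10 bits]
    if not pte & 1:
        return None
    return (pte & PAGE_MASK) | offset                 # step 5: page base + low 12 bits


if __name__ == "__main__":
    pa = translate(0x093EE000, 0x000B2EE0)
    print(f"VA 000b2ee0 -> PA {pa:08x}; PTE flags {decode_flags(0x105EB067)}")
```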
