Windows debugging 6

Source: Internet
Author: User

Memory Management

====================

The Memory Manager provides a set of system services to allocate and free virtual memory, share memory between processes, map files into memory, flush virtual pages to disk, retrieve information about a range of virtual pages, change the protection of virtual pages, and lock virtual pages into memory.

 

Two main tasks of the Memory Manager

  • Translating, or mapping, a process's virtual address space into physical memory, so that when a thread in that process reads or writes the virtual address space at run time, the correct physical memory is referenced. The subset of a process's virtual address space that is resident in physical memory is called the working set.
  • Paging some of the contents of memory out to disk when memory becomes overcommitted, that is, when running threads or system code try to use more physical memory than is currently available.

Like other Windows executive services, the memory management services allow their caller to supply a process handle that identifies the process whose virtual memory is to be manipulated. The caller can therefore manipulate the memory of another process (given the proper permissions). For example, if a process creates a child process, by default it has the right to manipulate the child process's virtual memory. From then on, the parent process can allocate, free, read, and write memory on behalf of the child process by calling the virtual memory services and passing the child process's handle as a parameter. This feature is used by subsystems to manage the memory of their client processes, and it is also a key technique for implementing debuggers, because a debugger must be able to read and write the memory of the process being debugged.
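The "proper permissions" mentioned above are the access rights granted on the process handle. The following C code is an added example, not part of the original article: it decodes the access mask found in handle-open records and reports which virtual memory services that handle permits. The record format, the `vm_caps` and `caps_from_record` names, and the sample lines are constructed for illustration; the `PROCESS_VM_*` values are the ones defined in winnt.h.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Process access rights; values as defined in winnt.h. */
#define PROCESS_VM_OPERATION 0x0008u /* VirtualAllocEx, VirtualFreeEx, VirtualProtectEx */
#define PROCESS_VM_READ      0x0010u /* ReadProcessMemory */
#define PROCESS_VM_WRITE     0x0020u /* WriteProcessMemory, together with VM_OPERATION */

enum { CAP_ALLOC = 1, CAP_READ = 2, CAP_WRITE = 4 }; /* hypothetical names */

/* Map a granted access mask to the cross-process memory services it permits. */
unsigned vm_caps(uint32_t granted)
{
    unsigned caps = 0;
    if (granted & PROCESS_VM_OPERATION) caps |= CAP_ALLOC;
    if (granted & PROCESS_VM_READ)      caps |= CAP_READ;
    /* Writing needs both rights; VM_WRITE alone is not enough. */
    if ((granted & PROCESS_VM_WRITE) && (granted & PROCESS_VM_OPERATION))
        caps |= CAP_WRITE;
    return caps;
}

/* Parse "GrantedAccess=0x..." from one record; -1 if missing or not valid hex. */
int caps_from_record(const char *line)
{
    static const char key[] = "GrantedAccess=";
    const char *p = strstr(line, key);
    char *end;
    if (!p) return -1;
    p += sizeof key - 1;
    unsigned long v = strtoul(p, &end, 16);
    if (end == p || v > 0xFFFFFFFFul) return -1;
    return (int)vm_caps((uint32_t)v);
}

int main(void)
{
    /* Constructed sample records, not taken from a real system. */
    const char *records[] = {
        "Source=parent.exe Target=child.exe GrantedAccess=0x1FFFFF",
        "Source=monitor.exe Target=app.exe GrantedAccess=0x1410",
        "Source=tool.exe Target=app.exe GrantedAccess=0x0020",
    };
    for (size_t i = 0; i < sizeof records / sizeof records[0]; i++)
        printf("%-58s caps=%d\n", records[i], caps_from_record(records[i]));
    return 0;
}
```

A handle that reports `CAP_READ` and `CAP_WRITE` together has the same reach into the target's memory that a debugger relies on, which is why such grants are worth reviewing when the source is not a parent process, subsystem, or debugger.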

 

The Memory Manager also provides a number of services, such as allocating and freeing physical memory and locking pages in physical memory for direct memory access (DMA) transfers, to other kernel-mode components and to device drivers. These functions begin with the prefix Mm. In addition, although not strictly part of the Memory Manager, the executive support routines prefixed with Ex are used to allocate and free memory from the system heaps (paged and nonpaged pools), as well as to manipulate look-aside lists.

 

System memory pool

====================

During system initialization, the Memory Manager creates two dynamic memory pools. Kernel-mode components use these two pools to allocate system memory.

  • Nonpaged pool --- a range of system virtual addresses that is guaranteed to be resident in physical memory at all times, so it can be accessed at any time (at any IRQL, from any process context) without incurring a page fault. Nonpaged pool is required because page faults cannot be satisfied at DPC/dispatch level or above.
  • Paged pool --- a region of virtual memory in system space that can be paged in and out of the system. Device drivers that do not need to access the memory at DPC/dispatch level or above can use paged pool. Paged pool is accessible from any process context.

Both memory pools are located in the system address space and are mapped into the virtual address space of every process. The executive provides routines to allocate and free memory from these two pools; ExAllocatePool is one of them.

 

There are two types of nonpaged pools: one for general use and a smaller one (4 pages) that the system reserves for emergencies, that is, for cases where nonpaged pool is full and the caller cannot tolerate an allocation failure. (The latter pool is no longer used; device drivers should be written to handle low-memory conditions correctly, and Driver Verifier makes this easy to test.) Uniprocessor systems have three paged pools; multiprocessor systems have five. Having more than one paged pool reduces how often system code blocks on simultaneous pool requests. Both paged and nonpaged pools start at an initial size based on the amount of physical memory and then grow, if necessary, up to a maximum size determined at system startup. You can override the initial sizes of these pools by changing the values NonPagedPoolSize and PagedPoolSize under the registry key HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management. A value of 0 lets the system calculate the size automatically; otherwise, specify a size in bytes.

 

Address Space Layout

======================

By default, each user process on 32-bit Windows can have up to 2 GB of private address space, and the operating system takes the remaining 2 GB. The Windows Server family supports a boot-time option that allows 3 GB of user address space. Windows XP and Windows Server 2003 include a switch (/userva) that allows the user address space to be set between 2 GB and 3 GB. For details about the layout of the two memory address spaces, see.

For a process to use an address space larger than 2 GB, its image file must have the IMAGE_FILE_LARGE_ADDRESS_AWARE flag set in the image header. Otherwise, Windows reserves the additional address space, so the application never sees addresses above 0x7FFFFFFF. The flag is set by specifying the linker option /LARGEADDRESSAWARE when the executable is built.

The flag has no effect on an operating system running with a 2 GB user address space. In addition, if you boot with the /3GB switch on an operating system that does not support a 3 GB user address space, the system space shrinks to 1 GB while the maximum user address space stays at 2 GB; even with the flag set, it is useless because the operating system does not support it.
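The flag check and the resulting user address limit, as an added C example that is not from the original article: it reads the Characteristics field of a PE header and applies the rules described above. The helper names and the minimal header built by `make_sample` are constructed, 0xBFFFFFFF is simply the 3 GB boundary implied by the sizes in the text, and intermediate /userva sizes are not modeled.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IMAGE_FILE_LARGE_ADDRESS_AWARE 0x0020u /* bit in COFF Characteristics */

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | p[1] << 8); }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | (uint32_t)rd16(p + 2) << 16; }

/* 1 if the flag is set, 0 if clear, -1 if the buffer is not a usable PE header. */
int pe_large_address_aware(const uint8_t *img, size_t len)
{
    if (len < 0x40 || img[0] != 'M' || img[1] != 'Z') return -1;
    uint32_t e_lfanew = rd32(img + 0x3C); /* file offset of "PE\0\0" */
    /* Signature (4) + COFF header (20) must fit; written to avoid overflow. */
    if (e_lfanew > len || len - e_lfanew < 24) return -1;
    if (memcmp(img + e_lfanew, "PE\0\0", 4) != 0) return -1;
    /* Characteristics is the last 2 bytes of the 20-byte COFF header. */
    return (rd16(img + e_lfanew + 22) & IMAGE_FILE_LARGE_ADDRESS_AWARE) ? 1 : 0;
}

/* Highest user-mode address the process sees under the rules in the text.
   boot_3gb (assumed input): 3 GB user space is enabled and supported by the OS. */
uint32_t user_space_top(int laa, int boot_3gb)
{
    return (laa == 1 && boot_3gb) ? 0xBFFFFFFFu : 0x7FFFFFFFu;
}

/* Build a minimal constructed header: "MZ", e_lfanew, "PE\0\0", COFF header. */
size_t make_sample(uint8_t *buf, size_t cap, uint16_t characteristics)
{
    const size_t off = 0x80;
    if (cap < off + 24) return 0;
    memset(buf, 0, off + 24);
    buf[0] = 'M'; buf[1] = 'Z';
    buf[0x3C] = (uint8_t)off;
    memcpy(buf + off, "PE\0\0", 4);
    buf[off + 22] = (uint8_t)(characteristics & 0xFF); buf[off + 23] = (uint8_t)(characteristics >> 8);
    return off + 24;
}

int main(void)
{
    uint8_t img[256];
    size_t n = make_sample(img, sizeof img, 0x0102 | IMAGE_FILE_LARGE_ADDRESS_AWARE);
    int laa = pe_large_address_aware(img, n);
    printf("LAA=%d top=0x%08X\n", laa, (unsigned)user_space_top(laa, 1));
    return 0;
}
```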

 

X86 system address space layout

======================================

On the x86 architecture, the system space contains the following components:

  • System code --- contains the operating system image, the HAL, and the device drivers used to boot the system.
  • System mapped views --- used to map Win32k.sys, the loadable kernel-mode part of the Win32 subsystem, as well as the kernel-mode graphics drivers it uses.
  • Session space --- used to map information specific to a user session. When Terminal Services is installed, Windows Server supports multiple user sessions. The session working set list describes the parts of session space that are resident and in use.
  • Process page tables and page directory --- the data structures that describe the mapping of virtual addresses.
  • Hyperspace --- a special region used to map the process working set list and to temporarily map other physical memory pages. Those temporary mappings are used for operations such as zeroing a page on the free list, invalidating page table entries in other page tables (for example, when a page is removed from the standby list), or setting up the address space of a new process when it is created.
  • System working set list --- describes the system working set.
  • System cache --- virtual address space used to map files opened in the system cache.
  • Paged pool --- the pageable system memory heap.
  • System page table entries (PTEs) --- a pool of system PTEs used to map system pages (such as I/O space, kernel stacks, and memory descriptor lists). You can see how many system PTEs are available by checking the Memory: Free System Page Table Entries counter in the Performance tool.
  • Nonpaged pool --- the nonpageable system memory heap. It usually consists of two parts: one at the low end of the system address space and one at the high end.
  • Crash dump information --- reserved to record information about a system crash.
  • HAL usage --- system memory reserved for HAL-related structures.
