Analyzing the memory mapping process in Linux x86-32 mode

Source: Internet
Author: User
Tags: linux mint

Preface

The virtual memory mechanism has become an indispensable part of modern operating systems. It gives each program an independent address space, which isolates programs from one another, and it improves memory utilization by swapping pages out to disk. Virtual memory management is a large and important part of the Linux code base. This article does not trace the mapping through the Linux source code; instead it verifies the x86-32 virtual-to-physical address translation process on a concrete running example.

Brief description of the mapping process

Memory mapping in x86-32 mode has two stages: segmentation and paging. The two-step design exists mainly for historical compatibility.

Compiled assembly code uses logical addresses of the form [segment selector:offset within the segment]. The segment selector can usually be omitted and only the offset given. There are six segment registers (CS, DS, SS, ES, FS, GS), each with its own meaning.

Segmentation converts a logical address into a linear address. As my previous articles showed, the segmentation mechanism is no longer really used: Linux runs in a flat segment model, so the logical address and the linear address are identical.

Converting a linear address into an actual physical address is called paging, and this is where the real virtual-to-physical translation happens. Paging uses a multi-level page table walk. The operating system maintains an independent set of page tables for each process so that processes cannot interfere with one another.

Because this article is a reverse verification exercise, it does not explain the whole mapping process in detail; some familiarity with the virtual memory mechanism is assumed.

Verification Scheme

The procedure in this article follows another article on the Internet; the link is listed at the end.

Because each process's resources are independent, the test program must keep running while its register state is read, and it must print that state itself. Most registers can only be read from the kernel, not from a user program, so we write a kernel module that reads them and passes the values to the user program through the /proc file system.

We also need to verify that the physical address obtained by the manual mapping procedure really holds the program's data, which requires a tool that reads data at an arbitrary physical address. For this we write a character device that handles such requests and uses the kmap function to temporarily map the page containing the requested physical address so its data can be read.

Finally, four programs are required, as shown below.

Program        Function
sys_reg.ko     Kernel module: reads the relevant registers and creates /proc/sys_reg
running-prog   Test program that must keep running; reads /proc/sys_reg and prints the program's register values
phy_mem.ko     Kernel module: reads the data at a specified physical address and creates /dev/phy_mem
read-phy-mem   Uses /dev/phy_mem to fetch and print the data at a specified physical address

Verification process

Compilation and loading

Compile the sources and load the sys_reg.ko and phy_mem.ko modules.

Run running-prog

Running it produces the following output:

The output shows variable a, whose physical address we want to find; both its value and its address are printed.

Segmentation Mechanism

CR0.PG shows that paging is enabled. Variable a lives in the data segment. The value of the DS segment register shows that the GDT is used, with entry 15; the base address in GDTR is 0xf70000000. Note that this is a linear address, and the Linux kernel's linear-to-physical mapping offset is 0xC0000000. The address of the GDT entry in use is therefore obtained as follows.

0xF7386000 - 0xC0000000 + 15 * 8 = 0x37386078

The GDT entry value read from that address, decoded with the GDT entry format, gives the parameters of this segment:

Name   Value
Base   0x00000000
Limit  0xFFFFF
G      1

The segment base is 0x00000000, and G together with the limit gives a segment size of 4 GB. The linear address of variable a is therefore obtained from its logical address as follows:

0x0804A044 + 0x00000000 = 0x0804A044
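The segmentation step above, as an added example that is not part of the original article or its source code: it decodes an 8-byte GDT descriptor into base, limit and G, applies the limit check, and computes the GDT entry address the way the article does. The descriptor value 0x00CFF2000000FFFF (the flat 4 GB user data segment) and the selector 0x7B (index 15) are assumed, since the article only shows the decoded fields.

```c
#include <stdint.h>

/* Decoded fields of an 8-byte GDT segment descriptor. */
struct seg_desc { uint32_t base; uint32_t limit; int g; int present; };

/* Pulls base, limit, G and P out of the descriptor's scattered bit fields. */
struct seg_desc decode_gdt_entry(uint64_t d) {
    struct seg_desc s;
    s.limit   = (uint32_t)(d & 0xFFFF) | ((uint32_t)((d >> 48) & 0xF) << 16);       /* limit 15:0, 19:16 */
    s.base    = (uint32_t)((d >> 16) & 0xFFFFFF) | ((uint32_t)((d >> 56) & 0xFF) << 24); /* base 23:0, 31:24 */
    s.g       = (int)((d >> 55) & 1);   /* granularity: limit counts 4 KB units when set */
    s.present = (int)((d >> 47) & 1);
    return s;
}

/* Byte size of the segment: with G=1 and limit 0xFFFFF this is 4 GB, hence the 64-bit result. */
uint64_t seg_size(struct seg_desc s) {
    return s.g ? ((uint64_t)s.limit + 1) << 12 : (uint64_t)s.limit + 1;
}

/* Logical -> linear: base + offset, after checking the offset against the limit. Returns 1 on success. */
int seg_to_linear(struct seg_desc s, uint32_t offset, uint32_t *linear) {
    if (!s.present || (uint64_t)offset >= seg_size(s)) return 0;
    *linear = s.base + offset;   /* flat model: base 0, so the address is unchanged */
    return 1;
}

/* Selector -> physical address of its GDT entry, the article's 0xF7386000 - 0xC0000000 + 15 * 8 step.
 * The selector's index is its upper 13 bits; page_offset is the kernel's linear-to-physical offset. */
uint64_t gdt_entry_phys(uint32_t gdtr_base_linear, uint16_t selector, uint32_t page_offset) {
    return (uint64_t)gdtr_base_linear - page_offset + (uint64_t)(selector >> 3) * 8;
}
```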

Paging Mechanism

CR4.PAE = 1 shows that PAE (Physical Address Extension) is enabled. In PAE mode there are two kinds of pages: 4 KB pages reached through a page table, and 2 MB pages mapped directly by a page-directory entry.

The register and entry formats are as follows:

In this case, CR3 holds the base address of the page-directory-pointer table (PDPT), 0x1EF49000. Bits 31-30 of the linear address of variable a select the PDPTE, so the PDPTE address used is:

0x1EF49000 + 0 * 8 = 0x1EF49000

The PDPTE gives the page directory base address 0x1EC9F000, and bits 29-21 of the linear address give the index 0x40, so the PDE address is:

0x1EC9F000 + 0x40 * 8 = 0x1EC9F200

The PDE is 0x0000000020A36067. Bit 7 is 0, so the entry points to a page table, whose base address is 0x20A36000. Bits 20-12 of the linear address give the index 0x4A, so the PTE address used is:

0x20A36000 + 0x4A * 8 = 0x20A36250

The PTE is 0x000000000B628067, so the base address of the final 4 KB page frame is 0x0B628000. Bits 11-0 of the linear address give the offset 0x44, so the physical address of variable a is:

0x0B628000 + 0x44 = 0x0B628044

Reading that physical address gives the data 0x013579BB, which shows we have correctly found the physical address of a and thereby reverse-verified the PAE linear-address paging of Linux in x86-32 mode.
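The PAE page walk above, as an added example that is not part of the original article or its source code: it implements the PDPTE -> PDE -> PTE -> offset walk over a simulated physical memory that stands in for /dev/phy_mem, and also handles the 2 MB-page case (PDE bit 7 set) that the article mentions but does not hit. The PDE and PTE values and the result are the article's; the PDPTE contents and all entries of the 2 MB case are constructed.

```c
#include <stdint.h>
#include <stdio.h>

/* Entry values copied from the article's walk; PDPTE[0] and the 2 MB-page entries are constructed. */
#define CR3_VAL   0x1EF49000ULL
#define PAE_P     (1ULL << 0)
#define PAE_PS    (1ULL << 7)
#define FRAME_4K  0x000FFFFFFFFFF000ULL   /* bits 51:12 */
#define FRAME_2M  0x000FFFFFFFE00000ULL   /* bits 51:21 */

/* Reads one 8-byte entry at a physical address; stands in for the article's /dev/phy_mem device. */
typedef uint64_t (*read_qword_fn)(uint64_t paddr);

static uint64_t sim_read(uint64_t paddr) {
    switch (paddr) {
    case CR3_VAL + 0 * 8:          return 0x000000001EC9F001ULL; /* constructed PDPTE -> page dir 0x1EC9F000 */
    case 0x1EC9F000ULL + 0x40 * 8: return 0x0000000020A36067ULL; /* PDE from the article, bit 7 = 0 */
    case 0x20A36000ULL + 0x4A * 8: return 0x000000000B628067ULL; /* PTE from the article */
    case CR3_VAL + 1 * 8:          return 0x0000000030000001ULL; /* constructed PDPTE for the 2 MB case */
    case 0x30000000ULL + 0x40 * 8: return 0x00000000400000E7ULL; /* constructed PDE with PS (bit 7) = 1 */
    default:                       return 0;                      /* not present */
    }
}

/* PAE walk: PDPTE (bits 31:30) -> PDE (bits 29:21) -> PTE (bits 20:12) -> offset (bits 11:0).
 * Returns 1 and sets *paddr on success, 0 when an entry is not present. */
int pae_translate(uint64_t cr3, uint32_t lin, read_qword_fn rd, uint64_t *paddr) {
    uint64_t pdpte = rd((cr3 & ~0x1FULL) + ((lin >> 30) & 0x3) * 8);   /* PDPT is 32-byte aligned */
    if (!(pdpte & PAE_P)) return 0;
    uint64_t pde = rd((pdpte & FRAME_4K) + ((lin >> 21) & 0x1FF) * 8);
    if (!(pde & PAE_P)) return 0;
    if (pde & PAE_PS) {                      /* bit 7 set: the PDE maps a 2 MB page directly */
        *paddr = (pde & FRAME_2M) | (lin & 0x1FFFFF);
        return 1;
    }
    uint64_t pte = rd((pde & FRAME_4K) + ((lin >> 12) & 0x1FF) * 8);
    if (!(pte & PAE_P)) return 0;
    *paddr = (pte & FRAME_4K) | (lin & 0xFFF);
    return 1;
}

int main(void) {
    uint64_t pa;
    if (pae_translate(CR3_VAL, 0x0804A044u, sim_read, &pa))   /* the article's variable a */
        printf("0x0804A044 -> 0x%llX\n", (unsigned long long)pa);
    if (pae_translate(CR3_VAL, 0x4804A044u, sim_read, &pa))   /* constructed 2 MB-page case */
        printf("0x4804A044 -> 0x%llX\n", (unsigned long long)pa);
    return 0;
}
```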

End

Thanks to the Linux memory address mapping article; I referenced the original author's documents and code throughout. Thank you for sharing it.

The next article analyzes the memory mapping process in Linux x86-64 mode.

The source code download is below: study-linux-vm-32bit


Usage

make

make install

Load modules

sudo insmod ./output/sys_reg.ko

sudo insmod ./output/phy_mem.ko

running-prog

./output/running-prog

read-phy-mem

Use sudo, because reading and writing the /dev/phy_mem device requires root.

sudo ./read-phy-mem addr len

Status

This program was tested on i386 Linux Mint 14 with kernel 3.5.0-17.
