Windows virtual memory mechanism and virtual memory mechanism

Windows virtual memory mechanism and virtual memory mechanism

In windows, each process has its own Virtual Address Space ). The size of this address space is related to computer hardware, operating systems, and applications.

For 32-bit programs, up to 2 GB space can be used (0x0000000-0x7ffeffff ). To obtain a 3 GB address space, you can expand it in different windows systems as follows.

1. Operating System

① 32-bit Windows XP

② 32-bit win7 -- run the command as Administrator: bcdedit/set increaseuserva 3072

③ 64-bit win7 -- 3 GB is enabled for 32-bit programs by default, without additional settings

2. Application

For 32-bit or 64-bit windows, to enable 32-bit programs to use 3 GB memory, you must add the parameter/LARGEADDRESSAWARE at the link.

 

Process address space Section

Note: The process address space is low and the operating system kernel is high.

 

Process Address Space Distribution(Take 2 GB as an example)

In Windows, a 0x70000000-0x80000000 (256 MB in total) area is specified in the process space to map these common system DLL (such as kernel32.dll and ntdll. dll)

Adjust the default base address of the system DLL to prevent loading conflicts and trigger ReBasing)

Note: The base address must be aligned to the allocation granularity (64 KB)

 

In Win7, the base address of exe in the PE file is 0x400000, DllPrj. the base address of the dll is 0x0000000 and is not occupied by other dll; however, the actual exe is mapped to 0xEC0000, DllPrj. dll is mapped to 0x535A0000

When the exe and dll modules are generated, the parameter/DYNAMICBASE is used for Link (dynamic base address is enabled)

Note: Address space layout randomization. Address space layout randomization (ASLR): prevents malicious programs from attacking known addresses.

 

The windows Memory allocation process can be divided into the following three key points:

① Retain a segment of virtual memory address space: reserve a segment of address space from 4 GB of the process. // VirtualAlloc function with the MEM_RESERVE Parameter

The starting address must be an integer multiple of the system allocation granularity (64 KB), and the size must be an integer multiple of the system page size (4 kb ).

② Submit a virtual memory address space: map the reserved address space of the process to the virtual memory of the machine. // VirtualAlloc function with the MEM_COMMIT Parameter

Both the start address and size must be an integer multiple of the page size (4 kb ).

③ Ing the virtual memory address space to the physical memory page (RAM): When the page submitted by the access process is accessed, the page is interrupted by missing pages (also missing pages, page errors, PageFault) and modify the address space ing relationship of the corresponding page.

NOTE 1: The addresses accessed in the program must be reserved and submitted virtual memory addresses.

NOTE 2: You can use VirtualFree to release the reserved or submitted virtual memory address space.

 

Memory indicator Concept

Virtual Memory:

Private Bytes // The number of virtual memory Bytes of the Committed process corresponds to [Submit size] In win7 Task Manager and [Submit] in resource manager]

Peak Private Bytes // The maximum number of Bytes of the virtual memory of the Process Committed

Virtual Size // number of bytes in the Virtual address space of the process Reserved

Page Faults // The number of Page breaks that have occurred corresponds to the [Page Error] In the win7 Task Manager]

Physical memory:

Working Set = WS Private + WS writable able // The total number of bytes of physical memory occupied by the process corresponds to [work settings (memory)] In the win7 Task Manager and [Work Set] in the resource manager]

WS Private // The number of physical memory bytes exclusive to the process (for example, heap memory + stack memory + memory created by the cow mechanism) corresponds to [Memory (dedicated working set)] In the win7 task manager )], [dedicated] in Resource Manager]

WS Shareable // The number of physical memory bytes that a process can share with other processes (such as exe, dll code segment, and Data Segment) corresponds to [Shareable] In win7 Resource Manager]

WS Shared // number of physical memory bytes that the process has Shared with other processes, WS Shared <= WS retriable

// If only one exe instance is started, the exe code segment and Data Segment will not be Shared and will not be counted in WS Shared

Peak Working Set // The maximum number of bytes in the physical memory corresponds to [Peak work settings (memory)] In the win7 task manager )]

Note: All indicators in both the virtual memory and physical memory are counted by the user-mode usage.

 

Page Swap File

Page File: It is generally used as a backup storage for writing physical memory pages. In Windows, the file name is pagefile. sys, which is located in the root directory of each disk.

You can set the size of the page swap file based on the hardware and software status of the machine, or even disable the use of the page swap file.

 

Page Out: when the physical memory is insufficient, the system releases some unfrequently used and backup physical memory pages and directs the ing relationship of virtual addresses to the backup.

① Page-based swap files (such as heap and stack) as backups: Allocate space in the page-based swap files, copy the content to it, and release the files.

② Use memory ing files (such as exe and dll) as backups: directly release

Page In: when the system reads a virtual memory address and the Page where the address is located is not In the physical memory Page, a Page disconnection occurs,

Tells the system to retrieve the virtual memory page containing the address from the page swap file or memory ing file (that is, copy the content back to the physical memory page, and create a new virtual address ing to the physical memory page, and then release the space of the corresponding part of the page swap file ).

 

Write replication mechanism

Copy on write (COW): When the WRITECOPY attribute Memory Page is modified, the Memory Page copy is triggered to save the usage of physical memory and Page Swap files.

Note: When ing exe or dll files, the system specifies the data page as the PAGE_WRITECOPY attribute, and the code page as the PAGE_EXECUTE_WRITECOPY attribute.

Specific process:

① When a process modifies a memory page, the system finds an idle physical memory page, copies all the content to the new page, and marks the backup storage of the new page as a page swap file, finally, point the Virtual Memory Page of the process to the new physical memory page.

② After the above steps, the process can use its own copy and modify it on the new physical page without affecting the original memory page.

 

Reset base address

Rebasing: When a module is loaded, if the target address is occupied or is based on security considerations, the system allocates a new base address based on the size of the address space required by the module, load the module to the base address.

Problem:

① Once a Rebasing occurs, address correction should be performed on all pages in the relocation table during module ing.

② When the system modifies the pages of these addresses, the write-time replication mechanism is triggered.

 

Address Space Layout randomization(Address space layout randomization, ASLR)

Microsoft introduced the ASLR Technology in the Vista system. Each time a module is loaded to a random location (pseudo-random), it prevents malicious programs from attacking known addresses.

ASLR not only performs random processing on the module address, but also on the heap, stack, Process Environment Block (PEB), Thread Environment Block (Thread Environment Block, TEB) the address is also randomized.

ASLR technology puts Rebasing in the kernel for processing, which means that the Rebasing can be minimized within the system range (originally only within the process range, this reduces the usage of physical memory and Page Swap files.

 

PE file loading

 

Note: The ing must be in the unit of page (4 kb) and aligned by page boundary

After the ing is executed, most of the commands and data are not loaded into the physical memory. The loading process is dynamic with the execution of the program.

Specific process: When the cpu accesses commands and data, it finds that the page where the address is located is not in the physical memory page, it will trigger page missing interruption. At this time, the system will find an idle physical memory page, and load the content from the backup (image file or Page Swap file) to the physical memory page.