Memory management in the driver (yjx_driver_033)

Source: Internet
Author: User

1.

Memory management in the driver
A. Physical memory
B. Virtual memory
C. Ring0 addresses and Ring3 addresses
D. Relationship of drivers and processes
E. Paged and non-paged memory
F. Allocating kernel memory

"120" Understand two concepts: physical memory and virtual memory.

"140" These concepts are described for the 32-bit Windows operating system (running on a 32-bit or 64-bit CPU).

"210" These concepts are slightly different under 64-bit.

"240"

A. Physical memory (physical memory address)

At the time of the course the mainstream operating system was still 32-bit XP. A 32-bit system has an addressing capability of 2^32 bytes, so the physical address space runs from 0 to 0xFFFFFFFF and at most 4 GB of real physical memory can be addressed. (Board notes: 2 G + 0.5 G + 0.1 G; 2.75 to 3.25 GB; 2 G.) Because device memory such as video RAM is mapped into the same 4 GB physical address space, the RAM actually usable by 32-bit Windows is typically less than 4 GB.

"310" A 64-bit system has a theoretical addressing capability of 2^64 bytes (current CPUs implement fewer physical address bits than that).

"420" "Physical memory" is a generic term. If the machine has 2 GB of RAM, 0.5 GB of video memory and 0.1 GB of cache on the hard disk, all of these are physical memory and each is mapped to its own range of physical addresses. "565" That is, the physical memory is our RAM, the video memory and the RAM of other devices added together; that sum is the real physical memory. This is generally the case.

"645"

B. Virtual memory (virtual address)

Although a 32-bit system can address 4 GB of memory, a PC often does not have that much real physical memory (at the time a mainstream machine had about 2 GB of RAM), so the operating system and hardware provide the concept of virtual memory.

The role of virtual memory:
1. Regardless of how much physical memory the PC has, the operating system always gives each process 4 GB of virtual memory. This allows a program to request more memory than is physically present: when physical memory runs short, infrequently used pages are written out to the paging file and read back in when they are needed again.
2. The virtual memory of different processes does not interfere. To let the system run different processes side by side, Windows gives each process its own view of virtual memory, i.e. each process has its own mapping from virtual addresses to physical memory. For example, address 0x400123 in process A and address 0x400123 in process B are completely different locations: modifying that address in process A does not affect process B, because in A it is mapped to one physical address while in B it is mapped to another.
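As an added example that is not part of the original lesson, the following user-mode C program shows point 2 concretely: a parent and child process hold a variable at exactly the same virtual address, the child writes to it, and the parent's copy is unaffected. It uses POSIX fork() and a pipe rather than Windows APIs (an assumption of this example, since the lesson's kernel code cannot be run here); the isolation property it demonstrates is the one the text describes for Windows processes.

```c
/*
 * Added example (not from the original lesson): the same virtual address in
 * two processes refers to different physical memory.  POSIX fork/pipe are
 * used because this runs in user mode on any Unix-like host.
 */
#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

/* A global, so both processes see it at exactly the same virtual address. */
static int value_at_same_address = 0x11;

struct report {
    uintptr_t address;  /* virtual address of the variable as seen by the child */
    int value;          /* value the child sees there after writing */
};

/*
 * Returns 1 when both processes used the same virtual address but the
 * child's write did not reach the parent's copy; 0 on any failure.
 */
int same_va_different_memory(void)
{
    int fds[2];
    if (pipe(fds) != 0)
        return 0;

    pid_t child = fork();
    if (child < 0)
        return 0;

    if (child == 0) {
        /* Child: write through the shared-looking address, then report. */
        struct report r;
        value_at_same_address = 0x22;
        r.address = (uintptr_t)&value_at_same_address;
        r.value = value_at_same_address;
        close(fds[0]);
        if (write(fds[1], &r, sizeof r) != (ssize_t)sizeof r)
            _exit(1);
        close(fds[1]);
        _exit(0);
    }

    /* Parent: collect the child's report and compare with its own view. */
    close(fds[1]);
    struct report r;
    memset(&r, 0, sizeof r);
    ssize_t n = read(fds[0], &r, sizeof r);
    close(fds[0]);
    int status = 0;
    waitpid(child, &status, 0);
    if (n != (ssize_t)sizeof r || !WIFEXITED(status) || WEXITSTATUS(status) != 0)
        return 0;

    printf("parent: *%p = 0x%x\n", (void *)&value_at_same_address, value_at_same_address);
    printf("child : *%p = 0x%x\n", (void *)r.address, r.value);

    return r.address == (uintptr_t)&value_at_same_address   /* same virtual address ... */
        && r.value == 0x22                                  /* ... child wrote 0x22 there ... */
        && value_at_same_address == 0x11;                   /* ... parent's copy is untouched */
}

int main(void)
{
    return same_va_different_memory() ? 0 : 1;
}
```

The two printed addresses are identical because fork() duplicates the parent's address space layout; the two values differ because the copy-on-write page behind that address was split into two physical pages the moment the child wrote to it.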

"900" Where the virtual memory (paging file) settings are.

"1080" ZC: Isn't the 2nd role of virtual memory here actually the role of paging, rather than of virtual memory itself?

"1220"

C. Ring0 addresses and Ring3 addresses
User-mode addresses:
In 32-bit Windows, the low 2 GB of the 4 GB virtual address space, i.e. virtual addresses 0 to 0x7FFFFFFF, belongs to user mode.

Kernel-mode addresses:
The virtual memory from 0x80000000 to 0xFFFFFFFF, i.e. the high 2 GB, belongs to kernel mode. Windows also stipulates that a program running in user mode (ring 3) can only access user-mode addresses, while a program running in kernel mode (ring 0) can access the entire 4 GB of virtual memory, i.e. both user-mode and kernel-mode addresses. (This 2 GB / 2 GB split is the default; booting with /3GB moves the boundary to 0xC0000000. Note also that "can access" cuts both ways: a driver that dereferences a pointer handed to it from ring 3 without probing it first can be made to read or write kernel memory on behalf of user code.)
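As an added example that is not from the lesson, the following user-mode C code classifies a 32-bit virtual address as user or kernel and validates a user-supplied buffer range the way a driver must before copying from it. The constants model the default split described above; the kernel keeps the top 64 KB of the user half unmapped and probes user buffers against MmUserProbeAddress (0x7FFF0000 on x86) rather than the 2 GB line itself. The function names, the enum and the check shape are this example's own (they mirror what ProbeForRead enforces but are not the kernel's code).

```c
/*
 * Added example (not from the original lesson): user/kernel address
 * classification and ProbeForRead-style range validation for the default
 * 32-bit Windows address split.  Plain user-mode C; the constants are the
 * assumed default-split values, not values read from a live kernel.
 */
#include <stdint.h>
#include <stdio.h>

#define KERNEL_BASE        0x80000000u   /* first kernel-mode address (default split) */
#define USER_PROBE_ADDRESS 0x7FFF0000u   /* MmUserProbeAddress on x86: top 64 KB of user half is a no-access guard */

enum addr_class { ADDR_USER, ADDR_USER_GUARD, ADDR_KERNEL };

enum addr_class classify_address(uint32_t va)
{
    if (va >= KERNEL_BASE)        return ADDR_KERNEL;
    if (va >= USER_PROBE_ADDRESS) return ADDR_USER_GUARD;  /* never valid for a user buffer */
    return ADDR_USER;
}

/*
 * Mirrors what ProbeForRead checks before a driver touches a ring-3 buffer:
 * the whole range [base, base+len) must end at or below the probe address,
 * must not wrap past 0xFFFFFFFF, and base must be aligned.  Returns 1 when
 * the driver may go on to copy (inside __try/__except), 0 when the request
 * must be rejected.
 */
int probe_user_range(uint32_t base, uint32_t len, uint32_t alignment)
{
    if (len == 0)
        return 1;                                   /* empty ranges are accepted */
    if (alignment == 0 || (alignment & (alignment - 1)) != 0)
        return 0;                                   /* alignment must be a power of two */
    if (base & (alignment - 1))
        return 0;                                   /* misaligned buffer */
    uint32_t end = base + len;                      /* wraps modulo 2^32 on overflow */
    if (end < base)
        return 0;                                   /* wrapped: e.g. 0xFFFFFF00 + 0x200 */
    if (end > USER_PROBE_ADDRESS)
        return 0;                                   /* touches the guard region or the kernel half */
    return 1;
}

int main(void)
{
    /* Constructed requests a ring-3 caller might hand to an IOCTL handler. */
    struct { uint32_t base, len; } req[] = {
        { 0x00400000u, 0x1000u },   /* ordinary user buffer: accepted */
        { 0x7FFFF000u, 0x2000u },   /* straddles the user/kernel line: rejected */
        { 0xFFFFFF00u, 0x0200u },   /* wraps around: rejected */
        { 0x80000000u, 0x0010u },   /* kernel pointer disguised as a user buffer: rejected */
    };
    for (unsigned i = 0; i < sizeof req / sizeof req[0]; i++)
        printf("base=0x%08x len=0x%x class=%d ok=%d\n", req[i].base, req[i].len,
               (int)classify_address(req[i].base),
               probe_user_range(req[i].base, req[i].len, 4));
    return 0;
}
```

The wrap-around case is the one most often missed: without the end < base test, a base near the top of the address space plus a large length passes the "end below probe address" comparison and the driver reads kernel memory for the caller.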

"1500"

D. Relationship of Windows drivers and processes
A driver can be seen as a special DLL, except that it is loaded at a kernel-mode address, and this "DLL" can access the entire 4 GB of virtual memory.

Now look at the relationship between the driver and processes:
The different routines in a Windows driver run in different process contexts. DriverEntry runs in the System process, while dispatch routines such as IRP_MJ_READ, IRP_MJ_WRITE, IRP_MJ_CREATE and IRP_MJ_DEVICE_CONTROL run in the context of some process, and it is that process's virtual address space that they can access. (For a driver at the top of the device stack this is usually the process that issued the I/O request; a lower-level driver may be called in an arbitrary thread context, so it must not assume which process's user addresses are mapped.)

"1520" A driver cannot run independently; generally a user-mode EXE program loads it.

ZC: That's one-sided.

"1700" Many people may think DriverEntry runs in the process of the EXE that loaded the driver. That is actually not the case: it runs in the System process.

"1865" ZC: What process does "a process" refer to?

"1890" For example, we start test_exe.exe, use it to load the driver, and then use it to send the corresponding IRPs into our driver; the corresponding driver code then runs in that process.

ZC: IRP_MJ_READ, IRP_MJ_WRITE, IRP_MJ_CREATE, etc. should run in the process that sends them, which is not necessarily the process that loaded the driver.

"1980" So how do you distinguish which process context it is running in? (ZC: "How do you tell which process environment it runs in?")

2.

The code in Lesson 32
If the PID is the protected one, access is denied and the handle is set to NULL:

/* Inside the hook from Lesson 32: PID is the process the caller is trying to open, mypid is the protected process. */
if (PID == mypid)
{
    KdPrint(("protected process mypid=%d\n", (int)mypid));   /* debug output, like printf in C */
    ProcessHandle = NULL;          /* this is the key: the caller gets no handle (if ProcessHandle is the PHANDLE out-parameter, this must be *ProcessHandle = NULL) */
    rc = STATUS_ACCESS_DENIED;     /* this is the return value */
    /* PsLookupProcessByProcessId takes a reference on the EPROCESS; release it, since ep is overwritten below */
    if (NT_SUCCESS(PsLookupProcessByProcessId((HANDLE)PID, &ep)))
        ObDereferenceObject(ep);
    ep = PsGetCurrentProcess();    /* the current process, i.e. the one that made the open call */
    /* ImageFileName lives at EPROCESS+0x174 on XP (UniqueProcessId at +0x84); these offsets change between OS versions */
    KdPrint(("ACCESS Process Name--:%s--\n", (PTSTR)((ULONG)ep + 0x174)));
}

E. Paged and non-paged memory
The relationship between virtual memory pages and physical memory pages was described above. Windows specifies that some virtual memory pages may be swapped out to the paging file; this is called paged memory. Other virtual memory pages are never swapped out to a file; this is called non-paged memory. The distinction matters because a page fault cannot be serviced at DISPATCH_LEVEL or above, so anything touched at that IRQL (code, data or pool) must be non-paged.

When compiling a driver, you can specify whether a routine or a global variable is placed in paged or non-paged memory, by putting it in the PAGE section or leaving it in the default (non-paged) section.

In MINI_DDK we also define paging macros for this:

#include "ctl_code.h"
#include <windef.h>
#define INITCODE code_seg("INIT")   /* code in the INIT section is discarded once DriverEntry has returned, saving memory */
#define PAGECODE code_seg("PAGE")   /* code in the PAGE section may be paged out to disk when memory is short */
#define PAGEDATA data_seg("PAGE")   /* variables and data that may be paged out */

#pragma INITCODE
extern "C" NTSTATUS DriverEntry(PDRIVER_OBJECT pDriverObject, PUNICODE_STRING pRegistryPath);   /* typedef LONG NTSTATUS */

#pragma PAGECODE
NTSTATUS DDK_DispatchRoutine_Control(IN PDEVICE_OBJECT pDevObj, IN PIRP pIrp);

Note: at DISPATCH_LEVEL and above the program can only use non-paged memory; touching paged code or data there causes a blue screen. Put the PAGED_CODE() macro at the start of every routine placed in the PAGE section: in a checked build it asserts that the current IRQL is not above APC_LEVEL, so the mistake is caught at the call rather than as a random crash later.

F. Allocating kernel memory
Memory resources used by Windows drivers are precious and should be conserved when allocating. As in an application, local variables live on the stack, but the kernel stack is much smaller than an application's (12 KB per thread on 32-bit x86), so a driver should not recurse deeply or keep large structures in local variables. If you need a large structure, allocate it from the heap (pool) instead.

Because the memory is allocated in the kernel, the new/delete operators and functions such as malloc are not available.

User mode:

int *pi = (int *)malloc(sizeof(int));
int *pi = new int;

Kernel mode uses:

int *pi = (int *)ExAllocatePool(PagedPool, sizeof(int));   /* may return NULL: check before use; free with ExFreePool */
/* The same allocation with a tag, which is what drivers should use so the block can be attributed in the debugger ('xjy0' is just the tag chosen here): */
int *pi = (int *)ExAllocatePoolWithTag(PagedPool, sizeof(int), 'xjy0');
if (pi != NULL) { *pi = 0; ExFreePoolWithTag(pi, 'xjy0'); }

For now that is all; the next lesson tests each memory-related kernel API in detail.
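As an added example that is not from the lesson or MINI_DDK, the following user-mode C code models the rules from sections E and F so they can be exercised without a kernel: which pool type is legal at which IRQL, that an allocation can fail and must be checked, and that a tag travels with the block so a mismatched free is detected. The IRQL numbers, the pool-header layout, the stand-in allocator built on malloc and the POOL_TAG macro are assumptions of this example, not the Windows implementation; the IRQL and pool-type names are the real ones.

```c
/*
 * Added example (not the lesson's code): a user-mode model of the pool
 * allocation rules a driver must follow.  The allocator is a malloc-based
 * stand-in for ExAllocatePoolWithTag, written so the checks can run here.
 */
#include <stdint.h>
#include <stdlib.h>
#include <stdio.h>

/* Assumed x86 IRQL values for the three levels the rules care about. */
typedef unsigned char KIRQL;
#define PASSIVE_LEVEL  0
#define APC_LEVEL      1
#define DISPATCH_LEVEL 2

typedef enum { NonPagedPool = 0, PagedPool = 1 } POOL_TYPE;

/* Four-character tag, same idea as the 'abcd' multichar tags drivers pass to ExAllocatePoolWithTag. */
#define POOL_TAG(a, b, c, d) \
    ((uint32_t)(unsigned char)(a) | ((uint32_t)(unsigned char)(b) << 8) | \
     ((uint32_t)(unsigned char)(c) << 16) | ((uint32_t)(unsigned char)(d) << 24))

/* Header kept in front of every block so a free can be checked against its tag. */
struct pool_header {
    uint32_t tag;
    size_t   size;
};

/*
 * Returns 0 when the allocation is legal at this IRQL, otherwise a reason:
 *   1 = paged pool above APC_LEVEL (a page fault there cannot be serviced)
 *   2 = any pool allocation above DISPATCH_LEVEL
 * In the real kernel either case is a bug check, not a return value.
 */
int allocation_violation(KIRQL irql, POOL_TYPE type)
{
    if (irql > DISPATCH_LEVEL)                 return 2;
    if (type == PagedPool && irql > APC_LEVEL) return 1;
    return 0;
}

/* Model of ExAllocatePoolWithTag: NULL on any failure, never a bug check. */
void *model_allocate_pool_with_tag(KIRQL irql, POOL_TYPE type, size_t bytes, uint32_t tag)
{
    if (allocation_violation(irql, type) != 0)
        return NULL;
    if (bytes == 0 || bytes > SIZE_MAX - sizeof(struct pool_header))
        return NULL;                                   /* zero-size or size that would overflow */
    struct pool_header *h = malloc(sizeof *h + bytes);
    if (h == NULL)
        return NULL;                                   /* pool exhausted: callers must check */
    h->tag  = tag;
    h->size = bytes;
    return h + 1;                                      /* caller's block starts after the header */
}

/* Model of ExFreePoolWithTag: returns 1 on success, 0 if the tag does not match (block not ours). */
int model_free_pool_with_tag(void *p, uint32_t tag)
{
    if (p == NULL)
        return 0;
    struct pool_header *h = (struct pool_header *)p - 1;
    if (h->tag != tag)
        return 0;                                      /* freeing with the wrong tag: refuse instead of corrupting */
    free(h);
    return 1;
}

/* Model of PAGED_CODE(): a routine in the PAGE section may only be entered at <= APC_LEVEL. */
int paged_code_ok(KIRQL irql)
{
    return irql <= APC_LEVEL;
}

int main(void)
{
    const uint32_t tag = POOL_TAG('y', 'j', 'x', '1');   /* tag chosen for this example */
    /* A DPC-like caller at DISPATCH_LEVEL: paged pool is refused, non-paged pool works. */
    void *bad  = model_allocate_pool_with_tag(DISPATCH_LEVEL, PagedPool, 64, tag);
    void *good = model_allocate_pool_with_tag(DISPATCH_LEVEL, NonPagedPool, 64, tag);
    printf("paged@DISPATCH=%p nonpaged@DISPATCH=%p\n", bad, good);
    printf("free with wrong tag: %d, with right tag: %d\n",
           model_free_pool_with_tag(good, POOL_TAG('x', 'x', 'x', 'x')),
           model_free_pool_with_tag(good, tag));
    return 0;
}
```

The reason codes make the two failure modes separable: a PagedPool request from a DPC is a design error in the driver (pick NonPagedPool or defer to a work item), whereas a NULL return from a legal request is a runtime condition every call site has to handle.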

"1000" Physical address

PEPROCESS

/* Reading fields through hard-coded EPROCESS offsets; these hold for XP only (see the dt _EPROCESS dump below) */
int ep = (int)PsGetCurrentProcess();
ULONG *pid = (ULONG *)(ep + 0x84);      /* UniqueProcessId offset under XP */
PTSTR pname = (PTSTR)(ep + 0x174);      /* ImageFileName offset under XP (a 16-byte field, not guaranteed to be NUL-terminated) */

The offsets differ between Windows versions, so hard-coding them is fragile; PsGetProcessId() is the documented way to get the PID from a PEPROCESS.

0:kd> dt _EPROCESS

nt!_EPROCESS
   +0x000 Pcb              : _KPROCESS
   +0x06c ProcessLock      : _EX_PUSH_LOCK
   +0x070 CreateTime       : _LARGE_INTEGER
   +0x078 ExitTime         : _LARGE_INTEGER
   +0x080 RundownProtect   : _EX_RUNDOWN_REF
   +0x084 UniqueProcessId  : Ptr32 Void          // process PID; this offset differs between systems (the author notes +0x094 for 2003)
   +0x088 ActiveProcessLinks : _LIST_ENTRY
   +0x090 QuotaUsage       : [3] Uint4B
   +0x09c QuotaPeak        : [3] Uint4B
   +0x0a8 CommitCharge     : Uint4B
   +0x0ac PeakVirtualSize  : Uint4B
   +0x0b0 VirtualSize      : Uint4B
   +0x0b4 SessionProcessLinks : _LIST_ENTRY
   +0x0bc DebugPort        : Ptr32 Void
   +0x0c0 ExceptionPort    : Ptr32 Void
   +0x0c4 ObjectTable      : Ptr32 _HANDLE_TABLE
   +0x0c8 Token            : _EX_FAST_REF
   +0x0cc WorkingSetLock   : _FAST_MUTEX
   +0x0ec WorkingSetPage   : Uint4B
   +0x0f0 AddressCreationLock : _FAST_MUTEX
   +0x110 HyperSpaceLock   : Uint4B
   +0x114 ForkInProgress   : Ptr32 _ETHREAD
   +0x118 HardwareTrigger  : Uint4B
   +0x11c VadRoot          : Ptr32 Void
   +0x120 VadHint          : Ptr32 Void
   +0x124 CloneRoot        : Ptr32 Void
   +0x128 NumberOfPrivatePages : Uint4B
   +0x12c NumberOfLockedPages : Uint4B
   +0x130 Win32Process     : Ptr32 Void
   +0x134 Job              : Ptr32 _EJOB
   +0x138 SectionObject    : Ptr32 Void
   +0x13c SectionBaseAddress : Ptr32 Void
   +0x140 QuotaBlock       : Ptr32 _EPROCESS_QUOTA_BLOCK
   +0x144 WorkingSetWatch  : Ptr32 _PAGEFAULT_HISTORY
   +0x148 Win32WindowStation : Ptr32 Void
   +0x14c InheritedFromUniqueProcessId : Ptr32 Void
   +0x150 LdtInformation   : Ptr32 Void
   +0x154 VadFreeHint      : Ptr32 Void
   +0x158 VdmObjects       : Ptr32 Void
   +0x15c DeviceMap        : Ptr32 Void
   +0x160 PhysicalVadList  : _LIST_ENTRY
   +0x168 PageDirectoryPte : _HARDWARE_PTE
   +0x168 Filler           : Uint8B
   +0x170 Session          : Ptr32 Void
   +0x174 ImageFileName    : [16] UChar
   +0x184 JobLinks         : _LIST_ENTRY
   +0x18c LockedPagesList  : Ptr32 Void
   +0x190 ThreadListHead   : _LIST_ENTRY
   +0x198 SecurityPort     : Ptr32 Void
   +0x19c PaeTop           : Ptr32 Void
   +0x1a0 ActiveThreads    : Uint4B
   +0x1a4 GrantedAccess    : Uint4B
   +0x1a8 DefaultHardErrorProcessing : Uint4B
   +0x1ac LastThreadExitStatus : Int4B
   +0x1b0 Peb              : Ptr32 _PEB
   +0x1b4 PrefetchTrace    : _EX_FAST_REF
   +0x1b8 ReadOperationCount : _LARGE_INTEGER
   +0x1c0 WriteOperationCount : _LARGE_INTEGER
   +0x1c8 OtherOperationCount : _LARGE_INTEGER
   +0x1d0 ReadTransferCount : _LARGE_INTEGER
   +0x1d8 WriteTransferCount : _LARGE_INTEGER
   +0x1e0 OtherTransferCount : _LARGE_INTEGER
   +0x1e8 CommitChargeLimit : Uint4B
   +0x1ec CommitChargePeak : Uint4B
   +0x1f0 AweInfo          : Ptr32 Void
   +0x1f4 SeAuditProcessCreationInfo : _SE_AUDIT_PROCESS_CREATION_INFO
   +0x1f8 Vm               : _MMSUPPORT
   +0x238 LastFaultCount   : Uint4B
   +0x23c ModifiedPageCount : Uint4B
   +0x240 NumberOfVads     : Uint4B
   +0x244 JobStatus        : Uint4B
   +0x248 Flags            : Uint4B
   +0x248 CreateReported   : Pos 0, 1 Bit
   +0x248 NoDebugInherit   : Pos 1, 1 Bit
   +0x248 ProcessExiting   : Pos 2, 1 Bit
   +0x248 ProcessDelete    : Pos 3, 1 Bit
   +0x248 Wow64SplitPages  : Pos 4, 1 Bit
   +0x248 VmDeleted        : Pos 5, 1 Bit
   +0x248 OutswapEnabled   : Pos 6, 1 Bit
   +0x248 Outswapped       : Pos 7, 1 Bit
   +0x248 ForkFailed       : Pos 8, 1 Bit
   +0x248 HasPhysicalVad   : Pos 9, 1 Bit
   +0x248 AddressSpaceInitialized : Pos 10, 2 Bits
   +0x248 SetTimerResolution : Pos 12, 1 Bit
   +0x248 BreakOnTermination : Pos 13, 1 Bit
   +0x248 SessionCreationUnderway : Pos 14, 1 Bit
   +0x248 WriteWatch       : Pos 15, 1 Bit
   +0x248 ProcessInSession : Pos 16, 1 Bit
   +0x248 OverrideAddressSpace : Pos 17, 1 Bit
   +0x248 HasAddressSpace  : Pos 18, 1 Bit
   +0x248 LaunchPrefetched : Pos 19, 1 Bit
   +0x248 InjectInpageErrors : Pos 20, 1 Bit
   +0x248 VmTopDown        : Pos 21, 1 Bit
   +0x248 Unused3          : Pos 22, 1 Bit
   +0x248 Unused4          : Pos 23, 1 Bit
   +0x248 VdmAllowed       : Pos 24, 1 Bit
   +0x248 Unused           : Pos 25, 5 Bits
   +0x248 Unused1          : Pos 30, 1 Bit
   +0x248 Unused2          : Pos 31, 1 Bit
   +0x24c ExitStatus       : Int4B
   +0x250 NextPageColor    : Uint2B
   +0x252 SubSystemMinorVersion : UChar
   +0x253 SubSystemMajorVersion : UChar
   +0x252 SubSystemVersion : Uint2B
   +0x254 PriorityClass    : UChar
   +0x255 WorkingSetAcquiredUnsafe : UChar
   +0x258 Cookie           : Uint4B
