Reposted from: http://user.qzone.qq.com/31731705/blog/1324046552

The articles Analysis of virtual memory mapping under PAE (http://user.qzone.qq.com/31731705/blog/1323414733) and Virtual memory mapping practice under PAE (http://user.qzone.qq.com/31731705/blog/1323426728) observed memory mapping in PAE mode on Win7 and discussed what is special about DirBase. Now let's look at where the DirBase itself is stored. The following WinDbg script prints each process name together with its DirBase value.
$$ Win7 x86 offsets: DirectoryTableBase at KPROCESS+0x18, ImageFileName at EPROCESS+0x16c (verify with: dt nt!_EPROCESS)
r @$t0 = 0
.printf /D "address\t\timagefile\r\n"
!for_each_process "r @$t1 = @#Process + 0x18; r @$t2 = @#Process + 0x16c; r @$t0 = @$t0 + 1; .printf /D \"%p\\t\\t%ma\\r\\n\", poi(@$t1), @$t2"
.printf /D "There is total %d items.\r\n", @$t0

Sorting the output in Excel gives:
address         imagefile
185000          System
dc922020        Smss.exe
dc922040        Csrss.exe
dc922060        Csrss.exe
dc922080        Svchost.exe
dc9220a0        Wininit.exe
dc9220c0        Services.exe
dc9220e0        Lsass.exe
dc922100        Lsm.exe
dc922120        Winlogon.exe
dc922140        Nvvsvc.exe
dc922160        Svchost.exe
dc922180        Svchost.exe
dc9221a0        Engie.exe
dc9221c0        Svchost.exe
dc9221e0        Svchost.exe
dc922200        Stacsv.exe
dc922220        LiveUpdate360.
dc922260        Svchost.exe
dc922280        WUDFHost.exe
dc9222a0        Zhudongfangyu.
dc9222c0        Svchost.exe
dc9222e0        Wlanext.exe
dc922300        Conhost.exe
dc922320        Spoolsv.exe
dc922340        Hostcontrolser
dc922360        Hoststorageser
dc922380        Svchost.exe
dc9223a0        Svchost.exe
dc9223c0        Svchost.exe
dc9223e0        AEstSrv.exe
dc922400        Svchost.exe
dc922420        Btwdins.exe
dc922440        Dsncservice.ex
dc922460        EvtEng.exe
dc922480        Svchost.exe
dc9224a0        Sqlservr.exe
dc9224c0        Svchost.exe
dc9224e0        Svchost.exe
dc922500        RegSrvc.exe
dc922520        Snmp.exe
dc922540        Sqlwriter.exe
dc922560        Txupd.exe
dc922580        TdmService.exe
dc9225a0        TDMEAgent.exe
dc9225c0        PEAgent.exe
dc9225e0        Peagentmonitor
dc922600        Vmnat.exe
dc922620        Vmware-convert
dc922640        Unsecapp.exe
dc922660        Vmware-convert
dc922680        WmiPrvSE.exe
dc9226a0        Tomcat6.exe
dc9226c0        Vmware-convert
dc9226e0        Conhost.exe
dc922700        Svchost.exe
dc922720        Wlcrasvc.exe
dc922740        wlidsvc.exe
dc922760        WLCRDPSYSTEM.E
dc922780        DCPBUTTONSVC.E
dc9227a0        CcmExec.exe
dc9227c0        WLIDSVCM.exe
dc9227e0        DCPSYSMGRSVC.E
dc922800        VMWARE-AUTHD.E
dc922820        Vmnetdhcp.exe
dc922840        VMWARE-HOSTD.E
dc922860        WmiPrvSE.exe
dc922880        Conhost.exe
dc9228a0        Alg.exe
dc9228c0        Hidfind.exe
dc9228e0        Svchost.exe
dc922900        Svchost.exe
dc922920        WmiPrvSE.exe
dc922940        Nvvsvc.exe
dc922980        WmiPrvSE.exe
dc9229a0        ApMsgFwd.exe
dc9229c0        Svchost.exe
dc9229e0        LMS.exe
dc922a00        Svchost.exe
dc922a20        EmEditor.exe
dc922a40        Iastordatamgrs
dc922a60        Searchindexer.
dc922a80        TXPlatform.exe
dc922aa0        UNS.exe
dc922ac0        Taskhost.exe
dc922b00        Explorer.exe
dc922b20        Iexplore.exe
dc922b40        Chrome.exe
dc922b60        Wlcomm.exe
dc922b80        Dwm.exe
dc922ba0        Chrome.exe
dc922bc0        RMAgent.exe
dc922c00        Livekd.exe
dc922c20        SynTPEnh.exe
dc922c40        Sttray.exe
dc922c60        IAStorIcon.exe
dc922c80        Btstackserver.
dc922ca0        rundll32.exe
dc922cc0        TDMEAgent.exe
dc922ce0        Conhost.exe
dc922d00        WavXDocMgr.exe
dc922d20        Dell.controlpo
dc922d40        BCMDEVICEANDTA
dc922d60        Apoint.exe
dc922d80        Wmdc.exe
dc922dc0        Onenotem.exe
dc922de0        Acrotray.exe
dc922e00        COMMUNICATOR.E
dc922e20        TdmNotify.exe
dc922e40        Stormtray.exe
dc922e60        Chrome.exe
dc922e80        Msnmsgr.exe
dc922ea0        BTTray.exe
dc922ee0        ApntEx.exe
dc922f00        DCPSysMgr.exe
dc922f20        QQ.exe
dc922f40        Conhost.exe
dc922f60        OUTLOOK.exe
dc922f80        360tray.exe
dc922fa0        rundll32.exe
dc922fc0        Chrome.exe
dc922fe0        QQExternal.exe
defd1020        osppsvc.exe
defd1080        DctSer.exe
defd10e0        Windbg.exe
defd1100        WmiApSrv.exe
defd1120        YodaoDict.exe
defd1140        Chrome.exe
defd1160        WordBook.exe
defd1180        Chrome.exe
defd11a0        Windbg.exe
defd11e0        Audiodg.exe
defd1200        Taskeng.exe

From this output, the DirBase addresses fall into 3 blocks.
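The grouping done by eye in Excel can be scripted. The Python below is an added example, not code from the original post: it parses "address imagefile" lines of the form the script above prints, groups each DirBase by the 4K physical page that holds it, computes its 0x20-byte slot, and reports the unused slots between the first and last occupied ones. The embedded sample is a constructed subset of the list above (kept small, but preserving the three page boundaries and one of the gaps); the 0x20 stride is the one the list shows.

```python
import re
from collections import defaultdict

PAGE_SIZE = 0x1000
PDPT_SIZE = 0x20          # a PAE PDPT is 4 entries x 8 bytes and must be 32-byte aligned
# 0xfe0 / 0x20 = 0x7f entries per page when slot 0 of the page is left unused
SLOTS_PER_PAGE = (PAGE_SIZE - PDPT_SIZE) // PDPT_SIZE

# Constructed sample: a subset of the sorted script output above. Header and
# footer lines are included to show that the parser skips them.
SAMPLE_OUTPUT = """\
address         imagefile
185000          System
dc922020        Smss.exe
dc922040        Csrss.exe
dc922060        Csrss.exe
dc922200        Stacsv.exe
dc922220        LiveUpdate360.
dc922260        Svchost.exe
dc922280        WUDFHost.exe
dc922fe0        QQExternal.exe
defd1020        osppsvc.exe
defd1080        DctSer.exe
defd10e0        Windbg.exe
defd1200        Taskeng.exe
There is total 13 items.
"""

# hex address, whitespace, image name (ImageFileName is at most 15 chars, may be truncated)
LINE_RE = re.compile(r"^\s*([0-9a-fA-F]{1,16})\s+(\S.*?)\s*$")


def parse_dirbases(text):
    """Return [(dirbase, image_name), ...]; lines that do not start with hex are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            entries.append((int(m.group(1), 16), m.group(2)))
    return entries


def unaligned(entries):
    """DirBase values that are not 32-byte aligned; a valid PAE PDPT address never is."""
    return [pa for pa, _ in entries if pa % PDPT_SIZE]


def group_by_page(entries):
    """Map each 4K physical page to a sorted list of (slot, name), slot = offset / 0x20."""
    pages = defaultdict(list)
    for pa, name in entries:
        page = pa & ~(PAGE_SIZE - 1)
        slot = (pa & (PAGE_SIZE - 1)) // PDPT_SIZE
        pages[page].append((slot, name))
    return {page: sorted(slots) for page, slots in pages.items()}


def gaps(pages):
    """Per page: slots between the first and last used one that hold no listed process
    (the discontinuities the post attributes to processes that have since exited)."""
    result = {}
    for page, slots in pages.items():
        used = {s for s, _ in slots}
        missing = [s for s in range(min(used), max(used) + 1) if s not in used]
        if missing:
            result[page] = missing
    return result


def report(text):
    """Human-readable summary of how the DirBases are packed into pages."""
    entries = parse_dirbases(text)
    pages = group_by_page(entries)
    free = gaps(pages)
    lines = [f"{len(entries)} processes in {len(pages)} page(s); "
             f"at most {SLOTS_PER_PAGE} per page when slot 0 is unused; "
             f"unaligned DirBases: {[hex(x) for x in unaligned(entries)]}"]
    for page, slots in sorted(pages.items()):
        lines.append(f"page {page:08x}: slots {slots[0][0]:#x}..{slots[-1][0]:#x}, "
                     f"{len(slots)} used, {len(free.get(page, []))} unused in between")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_OUTPUT))
```

On the full list the same script shows slot 1 through 0x7f of page dc922000 in use, which is the 127-process capacity derived later in the post.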
1. 185000 System

This process is always special: its page directory is kept in an ordinary 4K page.

0: kd> !vtop 0 80185000
X86VtoP: virt 80185000, pagedir defd11a0
X86VtoP: PAE PDPE defd11b0 - 0000000029b6c801
X86VtoP: PAE PDE 29b6c000 - 0000000000191063
X86VtoP: PAE PTE 191c28 - 0000000000185123
X86VtoP: PAE Mapped phys 185000
Virtual address 80185000 translates to physical address 185000.

0: kd> !pte 80185000
                    VA 80185000
PDE at C0602000            PTE at C0400C28
contains 0000000000191063  contains 0000000000185123
pfn 191       ---DA--KWEV  pfn 185       -G--A--KWEV

2. dc922020 Smss.exe
Smss is the first real process on Windows; its page directory and those of all later processes are kept in a 2M large page (in PAE mode a large page is 2M).
0: kd> !vtop 0 8a722020
X86VtoP: virt 8a722020, pagedir defd11a0
X86VtoP: PAE PDPE defd11b0 - 0000000029b6c801
X86VtoP: PAE PDE 29b6c298 - 00000000dc8009e3
X86VtoP: PAE Large page mapped phys dc922020
Virtual address 8a722020 translates to physical address dc922020.

0: kd> !pte 8a722020
                    VA 8a722020
PDE at C0602298            PTE at C0453910
contains 00000000DC8009E3  contains 0000000000000000
pfn dc800     -GLDA--KWEV  LARGE PAGE pfn dc922
The start address of the large page follows from its size (it is 2M-aligned):
0: kd> !vtop 0 8a600000
X86VtoP: virt 8a600000, pagedir defd11a0
X86VtoP: PAE PDPE defd11b0 - 0000000029b6c801
X86VtoP: PAE PDE 29b6c298 - 00000000dc8009e3
X86VtoP: PAE Large page mapped phys dc800000
Virtual address 8a600000 translates to physical address dc800000.

0: kd> !pte 8a600000
                    VA 8a600000
PDE at C0602298            PTE at C0453000
contains 00000000DC8009E3  contains 0000000000000000
pfn dc800     -GLDA--KWEV  LARGE PAGE pfn dc800
From these results, 0x8a600000 is the large-page boundary and the DirBase values start at 8a722020. Combined with the process list above, it appears Win7 uses nearly one 4K page (dc922020 to dc923000, 0x20 bytes short of 4K, i.e. 0xfe0 bytes) to hold the page directories of processes. Each entry is 0x20 bytes because under PAE the DirBase points at the 4-entry, 32-byte page-directory-pointer table, so one such page holds at most 0xfe0/0x20 = 0x7f (0n127) processes. The gaps in the middle of the DirBase sequence in the list above are, I suspect, slots of processes that ran and have since been terminated.

3. defd1020 osppsvc.exe
What about more than 127 processes? Then another large page is used.
0: kd> !pte 881d1020
                    VA 881d1020
PDE at C0602200            PTE at C0440E88
contains 00000000DEE009E3  contains 0000000000000000
pfn dee00     -GLDA--KWEV  LARGE PAGE pfn defd1

0: kd> !vtop 0 881d1020
X86VtoP: virt 881d1020, pagedir defd11a0
X86VtoP: PAE PDPE defd11b0 - 0000000029b6c801
X86VtoP: PAE PDE 29b6c200 - 00000000dee009e3
X86VtoP: PAE Large page mapped phys defd1020
Virtual address 881d1020 translates to physical address defd1020.
Or look at the start address of that large page:
0: kd> !vtop 0 88000000
X86VtoP: virt 88000000, pagedir defd11a0
X86VtoP: PAE PDPE defd11b0 - 0000000029b6c801
X86VtoP: PAE PDE 29b6c200 - 00000000dee009e3
X86VtoP: PAE Large page mapped phys dee00000
Virtual address 88000000 translates to physical address dee00000.

0: kd> !pte 88000000
                    VA 88000000
PDE at C0602200            PTE at C0440000
contains 00000000DEE009E3  contains 0000000000000000
pfn dee00     -GLDA--KWEV  LARGE PAGE pfn dee00
The page boundary is at 88000000 and the DirBase values start at 881d1020, so by the same reasoning as for the 8a600000 page, the range 881d1020 to 881d2000 is the space used to hold page directories.

Final summary: System is special; tested several times, the DirBase of the System process always sits in the 4K page at 80185000. The DirBases of all other processes are kept in 2M large pages, and in many cases there will be more than one such large page. Large pages are generally used by the operating system itself: they lower overhead (no page table is needed for the range) and reduce the processor's translation cost, since one TLB entry covers the whole 2M, which improves performance. A large page is also normally resident in physical memory. MSDN (http://msdn.microsoft.com/en-us/library/windows/desktop/aa366720(v=vs.85).aspx) describes it this way: "The memory is always read/write and nonpageable (always resident in physical memory)."

Finally, a diagram of the address-mapping process for a large page in PAE mode:
[Reprint] The page directory in Win7
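The !vtop walks shown in the post, reproduced as an added Python example (this is not the post's own code or a WinDbg extension): it walks PDPT, then page directory, then page table exactly as PAE hardware does, stopping at the page directory when the PS bit marks a 2M large page. The physical memory it reads is a constructed table holding only the 8-byte entries that the !vtop output above printed, keyed by the addresses it printed them at; the pagedir value defd11a0 comes from the same output. It also derives the PDE/PTE virtual addresses !pte printed (the x86 PTE self-map at C0000000 is assumed, as is the meaning of each flag letter in !pte's flag column).

```python
# PAE paging entries are 8 bytes wide; the address field is bits 12..51.
P          = 1 << 0                  # present / valid
PS         = 1 << 7                  # in a PDE: 1 => 2M large page, no page-table level
ADDR_MASK  = 0x000FFFFFFFFFF000      # 4K-aligned address held by a PDPTE / PDE / PTE
LARGE_MASK = 0x000FFFFFFFE00000      # 2M-aligned address held by a large-page PDE

# Constructed sample physical memory: only the entries that the !vtop walks
# above touched, stored at the physical addresses !vtop reported for them.
PHYS = {
    0xdefd11b0: 0x0000000029b6c801,  # PDPTE[2] of pagedir defd11a0 -> PD at 29b6c000
    0x29b6c000: 0x0000000000191063,  # PDE[0x00] -> page table at 191000
    0x00191c28: 0x0000000000185123,  # PTE[0x185] -> 4K page 185000 (System's DirBase)
    0x29b6c298: 0x00000000dc8009e3,  # PDE[0x53] large page dc800000 (8a600000..8a7fffff)
    0x29b6c200: 0x00000000dee009e3,  # PDE[0x40] large page dee00000 (88000000..881fffff)
}


def read_qword(pa):
    """Read one 8-byte paging entry from the sample memory."""
    try:
        return PHYS[pa]
    except KeyError:
        raise LookupError(f"sample memory has no entry at {pa:#x}") from None


def pae_vtop(dirbase, va, read=read_qword):
    """Translate a 32-bit virtual address under PAE the way !vtop does.
    dirbase is the 32-byte-aligned physical address of the 4-entry PDPT (the DirBase).
    Returns each level's (entry address, entry value) plus 'large' and 'phys'."""
    va &= 0xFFFFFFFF
    pdpte_addr = dirbase + ((va >> 30) & 0x3) * 8        # bits 31:30 pick one of 4 PDPTEs
    pdpte = read(pdpte_addr)
    if not pdpte & P:
        raise ValueError(f"PDPTE for {va:#x} not present")
    pde_addr = (pdpte & ADDR_MASK) + ((va >> 21) & 0x1FF) * 8   # 512 PDEs per directory
    pde = read(pde_addr)
    if not pde & P:
        raise ValueError(f"PDE for {va:#x} not present")
    trace = {"pdpte": (pdpte_addr, pdpte), "pde": (pde_addr, pde)}
    if pde & PS:                                         # 2M page: PDE holds the frame
        trace["large"] = True
        trace["phys"] = (pde & LARGE_MASK) | (va & 0x1FFFFF)
        return trace
    pte_addr = (pde & ADDR_MASK) + ((va >> 12) & 0x1FF) * 8     # 512 PTEs per table
    pte = read(pte_addr)
    if not pte & P:
        raise ValueError(f"PTE for {va:#x} not present")
    trace["pte"] = (pte_addr, pte)
    trace["large"] = False
    trace["phys"] = (pte & ADDR_MASK) | (va & 0xFFF)
    return trace


def self_map_addresses(va, pte_base=0xC0000000):
    """Virtual addresses that !pte prints. x86 Windows maps every page table through a
    recursive self-map at pte_base, so the PTE for va lives at pte_base + (va >> 12) * 8,
    and the PDE is simply the PTE of that PTE address (hence PDEs at C0600000 under PAE)."""
    va &= 0xFFFFFFFF
    pte_va = pte_base + (va >> 12) * 8
    pde_va = pte_base + (pte_va >> 12) * 8
    return pde_va, pte_va


def decode_flags(entry):
    """Render an entry's bits in the shape of !pte's flag column, e.g. '-GLDA--KWEV'."""
    bit = lambda n: (entry >> n) & 1
    return "".join([
        "C" if bit(9) else "-",    # copy-on-write (Windows software bit)
        "G" if bit(8) else "-",    # global
        "L" if bit(7) else "-",    # large page (PS)
        "D" if bit(6) else "-",    # dirty
        "A" if bit(5) else "-",    # accessed
        "N" if bit(4) else "-",    # cache disabled
        "T" if bit(3) else "-",    # write-through
        "U" if bit(2) else "K",    # user / kernel
        "W" if bit(1) else "R",    # writable / read-only
        "-" if bit(63) else "E",   # NX set -> not executable
        "V" if bit(0) else "-",    # valid
    ])


def show(dirbase, va):
    """Print a !vtop-style trace for va under dirbase."""
    t = pae_vtop(dirbase, va)
    pde_va, pte_va = self_map_addresses(va)
    print(f"virt {va:08x}, pagedir {dirbase:x}")
    print(f"  PDPE {t['pdpte'][0]:x} - {t['pdpte'][1]:016x}")
    print(f"  PDE  {t['pde'][0]:x} - {t['pde'][1]:016x}   "
          f"(PDE at {pde_va:X}, {decode_flags(t['pde'][1])})")
    if t["large"]:
        print(f"  large page mapped phys {t['phys']:x}")
    else:
        print(f"  PTE  {t['pte'][0]:x} - {t['pte'][1]:016x}   "
              f"(PTE at {pte_va:X}, {decode_flags(t['pte'][1])})")
        print(f"  mapped phys {t['phys']:x}")


if __name__ == "__main__":
    for va in (0x80185000, 0x8a722020, 0x8a600000, 0x881d1020, 0x88000000):
        show(0xdefd11a0, va)
```

Pointing read_qword at a real physical-memory reader (a crash dump, or a hypervisor's guest-memory view) turns this into a DirBase consistency check: any DirBase that is not 32-byte aligned, or whose PDPTEs do not point at present page directories, is not a table the CPU could have been running on.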