After PAE is turned on, the 32-bit linear address is split differently, into four fields:
Bits 31-30: page directory pointer table (PDPT) index
Bits 29-21: page directory index
Bits 20-12: page table index
Bits 11-0: offset within the page
After PAE is turned on, the addresses stored in the paging structures are physical addresses, and every table entry grows to 8 bytes: bits 35-12 hold the physical base address of the next-level table (or of the final 4 KB page frame), and the low 12 bits hold the flag bits (present, read/write, user/supervisor, accessed, dirty, and so on).
Analyzing the PAE address translation mechanism by following the number entered in calc.exe on Windows Server 2008
We open calc.exe in the virtual machine, enter "1234567890", then open WinDbg, attach to the calc.exe process, and use "x calc!g*" to list the virtual addresses of all calc.exe symbols beginning with g:
0:002> x calc!g*
000b4aad calc!GroupDigits = <no type information>
000c4edc calc!ghwndtimeoutdlg = <no type information>
000c4d70 calc!g_fhighcontrast = <no type information>
000b5682 calc!Getkeycolor = <no type information>
000c4ecc calc!gfexiting = <no type information>
000b56cc calc!Gethelpid = <no type information>
000c4b80 calc!ghnoprecnum = <no type information>
000c4be8 calc!ghnoparnum = <no type information>
000c4038 calc!gszsep = <no type information>
000c4ec0 calc!ghcurold = <no type information>
000c4b6c calc!g_ahnochopnumbers = <no type information>
000c4ed4 calc!ghcalcdone = <no type information>
000c4d84 calc!gpsznum = <no type information>
000c4ee0 calc!gnpendingerror = <no type information>
000c402c calc!gszdec = <no type information>
000c4000 calc!gndecgrouping = <no type information>
000c4d98 calc!gcio = <no type information>
000c4d6c calc!ghnolastnum = <no type information>
000c4ed8 calc!ghdogthread = <no type information>
000c4d54 calc!g_hdecmenu = <no type information>
000c4efc calc!gbinexact = <no type information>
000c4d50 calc!g_hhexmenu = <no type information>
000c4ed0 calc!ghcalcstart = <no type information>
000c4d74 calc!g_flayoutrtl = <no type information>
000c4d90 calc!gbrecord = <no type information>
000c4d88 calc!gcchnum = <no type information>
000c4c4c calc!gcintdigits = <no type information>
000c4d40 calc!g_hwnddlg = <no type information>
000c4f10 calc!gfhalt = <no type information>
000c4d20 calc!gbusesep = <no type information>
000c4d68 calc!ghnomem = <no type information>
000c4f00 calc!gllfact = <no type information>
000c4d64 calc!ghnonum = <no type information>
000c4070 calc!gldprevious = <no type information>
calc!gpsznum is the variable that holds the displayed number; its virtual address is 000c4d84. Dump it with dd 000c4d84 to see the address the variable points to:
0:002> dd 000c4d84
000c4d84 00428378 0000000c 00000000 00000001
00428378 is the virtual address of the string "1234567890" (stored as UTF-16, so each digit occupies two bytes, which is why the dump reads 00320031 for "12"):
0:002> dc 00428378
00428378 00320031 00340033 00360035 00380037 1.2.3.4.5.6.7.8.
00428388 00300039 0000002e 5da02f60 88000000 9.0 ..... ....
Now we convert virtual address 00428378 to a physical address by hand. First use the .formats command to show the address in binary:
0:002> .formats 00428378
Evaluate expression:
  Hex:     00428378
  Decimal: 4359032
  Octal:   00020501570
  Binary:  00000000 01000010 10000011 01111000
  Chars:   .B.x
  Time:    Fri Feb 20 18:50:32 1970
  Float:   low 6.1083e-039 high 0
  Double:  2.15365e-317
Splitting the binary value according to the PAE 32-bit linear address layout gives:
Page directory pointer table index (bits 31-30) = 00 = 0x0
Page directory index (bits 29-21) = 000000 010 = 0x2
Page table index (bits 20-12) = 00010 1000 = 0x28
In-page offset (bits 11-0) = 0011 01111000 = 0x378
Next we use !process 0 0 to find the EPROCESS structure of calc.exe. Its DirBase field is the value the process runs with in CR3; with PAE enabled, bits 31-5 of CR3 hold the physical base address of the page directory pointer table (the table is 32-byte aligned). Note that !process and the !dq / !dc commands below read physical memory, so they need a kernel debugging session (hence the kd> prompt), not the user-mode attach used above.
PROCESS 8340c9f0  SessionId: 1  Cid: 0a34    Peb: 7ffdd000  ParentCid: 0278
    DirBase: 3ed32440  ObjectTable: 8fa64808  HandleCount:  46.
    Image: calc.exe
Because the low 5 bits of this CR3 value are all zero, the page directory pointer table base address is 3ed32440 itself. Use !dq 3ed32440 (a physical-memory quadword dump) to view the four 8-byte entries of the table:
kd> !dq 3ed32440
#3ed32440 00000000`06a49801 00000000`0698a801
#3ed32450 00000000`0638b801 00000000`0630c801
The page directory pointer table index derived above is 0, so the entry we need is the first one, 00000000`06a49801.
Bits 35-12 of the entry (24 bits) hold the physical base address of the page directory, so the page directory starts at 06a49000; the low 12 bits, 0x801, are flags, and bit 0 (P) being set means the entry is present. The page directory index is 0x2 and each entry is 8 bytes, so we enter !dq 06a49000+0x2*8:
kd> !dq 06a49000+0x2*8
# 6a49010 00000000`06b31867 00000000`06d7e867
The page directory entry is 00000000`06b31867. Its bits 35-12 give the page table base address, 06b31000 (bit 7, the large-page flag, is clear in 0x867, so a page table really does follow). The page table index is 0x28, so we enter !dq 06b31000+0x28*8:
kd> !dq 06b31000+0x28*8
# 6b31140 80000000`0620b867 00000000`00000000
The page table entry is 80000000`0620b867. Its bits 35-12 give the page frame base address, 0620b000. The low flag bits 0x867 mark the page present, writable and user-accessible, and the set bit 63 is the execute-disable (NX/XD) bit, so the page holding the string is data that cannot be executed. (The neighbouring entry, 00000000`00000000, has the present bit clear: virtual address 00429378 is not mapped.) Adding the in-page offset 0x378, we enter !dc 0620b000+0x378:
kd> !dc 0620b000+0x378
# 620b378 00320031 00340033 00360035 00380037 1.2.3.4.5.6.7.8.
# 620b388 00300039 0000002e 5da02f60 88000000 9.0 ..... ....
Therefore the physical address of the string is 0620b378, and the bytes there match the dc dump of virtual address 00428378 exactly.
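The same walk in code, covering both the address split derived from the .formats output and the CR3 -> PDPTE -> PDE -> PTE chain followed above with !dq. This is an added example, not code from the original article or from WinDbg: it simulates physical memory with a constructed table that holds only the 8-byte entries dumped on this page (PDPTE 0, PDE 0x2, PTE 0x28 and the zero PTE 0x29 next to it), and it also handles two cases the hand walk did not hit, a non-present entry and a 2 MB large page (PDE bit 7). The helper names (pae_split, pae_translate, sample_read_qword, sample_pa, sample_nx) and the 36-bit physical address mask are assumptions of the example, not taken from the page.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* PAE split of a 32-bit linear address: 2 | 9 | 9 | 12 bits. */
typedef struct {
    unsigned pdpt_index;   /* bits 31:30 */
    unsigned pd_index;     /* bits 29:21 */
    unsigned pt_index;     /* bits 20:12 */
    unsigned offset;       /* bits 11:0  */
} pae_va_t;

pae_va_t pae_split(uint32_t va)
{
    pae_va_t s;
    s.pdpt_index = (va >> 30) & 0x3;
    s.pd_index   = (va >> 21) & 0x1ff;
    s.pt_index   = (va >> 12) & 0x1ff;
    s.offset     = va & 0xfff;
    return s;
}

/* Bits of the 8-byte PAE entries used here (36-bit physical addresses assumed). */
#define PAE_P         (1ULL << 0)            /* present */
#define PAE_RW        (1ULL << 1)            /* writable (PDE/PTE only) */
#define PAE_US        (1ULL << 2)            /* user-accessible (PDE/PTE only) */
#define PAE_PS        (1ULL << 7)            /* PDE: maps a 2 MB page */
#define PAE_NX        (1ULL << 63)           /* execute-disable, needs EFER.NXE */
#define PAE_ADDR_MASK 0x000000fffffff000ULL  /* bits 35:12: next table / 4 KB frame */
#define PAE_2M_MASK   0x000000ffffe00000ULL  /* bits 35:21: 2 MB frame */

/* Physical-memory reader callback; returns false if the address is not backed. */
typedef bool (*read_qword_fn)(uint64_t pa, uint64_t *out);

typedef struct {
    uint64_t pa;       /* translated physical address */
    bool writable;     /* RW set in PDE and PTE */
    bool user;         /* U/S set in PDE and PTE */
    bool nx;           /* NX set in PDE or PTE */
    bool large_page;   /* mapped by a 2 MB PDE */
} pae_xlate_t;

/* Walk CR3 -> PDPTE -> PDE -> PTE, as done by hand with !dq in the text.
 * Returns false if any level is unbacked or not present. */
bool pae_translate(uint32_t cr3, uint32_t va, read_qword_fn rd, pae_xlate_t *out)
{
    pae_va_t s = pae_split(va);
    uint64_t pdpte, pde, pte;
    uint64_t pdpt_base = cr3 & 0xffffffe0u;   /* CR3 bits 31:5 hold the PDPT base */

    memset(out, 0, sizeof *out);
    if (!rd(pdpt_base + (uint64_t)s.pdpt_index * 8, &pdpte) || !(pdpte & PAE_P))
        return false;
    if (!rd((pdpte & PAE_ADDR_MASK) + (uint64_t)s.pd_index * 8, &pde) || !(pde & PAE_P))
        return false;
    if (pde & PAE_PS) {
        /* 2 MB page: no page table, the low 21 bits of the VA are the offset. */
        out->pa = (pde & PAE_2M_MASK) | (va & 0x1fffff);
        out->large_page = true;
        pte = pde;   /* permissions come from the PDE alone */
    } else {
        if (!rd((pde & PAE_ADDR_MASK) + (uint64_t)s.pt_index * 8, &pte) || !(pte & PAE_P))
            return false;
        out->pa = (pte & PAE_ADDR_MASK) | s.offset;
    }
    /* RW and U/S are ANDed across levels; NX is ORed. */
    out->writable = (pde & PAE_RW) && (pte & PAE_RW);
    out->user     = (pde & PAE_US) && (pte & PAE_US);
    out->nx       = ((pde | pte) & PAE_NX) != 0;
    return true;
}

/* Constructed physical memory: only the entries dumped on this page. */
typedef struct { uint64_t pa; uint64_t value; } phys_qword_t;

static const phys_qword_t sample_phys[] = {
    { 0x3ed32440ULL, 0x0000000006a49801ULL },  /* PDPTE 0  (!dq 3ed32440)        */
    { 0x06a49010ULL, 0x0000000006b31867ULL },  /* PDE 0x2  (!dq 06a49000+0x2*8)  */
    { 0x06b31140ULL, 0x800000000620b867ULL },  /* PTE 0x28 (!dq 06b31000+0x28*8) */
    { 0x06b31148ULL, 0x0000000000000000ULL },  /* PTE 0x29: not present          */
};

bool sample_read_qword(uint64_t pa, uint64_t *out)
{
    for (size_t i = 0; i < sizeof sample_phys / sizeof sample_phys[0]; i++)
        if (sample_phys[i].pa == pa) { *out = sample_phys[i].value; return true; }
    return false;
}

/* Query helpers over the sample memory, using calc.exe's DirBase as CR3. */
uint64_t sample_pa(uint32_t va)   /* 0 if the address is unmapped */
{
    pae_xlate_t r;
    return pae_translate(0x3ed32440u, va, sample_read_qword, &r) ? r.pa : 0;
}

bool sample_nx(uint32_t va)
{
    pae_xlate_t r;
    return pae_translate(0x3ed32440u, va, sample_read_qword, &r) && r.nx;
}
```

sample_pa(0x00428378) reproduces the dump: 0x0620b378, with sample_nx reporting the execute-disable bit from the PTE. For 0x00429378 the walk reaches the zero entry at 06b31148, sees the present bit clear and reports the address as unmapped instead of reading from page frame 0. Against a real target, replace sample_read_qword with a reader over a memory image or a kernel debugger's physical-memory access.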
Using WinDbg to convert a virtual address to a physical address with PAE enabled