[原]线性地址到物理地址转换

参考
 
 
cr4第5位(从0开始)判断是否开启PAE(Physical Address Extension)
kd> .formats cr4
Evaluate expression:
  Hex:     000406f9
  Decimal: 263929
  Octal:   00001003371
  Binary:  00000000 00000100 00000110 11111001
  Chars:   ....
  Time:    Sun Jan 04 09:18:49 1970
  Float:   low 3.69843e-040 high 0
  Double:  1.30398e-318
 
第5位是1,故开启了PAE. 如果第5位是0,我们还要查看cr4的第4位,第4位表示是否开启大页面PSE(Page Size Extentions)
 
 
要查找的线性地址
kd> .formats 0x34f8ec
Evaluate expression:
  Hex:     0034f8ec
  Decimal: 3471596
  Octal:   00015174354
  Binary:  00000000 00110100 11111000 11101100
  Chars:   .4..
  Time:    Tue Feb 10 12:19:56 1970
  Float:   low 4.86474e-039 high 0
  Double:  1.7152e-317
 
 
按2 9 9 12分
2位:(30—31)页目录指针表的索引(PDPD)
9位:(21—29)页目录表索引
9位:(12—20)页表索引
12位:(0—11)页内偏移
 
Page Directory Pointer Index(PDPI)       00                 0x0,   Index into 1st table(Page Directory Pointer Table)
Page Directory Index(PDI)                000000001          0x1,   Index into 2nd table(Page Directory Table)
Page Table Index(PTI)                    101001111          0x14f, Index into 3rd table(Page Table)
Byte Index                               100011101100       0x8ec, the offset into the physical memory page
 
查找页目录基地址
kd> r cr3
cr3=3edd3480
 
找到对应的PDE
kd> !dq (@cr3 & 0xffffffe0)+(0y00*@@(sizeof(nt!_MMPTE))) L1
#3edd3480 00000000`281d8801
 
找到对应的PTE
kd> !dq (0x281d8801 & 0xFFFFFF000) +( 0y000000001*@@(sizeof(nt! _MMPTE))) L1
#281d8008 00000000`281ce867
 
 
找到对应的PT
kd> !dq (0x281ce867&0xFFFFFF000)+(0y101001111*@@(sizeof(nt! _MMPTE))) L1
#281cea78 80000000`27756867
 
kd> ?? (0x80000000`27756867 & 0xFFFFFFFF`FFFFFFF000)
unsigned int64 0x80000000`27756000
 
0x80000000`27756000就是我们要找的页表基址
虚拟地址0x34f8ec对应的物理地址则是0x80000000`277568ec
 
我们来验证下
kd> db 0x34f8ec
0034f8ec  61 61 61 61 00 cc cc cc-cc cc cc cc 44 f9 34 00  aaaa........D.4.
0034f8fc  3a c7 0f 00 01 00 00 00-20 fd 3a 00 80 fd 3a 00  :....... .:...:.
0034f90c  3f 03 b0 56 00 00 00 00-00 00 00 00 00 f0 fd 7f  ?..V............
0034f91c  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
0034f92c  0c f9 34 00 bc 7a 2d f8-88 f9 34 00 bf a4 0f 00  ..4..z-...4.....
0034f93c  5b e3 92 56 00 00 00 00-4c f9 34 00 1d c9 0f 00  [..V....L.4.....
0034f94c  58 f9 34 00 45 3c 46 77-00 f0 fd 7f 98 f9 34 00  X.4.E<Fw......4.
0034f95c  f5 37 89 77 00 f0 fd 7f-7b 96 bf 77 00 00 00 00  .7.w....{..w....
kd> !db 0x80000000`277568ec
#80000000277568ec 61 61 61 61 00 cc cc cc-cc cc cc cc 44 f9 34 00 aaaa........D.4.
#80000000277568fc 3a c7 0f 00 01 00 00 00-20 fd 3a 00 80 fd 3a 00 :....... .:...:.
#800000002775690c 3f 03 b0 56 00 00 00 00-00 00 00 00 00 f0 fd 7f ?..V............
#800000002775691c 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
#800000002775692c 0c f9 34 00 bc 7a 2d f8-88 f9 34 00 bf a4 0f 00 ..4..z-...4.....
#800000002775693c 5b e3 92 56 00 00 00 00-4c f9 34 00 1d c9 0f 00 [..V....L.4.....
#800000002775694c 58 f9 34 00 45 3c 46 77-00 f0 fd 7f 98 f9 34 00 X.4.E<Fw......4.
#800000002775695c f5 37 89 77 00 f0 fd 7f-7b 96 bf 77 00 00 00 00 .7.w....{..w....
 
正是我们的字符串aaaa
 
 
或者我们可以更简单的用!pte命令来取得物理地址
 
kd> !pte 0x34f8ec
                    VA 0034f8ec
PDE at C0600008            PTE at C0001A78
contains 00000000281CE867  contains 8000000027756867
pfn 281ce     ---DA--UWEV  pfn 27756     ---DA--UW-V
 
8000000027756867低12位清零后就是页表基址。和我们手动算出来的一样。
 
=======================================================
后记:之前用用内核调试,.process /p eprocess切换进程后, 
cr3的值和切换的进程的PDBR的值总是不一样。导致手动推导出来的物理地址不对。
后来突然想起来,cr3的值是操作系统在切换进程的时候才会切换的,所以用/process /p切换后值会不一样。
具体参考笔记:
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 





posted @ 2016-12-29 08:55  BCN  阅读(1566)  评论(0编辑  收藏  举报