Microsoft Corporation
Virtual memory system calls: NtQueryVirtualMemory, NtProtectVirtualMemory
Section system calls:
- NtOpenSection: opens an existing section
- NtQuerySection: queries the attributes of a section
- NtExtendSection
- NtMapViewOfSection (Sect, Proc, Addr, Size, ...)
- NtUnmapViewOfSection
AWE and write-watch system calls:
- NtAllocateUserPhysicalPages (Proc, NPages, &PFNs[])
- NtMapUserPhysicalPages (Addr, NPages, PFNs[])
- NtMapUserPhysicalPagesScatter
- NtFreeUserPhysicalPages (Proc, &NPages, PFNs[])
- NtResetWriteWatch
- NtGetWriteWatch: reads out the dirty bits for a section of memory since the last reset
NtAllocateVm flags
- MEM_RESERVE: only virtual address allocation
- MEM_COMMIT: physical allocation too
- MEM_TOP_DOWN: allocate VA at the highest available address (subject to the address mask)
- MEM_RESET: discard pagefile space
- MEM_PHYSICAL: for AWE
- MEM_LARGE_PAGES: 4 MB pages
- MEM_WRITE_WATCH: used for write-watch
x86 kernel virtual address (KVA) map (figure; start address and region):
80000000 System code, initial non-paged pool
A0000000 Session space (win32k.sys)
A4000000 Sysptes overflow, cache overflow
C0000000 Page directory self-map and page tables
C0400000 Hyperspace (e.g. working set list)
C0800000 Unused, no access
C0C00000 System working set list
C1000000 System cache
E1000000 Paged pool
E8000000 Reusable system VA (sysptes)
(no start address shown in the figure) Non-paged pool expansion
FFBE0000 Crash dump information
FFC00000 HAL usage
Pool allocation examples: Mm debug; general Mm allocations; object directory; symbolic link target strings; object device map
Size fields of pool headers are expressed in units of the smallest pool block size.
MDL flags
MDL_MAPPED_TO_SYSTEM_VA      0x0001
MDL_PAGES_LOCKED             0x0002
MDL_SOURCE_IS_NONPAGED_POOL  0x0004
MDL_ALLOCATED_FIXED_SIZE     0x0008
MDL_PARTIAL                  0x0010
MDL_PARTIAL_HAS_BEEN_MAPPED  0x0020
MDL_IO_PAGE_READ             0x0040
MDL_WRITE_OPERATION          0x0080
MDL_PARENT_MAPPED_SYSTEM_VA  0x0100
MDL_FREE_EXTRA_PTES          0x0200
MDL_DESCRIBES_AWE            0x0400
MDL_IO_SPACE                 0x0800
MDL_NETWORK_HEADER           0x1000
MDL_MAPPING_CAN_FAIL         0x2000
MDL_ALLOCATED_MUST_SUCCEED   0x4000
MmProbeAndLockPages: probes the specified pages, makes the pages resident, locks the physical pages, and updates the MDL to describe the physical pages.
MmUnlockPages: unlocks the physical pages.
MmMapLockedPages: maps physical pages into system or user virtual addresses.
Sysptes
Used to manage random use of kernel virtual memory, e.g. by device drivers. The kernel implements functions like:
MiReserveSystemPtes (n, type)
MiMapLockedPagesInUserSpace (mdl, virtaddr, cachetype, basevirtaddr)
[Figure: process object, with its handle table (handles pointing to objects), VAD tree (VADs), access token and a list of thread objects]
[Figure: two-level x86 page translation: page directory (PD, 1024 PDEs) -> page table (PT, 1024 PTEs) -> data page (4096 bytes)]
32-bit virtual address space layout (figure):
00000000: user space, unique per process: .EXE code, globals, per-thread user mode stacks, process heaps, .DLL code
System space (2 GB systemwide), accessible only in kernel mode: Exec, kernel, HAL, drivers, per-thread kernel mode stacks, Win32K.sys
C0000000: process page tables, hyperspace (per process, accessible only in kernel mode)
File system cache, paged pool, non-paged pool (system wide, accessible only in kernel mode)
FFFFFFFF
The operating system is loaded here and appears in every process's address space. There is no process for the operating system (though there are processes that do things for the OS, more or less in the background).
/3GB Option (figure):
00000000 - BFFFFFFF: unique per process, accessible in user or kernel mode: .EXE code, globals (= per application), per-thread user mode stacks, .DLL code, process heaps
C0000000 - FFFFFFFF: process page tables, hyperspace (per process, accessible only in kernel mode); Exec, kernel, HAL, drivers, etc. (system wide, accessible only in kernel mode)
To access a PDE/PTE from the kernel, use the self-map for the current process: PageDirectory[0x300] points at the page directory itself, so the page directory is used as a page table.
GetPdeAddress(va): 0xc0300000[va>>20]
GetPteAddress(va): 0xc0000000[va>>10]
PDE/PTE formats are compatible! Access another process's VA via thread attach.
[Figure: self-map walk through the page directory (PD, 1024 PDEs), page table (PT, 1024 PTEs) and 4096-byte page: PD entry 0x300 maps the page directory itself as a page table; example indices 0x300, 0x390, 0x321 with their address bit patterns]
Physical Memory
Maximum is 64 GB: Intel server processors support up to 64 GB of physical memory through PAE mode (enabled via CR4), which provides four more bits of physical address in PTEs.
Pageframe
31
R R R G R D A Cd Wt O W 1
12 11 10 9 8 7 6 5 4 3 2 1 0
33
Microsoft Corporation
Invalid (software) PTE formats, as drawn in the figures (valid bit 0 = 0; bit positions marked: 31, 12, 11, 10, 9):
Transition PTE: page frame number (PFN) in the upper bits, transition bit = 1, valid bit = 0.
Page file PTE: page file offset in the upper bits, valid bit = 0.
Unknown: the PTE is completely zero, or the page table doesn't exist yet. Examine the VADs.
Prototype PTEs
Kept in an array in the segment structure associated with section objects. Six PTE states:
- Active/valid
- Transition
- Modified-no-write
- Demand zero
- Page file
- Mapped file
Paging Dynamics
[Figure of page transitions: demand-zero page faults; page read from disk; kernel allocations]
The system can replenish the free page list by taking pages from the top of the standby page list.
This breaks the association between the process and the physical page, i.e. the system no longer knows whether the page still contains the process's information.
Pages can be faulted back into a process from the standby and modified page lists.
The standby page list (SPL) and modified page list (MPL) form a system-wide cache of pages likely to be needed again.
Pages in the working set are accessible without incurring a fault. A process always starts with an empty working set and pages itself into existence; many page faults may be resolved from memory (to be described later).
When the working set count equals the working set size, the process must give up pages to make room for new pages. The working set size is settable through SetProcessWorkingSetSize(). Pages may be locked in a working set using VirtualLock. Page replacement is least recently accessed.
Thread priority queue locking (figure): the goal is granular locking of the thread priority queues; the red states in the figure relate to swapped stacks and processes.
Cache Size
Virtual size: 64-960 MB. The cache is in system virtual address space, so it is visible to all, and is divided into 256 KB views.
Summary
- Manages physical memory and pagefiles
- Manages user/kernel virtual space
- Working-set based management
- Provides shared memory
- Supports physical I/O
- Address Windowing Extensions for large memory
- Provides session memory for Win32k GUI processes
- File cache based on shared sections
- Single implementation spans multiple architectures
Discussion