It's been a while since I last used WinDbg, I decided to get back to it
One of the commands it has is !vtop which translates a virtual address to its physical equivalent.
In this conversion, consulting the CR3 register which holds the location of the page directory is necessary.
This base address is different for each process mind you.
First switch to a certain process, LSA for example.
It's now within the right context, CR3 seems to be intact.
This happens because we're debugging the kernel.
Because PAE is inactive, the address is segmented as follows (starting from the MSB):
- 10 bits (Directory offset)
- 10 bits (Table offset)
- 12 bits (Page offset)
To get a better grip at things, let's convert the start address of the msv1_0 module.
The first two tables hold 4-byte elements, thus the multiplier used.
(Remember to left-pad the base-2 representation to length 32)
0111010100 (468 * 4 = 1872)
0000000000 (0 * 4 = 0)
000000000000 (0)
Given the PTE, it might be tempting to say the physical page is at 0x22ab5000.
Except, it's not true. In fact, in this scenario PPTEs are involved.
Resources
Converting Virtual Addresses to Physical Addresses (Microsoft)
No comments:
Post a Comment