Tuesday, February 17, 2015

Translating a virtual address to a physical address

1: kd> db 400000
00400000  4d 5a 90 00 03 00 00 00-04 00 00 00 ff ff 00 00  MZ..............
00400010  b8 00 00 00 00 00 00 00-40 00 00 00 00 00 00 00  ........@.......
00400020  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
00400030  00 00 00 00 00 00 00 00-00 00 00 00 e8 00 00 00  ................
00400040  0e 1f ba 0e 00 b4 09 cd-21 b8 01 4c cd 21 54 68  ........!..L.!Th
00400050  69 73 20 70 72 6f 67 72-61 6d 20 63 61 6e 6e 6f  is program canno
00400060  74 20 62 65 20 72 75 6e-20 69 6e 20 44 4f 53 20  t be run in DOS
00400070  6d 6f 64 65 2e 0d 0d 0a-24 00 00 00 00 00 00 00  mode....$.......
1: kd> !vtop 0 400000    (in the context of the current process)
X86VtoP: Virt 00400000, pagedir 29801e0
X86VtoP: PAE PDPE 29801e0 - 0000000019aa2801
X86VtoP: PAE PDE 19aa2010 - 000000000f2c0867
X86VtoP: PAE PTE f2c0000 - 8000000009be0025
X86VtoP: PAE Mapped phys 9be0000
Virtual address 400000 translates to physical address 9be0000.
1: kd> !db 9be0000
# 9be0000 4d 5a 90 00 03 00 00 00-04 00 00 00 ff ff 00 00 MZ..............
# 9be0010 b8 00 00 00 00 00 00 00-40 00 00 00 00 00 00 00 ........@.......
# 9be0020 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
# 9be0030 00 00 00 00 00 00 00 00-00 00 00 00 e8 00 00 00 ................
# 9be0040 0e 1f ba 0e 00 b4 09 cd-21 b8 01 4c cd 21 54 68 ........!..L.!Th
# 9be0050 69 73 20 70 72 6f 67 72-61 6d 20 63 61 6e 6e 6f is program canno
# 9be0060 74 20 62 65 20 72 75 6e-20 69 6e 20 44 4f 53 20 t be run in DOS
# 9be0070 6d 6f 64 65 2e 0d 0d 0a-24 00 00 00 00 00 00 00 mode....$.......


Method two:
1: kd> !process 0 0 explorer.exe
PROCESS 8206d730  SessionId: 0  Cid: 0654    Peb: 7ffd9000  ParentCid: 05e4
    DirBase: 029801e0  ObjectTable: e16c6460  HandleCount: 322.
    Image: explorer.exe

1: kd> !vtop 029801e0  400000
X86VtoP: Virt 00400000, pagedir 29801e0
X86VtoP: PAE PDPE 29801e0 - 0000000019aa2801
X86VtoP: PAE PDE 19aa2010 - 000000000f2c0867
X86VtoP: PAE PTE f2c0000 - 8000000009be0025
X86VtoP: PAE Mapped phys 9be0000
Virtual address 400000 translates to physical address 9be0000.
1: kd> !db 9be0000
# 9be0000 4d 5a 90 00 03 00 00 00-04 00 00 00 ff ff 00 00 MZ..............
# 9be0010 b8 00 00 00 00 00 00 00-40 00 00 00 00 00 00 00 ........@.......
# 9be0020 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
# 9be0030 00 00 00 00 00 00 00 00-00 00 00 00 e8 00 00 00 ................
# 9be0040 0e 1f ba 0e 00 b4 09 cd-21 b8 01 4c cd 21 54 68 ........!..L.!Th
# 9be0050 69 73 20 70 72 6f 67 72-61 6d 20 63 61 6e 6e 6f is program canno
# 9be0060 74 20 62 65 20 72 75 6e-20 69 6e 20 44 4f 53 20 t be run in DOS
# 9be0070 6d 6f 64 65 2e 0d 0d 0a-24 00 00 00 00 00 00 00 mode....$.......


1: kd> r cr3
cr3=029801e0


None of these results is computed by hand; they come from debugger commands, so the same approach works on 32-bit systems, whether PAE or non-PAE, as well as on x64 systems.
Another command is !pte, which is not demonstrated here.



The following is excerpted from: http://blogs.msdn.com/b/ntdebugging/archive/2010/06/22/part-3-understanding-pte-non-pae-and-x64.aspx
The PAE bit is bit number five, which is the sixth bit due to bit numbering starting at zero. You can see PAE is not enabled on this system.

       0: kd> .formats @cr4

  Binary:  00000000 00000000 00000110 11010001
                                        543210  (bit numbers added by me)
 Another method of checking this:

               1: kd> j ((@cr4 & 0y00000000000000000000000000100000) != 0) '.echo PAE flag Enabled';'.echo PAE flag Disabled'

PAE flag Enabled


--------------------------------------------------------------------------------------------------------------------------------------------------
Analysis on a 64-bit system:


1: kd> !process 0 0 explorer.exe
PROCESS fffffa801aab4b30
    SessionId: 1  Cid: 06b0    Peb: 7fffffd8000  ParentCid: 0650
    DirBase: 64e06000  ObjectTable: fffff8a001495e00  HandleCount: 796.
    Image: explorer.exe

1: kd> .process /r /p fffffa801aab4b30
Implicit process is now fffffa80`1aab4b30
.cache forcedecodeuser done
Loading User Symbols
................................................................
................................................................
....................
1: kd> db 40000
00000000`00040000  41 63 74 78 20 00 00 00-01 00 00 00 b8 1f 00 00  Actx ...........
00000000`00040010  94 00 00 00 00 00 00 00-20 00 00 00 00 00 00 00  ........ .......
00000000`00040020  14 00 00 00 01 00 00 00-04 00 00 00 34 00 00 00  ............4...
00000000`00040030  34 01 00 00 01 00 00 00-00 00 00 00 00 00 00 00  4...............
00000000`00040040  00 00 00 00 00 00 00 00-00 00 00 00 02 00 00 00  ................
00000000`00040050  00 00 00 00 00 00 00 00-00 00 00 00 f8 01 00 00  ................
00000000`00040060  56 01 00 00 00 00 00 00-cd ea ce 32 50 03 00 00  V..........2P...
00000000`00040070  42 00 00 00 94 03 00 00-3c 03 00 00 00 00 00 00  B.......<.......
1: kd> !vtop 0 40000
Amd64VtoP: Virt 00000000`00040000, pagedir 64e06000
Amd64VtoP: PML4E 64e06000
Amd64VtoP: PDPE 64a07000
Amd64VtoP: PDE 64a4e000
Amd64VtoP: PTE 64fcf200
Amd64VtoP: Mapped phys 64d06000
Virtual address 40000 translates to physical address 64d06000.
1: kd> !db 64d06000
#64d06000 41 63 74 78 20 00 00 00-01 00 00 00 b8 1f 00 00 Actx ...........
#64d06010 94 00 00 00 00 00 00 00-20 00 00 00 00 00 00 00 ........ .......
#64d06020 14 00 00 00 01 00 00 00-04 00 00 00 34 00 00 00 ............4...
#64d06030 34 01 00 00 01 00 00 00-00 00 00 00 00 00 00 00 4...............
#64d06040 00 00 00 00 00 00 00 00-00 00 00 00 02 00 00 00 ................
#64d06050 00 00 00 00 00 00 00 00-00 00 00 00 f8 01 00 00 ................
#64d06060 56 01 00 00 00 00 00 00-cd ea ce 32 50 03 00 00 V..........2P...
#64d06070 42 00 00 00 94 03 00 00-3c 03 00 00 00 00 00 00 B.......<.......
1: kd> !vtop 64e06000   40000
Amd64VtoP: Virt 00000000`00040000, pagedir 64e06000
Amd64VtoP: PML4E 64e06000
Amd64VtoP: PDPE 64a07000
Amd64VtoP: PDE 64a4e000
Amd64VtoP: PTE 64fcf200
Amd64VtoP: Mapped phys 64d06000
Virtual address 40000 translates to physical address 64d06000.
1: kd> !db 64d06000
#64d06000 41 63 74 78 20 00 00 00-01 00 00 00 b8 1f 00 00 Actx ...........
#64d06010 94 00 00 00 00 00 00 00-20 00 00 00 00 00 00 00 ........ .......
#64d06020 14 00 00 00 01 00 00 00-04 00 00 00 34 00 00 00 ............4...
#64d06030 34 01 00 00 01 00 00 00-00 00 00 00 00 00 00 00 4...............
#64d06040 00 00 00 00 00 00 00 00-00 00 00 00 02 00 00 00 ................
#64d06050 00 00 00 00 00 00 00 00-00 00 00 00 f8 01 00 00 ................
#64d06060 56 01 00 00 00 00 00 00-cd ea ce 32 50 03 00 00 V..........2P...
#64d06070 42 00 00 00 94 03 00 00-3c 03 00 00 00 00 00 00 B.......<.......
1: kd> r cr3
cr3=0000000000187000
1: kd> r cr4
cr4=00000000000406f8
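The !vtop output above is the debugger doing the page-table walk for you. To make the mechanics visible, here is an added example (not code from the original post or from WinDbg) that performs the same walk in software for both 32-bit PAE paging and x64 four-level paging, printing the same entry addresses and final physical address that !vtop reports, plus the CR4.PAE check from the excerpt. The PAE entry values are taken exactly from the post's !vtop output; the x64 entry contents are constructed here from the table addresses the post shows (the post does not print them), and the large-page mapping is entirely constructed. Physical memory is modelled as a dict of 64-bit entries, an assumption that replaces a real memory dump.

```python
# Added example, not from the original post: a software page-table walk that
# reproduces what WinDbg's !vtop prints for 32-bit PAE and x64 paging.

PRESENT = 1 << 0          # P: entry is valid
WRITABLE = 1 << 1         # R/W
USER = 1 << 2             # U/S: accessible from user mode
PAGE_SIZE = 1 << 7        # PS: this PDE (or x64 PDPE) maps a large page directly
NX = 1 << 63              # XD: execute-disable (PAE and x64 entries only)
ADDR_MASK = 0x000FFFFFFFFFF000   # bits 51:12 hold the next table's physical base

# Per level: (index width in bits, shift of that index inside the VA, name).
LAYOUTS = {
    "pae": ((2, 30, "PDPE"), (9, 21, "PDE"), (9, 12, "PTE")),
    "x64": ((9, 39, "PML4E"), (9, 30, "PDPE"), (9, 21, "PDE"), (9, 12, "PTE")),
}

def walk(mem, cr3, va, mode="x64"):
    """Translate va through the tables in mem ({physical address: 64-bit entry}).
    Returns (physical address, trace); trace lists (level, entry address, entry).
    Raises LookupError when a level is not present."""
    # PAE: CR3 points at a 32-byte aligned PDPT; x64: CR3 holds a 4 KiB aligned PML4.
    table = cr3 & ~0x1F if mode == "pae" else cr3 & ADDR_MASK
    trace = []
    for width, shift, name in LAYOUTS[mode]:
        index = (va >> shift) & ((1 << width) - 1)
        entry_addr = table + index * 8
        entry = mem.get(entry_addr, 0)       # unmapped memory reads as zero (not present)
        trace.append((name, entry_addr, entry))
        if not entry & PRESENT:
            raise LookupError(f"{name} at {entry_addr:x} is not present")
        # A PDE (2 MiB) or an x64 PDPE (1 GiB) with PS set ends the walk early;
        # the PAE PDPE has no PS bit.
        large_ok = name == "PDE" or (name == "PDPE" and mode == "x64")
        if entry & PAGE_SIZE and large_ok:
            page_mask = (1 << shift) - 1
            return (entry & ADDR_MASK & ~page_mask) | (va & page_mask), trace
        table = entry & ADDR_MASK
    return table | (va & 0xFFF), trace

def flags(entry):
    """Names of the flag bits set in a table entry."""
    bits = ((PRESENT, "P"), (WRITABLE, "RW"), (USER, "US"), (PAGE_SIZE, "PS"), (NX, "NX"))
    return [name for bit, name in bits if entry & bit]

def pae_enabled(cr4):
    """CR4.PAE is bit 5, the sixth bit counting from zero."""
    return bool(cr4 & (1 << 5))

# Constructed memory images.
# PAE: the three entries the post's !vtop printed for VA 0x400000, DirBase 0x29801e0.
PAE_MEM = {
    0x029801e0: 0x0000000019aa2801,   # PDPE -> page directory at 0x19aa2000
    0x19aa2010: 0x000000000f2c0867,   # PDE  -> page table at 0x0f2c0000
    0x0f2c0000: 0x8000000009be0025,   # PTE  -> page at 0x09be0000, NX set
}
# x64: entry addresses from the post's !vtop for VA 0x40000, DirBase 0x64e06000;
# the entry contents themselves are constructed (the post does not show them).
X64_MEM = {
    0x64e06000: 0x64a07000 | PRESENT | WRITABLE | USER,        # PML4E -> PDPT
    0x64a07000: 0x64a4e000 | PRESENT | WRITABLE | USER,        # PDPE  -> PD
    0x64a4e000: 0x64fcf000 | PRESENT | WRITABLE | USER,        # PDE   -> PT
    0x64fcf200: 0x64d06000 | PRESENT | WRITABLE | USER | NX,   # PTE   -> page
}
# Constructed x64 tables mapping VA 0x200000 with a 2 MiB large page (PS in the PDE).
LARGE_MEM = {
    0x1000: 0x2000 | PRESENT | WRITABLE,                       # PML4E -> PDPT
    0x2000: 0x3000 | PRESENT | WRITABLE,                       # PDPE  -> PD
    0x3008: 0x40000000 | PRESENT | WRITABLE | PAGE_SIZE,       # PDE index 1 -> 2 MiB page
}

if __name__ == "__main__":
    cases = (("pae", PAE_MEM, 0x29801e0, 0x400000), ("x64", X64_MEM, 0x64e06000, 0x40000))
    for mode, mem, cr3, va in cases:
        phys, trace = walk(mem, cr3, va, mode)
        for name, addr, entry in trace:
            print(f"{name:5} {addr:08x} - {entry:016x} {' '.join(flags(entry))}")
        print(f"Virtual address {va:x} translates to physical address {phys:x}.")
    print("PAE (cr4=6d1):", pae_enabled(0x6d1), " PAE (cr4=406f8):", pae_enabled(0x406f8))
```

Running it prints the same entry addresses as the post's two !vtop sessions (29801e0, 19aa2010, f2c0000 for PAE; 64e06000, 64a07000, 64a4e000, 64fcf200 for x64) and the same final physical addresses, and reports PAE disabled for the excerpt's cr4 value 6d1 but enabled for the 406f8 read on the 64-bit system. Note that the PAE PTE 8000000009be0025 has bit 63 set, so the page the MZ header lives in is mapped no-execute; the NX flag in the trace makes that visible where !vtop's raw value does not.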



Another approach:
http://blogs.technet.com/b/marcelofartura/archive/2008/11/20/how-to-manually-translate-virtual-addresses-into-physical-ones.aspx
d* /p VA




made by correy
made at 2014.12.25
