2025-03-26 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/03 Report--
Introduction:
I have been studying malicious code and software reverse engineering. During an interview I was asked about the Windows kernel and protected mode, and there were many questions I could not answer. I had studied the relevant material, but not in depth, and I had not reviewed it for a long time, so some of it had been forgotten.
My fundamentals are not solid; after all, I haven't written drivers or reviewed kernel/protected-mode material for a long time, so it is time to calm down and review it.
4GB virtual memory structure:
| Virtual memory address range | Description |
| --- | --- |
| 0x00000000 ~ 0x0000FFFF | 64KB null pointer area; cannot be accessed |
| 0x00010000 ~ 0x7FFFFFFF | Together with the null pointer area above, the low 2GB user-mode space |
| 0x80000000 ~ 0xFFFFFFFF | The high 2GB kernel-mode space |
For more details, please refer to this blog: blog.csdn.net/wang010366/article/details/52730052
How does a process address map to a physical address?
Picture 1: Mapping Relationship
The above picture is only a partial explanation. A virtual memory address is mapped to a physical memory address through page table conversion. Many processes are actually mapped to physical memory through this mechanism.
Picture 2: Address mapping process
Picture 2 shows the virtual address map. Note that the paging hierarchy is missing from it. Each entry in the page table is a page. How is the mapping to a physical address actually carried out? First, the CR0 family of control registers, which I had completely forgotten at the interview, so let's learn them again:

| Register | Description |
| --- | --- |
| CR0 | Contains processor flag control bits, such as PE, PG, WP, etc. |
| CR1 | Reserved |
| CR2 | Specially used to save the linear address that caused a page fault |
| CR3 | Saves the page directory address of the process |
| CR4 | Extended functions (such as determining whether physical address extension mode is in use); only implemented in Pentium series (including later versions of the 486) processors |
Picture 3: Control Register
What are PE, PG and WP?
PE: bit 0 of the CR0 register, Protection Enable. If this bit is 1, protected mode is enabled; otherwise the processor is in real-address mode. PE and PG are both set when protected mode with paging is in use.
PG: bit 31 of the CR0 register, Paging, the paging flag. If it is 1, paging is enabled. If paging is disabled, linear addresses are equal to physical addresses. Enabling paging requires protected mode (PE == 1).
WP: bit 16 of the CR0 register, Write Protect. WP == 1 means read-only pages cannot be written, even by kernel-mode (supervisor) code; WP == 0 means kernel-mode code can write to read-only pages.
The CR3 register holds the page directory address of the current process. What is a page directory?
Once protected mode and paging are enabled under Windows, CR0 has PE == 1 and PG == 1, which means every virtual address in a process is mapped to its physical address through page table translation, as shown in Picture 2. Let's walk through that translation by hand to learn it:
First of all, the two modes the paging mechanism can run in:

| Non-PAE mode | PAE mode |
| --- | --- |
| Non-physical address extension mode | Physical address extension mode |

PAE mode: Physical Address Extension. It lets a 32-bit operating system address more than 4GB of physical memory: up to 64GB can be used as regular 4KB pages, and the physical address width the kernel can use is extended from 32 to 36 bits.
Non-PAE mode: without physical address extension, 32 bits can address at most 4GB, so even if you have 8GB of memory, the extra is wasted.
So how does the operating system's paging mechanism work in non-PAE mode? Each page is 4KB and there is 4GB of memory in total, so 4194304KB makes 1048576 pages. How can these pages be managed efficiently?
1024(PDT) × 1024(PTT) × 4096 = 4GB
1024(PTT) × 1024(PTE) × 4 = 4MB
1024(PDT) ×1024(PTE) = 1MB
As the formulas above show, 4GB of paged memory is managed through the PDT, the PTT and the PTE, as follows:

| Name | Description |
| --- | --- |
| Page Directory Index Table (PDT) | Primary index |
| Page Table Index Table (PTT) | Secondary index |
| Page Table Entry (PTE) | Page table entry |

The PDT holds 1024 entries (PDEs), and each PTT holds 1024 entries (PTEs).
Picture 4: Address Resolution
This needs to be read together with Picture 2. The operating system obtains the page directory address of the current process from the CR3 register, then splits the virtual address into 10, 10 and 12 bits: the first 10 bits select the entry in the page directory, the next 10 bits select the entry in the page table, and the last 12 bits are the offset added to the page that entry points to, which gives the physical address. To make this easier to understand, it also helps to write a small program and follow the tables under WinDbg.
Write the test code as follows:
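```cpp
#include <cstdint>
#include <cstdio>

int main() {
    // Print the virtual address of the string literal, to be looked up in WinDbg.
    const char *str = "hello world";
    printf("virtual address: 0x%X\n",
           static_cast<unsigned int>(reinterpret_cast<uintptr_t>(str)));
    // The original listing is cut off here, at a cout statement.
    return 0;
}
```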
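The 10/10/12 walk described above (CR3, then PDE, then PTE, then page plus offset), as an added example that is not code from the original article. It runs against a small constructed "physical memory" array rather than a real machine; the names `phys`, `translate`, `build_tables` and `XLATE_FAULT`, and all addresses, are assumptions made for the illustration.

```c
#include <stdint.h>
#include <stdio.h>

#define PTE_PRESENT 0x1u         /* bit 0 of a PDE/PTE: entry is valid */
#define FRAME_MASK  0xFFFFF000u  /* bits 31..12: 4KB-aligned physical frame */
#define XLATE_FAULT 0xFFFFFFFFu  /* this example's sentinel for "page fault" */

/* Constructed 64KB "physical memory": 16 frames of 4KB, as 32-bit words. */
static uint32_t phys[16 * 1024];

/* Reads outside the toy memory return 0, i.e. a not-present entry. */
static uint32_t read_phys32(uint32_t pa)
{
    return pa / 4 < sizeof phys / sizeof phys[0] ? phys[pa / 4] : 0;
}

/* Non-PAE walk: CR3 -> PDE -> PTE -> frame + offset (10/10/12 split). */
uint32_t translate(uint32_t cr3, uint32_t va)
{
    uint32_t pdi = va >> 22;             /* top 10 bits: page directory index */
    uint32_t pti = (va >> 12) & 0x3FFu;  /* middle 10 bits: page table index */
    uint32_t off = va & 0xFFFu;          /* low 12 bits: offset in the page */

    uint32_t pde = read_phys32((cr3 & FRAME_MASK) + pdi * 4);
    if (!(pde & PTE_PRESENT)) return XLATE_FAULT;
    uint32_t pte = read_phys32((pde & FRAME_MASK) + pti * 4);
    if (!(pte & PTE_PRESENT)) return XLATE_FAULT;
    return (pte & FRAME_MASK) | off;
}

/* Build one mapping: virtual page 0x00403000 -> physical frame 0x5000. */
uint32_t build_tables(void)
{
    uint32_t cr3 = 0x1000u, pt = 0x2000u;            /* constructed addresses */
    phys[(cr3 + 1 * 4) / 4] = pt | PTE_PRESENT;      /* PDE[1] -> page table */
    phys[(pt + 3 * 4) / 4]  = 0x5000u | PTE_PRESENT; /* PTE[3] -> frame */
    return cr3;
}

int main(void)
{
    uint32_t cr3 = build_tables();
    uint32_t va = 0x00403ABCu;  /* PDI 1, PTI 3, offset 0xABC */
    printf("VA 0x%08X -> PA 0x%08X\n", (unsigned)va, (unsigned)translate(cr3, va));
    printf("VA 0x%08X -> 0x%08X (PDE not present)\n", 0x00800000u,
           (unsigned)translate(cr3, 0x00800000u));
    return 0;
}
```

A not-present PDE or PTE is the case in which the real processor raises a page fault and stores the faulting linear address in CR2.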