0% found this document useful (0 votes)

138 views

Windows Kernel Internals Advance Virtual Memory PDF

Uploaded by

tamthientai

Available Formats

Download as PDF, TXT or read online on Scribd

0% found this document useful (0 votes)

138 views

Windows Kernel Internals Advance Virtual Memory PDF

Uploaded by

tamthientai

Available Formats

Download as PDF, TXT or read online on Scribd

You are on page 1/ 21

Windows Kernel Internals Advance Virtual Memory

David B. Probert, Ph.D. Windows Kernel Development Microsoft Corporation

Microsoft Corporation 1

Microsoft Corporation

Solomon & Russinovich

Shared Memory Data Structures

Microsoft Corporation

PFN: Working Set Page

Microsoft Corporation

PFN: Free Page

Microsoft Corporation

PFN: Standby Page

Microsoft Corporation

PFN: Transition page

Microsoft Corporation

PFN Fields
PteAddress: VA of PTE referencing page RefCount: count of WS or IO locks OriginalPte: PTE to restore on soft-fault PteFrame: PageFrame for PteAddress Flags:
Modified : 1 ReadInProgress : 1 WriteInProgress : 1 PrototypePte: 1 PageColor : 4 PageLocation : 3 RemovalRequested : 1 CacheAttribute : 2
8

Microsoft Corporation

Page Table Entries

Some fields defined by hardware Six PTE states:
Active/valid Transition Modified-no-write Demand zero Page file Mapped file
Microsoft Corporation 9

Valid x86 Hardware PTEs

Reserved Global Dirty Accessed Cache disabled Write through Owner Write

Pageframe
31

R R R G R D A Cd Wt O W 1
12 11 10 9 8 7 6 5 4 3 2 1 0
10

Microsoft Corporation

x86 Invalid PTEs

Page file
Page file offset 0
31 12 11 10 9

Transition Prototype Protection

5 4

PFN

0
1 0

Transition
Page file offset 1
31 12 11 10 9

Transition Prototype Protection HW ctrl 0

5 4 1 0

Cache disable Write through Owner Microsoft Corporation Write

x86 Invalid PTEs

Demand zero:
PFN Page file PTE with zero offset and

Unknown:

PTE is completely zero or Page Table doesnt exist yet. Examine VADs.

Pointer to Prototype PTE

pPte bits 7-27
31 12 11 10 9 8 7
Microsoft Corporation

pPte bits 0-6

5 4

0
1 0
12

MMPAGING_FILE
PFN_NUMBER Size, MaxSize, MinSize, FreeSpace, CurrUsage, PeekUsage, HighestPage pFileObject ModWriterMdlEntries[] pPageFileName pAllocationBitmap Flags:
PageFileNumber, RefCount, BootPart
Microsoft Corporation 13

MMSUPPORT
// embedded in EPROCESS WorkingSetExpEntry[2] LastTrimTime Flags PageFaultCount, PeakWorkingSetSize, GrowthSinceLastEstimate MinimumWorkingSetSize, MaximumWorkingSetSize pVmWorkingSetList WSLE_NUMBER Claim, NextEstimationSlot, NextAgingSlot, EstimatedAvailable, WorkingSetSize

Microsoft Corporation

MMADDRESS_NODE
pParent, pLeft, pRight StartingVpn, EndingVpn

Microsoft Corporation

MMVAD
MMADDRESS_NODE AddressTreeNode pControlArea pFirstProtoPte pLastContigPte Flags:
CommitCharge, PhysMap, ImageMap, Awe, Prot, MemCommit, Private, LargePages, WriteWatch, NoChange, FileOffset64k, SecNoChange, ReadOnly, Extendable, Inherit, CopyOnWrite
Microsoft Corporation 16

CONTROL_AREA
pSegment DereferenceListEntry[2] nSectRefs, nPfnRefs, nMapViews, nCacheViews, nUserRefs nModWrites, nFlushesActive, Flags pFileObject iPfnBase Subsections[]
Microsoft Corporation 17

SUBSECTION
pControlArea Flags:
ReadOnly, ReadWrite, SubsectionStatic, GlobalMemory, Protection, StartingSector, SectorEndOffset

StartingSector nFullSectors pSubsectBasePtes nUnusedPtes nPtesInSubsection pNextSubsection nMappedViews

Microsoft Corporation 18

SECTION
MMADDRESS_NODE AddressTreeNode pSegment Size InitialPageProt Flags:
BeingDeleted, BeingCreated, BeingPurged, NoModifiedWriting, FailAllIo, Image, Based, File, Networked, NoCache, PhysicalMemory, CopyOnWrite, Commit, FloppyMedia, WasPurged, UserReference, GlobalMemory, DeleteOnClose, FilePointerNull, DebugSymbolsLoaded, SetMappedFileIoComplete, CollidedFlush, NoChange, HadUserReference, ImageMappedInSystemSpace, UserWritable, Accessed, GlobalOnlyPerSession, Rom
Microsoft Corporation 19

SEGMENT
pControlArea nPtes nWritableUserRefs Size PteTemplate nCommittedPages Flags BasedAddress PrototypePte ProtoPtes[]
Microsoft Corporation 20

Discussion

Microsoft Corporation