windows核情景分析学笔记6
分类: windows MFC20101019 1137226阅读评(0)收藏举报
1数存储存区间分类
①全局数占空间编译器编译链接时静态分配整进程存亡分配释放见
②局部数占空间调函数时动堆栈动态分配寿命取决函数作域分配释放隐含
③通malloc类函数动态分配存会直存直通free类函数加释放(进程终止运行)
2核户空间理
windows说户空间虚存址00x7fffffff范围2GB进程2GB户空间
般说真正中部分虚存址区间需物理映射
事实前正受访问页面必须映射物理存页面暂时受访问页面映射外设(硬盘)页面交换文件里实际时倒换回物理存页面中
原理说空间中已分配区间作节点然组成链表需时头扫描链表知道区间(实际应中组成成AVL树)
进程进程控制块中指针VadRoot指代表着户空间数结构中指针指颗AVL树颗树节点已分配区间信息节点定义:
[cpp]view plaincopyprint
1 typedef struct _MEMORY_AREA
2 {
3 PVOID StartingAddress
4 PVOID EndingAddress
5 struct _MEMORY_AREA *Parent
6 struct _MEMORY_AREA *LeftChild
7 struct _MEMORY_AREA *RightChild
8 ULONG Type
9 ULONG Protect
10 ULONG Flags
11 BOOLEAN DeleteInProgress
12 ULONG PageOpCount
13 union
14 {
15 struct
16 {
17 ROS_SECTION_OBJECT* Section
18 ULONG ViewOffset
19 PMM_SECTION_SEGMENT Segment
20 BOOLEAN WriteCopyView
21 LIST_ENTRY RegionListHead
22 } SectionData
23 struct
24 {
25 LIST_ENTRY RegionListHead
26 } VirtualMemoryData
27 } Data
28 } MEMORY_AREA *PMEMORY_AREA
颗MEMORY_AREA数结构节点AVL树代表户空间
结构图:
3核户空间理相关函数
AVL树操作应便接踵典型莫MmLocateMemoryAreaByAddress()
[cpp]view plaincopyprint
29 PMEMORY_AREA NTAPI
30 MmLocateMemoryAreaByAddress(
31 PMMSUPPORT AddressSpace
32 PVOID Address)
33 {
34 PMEMORY_AREA Node (PMEMORY_AREA)AddressSpace>WorkingSetExpansionLinksFlink
35
36 DPRINT(MmLocateMemoryAreaByAddress(AddressSpace p Address p)n
37 AddressSpace Address)
38
39 MmVerifyMemoryAreas(AddressSpace)
40
41 while (Node NULL)
42 {
43 if (Address < Node>StartingAddress)
44 Node Node>LeftChild
45 else if (Address > Node>EndingAddress)
46 Node Node>RightChild
47 else
48 {
49 DPRINT(MmLocateMemoryAreaByAddress(p) p [p p]n
50 Address Node Node>StartingAddress Node>EndingAddress)
51 return Node
52 }
53 }
54
55 DPRINT(MmLocateMemoryAreaByAddress(p) 0n Address)
56 return NULL
57 }
函数作定目标址果目标址(存AVL树中)返回节点否返回NULL
典型操作MmFindGap()函数作址空间中寻找定长度空闲址区间
需空间中分配址区间时通MmCreateMemoryArea()AVL树种创建节点函数致执行步骤:
①AVL树中搜索块指定区域(利MmFindGap)
②区域建立MEMORY_AREA结构
③AVL树种插入MEMORY_AREA结构
里虚存区间分配意味着物理页面分配意味着页面映射建立仅仅虚存址资源占
4存理中层次
MEMORY_AREA结构中成分Data枚举类型结构取两种类型SectionDataVirtualMemoryData前者代表文件映射区享存区者代表普通已分配存区间(部分情况)
VirtualMemoryData唯成分RegionListHead值区块链表头
谓区块?
已分配区间指示址连续范围定映射定拥样类型保护模式区块址连续拥相类型保护模式子区间
中区间包含干区块需链表维护链表节点类型_MM_REGION
定义:
[cpp]view plaincopyprint
58 typedef struct _MM_REGION
59 {
60 ULONG Type
61 ULONG Protect
62 ULONG Length
63 LIST_ENTRY RegionListEntry
64 } MM_REGION *PMM_REGION
区块组虚存页面组成页面着相保护模式
综述存中着样层次:空间区间区块页面示意图:
windows核情景分析学笔记7
分类: windows MFC20101019 1934301阅读评(0)收藏举报
1核物理页面理
物理存理页面单位物理存理实际物理页面理
核中物理页面数结构PHYSICAL_PAGE代表定义:
[cpp]view plaincopyprint
1 typedef struct _PHYSICAL_PAGE
2 {
3 union
4 {
5 struct
6 {
7 ULONG Type 2
8 ULONG Consumer 3
9 ULONG Zero 1
10 }
11 Flags
12 ULONG AllFlags
13 }
14
15 LIST_ENTRY ListEntry
16 ULONG ReferenceCount
17 SWAPENTRY SavedSwapEntry
18 ULONG LockCount
19 ULONG MapCount
20 struct _MM_RMAP_ENTRY* RmapListHead
21 }
22 PHYSICAL_PAGE *PPHYSICAL_PAGE
PHYSICAL_PAGE代表物理页面系统初始化时会构建起元素PHYSICAL_PAGE数组MmPageArray全局变量系统中少物理页面数组
样物理页面页面号(pfn)标找物理页面应PHYSICAL_PAGE(MmPageArray[pfn])
物理址页面页面号着固定关系页面4KB定义
[cpp]view plaincopyprint
23 #define PaToPfn(p) ((p)>>12)
PHYSICAL_PAGE中Type字段标示物理页面性质:
[cpp]view plaincopyprint
24 #define MM_PHYSICAL_PAGE_FREE (0x1)
25 #define MM_PHYSICAL_PAGE_USED (0x2)
26 #define MM_PHYSICAL_PAGE_BIOS (0x3)
显然物理页面三种空闲页面中页面BIOS页面
ListEntry字段PHYSICAL_PAGE链入某队列核中定义物理页面队列:
[cpp]view plaincopyprint
27 static LIST_ENTRY UsedPageListHeads[MC_MAXIMUM]
28 static LIST_ENTRY FreeZeroedPageListHead
29 static LIST_ENTRY FreeUnzeroedPageListHead
30 static LIST_ENTRY BiosPageListHead
①物理址0x100000低1MB范围中页面BIOSBiosPageListHead队列中
空闲队列两:
②FreeZeroedPageListHead已清零页面
③FreeUnzeroedPageListHead未清零页面刚释放物理页面时未清0处理
核线程MmZeroPageThreadMain受调度运行会FreeUnzeroedPageListHead队列中摘取物理页面清零挂入FreeZeroedPageListHead队列
④中页面队列UsedPageListHeads队列数组MC_MAXIMUM定义4实物理页面途分4队列
四途定义:
[cpp]view plaincopyprint
31 #define MC_CACHE (0) 磁盘容缓存
32 #define MC_USER (1) 户空间映射
33 #define MC_PPOOL (2) 标示倒换外存页面池
34 #define MC_NPPOOL (3) 标示倒换外存页面池
典型物理页面周转程:
①FreeZeroedPageListHead队列开始
②分配某户空间虚存页面映射该物理页面进入UsedPageListHeads[MC_USER]队列
③释放该物理页面进入FreeUnzeroedPageListHead队列
④核线程MmZeroPageThreadMain受调度运行该页面回FreeZeroedPageListHead队列
2常函数
物理页面分配MmAllocPage()函数函数实现:
[cpp]view plaincopyprint
35 PFN_TYPE
36 NTAPI
37 MmAllocPage(ULONG Consumer SWAPENTRY SavedSwapEntry)
38 {
39 PFN_TYPE PfnOffset
40 PLIST_ENTRY ListEntry
41 PPHYSICAL_PAGE PageDescriptor
42 KIRQL oldIrql
43 BOOLEAN NeedClear FALSE
44
45 KeAcquireSpinLock(&PageListLock &oldIrql)旋转锁操作原子操作
46 if (IsListEmpty(&FreeZeroedPageListHead))
47 {
48 FreeZeroedPageListHead中没页面FreeUnzeroedPageListHead中分配
49 if (IsListEmpty(&FreeUnzeroedPageListHead))
50 {
51 果两队列没页面返回空法分配
52 KeReleaseSpinLock(&PageListLock oldIrql)
53 return 0
54 }
55 ListEntry RemoveTailList(&FreeUnzeroedPageListHead)
56 UnzeroedPageCount
57
58 PageDescriptor CONTAINING_RECORD(ListEntry PHYSICAL_PAGE ListEntry)
59
60 NeedClear TRUE 需重新初始化0
61 }
62 else
63 {
64 优先选择FreeZeroedPageListHead队列中页面
65 ListEntry RemoveTailList(&FreeZeroedPageListHead)
66
67 PageDescriptor CONTAINING_RECORD(ListEntry PHYSICAL_PAGE ListEntry)
68 }
69
70 错误处理
71 if (PageDescriptor>FlagsType MM_PHYSICAL_PAGE_FREE)
72 {
73 KEBUGCHECK(0)
74 }
75 if (PageDescriptor>MapCount 0)
76 {
77 KEBUGCHECK(0)
78 }
79 if (PageDescriptor>ReferenceCount 0)
80 {
81 KEBUGCHECK(0)
82 }
83
84 分配成功初始化PPHYSICAL_PAGE参数
85 PageDescriptor>FlagsType MM_PHYSICAL_PAGE_USED
86 PageDescriptor>FlagsConsumer Consumer
87 PageDescriptor>ReferenceCount 1
88 PageDescriptor>LockCount 0
89 PageDescriptor>MapCount 0
90 PageDescriptor>SavedSwapEntry SavedSwapEntry
91 InsertTailList(&UsedPageListHeads[Consumer] ListEntry)
92
93 MmStatsNrSystemPages++
94 MmStatsNrFreePages
95
96 KeReleaseSpinLock(&PageListLock oldIrql)释放旋转锁原子操作结束
97
98 PfnOffset PageDescriptor MmPageArray
99 if (NeedClear)
100 {
101 FreeUnzeroedPageListHead队列中分配物理页面需初始化0
102 MiZeroPage(PfnOffset)
103 }
104 if (PageDescriptor>MapCount 0)
105 {
106 KEBUGCHECK(0)
107 }
108 return PfnOffset
109 }
参数Consumer表明页面途决定分配成功物理页面挂入队列SavedSwapEntry标示页面交换文件位置取0标示没倒换文件
windows核情景分析学笔记8
分类: windows MFC20101020 1108404阅读评(0)收藏举报
1页面映射
页面映射指虚存页面物理页面映射
虚存页面映射物理页面时间物理页面应空间虚存页面
示意图:
虚存页面虚必须通映射落实物理存储介质物理存储第选择物理存备般选择磁盘页面交换文件(物理存成较高般会做)样需前正受访问受访问页面保存物理存中暂时受访问页面保存页面交换文件中
页面映射示意图
进程页面映射表页面映射表采二级映射方式页面映射表结构
PTE容决定该虚拟页面映射虚拟页面映射列种:
①物理映射
②物理映射映射页面交换文件
③物理映射映射物理存某页面
针第三种情况PTE高20位代表映射物理页面页面号次4位预留程序员低8位定义:
[cpp]view plaincopyprint
1 #define PA_BIT_PRESENT (0)1表示映射页面存中
2 #define PA_BIT_READWRITE (1)1标示写0标示读
3 #define PA_BIT_USER (2)1标示户空间页面
4 #define PA_BIT_WT (3)
5 #define PA_BIT_CD (4)
6 #define PA_BIT_ACCESSED (5)访问该页面MMU动置1
7 #define PA_BIT_DIRTY (6)写入该页面MMU动置1
8 #define PA_BIT_GLOBAL (8)
示意图:
第0位PA_BIT_PRESENT需注意果0映射页面物理存中时操作系统会PTE指示页面页面交换文件中位置windows言高8位标示页面交换文件号低24位标示页面交换文件部页面号加1
2常函数
①
[cpp]view plaincopyprint
9 NTSTATUS
10 NTAPI
11 MmCreateVirtualMapping(PEPROCESS Process
12 PVOID Address
13 ULONG flProtect
14 PPFN_TYPE Pages
15 ULONG PageCount)
函数作:定组物理页面号(Pages)定进程(Process)虚拟址Address开始区块映射组物理页面
②
[cpp]view plaincopyprint
16 VOID
17 NTAPI
18 MmDeleteVirtualMapping(
19 struct _EPROCESS *Process
20 PVOID Address
21 BOOLEAN FreePage
22 BOOLEAN* WasDirty
23 PPFN_TYPE Page
24 )
函数作:删某虚拟址页面映射
③
[cpp]view plaincopyprint
25 NTSTATUS
26 NTAPI
27 MmPageOutVirtualMemory(
28 PMMSUPPORT AddressSpace
29 PMEMORY_AREA MemoryArea
30 PVOID Address
31 struct _MM_PAGEOP* PageOp
32 )
函数作:虚拟页面容倒出页面交换文件
3附加说明
核调度进程运行时需控制寄存器CR3容设置进程页面映射表址时页面映射表物理址样MMU找进PTE装入高速缓存TLB中
CPU需访问访问前进程页面映射表时虚拟址什进程页面映射表虚拟空间位置固定0xc0000000然进程页面映射表物理页面
4系统空间映射
进程系统空间基公PAGETABLE_MAP(页面映射表)HYPERSPACE两块方例外进程页面映射表实际分两部分
①系统空间映射部分容全局核映射表部分页面映射时常驻受进程切换影响
②户空间映射部分特定进程进程切换部分映射受刷
创建进程时核通MmCreateProcessAddressSpace()核映射表复制系统空间映射代码:
[cpp]view plaincopyprint
33 BOOLEAN
34 NTAPI
35 MmCreateProcessAddressSpace(IN ULONG MinWs
36 IN PEPROCESS Process
37 IN PULONG DirectoryTableBase)
38 {
39 NTSTATUS Status
40 ULONG i j
41 PFN_TYPE Pfn[2]
42 PULONG PageDirectory
43
44 分配两物理页面分PAGETABLE_MAPHYPERSPACE
45 for (i 0 i < 2 i++)
46 {
47 MC_NPPOOL允许倒换出物理存
48 Status MmRequestPageMemoryConsumer(MC_NPPOOL FALSE &Pfn[i])
49 if (NT_SUCCESS(Status))
50 {
51 for (j 0 j < i j++)
52 {
53 MmReleasePageMemoryConsumer(MC_NPPOOL Pfn[j])
54 }
55
56 return FALSE
57 }
58 }
59
60 分配第页面Hyperspace映射
61 PageDirectory MmCreateHyperspaceMapping(Pfn[0])
62
63 核映射表复制系统空间映射
64 memcpy(PageDirectory + ADDR_TO_PDE_OFFSET(MmSystemRangeStart)
65 MmGlobalKernelPageDirectory + ADDR_TO_PDE_OFFSET(MmSystemRangeStart)
66 (1024 ADDR_TO_PDE_OFFSET(MmSystemRangeStart)) * sizeof(ULONG))
67
68 PAGETABLE_MAPHYPERSPACE目录项进程变需更改
69 PageDirectory[ADDR_TO_PDE_OFFSET(PAGETABLE_MAP)] PFN_TO_PTE(Pfn[0]) | PA_PRESENT | PA_READWRITE
70 PageDirectory[ADDR_TO_PDE_OFFSET(HYPERSPACE)] PFN_TO_PTE(Pfn[1]) | PA_PRESENT | PA_READWRITE
71
72 MmDeleteHyperspaceMapping(PageDirectory)
73
74 DirectoryTableBase[0] PFN_TO_PTE(Pfn[0])
75 DirectoryTableBase[1] 0
76
77 return TRUE
78 }
函数表明系统空间映射MmGlobalKernelPageDirectory核映射表MmGlobalKernelPageDirectory中信息系统初始化时候创建
[cpp]view plaincopyprint
79 VOID
80 INIT_FUNCTION
81 NTAPI
82 MmInitGlobalKernelPageDirectory(VOID)
83 {
84 ULONG i
85 PAGEDIRECTORY_MAP值0xc0300000PDE基址
86 PULONG CurrentPageDirectory (PULONG)PAGEDIRECTORY_MAP
87
88
89 Setup template
90
91 HyperTemplatePteuLong (PA_PRESENT | PA_READWRITE | PA_DIRTY | PA_ACCESSED)
92 if (Ke386GlobalPagesEnabled) HyperTemplatePteuLong | PA_GLOBAL
93
94 for (i ADDR_TO_PDE_OFFSET(MmSystemRangeStart) i < 1024 i++)
95 {
96 if (i ADDR_TO_PDE_OFFSET(PAGETABLE_MAP) &&
97 i ADDR_TO_PDE_OFFSET(HYPERSPACE) &&
98 0 MmGlobalKernelPageDirectory[i] && 0 CurrentPageDirectory[i])
99 {
100 初始化完全抄CurrentPageDirectory相初始化PDE
101 MmGlobalKernelPageDirectory[i] CurrentPageDirectory[i]
102 if (Ke386GlobalPagesEnabled)
103 {
104 MmGlobalKernelPageDirectory[i] | PA_GLOBAL
105 CurrentPageDirectory[i] | PA_GLOBAL
106 }
107 }
108 }
109 }
windows核情景分析学笔记9
分类: windows MFC20101020 1955257阅读评(0)收藏举报
1系统调NtAllocateVirtualMemory
户空间程序求分配空间求预订块虚拟址区间求兑现预订虚拟址(映射物理址)二者兼NtAllocateVirtualMemory实现
实际熟知windowsAPI中VirtualAlloc调函数实现功
函数声明:
[cpp]view plaincopyprint
1 NTSTATUS NTAPI
2 NtAllocateVirtualMemory(IN HANDLE ProcessHandle
3 IN OUT PVOID* UBaseAddress
4 IN ULONG_PTR ZeroBits
5 IN OUT PSIZE_T URegionSize
6 IN ULONG AllocationType
7 IN ULONG Protect)
参数说明:
①标示欲分配空间进程windows支持进程分配空间
②标示欲分配空间基址
③果参数20核参数分配空间参数表示实际分配址必须少0作前导例参数10表示应分配低4M
④标示欲分配空间长度
⑤标示分配类型组标示位中重MEM_RESERVEMEM_COMMIT前者标示预订虚拟空间真正分配物理页面者标示分配物理页面两者起标示预订落实次位
⑥标示该区间访问权限例:读写执行等
重代码摘录:
[cpp]view plaincopyprint
8 NTSTATUS NTAPI
9 NtAllocateVirtualMemory(IN HANDLE ProcessHandle
10 IN OUT PVOID* UBaseAddress
11 IN ULONG_PTR ZeroBits
12 IN OUT PSIZE_T URegionSize
13 IN ULONG AllocationType
14 IN ULONG Protect)
15 {
16 PEPROCESS Process
17 MEMORY_AREA* MemoryArea
18 ULONG_PTR MemoryAreaLength
19 ULONG Type
20 NTSTATUS Status
21 PMMSUPPORT AddressSpace
22 PVOID BaseAddress
23 ULONG RegionSize
24 PVOID PBaseAddress
25 ULONG PRegionSize
26 ULONG MemProtection
27 PHYSICAL_ADDRESS BoundaryAddressMultiple
28 KPROCESSOR_MODE PreviousMode
29
30 PAGED_CODE()
31
32 参数合理性检查
33
34
35 获取定进程数结构类型:PEPROCESS
36 Status ObReferenceObjectByHandle(ProcessHandle
37 PROCESS_VM_OPERATION
38 PsProcessType
39 PreviousMode
40 (PVOID*)(&Process)
41 NULL)
42 if (NT_SUCCESS(Status))
43 {
44 DPRINT(NtAllocateVirtualMemory() xnStatus)
45 return(Status)
46 }
47
48 Type (AllocationType & MEM_COMMIT) MEM_COMMIT MEM_RESERVE
49 DPRINT(Type xn Type)
50
51 获取AVL树
52 AddressSpace &Process>Vm
53 需互斥进行互斥锁
54 MmLockAddressSpace(AddressSpace)
55
56 if (PBaseAddress 0)
57 {
58 果指定基址直接分配
59 MemoryArea MmLocateMemoryAreaByAddress(AddressSpace BaseAddress)
60
61 if (MemoryArea NULL)
62 {
63 MemoryAreaLength (ULONG_PTR)MemoryArea>EndingAddress
64 (ULONG_PTR)MemoryArea>StartingAddress
65
66 if (MemoryArea>Type MEMORY_AREA_VIRTUAL_MEMORY &&
67 MemoryAreaLength > RegionSize)
68 {
69 类型普通虚存空间合适根参数改变目标区块类型属性
70 Status
71 MmAlterRegion(AddressSpace
72 MemoryArea>StartingAddress
73 &MemoryArea>DataVirtualMemoryDataRegionListHead
74 BaseAddress RegionSize
75 Type Protect MmModifyAttributes)
76 互斥操作结束
77 MmUnlockAddressSpace(AddressSpace)
78 ObDereferenceObject(Process)
79
80 * Give the caller rounded BaseAddress and area length *
81 if (NT_SUCCESS(Status))
82 {
83 *UBaseAddress BaseAddress
84 *URegionSize RegionSize
85 DPRINT(*UBaseAddress x *URegionSize xn BaseAddress RegionSize)
86 }
87 分配成功
88 return(Status)
89 }
90 else if (MemoryAreaLength > RegionSize)
91 {
92 长度符合求区间类型section
93 * Region list initialized *
94 if (MemoryArea>DataSectionDataRegionListHeadFlink)
95 {
96 改变区间类型保护模式
97 Status
98 MmAlterRegion(AddressSpace
99 MemoryArea>StartingAddress
100 &MemoryArea>DataSectionDataRegionListHead
101 BaseAddress RegionSize
102 Type Protect MmModifyAttributes)
103 }
104 else
105 {
106 Status STATUS_ACCESS_VIOLATION
107 }
108
109 MmUnlockAddressSpace(AddressSpace)
110 ObDereferenceObject(Process)
111
112 * Give the caller rounded BaseAddress and area length *
113 if (NT_SUCCESS(Status))
114 {
115 *UBaseAddress BaseAddress
116 *URegionSize RegionSize
117 DPRINT(*UBaseAddress x *URegionSize xn BaseAddress RegionSize)
118 }
119 分配成功
120 return(Status)
121 }
122 else
123 {
124 区间长度够分配失败
125 MmUnlockAddressSpace(AddressSpace)
126 ObDereferenceObject(Process)
127 return(STATUS_UNSUCCESSFUL)
128 }
129 }end if(MemoryArea NULL)
130 }end if(PBaseAddress 0)
131
132 PBaseAddress 0核分配块合适区间
133 Status MmCreateMemoryArea(AddressSpace
134 MEMORY_AREA_VIRTUAL_MEMORY
135 &BaseAddress
136 RegionSize
137 Protect
138 &MemoryArea
139 PBaseAddress 0
140 AllocationType & MEM_TOP_DOWN
141 BoundaryAddressMultiple)
142 if (NT_SUCCESS(Status))
143 {
144 失败
145 MmUnlockAddressSpace(AddressSpace)
146 ObDereferenceObject(Process)
147 return(Status)
148 }
149
150 MemoryAreaLength (ULONG_PTR)MemoryArea>EndingAddress
151 (ULONG_PTR)MemoryArea>StartingAddress
152
153 设置区块类型(刚建立区间中唯区块)
154 MmInitializeRegion(&MemoryArea>DataVirtualMemoryDataRegionListHead
155 MemoryAreaLength Type Protect)
156
157 if ((AllocationType & MEM_COMMIT) &&
158 (Protect & (PAGE_READWRITE | PAGE_EXECUTE_READWRITE)))
159 {
160 const ULONG nPages PAGE_ROUND_UP(MemoryAreaLength) >> PAGE_SHIFT
161 预留页面交换文件中页面
162 MmReserveSwapPages(nPages)
163 }
164
165 *UBaseAddress BaseAddress 返回实际分配址
166 *URegionSize MemoryAreaLength 返回实际分配长度
167
168 MmUnlockAddressSpace(AddressSpace)
169 ObDereferenceObject(Process)
170 return(STATUS_SUCCESS)
171 }
2页面异常
通传递MEM_COMMIT调NtAllocateVirtualMemory成功系统会分配指定虚存区间标志置MEM_COMMIT实际映射物理页面户需访问块已分配区间时会发生页面异常(缺页异常)异常处理中虚存区间建立物理页面映射
样做考虑某情况户求分配空间定会立样物理页面占没意义物理页面映射操作延迟访问时进步提高物理存利率
页面发生异常时核会调异常处理函数MmAccessFault()函数底层异常响应程序调发生某种异常时CPU首先进入相应异常响应程序里根具体情况调处理程序
MmAccessFault代码:
[cpp]view plaincopyprint
172 NTSTATUS
173 NTAPI
174 MmAccessFault(IN BOOLEAN StoreInstruction
175 IN PVOID Address
176 IN KPROCESSOR_MODE Mode
177 IN PVOID TrapInformation)
178 {
179 PMEMORY_AREA MemoryArea
180
181
182
183 StoreInstruction0标示缺页非0标示越权
184 if (StoreInstruction)
185 {
186 * Call access fault * 越权访问引起
187 return MmpAccessFault(Mode (ULONG_PTR)Address TrapInformation FALSE TRUE)
188 }
189 else
190 {
191 * Call not present * 缺页引起(未建立物理页面映射)
192 return MmNotPresentFault(Mode (ULONG_PTR)Address TrapInformation FALSE TRUE)
193 }
194 }
缺页异常处理代码:
[cpp]view plaincopyprint
195 NTSTATUS
196 NTAPI
197 MmNotPresentFault(KPROCESSOR_MODE Mode
198 ULONG_PTR Address
199 BOOLEAN FromMdl)
200 {
201 PMMSUPPORT AddressSpace
202 MEMORY_AREA* MemoryArea
203 NTSTATUS Status
204 BOOLEAN Locked FromMdl
205 extern PMMPTE MmSharedUserDataPte
206
207 if (KeGetCurrentIrql() > DISPATCH_LEVEL)
208 {
209 return(STATUS_UNSUCCESSFUL)
210 }
211
212 if (Address > (ULONG_PTR)MmSystemRangeStart)
213 {
214 异常发生系统空间
215 if (Mode KernelMode)
216 {
217 DPRINT1(Address xn Address)
218 return(STATUS_ACCESS_VIOLATION)
219 }
220 AddressSpace MmGetKernelAddressSpace()
221 }
222 else 异常发生户空间
223 {
224 获取AVL树
225 AddressSpace &PsGetCurrentProcess()>Vm
226 }
227
228 if (FromMdl)
229 {
230 MmLockAddressSpace(AddressSpace)
231 }
232
233 do
234 {
235 AVL树中搜寻异常区间
236 MemoryArea MmLocateMemoryAreaByAddress(AddressSpace (PVOID)Address)
237 if (MemoryArea NULL || MemoryArea>DeleteInProgress)
238 {
239 区间尚未分配正删
240 if (FromMdl)
241 {
242 MmUnlockAddressSpace(AddressSpace)
243 }
244 return (STATUS_ACCESS_VIOLATION)
245 }
246
247 搜索成功根区间类型处理
248 switch (MemoryArea>Type)
249 {
250 case MEMORY_AREA_PAGED_POOL
251 {
252 Status MmCommitPagedPoolAddress((PVOID)Address Locked)
253 break
254 }
255
256 case MEMORY_AREA_SYSTEM
257 Status STATUS_ACCESS_VIOLATION
258 break
259
260 case MEMORY_AREA_SECTION_VIEW
261 Status MmNotPresentFaultSectionView(AddressSpace
262 MemoryArea
263 (PVOID)Address
264 Locked)
265 break
266
267 般虚存区间
268 case MEMORY_AREA_VIRTUAL_MEMORY
269 case MEMORY_AREA_PEB_OR_TEB
270 Status MmNotPresentFaultVirtualMemory(AddressSpace
271 MemoryArea
272 (PVOID)Address
273 Locked)
274 break
275
276 case MEMORY_AREA_SHARED_DATA
277 *MiAddressToPte(USER_SHARED_DATA) *MmSharedUserDataPte
278 Status STATUS_SUCCESS
279 break
280
281 default
282 Status STATUS_ACCESS_VIOLATION
283 break
284 }
285 }
286 while (Status STATUS_MM_RESTART_OPERATION)
287
288 if (FromMdl)
289 {
290 MmUnlockAddressSpace(AddressSpace)
291 }
292 return(Status)
293 }
般虚存区间MmNotPresentFaultVirtualMemory处理函数处理程致:
①MmRequestPageMemoryConsumer申请空闲物理页面
②MmCreateVirtualMapping建立物理页面虚存区块映射
windows核情景分析学笔记10
分类: windows MFC20101023 0939362阅读评(1)收藏举报
1享映射区
户空间映射物理页面通常映射进程户空间
系统空间映射进程享
物理页面映射进程户空间映射虚拟址相样物理页面映射进程虚存空间形成连续区间称享映射区
2享映射区存原
①系统享映射区载入运行exeDLL文件量节约页交换文件空间程序启动时间
②户享映射区访问磁盘数文件避免直接文件进行IO操作文件容进行缓存
③通享映射区台机器进程间享数效率高
3创建享映射区
创建享影射区需执行三步骤:
①创建享映射区象
②分配虚存空间
③建立映射
31创建享映射区象
首先创建享映射区象NtCreateSection
[cpp]view plaincopyprint
1 NtCreateSection (OUT PHANDLE SectionHandle
2 IN ACCESS_MASK DesiredAccess
3 IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL
4 IN PLARGE_INTEGER MaximumSize OPTIONAL
5 IN ULONG SectionPageProtection OPTIONAL
6 IN ULONG AllocationAttributes
7 IN HANDLE FileHandle OPTIONAL)
参数FileHandle创建文件映射区应该首先开文件获取文件句柄填入填入NULL创建享映射区
实现:
[cpp]view plaincopyprint
8 NTSTATUS NTAPI
9 NtCreateSection (OUT PHANDLE SectionHandle
10 IN ACCESS_MASK DesiredAccess
11 IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL
12 IN PLARGE_INTEGER MaximumSize OPTIONAL
13 IN ULONG SectionPageProtection OPTIONAL
14 IN ULONG AllocationAttributes
15 IN HANDLE FileHandle OPTIONAL)
16 {
17 LARGE_INTEGER SafeMaximumSize
18 PVOID SectionObject
19 KPROCESSOR_MODE PreviousMode
20 NTSTATUS Status
21
22 Status MmCreateSection(&SectionObject
23 DesiredAccess
24 ObjectAttributes
25 MaximumSize
26 SectionPageProtection
27 AllocationAttributes
28 FileHandle
29 NULL)
30
31 return Status
32 }
显然函数体MmCreateSection
实现:
[cpp]view plaincopyprint
33 NTSTATUS NTAPI
34 MmCreateSection (OUT PVOID * Section
35 IN ACCESS_MASK DesiredAccess
36 IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL
37 IN PLARGE_INTEGER MaximumSize
38 IN ULONG SectionPageProtection
39 IN ULONG AllocationAttributes
40 IN HANDLE FileHandle OPTIONAL
41 IN PFILE_OBJECT File OPTIONAL)
42 {
43 ULONG Protection
44 PROS_SECTION_OBJECT *SectionObject (PROS_SECTION_OBJECT *)Section
45 *
46 * Check the protection
47 *
48 Protection SectionPageProtection & ~(PAGE_GUARD|PAGE_NOCACHE)
49 if (Protection PAGE_READONLY &&
50 Protection PAGE_READWRITE &&
51 Protection PAGE_WRITECOPY &&
52 Protection PAGE_EXECUTE &&
53 Protection PAGE_EXECUTE_READ &&
54 Protection PAGE_EXECUTE_READWRITE &&
55 Protection PAGE_EXECUTE_WRITECOPY)
56 {
57 return STATUS_INVALID_PAGE_PROTECTION
58 }
59 执行文件
60 if (AllocationAttributes & SEC_IMAGE)
61 {
62 return(MmCreateImageSection(SectionObject
63 DesiredAccess
64 ObjectAttributes
65 MaximumSize
66 SectionPageProtection
67 AllocationAttributes
68 FileHandle))
69 }
70 普通数文件
71 if (FileHandle NULL)
72 {
73 return(MmCreateDataFileSection(SectionObject
74 DesiredAccess
75 ObjectAttributes
76 MaximumSize
77 SectionPageProtection
78 AllocationAttributes
79 FileHandle))
80 }
81 享映射区(没文件句柄)
82 return(MmCreatePageFileSection(SectionObject
83 DesiredAccess
84 ObjectAttributes
85 MaximumSize
86 SectionPageProtection
87 AllocationAttributes))
88 }
函数开始进行页面保护模式合理性检查检查根目标文件性质进行处理:
①果执行文件通MmCreateImageSection处理执行文件着特殊结构做特例处理
②果普通数文件MmCreateDataFileSection创建文件映射区
③果没定目标文件创建享存区(实页面交换文件目标文件)
MmCreateDataFileSection例分析创建文件映射区程
函数中做件事情:
①创建映射区象ObCreateObject完成
②获取数文件象ObReferenceObjectByHandle完成获取数文件FILE_OBJECT结构指针
③构造映射段MM_SECTION_SEGMENT数结构(ExAllocatePoolWithTag完成)映射区象数文件象中相关指针指映射段
④映射区象中FileObject字段指数文件象
关键代码:
[csharp]view plaincopyprint
89 NTSTATUS
90 NTAPI
91 MmCreateDataFileSection(PROS_SECTION_OBJECT *SectionObject
92 ACCESS_MASK DesiredAccess
93 POBJECT_ATTRIBUTES ObjectAttributes
94 PLARGE_INTEGER UMaximumSize
95 ULONG SectionPageProtection
96 ULONG AllocationAttributes
97 HANDLE FileHandle)
98 {
99 PROS_SECTION_OBJECT Section
100 NTSTATUS Status
101 LARGE_INTEGER MaximumSize
102 PFILE_OBJECT FileObject
103 PMM_SECTION_SEGMENT Segment
104 ULONG FileAccess
105 IO_STATUS_BLOCK Iosb
106 LARGE_INTEGER Offset
107 CHAR Buffer
108 FILE_STANDARD_INFORMATION FileInfo
109 *
110 * 创建映射区象Section
111 *
112 Status ObCreateObject(ExGetPreviousMode()
113 MmSectionObjectType
114 ObjectAttributes
115 ExGetPreviousMode()
116 NULL
117 sizeof(ROS_SECTION_OBJECT)
118 0
119 0
120 (PVOID*)(PVOID)&Section)
121 *
122 * 初始化映射区象Section
123 *
124 RtlZeroMemory(Section sizeof(ROS_SECTION_OBJECT))
125 Section>SectionPageProtection SectionPageProtection
126 Section>AllocationAttributes AllocationAttributes
127
128 *
129 * 获取数文件象FileObject
130 *
131 Status ObReferenceObjectByHandle(FileHandle
132 FileAccess
133 IoFileObjectType
134 ExGetPreviousMode()
135 (PVOID*)(PVOID)&FileObject
136 NULL)
137
138 * 果数文件前尚未作文件映射区盾
139 * 构造映射段MM_SECTION_SEGMENT结构
140 *
141 if (FileObject>SectionObjectPointer>DataSectionObject NULL)
142 {
143 Segment ExAllocatePoolWithTag(NonPagedPool sizeof(MM_SECTION_SEGMENT)
144 TAG_MM_SECTION_SEGMENT)
145 映射区象中相关指针指映射段
146 Section>Segment Segment
147 Segment>ReferenceCount 1
148 ExInitializeFastMutex(&Segment>Lock)
149 *
150 * Set the lock before assigning the segment to the file object
151 *
152 ExAcquireFastMutex(&Segment>Lock)
153 数文件象中相关指针指映射段
154 FileObject>SectionObjectPointer>DataSectionObject (PVOID)Segment
155 映射段初始化
156 Segment>FileOffset 0
157 Segment>Protection SectionPageProtection
158 Segment>Flags MM_DATAFILE_SEGMENT
159 Segment>Characteristics 0
160 Segment>WriteCopy FALSE
161 if (AllocationAttributes & SEC_RESERVE)
162 {
163 Segment>Length Segment>RawLength 0
164 }
165 else
166 {
167 Segment>RawLength MaximumSizeuLowPart
168 Segment>Length PAGE_ROUND_UP(Segment>RawLength)
169 }
170 Segment>VirtualAddress 0
171 RtlZeroMemory(&Segment>PageDirectory sizeof(SECTION_PAGE_DIRECTORY))
172 }
173 else
174 {
175 果数文件已映射某映射段需扩展映射段(果需)
176 Segment
177 (PMM_SECTION_SEGMENT)FileObject>SectionObjectPointer>
178 DataSectionObject
179 Section>Segment Segment
180 (void)InterlockedIncrementUL(&Segment>ReferenceCount)
181 MmLockSectionSegment(Segment)
182 if (MaximumSizeuLowPart > Segment>RawLength &&
183 (AllocationAttributes & SEC_RESERVE))
184 {
185 Segment>RawLength MaximumSizeuLowPart
186 Segment>Length PAGE_ROUND_UP(Segment>RawLength)
187 }
188 }
189 MmUnlockSectionSegment(Segment)
190 映射区象中FileObject字段指数文件象
191 Section>FileObject FileObject
192 Section>MaximumSize MaximumSize
193 CcRosReferenceCache(FileObject)
194 *SectionObject Section
195 return(STATUS_SUCCESS)
196 }
32 映射区映射段区
映射区映射段组成映射执行文件文件身分段例代码段数段等映射区分成干映射段映射数文件映射段
映射区象结构
[cpp]view plaincopyprint
197 typedef struct _ROS_SECTION_OBJECT
198 {
199 CSHORT Type
200 CSHORT Size
201 LARGE_INTEGER MaximumSize
202 ULONG SectionPageProtection
203 ULONG AllocationAttributes
204 PFILE_OBJECT FileObject 指文件象
205 union
206 {
207 PMM_IMAGE_SECTION_OBJECT ImageSection 执行文件
208 PMM_SECTION_SEGMENT Segment 数文件(单映射段)
209 }
210 } ROS_SECTION_OBJECT *PROS_SECTION_OBJECT
映射段象结构
[cpp]view plaincopyprint
211 typedef struct _MM_SECTION_SEGMENT
212 {
213 LONG FileOffset * 映射段起点应文件部位移*
214 ULONG_PTR VirtualAddress * Start offset into the address range for image sections *
215 ULONG RawLength * length of the segment which is part of the mapped file *
216 ULONG Length * absolute length of the segment *
217 ULONG Protection
218 FAST_MUTEX Lock * lock which protects the page directory *
219 ULONG ReferenceCount
220 SECTION_PAGE_DIRECTORY PageDirectory 页面目录(指映射段页面表)
221 ULONG Flags
222 ULONG Characteristics
223 BOOLEAN WriteCopy
224 } MM_SECTION_SEGMENT *PMM_SECTION_SEGMENT
33分配虚存空间建立映射
时映射区象建立完毕未实际建立映射实际映射通系统调NtMapViewOfSection完成
系统调作映射区象部分全部映射某进程户空间
数文件终调MmMapViewOfSegment(数文件段)
[cpp]view plaincopyprint
225 static NTSTATUS
226 MmMapViewOfSegment(PMMSUPPORT AddressSpace
227 PROS_SECTION_OBJECT Section
228 PMM_SECTION_SEGMENT Segment
229 PVOID* BaseAddress
230 SIZE_T ViewSize
231 ULONG Protect
232 ULONG ViewOffset
233 ULONG AllocationType)
234 {
235 PMEMORY_AREA MArea
236 NTSTATUS Status
237 PHYSICAL_ADDRESS BoundaryAddressMultiple
238
239 BoundaryAddressMultipleQuadPart 0
240
241 Status MmCreateMemoryArea(AddressSpace
242 MEMORY_AREA_SECTION_VIEW
243 BaseAddress
244 ViewSize
245 Protect
246 &MArea
247 FALSE
248 AllocationType
249 BoundaryAddressMultiple)
250 if (NT_SUCCESS(Status))
251 {
252 return(Status)
253 }
254
255 ObReferenceObject((PVOID)Section)
256
257 MArea>DataSectionDataSegment Segment
258 MArea>DataSectionDataSection Section
259 MArea>DataSectionDataViewOffset ViewOffset
260 MArea>DataSectionDataWriteCopyView FALSE
261 MmInitializeRegion(&MArea>DataSectionDataRegionListHead
262 ViewSize 0 Protect)
263
264 return(STATUS_SUCCESS)
265 }
函数简单申请块虚存空间应MEMORY_AREA结构分量设置成指映射区完事
windows核情景分析学笔记11
分类: windows MFC20101025 1945373阅读评(1)收藏举报
1windows进程线程相关函数
win32API中创建进程CreateProcess函数
CreateProcess完成两件事:
①NtCreateProcess创建进程
②果NtCreateProcess成功NtCreateThread创建进程第线程(线程)
声明:
[cpp]view plaincopyprint
1 NTSTATUS
2 NTAPI
3 NtCreateProcess(OUT PHANDLE ProcessHandle 返回进程句柄(前进程中)
4 IN ACCESS_MASK DesiredAccess 进程访问权限
5 IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL 执行执行文件路径名
6 IN HANDLE ParentProcess 指定进程父进程
7 IN BOOLEAN InheritObjectTable 否继承父进程象句柄表
8 IN HANDLE SectionHandle OPTIONAL
9 IN HANDLE DebugPort OPTIONAL
10 IN HANDLE ExceptionPort OPTIONAL)
[cpp]view plaincopyprint
11 NTSTATUS
12 NTAPI
13 NtCreateThread(OUT PHANDLE ThreadHandle 返回线程句柄
14 IN ACCESS_MASK DesiredAccess 访问权限
15 IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL
16 IN HANDLE ProcessHandle 指定线程属进程
17 OUT PCLIENT_ID ClientId
18 IN PCONTEXT ThreadContext 寄存器值(运行文)
19 IN PINITIAL_TEB InitialTeb 线程环境块
20 IN BOOLEAN CreateSuspended) 线程创建否挂起(立刻运行)
CreateProcessAPI提供CreateThread创建线程函数系统调NtCreateThread
2windows进程相关数结构
系统空间中:
①EPROCESS:理层 进程控制块代表着windows进程
②KPROCESS:核心层 进程控制块EPROCESS分量
③W32PROCESS:窗口进程独
KPROCESS隶属EPROCESS核中进程相关数结构两种EPROCESSW32PROCESS前者进程者窗口进程(通窗口户交互)
户空间中:
①进程环境块PEB:PEB记录进程运行参数映装入址等位置处0x7ffdf000
面定义:
EPROCESS(部分):
[csharp]view plaincopyprint
21 typedef struct _EPROCESS
22 {
23 KPROCESS Pcb 进程KPROCESS
24
25 PHANDLE_TABLE ObjectTable 象句柄表
26
27 PVOID *Win32Process 指进程W32PROCESS结构
28 struct _EJOB *Job
29 PVOID SectionObject 指执行程序创建文件映射区象
30 PVOID SectionBaseAddress
31
32 PVOID DeviceMap 指进程磁盘设备位图
33
34 CHAR ImageFileName[16] 程序文件名
35 LIST_ENTRY JobLinks
36 PVOID LockedPagesList
37 LIST_ENTRY ThreadListHead 进程线程队列
38
39 ACCESS_MASK GrantedAccess 允许访问方式
40
41 struct _PEB* Peb 指户空间PEB
42
43 UCHAR PriorityClass 优先级
44 MM_AVL_TABLE VadRoot 进程户空间AVL树
45 ULONG Cookie
46 } EPROCESS
KPROCESS(部分)
[cpp]view plaincopyprint
47 typedef struct _KPROCESS
48 {
49 DISPATCHER_HEADER Header
50 LIST_ENTRY ProfileListHead
51 ULONG DirectoryTableBase 进程页面映射表物理址
52
53 LIST_ENTRY ReadyListHead 进程绪线程队列
54 SINGLE_LIST_ENTRY SwapListEntry
55 PVOID VdmTrapcHandler
56 LIST_ENTRY ThreadListHead 进程线程队列(节点KTHREAD)
57 KSPIN_LOCK ProcessLock
58
59 SCHAR BasePriority 线程优先级
60
61 ULONG StackCount
62 LIST_ENTRY ProcessListEntry 挂入核进程队列
63 } KPROCESS
PEB(部分):
[cpp]view plaincopyprint
64 typedef struct _PEB
65 {
66 BOOLEAN InheritedAddressSpace
67 BOOLEAN ReadImageFileExecOptions
68 BOOLEAN BeingDebugged
69
70 HANDLE Mutant
71 PVOID ImageBaseAddress 程序镜起点
72 PPEB_LDR_DATA Ldr
73 struct _RTL_USER_PROCESS_PARAMETERS *ProcessParameters 指进程参数块(中参数信息前文件目录等)
74
75 PVOID FastPebLock
76 PPEBLOCKROUTINE FastPebLockRoutine
77 PPEBLOCKROUTINE FastPebUnlockRoutine
78 ULONG EnvironmentUpdateCount
79 PVOID* KernelCallbackTable 核回调户空间函数
80 PVOID EventLogSection
81 PVOID EventLog
82
83 } PEB *PPEB
3windows线程相关数结构
进程数结构应线程ETHREADKTHREADW32THREADTEB
ETHREAD:
[cpp]view plaincopyprint
84 typedef struct _ETHREAD
85 {
86 KTHREAD Tcb 线程KTHREAD结构
87
88 LIST_ENTRY ThreadListEntry 挂入EPROCESS中线程队列
89
90 } ETHREAD
KTHREAD
[cppnogutter]view plaincopyprint
91 typedef struct _KTHREAD
92 {
93 DISPATCHER_HEADER DispatcherHeader
94
95 PVOID KernelStack 线程系统空间堆栈
96 KSPIN_LOCK ThreadLock
97 union
98 {
99 KAPC_STATE ApcState 线程ACP状态
100
101 }
102
103 struct _TEB *Teb 户空间线程环境块(TEB)
104
105 PKTRAP_FRAME TrapFrame 系统空间堆栈陷框架
106
107 struct _KPROCESS *Process 属进程KPROCESS结构
108
109 PVOID Win32Thread 指线程W32THREAD结构
110 PVOID StackBase
111
112 LIST_ENTRY ThreadListEntry 挂入KPROCESS中线程队列
113
114 } KTHREAD
windows核情景分析学笔记12
分类: windows MFC20101025 1957298阅读评(0)收藏举报
1windows进程户空间
windows户空间系统空间分界线0x80000000
应软件户空间访问高址0x7ffeffff0x7fff0000访问分界线留64KB隔离区
应软件户空间访问低址0x000100000开始64KB访问
特殊空间:
系统空间0xffdf0000处存放着_KUSER_SHARED_DATA结构(4KB)结构进程享结构字段系统信息NtSystemRoot字段存放系统根目录路径名
户空间中格局安排:
户空间创建格局核函数MmInitializeProcessAddressSpace()实现
[cpp]view plaincopyprint
1 NtCreateProcess>NtCreateProcessEx>PspCreateProcess>MmInitializeProcessAddressSpace
2
3 NTSTATUS
4 NTAPI
5 MmInitializeProcessAddressSpace(IN PEPROCESS Process
6 IN PEPROCESS ProcessClone OPTIONAL
7 IN PVOID Section OPTIONAL
8 IN OUT PULONG Flags
9 IN POBJECT_NAME_INFORMATION *AuditName OPTIONAL)
10 {
11 NTSTATUS Status
12 PMMSUPPORT ProcessAddressSpace &Process>Vm
13 PVOID BaseAddress
14 PMEMORY_AREA MemoryArea
15 PHYSICAL_ADDRESS BoundaryAddressMultiple
16 SIZE_T ViewSize 0
17 PVOID ImageBase 0
18 PROS_SECTION_OBJECT SectionObject Section
19 BoundaryAddressMultipleQuadPart 0
20
21 初始化户空间设置禁区
22 * Initialize the Addresss Space lock *
23 KeInitializeGuardedMutex(&Process>AddressCreationLock)
24 Process>VmWorkingSetExpansionLinksFlink NULL
25
26 * Initialize AVL tree *
27 ASSERT(Process>VadRootNumberGenericTableElements 0)
28 Process>VadRootBalancedRootu1Parent &Process>VadRootBalancedRoot
29
30 * Acquire the Lock *
31 MmLockAddressSpace(ProcessAddressSpace)
32
33 * Protect the highest 64KB of the process address space *
34 BaseAddress (PVOID)MmUserProbeAddress MmSystemRangeStart0x10000
35 Status MmCreateMemoryArea(ProcessAddressSpace
36 MEMORY_AREA_NO_ACCESS
37 &BaseAddress
38 0x10000
39 PAGE_NOACCESS 禁止访问
40 &MemoryArea
41 FALSE
42 0
43 BoundaryAddressMultiple)
44 if (NT_SUCCESS(Status))
45 {
46 goto exit
47 }
48
49 * Protect the 60KB above the shared user page *
50 BaseAddress (char*)USER_SHARED_DATA + PAGE_SIZE 0x7FFE0000+0x1000
51 Status MmCreateMemoryArea(ProcessAddressSpace
52 MEMORY_AREA_NO_ACCESS
53 &BaseAddress
54 0x10000 PAGE_SIZE 0x100000x1000
55 PAGE_NOACCESS 禁止访问
56 &MemoryArea
57 FALSE
58 0
59 BoundaryAddressMultiple)
60 if (NT_SUCCESS(Status))
61 {
62 goto exit
63 }
64
65 * Create the shared data page *
66 BaseAddress (PVOID)USER_SHARED_DATA 0x7FFE0000
67 Status MmCreateMemoryArea(ProcessAddressSpace
68 MEMORY_AREA_SHARED_DATA
69 &BaseAddress
70 PAGE_SIZE 0x1000(4K)
71 PAGE_EXECUTE_READ 读执行
72 &MemoryArea
73 FALSE
74 0
75 BoundaryAddressMultiple)
76 if (NT_SUCCESS(Status))
77 {
78 goto exit
79 }
80
81 * The process now has an address space *
82 Process>HasAddressSpace TRUE
83
84 开始分配户空间
85 * Check if there's a Section Object *
86 if (SectionObject)
87 {已建立执行文件文件映射区
88 UNICODE_STRING FileName
89 PWCHAR szSrc
90 PCHAR szDest
91 USHORT lnFName 0
92
93 * Unlock the Address Space *
94 执行文件分配虚存空间建立映射
95 MmUnlockAddressSpace(ProcessAddressSpace)
96 Status MmMapViewOfSection(Section
97 (PEPROCESS)Process
98 (PVOID*)&ImageBase
99 0
100 0
101 NULL
102 &ViewSize
103 0
104 MEM_COMMIT
105 PAGE_READWRITE)
106 if (NT_SUCCESS(Status))
107 {
108 return Status
109 }
110
111 * Save the pointer *
112 Process>SectionBaseAddress ImageBase 指执行文件起点
113
114 * Determine the image file name and save it to EPROCESS *
115 Getting Image name
116 FileName SectionObject>FileObject>FileName
117 szSrc (PWCHAR)((PCHAR)FileNameBuffer + FileNameLength)
118 if (FileNameBuffer)
119 {
120 * Loop the file name*
121 while (szSrc > FileNameBuffer)
122 {
123 * Make sure this isn't a backslash *
124 if (*szSrc OBJ_NAME_PATH_SEPARATOR)
125 {
126 * If so stop it here *
127 szSrc++
128 break
129 }
130 else
131 {
132 * Otherwise keep going *
133 lnFName++
134 }
135 }
136 }
137
138 * Copy the to the process and truncate it to 15 characters if necessary *
139 szDest Process>ImageFileName
140 lnFName min(lnFName sizeof(Process>ImageFileName) 1)
141 while (lnFName) *szDest++ (UCHAR)*szSrc++
142 *szDest ANSI_NULL
143
144 * Check if caller wants an audit name *
145 if (AuditName)
146 {
147 * Setup the audit name *
148 SeInitializeProcessAuditName(SectionObject>FileObject
149 FALSE
150 AuditName)
151 }
152
153 * Return status to caller *
154 return Status
155 }
156
157 exit
158 * Unlock the Address Space *
159 DPRINT(Unlockingn)
160 MmUnlockAddressSpace(ProcessAddressSpace)
161
162 * Return status to caller *
163 return Status
164 }
EXE文件DLL装入映射户空间中ntdlldll特殊DLL核初始化时候系统创建文件映射区象全局指针PspSystemDllSection指该象数结构
MmInitializeProcessAddressSpacePspMapSystemDll建立ntdlldll映射
[cpp]view plaincopyprint
165 NtCreateProcess>NtCreateProcessEx>PspCreateProcess>PspMapSystemDll
166 NTSTATUS
167 NTAPI
168 PspMapSystemDll(IN PEPROCESS Process
169 IN PVOID *DllBase
170 IN BOOLEAN UseLargePages)
171 {
172 NTSTATUS Status
173 LARGE_INTEGER Offset {{0 0}}
174 SIZE_T ViewSize 0
175 PVOID ImageBase 0
176
177 * Map the System DLL *
178 Status MmMapViewOfSection(PspSystemDllSection ntdlldll
179 Process
180 (PVOID*)&ImageBase
181 0
182 0
183 &Offset
184 &ViewSize
185 ViewShare
186 0
187 PAGE_READWRITE)
188 if (Status STATUS_SUCCESS)
189 {
190 * Normalize status code *
191 Status STATUS_CONFLICTING_ADDRESSES
192 }
193
194 * Write the image base and return status *
195 if (DllBase) *DllBase ImageBase
196 return Status
197 }
进程环境块PEB建立MmCreatePeb完成
[cpp]view plaincopyprint
198 NtCreateProcess>NtCreateProcessEx>PspCreateProcess>MmCreatePeb
199 NTSTATUS
200 NTAPI
201 MmCreatePeb(IN PEPROCESS Process
202 IN PINITIAL_PEB InitialPeb
203 OUT PPEB *BasePeb)
204 {
205 PPEB Peb NULL
206 LARGE_INTEGER SectionOffset
207 SIZE_T ViewSize 0
208 PVOID TableBase NULL
209 PIMAGE_NT_HEADERS NtHeaders
210 PIMAGE_LOAD_CONFIG_DIRECTORY ImageConfigData
211 NTSTATUS Status
212 USHORT Characteristics
213 KAFFINITY ProcessAffinityMask 0
214 SectionOffsetQuadPart (ULONGLONG)0
215 *BasePeb NULL
216
217 Attach to Process
218 挂新进程
219 KeAttachProcess(&Process>Pcb)
220
221 Allocate the PEB
222 址MM_HIGHEST_USER_ADDRESS (16 * PAGE_SIZE)+1
223 0x7ffeffff(16 * PAGE_SIZE)+1
224 0x7ffdffff+1
225 0x7ffe0000
226 0x7ffe0000取0x1000区间存放peb
227 peb首址0x7FFDF0000x1000
228 Peb MiCreatePebOrTeb(Process
229 (PVOID)((ULONG_PTR)MM_HIGHEST_VAD_ADDRESS + 1))
230 ASSERT(Peb (PVOID)0x7FFDF000)
231
232
233
234 Use SEH in case we can't load the PEB
235 _SEH2_TRY
236 {
237 Initialize the PEB
238 RtlZeroMemory(Peb sizeof(PEB))
239
240 Set up data
241 Peb>ImageBaseAddress Process>SectionBaseAddress
242 Peb>InheritedAddressSpace InitialPeb>InheritedAddressSpace
243 Peb>Mutant InitialPeb>Mutant
244 Peb>ImageUsesLargePages InitialPeb>ImageUsesLargePages
245
246 NLS
247 Peb>AnsiCodePageData (PCHAR)TableBase + ExpAnsiCodePageDataOffset
248 Peb>OemCodePageData (PCHAR)TableBase + ExpOemCodePageDataOffset
249 Peb>UnicodeCaseTableData (PCHAR)TableBase + ExpUnicodeCaseTableDataOffset
250
251 Default Version Data (could get changed below)
252 Peb>OSMajorVersion NtMajorVersion
253 Peb>OSMinorVersion NtMinorVersion
254 Peb>OSBuildNumber (USHORT)(NtBuildNumber & 0x3FFF)
255 Peb>OSPlatformId 2 * VER_PLATFORM_WIN32_NT *
256 Peb>OSCSDVersion (USHORT)CmNtCSDVersion
257
258 Heap and Debug Data
259 Peb>NumberOfProcessors KeNumberProcessors
260 Peb>BeingDebugged (BOOLEAN)(Process>DebugPort NULL TRUE FALSE)
261 Peb>NtGlobalFlag NtGlobalFlag
262 Peb>MaximumNumberOfHeaps (PAGE_SIZE sizeof(PEB)) sizeof(PVOID) peb身剩余空间存储堆指针数组堆数量算出
263 Peb>ProcessHeaps (PVOID*)(Peb + 1) 指堆指针数组起点
264
265 Session ID
266 if (Process>Session) Peb>SessionId 0 MmGetSessionId(Process)
267 }
268 _SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER)
269 {
270 Fail
271 KeDetachProcess()
272 _SEH2_YIELD(return _SEH2_GetExceptionCode())
273 }
274 _SEH2_END
275
276
277
278 Detach from the Process
279 KeDetachProcess()
280 *BasePeb Peb
281 return STATUS_SUCCESS
282 }
文档香网(httpswwwxiangdangnet)户传
《香当网》用户分享的内容,不代表《香当网》观点或立场,请自行判断内容的真实性和可靠性!
该内容是文档的文本内容,更好的格式请下载文档
分类: windows MFC20101019 1137226阅读评(0)收藏举报
1数存储存区间分类
①全局数占空间编译器编译链接时静态分配整进程存亡分配释放见
②局部数占空间调函数时动堆栈动态分配寿命取决函数作域分配释放隐含
③通malloc类函数动态分配存会直存直通free类函数加释放(进程终止运行)
2核户空间理
windows说户空间虚存址00x7fffffff范围2GB进程2GB户空间
般说真正中部分虚存址区间需物理映射
事实前正受访问页面必须映射物理存页面暂时受访问页面映射外设(硬盘)页面交换文件里实际时倒换回物理存页面中
原理说空间中已分配区间作节点然组成链表需时头扫描链表知道区间(实际应中组成成AVL树)
进程进程控制块中指针VadRoot指代表着户空间数结构中指针指颗AVL树颗树节点已分配区间信息节点定义:
[cpp]view plaincopyprint
1 typedef struct _MEMORY_AREA
2 {
3 PVOID StartingAddress
4 PVOID EndingAddress
5 struct _MEMORY_AREA *Parent
6 struct _MEMORY_AREA *LeftChild
7 struct _MEMORY_AREA *RightChild
8 ULONG Type
9 ULONG Protect
10 ULONG Flags
11 BOOLEAN DeleteInProgress
12 ULONG PageOpCount
13 union
14 {
15 struct
16 {
17 ROS_SECTION_OBJECT* Section
18 ULONG ViewOffset
19 PMM_SECTION_SEGMENT Segment
20 BOOLEAN WriteCopyView
21 LIST_ENTRY RegionListHead
22 } SectionData
23 struct
24 {
25 LIST_ENTRY RegionListHead
26 } VirtualMemoryData
27 } Data
28 } MEMORY_AREA *PMEMORY_AREA
颗MEMORY_AREA数结构节点AVL树代表户空间
结构图:
3核户空间理相关函数
AVL树操作应便接踵典型莫MmLocateMemoryAreaByAddress()
[cpp]view plaincopyprint
29 PMEMORY_AREA NTAPI
30 MmLocateMemoryAreaByAddress(
31 PMMSUPPORT AddressSpace
32 PVOID Address)
33 {
34 PMEMORY_AREA Node (PMEMORY_AREA)AddressSpace>WorkingSetExpansionLinksFlink
35
36 DPRINT(MmLocateMemoryAreaByAddress(AddressSpace p Address p)n
37 AddressSpace Address)
38
39 MmVerifyMemoryAreas(AddressSpace)
40
41 while (Node NULL)
42 {
43 if (Address < Node>StartingAddress)
44 Node Node>LeftChild
45 else if (Address > Node>EndingAddress)
46 Node Node>RightChild
47 else
48 {
49 DPRINT(MmLocateMemoryAreaByAddress(p) p [p p]n
50 Address Node Node>StartingAddress Node>EndingAddress)
51 return Node
52 }
53 }
54
55 DPRINT(MmLocateMemoryAreaByAddress(p) 0n Address)
56 return NULL
57 }
函数作定目标址果目标址(存AVL树中)返回节点否返回NULL
典型操作MmFindGap()函数作址空间中寻找定长度空闲址区间
需空间中分配址区间时通MmCreateMemoryArea()AVL树种创建节点函数致执行步骤:
①AVL树中搜索块指定区域(利MmFindGap)
②区域建立MEMORY_AREA结构
③AVL树种插入MEMORY_AREA结构
里虚存区间分配意味着物理页面分配意味着页面映射建立仅仅虚存址资源占
4存理中层次
MEMORY_AREA结构中成分Data枚举类型结构取两种类型SectionDataVirtualMemoryData前者代表文件映射区享存区者代表普通已分配存区间(部分情况)
VirtualMemoryData唯成分RegionListHead值区块链表头
谓区块?
已分配区间指示址连续范围定映射定拥样类型保护模式区块址连续拥相类型保护模式子区间
中区间包含干区块需链表维护链表节点类型_MM_REGION
定义:
[cpp]view plaincopyprint
58 typedef struct _MM_REGION
59 {
60 ULONG Type
61 ULONG Protect
62 ULONG Length
63 LIST_ENTRY RegionListEntry
64 } MM_REGION *PMM_REGION
区块组虚存页面组成页面着相保护模式
综述存中着样层次:空间区间区块页面示意图:
windows核情景分析学笔记7
分类: windows MFC20101019 1934301阅读评(0)收藏举报
1核物理页面理
物理存理页面单位物理存理实际物理页面理
核中物理页面数结构PHYSICAL_PAGE代表定义:
[cpp]view plaincopyprint
1 typedef struct _PHYSICAL_PAGE
2 {
3 union
4 {
5 struct
6 {
7 ULONG Type 2
8 ULONG Consumer 3
9 ULONG Zero 1
10 }
11 Flags
12 ULONG AllFlags
13 }
14
15 LIST_ENTRY ListEntry
16 ULONG ReferenceCount
17 SWAPENTRY SavedSwapEntry
18 ULONG LockCount
19 ULONG MapCount
20 struct _MM_RMAP_ENTRY* RmapListHead
21 }
22 PHYSICAL_PAGE *PPHYSICAL_PAGE
PHYSICAL_PAGE代表物理页面系统初始化时会构建起元素PHYSICAL_PAGE数组MmPageArray全局变量系统中少物理页面数组
样物理页面页面号(pfn)标找物理页面应PHYSICAL_PAGE(MmPageArray[pfn])
物理址页面页面号着固定关系页面4KB定义
[cpp]view plaincopyprint
23 #define PaToPfn(p) ((p)>>12)
PHYSICAL_PAGE中Type字段标示物理页面性质:
[cpp]view plaincopyprint
24 #define MM_PHYSICAL_PAGE_FREE (0x1)
25 #define MM_PHYSICAL_PAGE_USED (0x2)
26 #define MM_PHYSICAL_PAGE_BIOS (0x3)
显然物理页面三种空闲页面中页面BIOS页面
ListEntry字段PHYSICAL_PAGE链入某队列核中定义物理页面队列:
[cpp]view plaincopyprint
27 static LIST_ENTRY UsedPageListHeads[MC_MAXIMUM]
28 static LIST_ENTRY FreeZeroedPageListHead
29 static LIST_ENTRY FreeUnzeroedPageListHead
30 static LIST_ENTRY BiosPageListHead
①物理址0x100000低1MB范围中页面BIOSBiosPageListHead队列中
空闲队列两:
②FreeZeroedPageListHead已清零页面
③FreeUnzeroedPageListHead未清零页面刚释放物理页面时未清0处理
核线程MmZeroPageThreadMain受调度运行会FreeUnzeroedPageListHead队列中摘取物理页面清零挂入FreeZeroedPageListHead队列
④中页面队列UsedPageListHeads队列数组MC_MAXIMUM定义4实物理页面途分4队列
四途定义:
[cpp]view plaincopyprint
31 #define MC_CACHE (0) 磁盘容缓存
32 #define MC_USER (1) 户空间映射
33 #define MC_PPOOL (2) 标示倒换外存页面池
34 #define MC_NPPOOL (3) 标示倒换外存页面池
典型物理页面周转程:
①FreeZeroedPageListHead队列开始
②分配某户空间虚存页面映射该物理页面进入UsedPageListHeads[MC_USER]队列
③释放该物理页面进入FreeUnzeroedPageListHead队列
④核线程MmZeroPageThreadMain受调度运行该页面回FreeZeroedPageListHead队列
2常函数
物理页面分配MmAllocPage()函数函数实现:
[cpp]view plaincopyprint
35 PFN_TYPE
36 NTAPI
37 MmAllocPage(ULONG Consumer SWAPENTRY SavedSwapEntry)
38 {
39 PFN_TYPE PfnOffset
40 PLIST_ENTRY ListEntry
41 PPHYSICAL_PAGE PageDescriptor
42 KIRQL oldIrql
43 BOOLEAN NeedClear FALSE
44
45 KeAcquireSpinLock(&PageListLock &oldIrql)旋转锁操作原子操作
46 if (IsListEmpty(&FreeZeroedPageListHead))
47 {
48 FreeZeroedPageListHead中没页面FreeUnzeroedPageListHead中分配
49 if (IsListEmpty(&FreeUnzeroedPageListHead))
50 {
51 果两队列没页面返回空法分配
52 KeReleaseSpinLock(&PageListLock oldIrql)
53 return 0
54 }
55 ListEntry RemoveTailList(&FreeUnzeroedPageListHead)
56 UnzeroedPageCount
57
58 PageDescriptor CONTAINING_RECORD(ListEntry PHYSICAL_PAGE ListEntry)
59
60 NeedClear TRUE 需重新初始化0
61 }
62 else
63 {
64 优先选择FreeZeroedPageListHead队列中页面
65 ListEntry RemoveTailList(&FreeZeroedPageListHead)
66
67 PageDescriptor CONTAINING_RECORD(ListEntry PHYSICAL_PAGE ListEntry)
68 }
69
70 错误处理
71 if (PageDescriptor>FlagsType MM_PHYSICAL_PAGE_FREE)
72 {
73 KEBUGCHECK(0)
74 }
75 if (PageDescriptor>MapCount 0)
76 {
77 KEBUGCHECK(0)
78 }
79 if (PageDescriptor>ReferenceCount 0)
80 {
81 KEBUGCHECK(0)
82 }
83
84 分配成功初始化PPHYSICAL_PAGE参数
85 PageDescriptor>FlagsType MM_PHYSICAL_PAGE_USED
86 PageDescriptor>FlagsConsumer Consumer
87 PageDescriptor>ReferenceCount 1
88 PageDescriptor>LockCount 0
89 PageDescriptor>MapCount 0
90 PageDescriptor>SavedSwapEntry SavedSwapEntry
91 InsertTailList(&UsedPageListHeads[Consumer] ListEntry)
92
93 MmStatsNrSystemPages++
94 MmStatsNrFreePages
95
96 KeReleaseSpinLock(&PageListLock oldIrql)释放旋转锁原子操作结束
97
98 PfnOffset PageDescriptor MmPageArray
99 if (NeedClear)
100 {
101 FreeUnzeroedPageListHead队列中分配物理页面需初始化0
102 MiZeroPage(PfnOffset)
103 }
104 if (PageDescriptor>MapCount 0)
105 {
106 KEBUGCHECK(0)
107 }
108 return PfnOffset
109 }
参数Consumer表明页面途决定分配成功物理页面挂入队列SavedSwapEntry标示页面交换文件位置取0标示没倒换文件
windows核情景分析学笔记8
分类: windows MFC20101020 1108404阅读评(0)收藏举报
1页面映射
页面映射指虚存页面物理页面映射
虚存页面映射物理页面时间物理页面应空间虚存页面
示意图:
虚存页面虚必须通映射落实物理存储介质物理存储第选择物理存备般选择磁盘页面交换文件(物理存成较高般会做)样需前正受访问受访问页面保存物理存中暂时受访问页面保存页面交换文件中
页面映射示意图
进程页面映射表页面映射表采二级映射方式页面映射表结构
PTE容决定该虚拟页面映射虚拟页面映射列种:
①物理映射
②物理映射映射页面交换文件
③物理映射映射物理存某页面
针第三种情况PTE高20位代表映射物理页面页面号次4位预留程序员低8位定义:
[cpp]view plaincopyprint
1 #define PA_BIT_PRESENT (0)1表示映射页面存中
2 #define PA_BIT_READWRITE (1)1标示写0标示读
3 #define PA_BIT_USER (2)1标示户空间页面
4 #define PA_BIT_WT (3)
5 #define PA_BIT_CD (4)
6 #define PA_BIT_ACCESSED (5)访问该页面MMU动置1
7 #define PA_BIT_DIRTY (6)写入该页面MMU动置1
8 #define PA_BIT_GLOBAL (8)
示意图:
第0位PA_BIT_PRESENT需注意果0映射页面物理存中时操作系统会PTE指示页面页面交换文件中位置windows言高8位标示页面交换文件号低24位标示页面交换文件部页面号加1
2常函数
①
[cpp]view plaincopyprint
9 NTSTATUS
10 NTAPI
11 MmCreateVirtualMapping(PEPROCESS Process
12 PVOID Address
13 ULONG flProtect
14 PPFN_TYPE Pages
15 ULONG PageCount)
函数作:定组物理页面号(Pages)定进程(Process)虚拟址Address开始区块映射组物理页面
②
[cpp]view plaincopyprint
16 VOID
17 NTAPI
18 MmDeleteVirtualMapping(
19 struct _EPROCESS *Process
20 PVOID Address
21 BOOLEAN FreePage
22 BOOLEAN* WasDirty
23 PPFN_TYPE Page
24 )
函数作:删某虚拟址页面映射
③
[cpp]view plaincopyprint
25 NTSTATUS
26 NTAPI
27 MmPageOutVirtualMemory(
28 PMMSUPPORT AddressSpace
29 PMEMORY_AREA MemoryArea
30 PVOID Address
31 struct _MM_PAGEOP* PageOp
32 )
函数作:虚拟页面容倒出页面交换文件
3附加说明
核调度进程运行时需控制寄存器CR3容设置进程页面映射表址时页面映射表物理址样MMU找进PTE装入高速缓存TLB中
CPU需访问访问前进程页面映射表时虚拟址什进程页面映射表虚拟空间位置固定0xc0000000然进程页面映射表物理页面
4系统空间映射
进程系统空间基公PAGETABLE_MAP(页面映射表)HYPERSPACE两块方例外进程页面映射表实际分两部分
①系统空间映射部分容全局核映射表部分页面映射时常驻受进程切换影响
②户空间映射部分特定进程进程切换部分映射受刷
创建进程时核通MmCreateProcessAddressSpace()核映射表复制系统空间映射代码:
[cpp]view plaincopyprint
33 BOOLEAN
34 NTAPI
35 MmCreateProcessAddressSpace(IN ULONG MinWs
36 IN PEPROCESS Process
37 IN PULONG DirectoryTableBase)
38 {
39 NTSTATUS Status
40 ULONG i j
41 PFN_TYPE Pfn[2]
42 PULONG PageDirectory
43
44 分配两物理页面分PAGETABLE_MAPHYPERSPACE
45 for (i 0 i < 2 i++)
46 {
47 MC_NPPOOL允许倒换出物理存
48 Status MmRequestPageMemoryConsumer(MC_NPPOOL FALSE &Pfn[i])
49 if (NT_SUCCESS(Status))
50 {
51 for (j 0 j < i j++)
52 {
53 MmReleasePageMemoryConsumer(MC_NPPOOL Pfn[j])
54 }
55
56 return FALSE
57 }
58 }
59
60 分配第页面Hyperspace映射
61 PageDirectory MmCreateHyperspaceMapping(Pfn[0])
62
63 核映射表复制系统空间映射
64 memcpy(PageDirectory + ADDR_TO_PDE_OFFSET(MmSystemRangeStart)
65 MmGlobalKernelPageDirectory + ADDR_TO_PDE_OFFSET(MmSystemRangeStart)
66 (1024 ADDR_TO_PDE_OFFSET(MmSystemRangeStart)) * sizeof(ULONG))
67
68 PAGETABLE_MAPHYPERSPACE目录项进程变需更改
69 PageDirectory[ADDR_TO_PDE_OFFSET(PAGETABLE_MAP)] PFN_TO_PTE(Pfn[0]) | PA_PRESENT | PA_READWRITE
70 PageDirectory[ADDR_TO_PDE_OFFSET(HYPERSPACE)] PFN_TO_PTE(Pfn[1]) | PA_PRESENT | PA_READWRITE
71
72 MmDeleteHyperspaceMapping(PageDirectory)
73
74 DirectoryTableBase[0] PFN_TO_PTE(Pfn[0])
75 DirectoryTableBase[1] 0
76
77 return TRUE
78 }
函数表明系统空间映射MmGlobalKernelPageDirectory核映射表MmGlobalKernelPageDirectory中信息系统初始化时候创建
[cpp]view plaincopyprint
79 VOID
80 INIT_FUNCTION
81 NTAPI
82 MmInitGlobalKernelPageDirectory(VOID)
83 {
84 ULONG i
85 PAGEDIRECTORY_MAP值0xc0300000PDE基址
86 PULONG CurrentPageDirectory (PULONG)PAGEDIRECTORY_MAP
87
88
89 Setup template
90
91 HyperTemplatePteuLong (PA_PRESENT | PA_READWRITE | PA_DIRTY | PA_ACCESSED)
92 if (Ke386GlobalPagesEnabled) HyperTemplatePteuLong | PA_GLOBAL
93
94 for (i ADDR_TO_PDE_OFFSET(MmSystemRangeStart) i < 1024 i++)
95 {
96 if (i ADDR_TO_PDE_OFFSET(PAGETABLE_MAP) &&
97 i ADDR_TO_PDE_OFFSET(HYPERSPACE) &&
98 0 MmGlobalKernelPageDirectory[i] && 0 CurrentPageDirectory[i])
99 {
100 初始化完全抄CurrentPageDirectory相初始化PDE
101 MmGlobalKernelPageDirectory[i] CurrentPageDirectory[i]
102 if (Ke386GlobalPagesEnabled)
103 {
104 MmGlobalKernelPageDirectory[i] | PA_GLOBAL
105 CurrentPageDirectory[i] | PA_GLOBAL
106 }
107 }
108 }
109 }
windows核情景分析学笔记9
分类: windows MFC20101020 1955257阅读评(0)收藏举报
1系统调NtAllocateVirtualMemory
户空间程序求分配空间求预订块虚拟址区间求兑现预订虚拟址(映射物理址)二者兼NtAllocateVirtualMemory实现
实际熟知windowsAPI中VirtualAlloc调函数实现功
函数声明:
[cpp]view plaincopyprint
1 NTSTATUS NTAPI
2 NtAllocateVirtualMemory(IN HANDLE ProcessHandle
3 IN OUT PVOID* UBaseAddress
4 IN ULONG_PTR ZeroBits
5 IN OUT PSIZE_T URegionSize
6 IN ULONG AllocationType
7 IN ULONG Protect)
参数说明:
①标示欲分配空间进程windows支持进程分配空间
②标示欲分配空间基址
③果参数20核参数分配空间参数表示实际分配址必须少0作前导例参数10表示应分配低4M
④标示欲分配空间长度
⑤标示分配类型组标示位中重MEM_RESERVEMEM_COMMIT前者标示预订虚拟空间真正分配物理页面者标示分配物理页面两者起标示预订落实次位
⑥标示该区间访问权限例:读写执行等
重代码摘录:
[cpp]view plaincopyprint
8 NTSTATUS NTAPI
9 NtAllocateVirtualMemory(IN HANDLE ProcessHandle
10 IN OUT PVOID* UBaseAddress
11 IN ULONG_PTR ZeroBits
12 IN OUT PSIZE_T URegionSize
13 IN ULONG AllocationType
14 IN ULONG Protect)
15 {
16 PEPROCESS Process
17 MEMORY_AREA* MemoryArea
18 ULONG_PTR MemoryAreaLength
19 ULONG Type
20 NTSTATUS Status
21 PMMSUPPORT AddressSpace
22 PVOID BaseAddress
23 ULONG RegionSize
24 PVOID PBaseAddress
25 ULONG PRegionSize
26 ULONG MemProtection
27 PHYSICAL_ADDRESS BoundaryAddressMultiple
28 KPROCESSOR_MODE PreviousMode
29
30 PAGED_CODE()
31
32 参数合理性检查
33
34
35 获取定进程数结构类型:PEPROCESS
36 Status ObReferenceObjectByHandle(ProcessHandle
37 PROCESS_VM_OPERATION
38 PsProcessType
39 PreviousMode
40 (PVOID*)(&Process)
41 NULL)
42 if (NT_SUCCESS(Status))
43 {
44 DPRINT(NtAllocateVirtualMemory() xnStatus)
45 return(Status)
46 }
47
48 Type (AllocationType & MEM_COMMIT) MEM_COMMIT MEM_RESERVE
49 DPRINT(Type xn Type)
50
51 获取AVL树
52 AddressSpace &Process>Vm
53 需互斥进行互斥锁
54 MmLockAddressSpace(AddressSpace)
55
56 if (PBaseAddress 0)
57 {
58 果指定基址直接分配
59 MemoryArea MmLocateMemoryAreaByAddress(AddressSpace BaseAddress)
60
61 if (MemoryArea NULL)
62 {
63 MemoryAreaLength (ULONG_PTR)MemoryArea>EndingAddress
64 (ULONG_PTR)MemoryArea>StartingAddress
65
66 if (MemoryArea>Type MEMORY_AREA_VIRTUAL_MEMORY &&
67 MemoryAreaLength > RegionSize)
68 {
69 类型普通虚存空间合适根参数改变目标区块类型属性
70 Status
71 MmAlterRegion(AddressSpace
72 MemoryArea>StartingAddress
73 &MemoryArea>DataVirtualMemoryDataRegionListHead
74 BaseAddress RegionSize
75 Type Protect MmModifyAttributes)
76 互斥操作结束
77 MmUnlockAddressSpace(AddressSpace)
78 ObDereferenceObject(Process)
79
80 * Give the caller rounded BaseAddress and area length *
81 if (NT_SUCCESS(Status))
82 {
83 *UBaseAddress BaseAddress
84 *URegionSize RegionSize
85 DPRINT(*UBaseAddress x *URegionSize xn BaseAddress RegionSize)
86 }
87 分配成功
88 return(Status)
89 }
90 else if (MemoryAreaLength > RegionSize)
91 {
92 长度符合求区间类型section
93 * Region list initialized *
94 if (MemoryArea>DataSectionDataRegionListHeadFlink)
95 {
96 改变区间类型保护模式
97 Status
98 MmAlterRegion(AddressSpace
99 MemoryArea>StartingAddress
100 &MemoryArea>DataSectionDataRegionListHead
101 BaseAddress RegionSize
102 Type Protect MmModifyAttributes)
103 }
104 else
105 {
106 Status STATUS_ACCESS_VIOLATION
107 }
108
109 MmUnlockAddressSpace(AddressSpace)
110 ObDereferenceObject(Process)
111
112 * Give the caller rounded BaseAddress and area length *
113 if (NT_SUCCESS(Status))
114 {
115 *UBaseAddress BaseAddress
116 *URegionSize RegionSize
117 DPRINT(*UBaseAddress x *URegionSize xn BaseAddress RegionSize)
118 }
119 分配成功
120 return(Status)
121 }
122 else
123 {
124 区间长度够分配失败
125 MmUnlockAddressSpace(AddressSpace)
126 ObDereferenceObject(Process)
127 return(STATUS_UNSUCCESSFUL)
128 }
129 }end if(MemoryArea NULL)
130 }end if(PBaseAddress 0)
131
132 PBaseAddress 0核分配块合适区间
133 Status MmCreateMemoryArea(AddressSpace
134 MEMORY_AREA_VIRTUAL_MEMORY
135 &BaseAddress
136 RegionSize
137 Protect
138 &MemoryArea
139 PBaseAddress 0
140 AllocationType & MEM_TOP_DOWN
141 BoundaryAddressMultiple)
142 if (NT_SUCCESS(Status))
143 {
144 失败
145 MmUnlockAddressSpace(AddressSpace)
146 ObDereferenceObject(Process)
147 return(Status)
148 }
149
150 MemoryAreaLength (ULONG_PTR)MemoryArea>EndingAddress
151 (ULONG_PTR)MemoryArea>StartingAddress
152
153 设置区块类型(刚建立区间中唯区块)
154 MmInitializeRegion(&MemoryArea>DataVirtualMemoryDataRegionListHead
155 MemoryAreaLength Type Protect)
156
157 if ((AllocationType & MEM_COMMIT) &&
158 (Protect & (PAGE_READWRITE | PAGE_EXECUTE_READWRITE)))
159 {
160 const ULONG nPages PAGE_ROUND_UP(MemoryAreaLength) >> PAGE_SHIFT
161 预留页面交换文件中页面
162 MmReserveSwapPages(nPages)
163 }
164
165 *UBaseAddress BaseAddress 返回实际分配址
166 *URegionSize MemoryAreaLength 返回实际分配长度
167
168 MmUnlockAddressSpace(AddressSpace)
169 ObDereferenceObject(Process)
170 return(STATUS_SUCCESS)
171 }
2页面异常
通传递MEM_COMMIT调NtAllocateVirtualMemory成功系统会分配指定虚存区间标志置MEM_COMMIT实际映射物理页面户需访问块已分配区间时会发生页面异常(缺页异常)异常处理中虚存区间建立物理页面映射
样做考虑某情况户求分配空间定会立样物理页面占没意义物理页面映射操作延迟访问时进步提高物理存利率
页面发生异常时核会调异常处理函数MmAccessFault()函数底层异常响应程序调发生某种异常时CPU首先进入相应异常响应程序里根具体情况调处理程序
MmAccessFault代码:
[cpp]view plaincopyprint
172 NTSTATUS
173 NTAPI
174 MmAccessFault(IN BOOLEAN StoreInstruction
175 IN PVOID Address
176 IN KPROCESSOR_MODE Mode
177 IN PVOID TrapInformation)
178 {
179 PMEMORY_AREA MemoryArea
180
181
182
183 StoreInstruction0标示缺页非0标示越权
184 if (StoreInstruction)
185 {
186 * Call access fault * 越权访问引起
187 return MmpAccessFault(Mode (ULONG_PTR)Address TrapInformation FALSE TRUE)
188 }
189 else
190 {
191 * Call not present * 缺页引起(未建立物理页面映射)
192 return MmNotPresentFault(Mode (ULONG_PTR)Address TrapInformation FALSE TRUE)
193 }
194 }
缺页异常处理代码:
[cpp]view plaincopyprint
195 NTSTATUS
196 NTAPI
197 MmNotPresentFault(KPROCESSOR_MODE Mode
198 ULONG_PTR Address
199 BOOLEAN FromMdl)
200 {
201 PMMSUPPORT AddressSpace
202 MEMORY_AREA* MemoryArea
203 NTSTATUS Status
204 BOOLEAN Locked FromMdl
205 extern PMMPTE MmSharedUserDataPte
206
207 if (KeGetCurrentIrql() > DISPATCH_LEVEL)
208 {
209 return(STATUS_UNSUCCESSFUL)
210 }
211
212 if (Address > (ULONG_PTR)MmSystemRangeStart)
213 {
214 异常发生系统空间
215 if (Mode KernelMode)
216 {
217 DPRINT1(Address xn Address)
218 return(STATUS_ACCESS_VIOLATION)
219 }
220 AddressSpace MmGetKernelAddressSpace()
221 }
222 else 异常发生户空间
223 {
224 获取AVL树
225 AddressSpace &PsGetCurrentProcess()>Vm
226 }
227
228 if (FromMdl)
229 {
230 MmLockAddressSpace(AddressSpace)
231 }
232
233 do
234 {
235 AVL树中搜寻异常区间
236 MemoryArea MmLocateMemoryAreaByAddress(AddressSpace (PVOID)Address)
237 if (MemoryArea NULL || MemoryArea>DeleteInProgress)
238 {
239 区间尚未分配正删
240 if (FromMdl)
241 {
242 MmUnlockAddressSpace(AddressSpace)
243 }
244 return (STATUS_ACCESS_VIOLATION)
245 }
246
247 搜索成功根区间类型处理
248 switch (MemoryArea>Type)
249 {
250 case MEMORY_AREA_PAGED_POOL
251 {
252 Status MmCommitPagedPoolAddress((PVOID)Address Locked)
253 break
254 }
255
256 case MEMORY_AREA_SYSTEM
257 Status STATUS_ACCESS_VIOLATION
258 break
259
260 case MEMORY_AREA_SECTION_VIEW
261 Status MmNotPresentFaultSectionView(AddressSpace
262 MemoryArea
263 (PVOID)Address
264 Locked)
265 break
266
267 般虚存区间
268 case MEMORY_AREA_VIRTUAL_MEMORY
269 case MEMORY_AREA_PEB_OR_TEB
270 Status MmNotPresentFaultVirtualMemory(AddressSpace
271 MemoryArea
272 (PVOID)Address
273 Locked)
274 break
275
276 case MEMORY_AREA_SHARED_DATA
277 *MiAddressToPte(USER_SHARED_DATA) *MmSharedUserDataPte
278 Status STATUS_SUCCESS
279 break
280
281 default
282 Status STATUS_ACCESS_VIOLATION
283 break
284 }
285 }
286 while (Status STATUS_MM_RESTART_OPERATION)
287
288 if (FromMdl)
289 {
290 MmUnlockAddressSpace(AddressSpace)
291 }
292 return(Status)
293 }
般虚存区间MmNotPresentFaultVirtualMemory处理函数处理程致:
①MmRequestPageMemoryConsumer申请空闲物理页面
②MmCreateVirtualMapping建立物理页面虚存区块映射
windows核情景分析学笔记10
分类: windows MFC20101023 0939362阅读评(1)收藏举报
1享映射区
户空间映射物理页面通常映射进程户空间
系统空间映射进程享
物理页面映射进程户空间映射虚拟址相样物理页面映射进程虚存空间形成连续区间称享映射区
2享映射区存原
①系统享映射区载入运行exeDLL文件量节约页交换文件空间程序启动时间
②户享映射区访问磁盘数文件避免直接文件进行IO操作文件容进行缓存
③通享映射区台机器进程间享数效率高
3创建享映射区
创建享影射区需执行三步骤:
①创建享映射区象
②分配虚存空间
③建立映射
31创建享映射区象
首先创建享映射区象NtCreateSection
[cpp]view plaincopyprint
1 NtCreateSection (OUT PHANDLE SectionHandle
2 IN ACCESS_MASK DesiredAccess
3 IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL
4 IN PLARGE_INTEGER MaximumSize OPTIONAL
5 IN ULONG SectionPageProtection OPTIONAL
6 IN ULONG AllocationAttributes
7 IN HANDLE FileHandle OPTIONAL)
参数FileHandle创建文件映射区应该首先开文件获取文件句柄填入填入NULL创建享映射区
实现:
[cpp]view plaincopyprint
8 NTSTATUS NTAPI
9 NtCreateSection (OUT PHANDLE SectionHandle
10 IN ACCESS_MASK DesiredAccess
11 IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL
12 IN PLARGE_INTEGER MaximumSize OPTIONAL
13 IN ULONG SectionPageProtection OPTIONAL
14 IN ULONG AllocationAttributes
15 IN HANDLE FileHandle OPTIONAL)
16 {
17 LARGE_INTEGER SafeMaximumSize
18 PVOID SectionObject
19 KPROCESSOR_MODE PreviousMode
20 NTSTATUS Status
21
22 Status MmCreateSection(&SectionObject
23 DesiredAccess
24 ObjectAttributes
25 MaximumSize
26 SectionPageProtection
27 AllocationAttributes
28 FileHandle
29 NULL)
30
31 return Status
32 }
显然函数体MmCreateSection
实现:
[cpp]view plaincopyprint
33 NTSTATUS NTAPI
34 MmCreateSection (OUT PVOID * Section
35 IN ACCESS_MASK DesiredAccess
36 IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL
37 IN PLARGE_INTEGER MaximumSize
38 IN ULONG SectionPageProtection
39 IN ULONG AllocationAttributes
40 IN HANDLE FileHandle OPTIONAL
41 IN PFILE_OBJECT File OPTIONAL)
42 {
43 ULONG Protection
44 PROS_SECTION_OBJECT *SectionObject (PROS_SECTION_OBJECT *)Section
45 *
46 * Check the protection
47 *
48 Protection SectionPageProtection & ~(PAGE_GUARD|PAGE_NOCACHE)
49 if (Protection PAGE_READONLY &&
50 Protection PAGE_READWRITE &&
51 Protection PAGE_WRITECOPY &&
52 Protection PAGE_EXECUTE &&
53 Protection PAGE_EXECUTE_READ &&
54 Protection PAGE_EXECUTE_READWRITE &&
55 Protection PAGE_EXECUTE_WRITECOPY)
56 {
57 return STATUS_INVALID_PAGE_PROTECTION
58 }
59 执行文件
60 if (AllocationAttributes & SEC_IMAGE)
61 {
62 return(MmCreateImageSection(SectionObject
63 DesiredAccess
64 ObjectAttributes
65 MaximumSize
66 SectionPageProtection
67 AllocationAttributes
68 FileHandle))
69 }
70 普通数文件
71 if (FileHandle NULL)
72 {
73 return(MmCreateDataFileSection(SectionObject
74 DesiredAccess
75 ObjectAttributes
76 MaximumSize
77 SectionPageProtection
78 AllocationAttributes
79 FileHandle))
80 }
81 享映射区(没文件句柄)
82 return(MmCreatePageFileSection(SectionObject
83 DesiredAccess
84 ObjectAttributes
85 MaximumSize
86 SectionPageProtection
87 AllocationAttributes))
88 }
函数开始进行页面保护模式合理性检查检查根目标文件性质进行处理:
①果执行文件通MmCreateImageSection处理执行文件着特殊结构做特例处理
②果普通数文件MmCreateDataFileSection创建文件映射区
③果没定目标文件创建享存区(实页面交换文件目标文件)
MmCreateDataFileSection例分析创建文件映射区程
函数中做件事情:
①创建映射区象ObCreateObject完成
②获取数文件象ObReferenceObjectByHandle完成获取数文件FILE_OBJECT结构指针
③构造映射段MM_SECTION_SEGMENT数结构(ExAllocatePoolWithTag完成)映射区象数文件象中相关指针指映射段
④映射区象中FileObject字段指数文件象
关键代码:
[csharp]view plaincopyprint
89 NTSTATUS
90 NTAPI
91 MmCreateDataFileSection(PROS_SECTION_OBJECT *SectionObject
92 ACCESS_MASK DesiredAccess
93 POBJECT_ATTRIBUTES ObjectAttributes
94 PLARGE_INTEGER UMaximumSize
95 ULONG SectionPageProtection
96 ULONG AllocationAttributes
97 HANDLE FileHandle)
98 {
99 PROS_SECTION_OBJECT Section
100 NTSTATUS Status
101 LARGE_INTEGER MaximumSize
102 PFILE_OBJECT FileObject
103 PMM_SECTION_SEGMENT Segment
104 ULONG FileAccess
105 IO_STATUS_BLOCK Iosb
106 LARGE_INTEGER Offset
107 CHAR Buffer
108 FILE_STANDARD_INFORMATION FileInfo
109 *
110 * 创建映射区象Section
111 *
112 Status ObCreateObject(ExGetPreviousMode()
113 MmSectionObjectType
114 ObjectAttributes
115 ExGetPreviousMode()
116 NULL
117 sizeof(ROS_SECTION_OBJECT)
118 0
119 0
120 (PVOID*)(PVOID)&Section)
121 *
122 * 初始化映射区象Section
123 *
124 RtlZeroMemory(Section sizeof(ROS_SECTION_OBJECT))
125 Section>SectionPageProtection SectionPageProtection
126 Section>AllocationAttributes AllocationAttributes
127
128 *
129 * 获取数文件象FileObject
130 *
131 Status ObReferenceObjectByHandle(FileHandle
132 FileAccess
133 IoFileObjectType
134 ExGetPreviousMode()
135 (PVOID*)(PVOID)&FileObject
136 NULL)
137
138 * 果数文件前尚未作文件映射区盾
139 * 构造映射段MM_SECTION_SEGMENT结构
140 *
141 if (FileObject>SectionObjectPointer>DataSectionObject NULL)
142 {
143 Segment ExAllocatePoolWithTag(NonPagedPool sizeof(MM_SECTION_SEGMENT)
144 TAG_MM_SECTION_SEGMENT)
145 映射区象中相关指针指映射段
146 Section>Segment Segment
147 Segment>ReferenceCount 1
148 ExInitializeFastMutex(&Segment>Lock)
149 *
150 * Set the lock before assigning the segment to the file object
151 *
152 ExAcquireFastMutex(&Segment>Lock)
153 数文件象中相关指针指映射段
154 FileObject>SectionObjectPointer>DataSectionObject (PVOID)Segment
155 映射段初始化
156 Segment>FileOffset 0
157 Segment>Protection SectionPageProtection
158 Segment>Flags MM_DATAFILE_SEGMENT
159 Segment>Characteristics 0
160 Segment>WriteCopy FALSE
161 if (AllocationAttributes & SEC_RESERVE)
162 {
163 Segment>Length Segment>RawLength 0
164 }
165 else
166 {
167 Segment>RawLength MaximumSizeuLowPart
168 Segment>Length PAGE_ROUND_UP(Segment>RawLength)
169 }
170 Segment>VirtualAddress 0
171 RtlZeroMemory(&Segment>PageDirectory sizeof(SECTION_PAGE_DIRECTORY))
172 }
173 else
174 {
175 果数文件已映射某映射段需扩展映射段(果需)
176 Segment
177 (PMM_SECTION_SEGMENT)FileObject>SectionObjectPointer>
178 DataSectionObject
179 Section>Segment Segment
180 (void)InterlockedIncrementUL(&Segment>ReferenceCount)
181 MmLockSectionSegment(Segment)
182 if (MaximumSizeuLowPart > Segment>RawLength &&
183 (AllocationAttributes & SEC_RESERVE))
184 {
185 Segment>RawLength MaximumSizeuLowPart
186 Segment>Length PAGE_ROUND_UP(Segment>RawLength)
187 }
188 }
189 MmUnlockSectionSegment(Segment)
190 映射区象中FileObject字段指数文件象
191 Section>FileObject FileObject
192 Section>MaximumSize MaximumSize
193 CcRosReferenceCache(FileObject)
194 *SectionObject Section
195 return(STATUS_SUCCESS)
196 }
32 映射区映射段区
映射区映射段组成映射执行文件文件身分段例代码段数段等映射区分成干映射段映射数文件映射段
映射区象结构
[cpp]view plaincopyprint
197 typedef struct _ROS_SECTION_OBJECT
198 {
199 CSHORT Type
200 CSHORT Size
201 LARGE_INTEGER MaximumSize
202 ULONG SectionPageProtection
203 ULONG AllocationAttributes
204 PFILE_OBJECT FileObject 指文件象
205 union
206 {
207 PMM_IMAGE_SECTION_OBJECT ImageSection 执行文件
208 PMM_SECTION_SEGMENT Segment 数文件(单映射段)
209 }
210 } ROS_SECTION_OBJECT *PROS_SECTION_OBJECT
映射段象结构
[cpp]view plaincopyprint
211 typedef struct _MM_SECTION_SEGMENT
212 {
213 LONG FileOffset * 映射段起点应文件部位移*
214 ULONG_PTR VirtualAddress * Start offset into the address range for image sections *
215 ULONG RawLength * length of the segment which is part of the mapped file *
216 ULONG Length * absolute length of the segment *
217 ULONG Protection
218 FAST_MUTEX Lock * lock which protects the page directory *
219 ULONG ReferenceCount
220 SECTION_PAGE_DIRECTORY PageDirectory 页面目录(指映射段页面表)
221 ULONG Flags
222 ULONG Characteristics
223 BOOLEAN WriteCopy
224 } MM_SECTION_SEGMENT *PMM_SECTION_SEGMENT
33分配虚存空间建立映射
时映射区象建立完毕未实际建立映射实际映射通系统调NtMapViewOfSection完成
系统调作映射区象部分全部映射某进程户空间
数文件终调MmMapViewOfSegment(数文件段)
[cpp]view plaincopyprint
225 static NTSTATUS
226 MmMapViewOfSegment(PMMSUPPORT AddressSpace
227 PROS_SECTION_OBJECT Section
228 PMM_SECTION_SEGMENT Segment
229 PVOID* BaseAddress
230 SIZE_T ViewSize
231 ULONG Protect
232 ULONG ViewOffset
233 ULONG AllocationType)
234 {
235 PMEMORY_AREA MArea
236 NTSTATUS Status
237 PHYSICAL_ADDRESS BoundaryAddressMultiple
238
239 BoundaryAddressMultipleQuadPart 0
240
241 Status MmCreateMemoryArea(AddressSpace
242 MEMORY_AREA_SECTION_VIEW
243 BaseAddress
244 ViewSize
245 Protect
246 &MArea
247 FALSE
248 AllocationType
249 BoundaryAddressMultiple)
250 if (NT_SUCCESS(Status))
251 {
252 return(Status)
253 }
254
255 ObReferenceObject((PVOID)Section)
256
257 MArea>DataSectionDataSegment Segment
258 MArea>DataSectionDataSection Section
259 MArea>DataSectionDataViewOffset ViewOffset
260 MArea>DataSectionDataWriteCopyView FALSE
261 MmInitializeRegion(&MArea>DataSectionDataRegionListHead
262 ViewSize 0 Protect)
263
264 return(STATUS_SUCCESS)
265 }
函数简单申请块虚存空间应MEMORY_AREA结构分量设置成指映射区完事
windows核情景分析学笔记11
分类: windows MFC20101025 1945373阅读评(1)收藏举报
1windows进程线程相关函数
win32API中创建进程CreateProcess函数
CreateProcess完成两件事:
①NtCreateProcess创建进程
②果NtCreateProcess成功NtCreateThread创建进程第线程(线程)
声明:
[cpp]view plaincopyprint
1 NTSTATUS
2 NTAPI
3 NtCreateProcess(OUT PHANDLE ProcessHandle 返回进程句柄(前进程中)
4 IN ACCESS_MASK DesiredAccess 进程访问权限
5 IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL 执行执行文件路径名
6 IN HANDLE ParentProcess 指定进程父进程
7 IN BOOLEAN InheritObjectTable 否继承父进程象句柄表
8 IN HANDLE SectionHandle OPTIONAL
9 IN HANDLE DebugPort OPTIONAL
10 IN HANDLE ExceptionPort OPTIONAL)
[cpp]view plaincopyprint
11 NTSTATUS
12 NTAPI
13 NtCreateThread(OUT PHANDLE ThreadHandle 返回线程句柄
14 IN ACCESS_MASK DesiredAccess 访问权限
15 IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL
16 IN HANDLE ProcessHandle 指定线程属进程
17 OUT PCLIENT_ID ClientId
18 IN PCONTEXT ThreadContext 寄存器值(运行文)
19 IN PINITIAL_TEB InitialTeb 线程环境块
20 IN BOOLEAN CreateSuspended) 线程创建否挂起(立刻运行)
CreateProcessAPI提供CreateThread创建线程函数系统调NtCreateThread
2windows进程相关数结构
系统空间中:
①EPROCESS:理层 进程控制块代表着windows进程
②KPROCESS:核心层 进程控制块EPROCESS分量
③W32PROCESS:窗口进程独
KPROCESS隶属EPROCESS核中进程相关数结构两种EPROCESSW32PROCESS前者进程者窗口进程(通窗口户交互)
户空间中:
①进程环境块PEB:PEB记录进程运行参数映装入址等位置处0x7ffdf000
面定义:
EPROCESS(部分):
[csharp]view plaincopyprint
21 typedef struct _EPROCESS
22 {
23 KPROCESS Pcb 进程KPROCESS
24
25 PHANDLE_TABLE ObjectTable 象句柄表
26
27 PVOID *Win32Process 指进程W32PROCESS结构
28 struct _EJOB *Job
29 PVOID SectionObject 指执行程序创建文件映射区象
30 PVOID SectionBaseAddress
31
32 PVOID DeviceMap 指进程磁盘设备位图
33
34 CHAR ImageFileName[16] 程序文件名
35 LIST_ENTRY JobLinks
36 PVOID LockedPagesList
37 LIST_ENTRY ThreadListHead 进程线程队列
38
39 ACCESS_MASK GrantedAccess 允许访问方式
40
41 struct _PEB* Peb 指户空间PEB
42
43 UCHAR PriorityClass 优先级
44 MM_AVL_TABLE VadRoot 进程户空间AVL树
45 ULONG Cookie
46 } EPROCESS
KPROCESS(部分)
[cpp]view plaincopyprint
47 typedef struct _KPROCESS
48 {
49 DISPATCHER_HEADER Header
50 LIST_ENTRY ProfileListHead
51 ULONG DirectoryTableBase 进程页面映射表物理址
52
53 LIST_ENTRY ReadyListHead 进程绪线程队列
54 SINGLE_LIST_ENTRY SwapListEntry
55 PVOID VdmTrapcHandler
56 LIST_ENTRY ThreadListHead 进程线程队列(节点KTHREAD)
57 KSPIN_LOCK ProcessLock
58
59 SCHAR BasePriority 线程优先级
60
61 ULONG StackCount
62 LIST_ENTRY ProcessListEntry 挂入核进程队列
63 } KPROCESS
PEB(部分):
[cpp]view plaincopyprint
64 typedef struct _PEB
65 {
66 BOOLEAN InheritedAddressSpace
67 BOOLEAN ReadImageFileExecOptions
68 BOOLEAN BeingDebugged
69
70 HANDLE Mutant
71 PVOID ImageBaseAddress 程序镜起点
72 PPEB_LDR_DATA Ldr
73 struct _RTL_USER_PROCESS_PARAMETERS *ProcessParameters 指进程参数块(中参数信息前文件目录等)
74
75 PVOID FastPebLock
76 PPEBLOCKROUTINE FastPebLockRoutine
77 PPEBLOCKROUTINE FastPebUnlockRoutine
78 ULONG EnvironmentUpdateCount
79 PVOID* KernelCallbackTable 核回调户空间函数
80 PVOID EventLogSection
81 PVOID EventLog
82
83 } PEB *PPEB
3windows线程相关数结构
进程数结构应线程ETHREADKTHREADW32THREADTEB
ETHREAD:
[cpp]view plaincopyprint
84 typedef struct _ETHREAD
85 {
86 KTHREAD Tcb 线程KTHREAD结构
87
88 LIST_ENTRY ThreadListEntry 挂入EPROCESS中线程队列
89
90 } ETHREAD
KTHREAD
[cppnogutter]view plaincopyprint
91 typedef struct _KTHREAD
92 {
93 DISPATCHER_HEADER DispatcherHeader
94
95 PVOID KernelStack 线程系统空间堆栈
96 KSPIN_LOCK ThreadLock
97 union
98 {
99 KAPC_STATE ApcState 线程ACP状态
100
101 }
102
103 struct _TEB *Teb 户空间线程环境块(TEB)
104
105 PKTRAP_FRAME TrapFrame 系统空间堆栈陷框架
106
107 struct _KPROCESS *Process 属进程KPROCESS结构
108
109 PVOID Win32Thread 指线程W32THREAD结构
110 PVOID StackBase
111
112 LIST_ENTRY ThreadListEntry 挂入KPROCESS中线程队列
113
114 } KTHREAD
windows核情景分析学笔记12
分类: windows MFC20101025 1957298阅读评(0)收藏举报
1windows进程户空间
windows户空间系统空间分界线0x80000000
应软件户空间访问高址0x7ffeffff0x7fff0000访问分界线留64KB隔离区
应软件户空间访问低址0x000100000开始64KB访问
特殊空间:
系统空间0xffdf0000处存放着_KUSER_SHARED_DATA结构(4KB)结构进程享结构字段系统信息NtSystemRoot字段存放系统根目录路径名
户空间中格局安排:
户空间创建格局核函数MmInitializeProcessAddressSpace()实现
[cpp]view plaincopyprint
1 NtCreateProcess>NtCreateProcessEx>PspCreateProcess>MmInitializeProcessAddressSpace
2
3 NTSTATUS
4 NTAPI
5 MmInitializeProcessAddressSpace(IN PEPROCESS Process
6 IN PEPROCESS ProcessClone OPTIONAL
7 IN PVOID Section OPTIONAL
8 IN OUT PULONG Flags
9 IN POBJECT_NAME_INFORMATION *AuditName OPTIONAL)
10 {
11 NTSTATUS Status
12 PMMSUPPORT ProcessAddressSpace &Process>Vm
13 PVOID BaseAddress
14 PMEMORY_AREA MemoryArea
15 PHYSICAL_ADDRESS BoundaryAddressMultiple
16 SIZE_T ViewSize 0
17 PVOID ImageBase 0
18 PROS_SECTION_OBJECT SectionObject Section
19 BoundaryAddressMultipleQuadPart 0
20
21 初始化户空间设置禁区
22 * Initialize the Addresss Space lock *
23 KeInitializeGuardedMutex(&Process>AddressCreationLock)
24 Process>VmWorkingSetExpansionLinksFlink NULL
25
26 * Initialize AVL tree *
27 ASSERT(Process>VadRootNumberGenericTableElements 0)
28 Process>VadRootBalancedRootu1Parent &Process>VadRootBalancedRoot
29
30 * Acquire the Lock *
31 MmLockAddressSpace(ProcessAddressSpace)
32
33 * Protect the highest 64KB of the process address space *
34 BaseAddress (PVOID)MmUserProbeAddress MmSystemRangeStart0x10000
35 Status MmCreateMemoryArea(ProcessAddressSpace
36 MEMORY_AREA_NO_ACCESS
37 &BaseAddress
38 0x10000
39 PAGE_NOACCESS 禁止访问
40 &MemoryArea
41 FALSE
42 0
43 BoundaryAddressMultiple)
44 if (NT_SUCCESS(Status))
45 {
46 goto exit
47 }
48
49 * Protect the 60KB above the shared user page *
50 BaseAddress (char*)USER_SHARED_DATA + PAGE_SIZE 0x7FFE0000+0x1000
51 Status MmCreateMemoryArea(ProcessAddressSpace
52 MEMORY_AREA_NO_ACCESS
53 &BaseAddress
54 0x10000 PAGE_SIZE 0x100000x1000
55 PAGE_NOACCESS 禁止访问
56 &MemoryArea
57 FALSE
58 0
59 BoundaryAddressMultiple)
60 if (NT_SUCCESS(Status))
61 {
62 goto exit
63 }
64
65 * Create the shared data page *
66 BaseAddress (PVOID)USER_SHARED_DATA 0x7FFE0000
67 Status MmCreateMemoryArea(ProcessAddressSpace
68 MEMORY_AREA_SHARED_DATA
69 &BaseAddress
70 PAGE_SIZE 0x1000(4K)
71 PAGE_EXECUTE_READ 读执行
72 &MemoryArea
73 FALSE
74 0
75 BoundaryAddressMultiple)
76 if (NT_SUCCESS(Status))
77 {
78 goto exit
79 }
80
81 * The process now has an address space *
82 Process>HasAddressSpace TRUE
83
84 开始分配户空间
85 * Check if there's a Section Object *
86 if (SectionObject)
87 {已建立执行文件文件映射区
88 UNICODE_STRING FileName
89 PWCHAR szSrc
90 PCHAR szDest
91 USHORT lnFName 0
92
93 * Unlock the Address Space *
94 执行文件分配虚存空间建立映射
95 MmUnlockAddressSpace(ProcessAddressSpace)
96 Status MmMapViewOfSection(Section
97 (PEPROCESS)Process
98 (PVOID*)&ImageBase
99 0
100 0
101 NULL
102 &ViewSize
103 0
104 MEM_COMMIT
105 PAGE_READWRITE)
106 if (NT_SUCCESS(Status))
107 {
108 return Status
109 }
110
111 * Save the pointer *
112 Process>SectionBaseAddress ImageBase 指执行文件起点
113
114 * Determine the image file name and save it to EPROCESS *
115 Getting Image name
116 FileName SectionObject>FileObject>FileName
117 szSrc (PWCHAR)((PCHAR)FileNameBuffer + FileNameLength)
118 if (FileNameBuffer)
119 {
120 * Loop the file name*
121 while (szSrc > FileNameBuffer)
122 {
123 * Make sure this isn't a backslash *
124 if (*szSrc OBJ_NAME_PATH_SEPARATOR)
125 {
126 * If so stop it here *
127 szSrc++
128 break
129 }
130 else
131 {
132 * Otherwise keep going *
133 lnFName++
134 }
135 }
136 }
137
138 * Copy the to the process and truncate it to 15 characters if necessary *
139 szDest Process>ImageFileName
140 lnFName min(lnFName sizeof(Process>ImageFileName) 1)
141 while (lnFName) *szDest++ (UCHAR)*szSrc++
142 *szDest ANSI_NULL
143
144 * Check if caller wants an audit name *
145 if (AuditName)
146 {
147 * Setup the audit name *
148 SeInitializeProcessAuditName(SectionObject>FileObject
149 FALSE
150 AuditName)
151 }
152
153 * Return status to caller *
154 return Status
155 }
156
157 exit
158 * Unlock the Address Space *
159 DPRINT(Unlockingn)
160 MmUnlockAddressSpace(ProcessAddressSpace)
161
162 * Return status to caller *
163 return Status
164 }
EXE文件DLL装入映射户空间中ntdlldll特殊DLL核初始化时候系统创建文件映射区象全局指针PspSystemDllSection指该象数结构
MmInitializeProcessAddressSpacePspMapSystemDll建立ntdlldll映射
[cpp]view plaincopyprint
165 NtCreateProcess>NtCreateProcessEx>PspCreateProcess>PspMapSystemDll
166 NTSTATUS
167 NTAPI
168 PspMapSystemDll(IN PEPROCESS Process
169 IN PVOID *DllBase
170 IN BOOLEAN UseLargePages)
171 {
172 NTSTATUS Status
173 LARGE_INTEGER Offset {{0 0}}
174 SIZE_T ViewSize 0
175 PVOID ImageBase 0
176
177 * Map the System DLL *
178 Status MmMapViewOfSection(PspSystemDllSection ntdlldll
179 Process
180 (PVOID*)&ImageBase
181 0
182 0
183 &Offset
184 &ViewSize
185 ViewShare
186 0
187 PAGE_READWRITE)
188 if (Status STATUS_SUCCESS)
189 {
190 * Normalize status code *
191 Status STATUS_CONFLICTING_ADDRESSES
192 }
193
194 * Write the image base and return status *
195 if (DllBase) *DllBase ImageBase
196 return Status
197 }
进程环境块PEB建立MmCreatePeb完成
[cpp]view plaincopyprint
198 NtCreateProcess>NtCreateProcessEx>PspCreateProcess>MmCreatePeb
199 NTSTATUS
200 NTAPI
201 MmCreatePeb(IN PEPROCESS Process
202 IN PINITIAL_PEB InitialPeb
203 OUT PPEB *BasePeb)
204 {
205 PPEB Peb NULL
206 LARGE_INTEGER SectionOffset
207 SIZE_T ViewSize 0
208 PVOID TableBase NULL
209 PIMAGE_NT_HEADERS NtHeaders
210 PIMAGE_LOAD_CONFIG_DIRECTORY ImageConfigData
211 NTSTATUS Status
212 USHORT Characteristics
213 KAFFINITY ProcessAffinityMask 0
214 SectionOffsetQuadPart (ULONGLONG)0
215 *BasePeb NULL
216
217 Attach to Process
218 挂新进程
219 KeAttachProcess(&Process>Pcb)
220
221 Allocate the PEB
222 址MM_HIGHEST_USER_ADDRESS (16 * PAGE_SIZE)+1
223 0x7ffeffff(16 * PAGE_SIZE)+1
224 0x7ffdffff+1
225 0x7ffe0000
226 0x7ffe0000取0x1000区间存放peb
227 peb首址0x7FFDF0000x1000
228 Peb MiCreatePebOrTeb(Process
229 (PVOID)((ULONG_PTR)MM_HIGHEST_VAD_ADDRESS + 1))
230 ASSERT(Peb (PVOID)0x7FFDF000)
231
232
233
234 Use SEH in case we can't load the PEB
235 _SEH2_TRY
236 {
237 Initialize the PEB
238 RtlZeroMemory(Peb sizeof(PEB))
239
240 Set up data
241 Peb>ImageBaseAddress Process>SectionBaseAddress
242 Peb>InheritedAddressSpace InitialPeb>InheritedAddressSpace
243 Peb>Mutant InitialPeb>Mutant
244 Peb>ImageUsesLargePages InitialPeb>ImageUsesLargePages
245
246 NLS
247 Peb>AnsiCodePageData (PCHAR)TableBase + ExpAnsiCodePageDataOffset
248 Peb>OemCodePageData (PCHAR)TableBase + ExpOemCodePageDataOffset
249 Peb>UnicodeCaseTableData (PCHAR)TableBase + ExpUnicodeCaseTableDataOffset
250
251 Default Version Data (could get changed below)
252 Peb>OSMajorVersion NtMajorVersion
253 Peb>OSMinorVersion NtMinorVersion
254 Peb>OSBuildNumber (USHORT)(NtBuildNumber & 0x3FFF)
255 Peb>OSPlatformId 2 * VER_PLATFORM_WIN32_NT *
256 Peb>OSCSDVersion (USHORT)CmNtCSDVersion
257
258 Heap and Debug Data
259 Peb>NumberOfProcessors KeNumberProcessors
260 Peb>BeingDebugged (BOOLEAN)(Process>DebugPort NULL TRUE FALSE)
261 Peb>NtGlobalFlag NtGlobalFlag
262 Peb>MaximumNumberOfHeaps (PAGE_SIZE sizeof(PEB)) sizeof(PVOID) peb身剩余空间存储堆指针数组堆数量算出
263 Peb>ProcessHeaps (PVOID*)(Peb + 1) 指堆指针数组起点
264
265 Session ID
266 if (Process>Session) Peb>SessionId 0 MmGetSessionId(Process)
267 }
268 _SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER)
269 {
270 Fail
271 KeDetachProcess()
272 _SEH2_YIELD(return _SEH2_GetExceptionCode())
273 }
274 _SEH2_END
275
276
277
278 Detach from the Process
279 KeDetachProcess()
280 *BasePeb Peb
281 return STATUS_SUCCESS
282 }
文档香网(httpswwwxiangdangnet)户传
《香当网》用户分享的内容,不代表《香当网》观点或立场,请自行判断内容的真实性和可靠性!
该内容是文档的文本内容,更好的格式请下载文档