Analysis of nt!MiSessionAddProcess and its relationship to the nt!MmSessionSpace global variable
Part 1:
1: kd> g
Breakpoint 42 hit
nt!MiSessionAddProcess:
80ab2fbe 55 push ebp
1: kd> kc
#
00 nt!MiSessionAddProcess
01 nt!MmCreateProcessAddressSpace
02 nt!PspCreateProcess
03 nt!NtCreateProcessEx
04 nt!_KiSystemService
05 SharedUserData!SystemCallStub
06 ntdll!NtCreateProcessEx
07 kernel32!CreateProcessInternalW
08 kernel32!CreateProcessW
09 winlogon!StartSystemProcess
0a winlogon!ExecSystemProcesses
0b winlogon!WinMain
0c winlogon!WinMainCRTStartup
#define SESSION_GLOBAL(_Session) (_Session->GlobalVirtualAddress)
Part 2:
1: kd> x nt!MmSessionSpace
80bf0048 nt!MmSessionSpace = 0xbf7f0000
1: kd> dx -r1 ((ntkrnlmp!_MM_SESSION_SPACE *)0xbf7f0000)
((ntkrnlmp!_MM_SESSION_SPACE *)0xbf7f0000) : 0xbf7f0000 [Type: _MM_SESSION_SPACE *]
[+0x000] GlobalVirtualAddress : 0xf79b1000 [Type: _MM_SESSION_SPACE *]
0xf79b1000
1: kd> dx -r1 ((ntkrnlmp!_MM_SESSION_SPACE *)0xbf7f0000)
((ntkrnlmp!_MM_SESSION_SPACE *)0xbf7f0000) : 0xbf7f0000 [Type: _MM_SESSION_SPACE *]
[+0x000] GlobalVirtualAddress : 0xf79b1000 [Type: _MM_SESSION_SPACE *]
[+0x004] ReferenceCount : 0x2 [Type: unsigned long]
[+0x008] u [Type: __unnamed]
[+0x00c] SessionId : 0x0 [Type: unsigned long]
[+0x010] ProcessList [Type: _LIST_ENTRY]
[+0x018] LastProcessSwappedOutTime : {0} [Type: _LARGE_INTEGER]
[+0x020] SessionPageDirectoryIndex : 0x7b44e [Type: unsigned long]
[+0x024] NonPagablePages : 0x10 [Type: unsigned long]
[+0x028] CommittedPages : 0x3e [Type: unsigned long]
[+0x02c] PagedPoolStart : 0xbc000000 [Type: void *]
[+0x030] PagedPoolEnd : 0xbc3fffff [Type: void *]
[+0x034] PagedPoolBasePde : 0xc0300bc0 [Type: _MMPTE *]
[+0x038] Color : 0x37 [Type: unsigned long]
[+0x03c] ProcessOutSwapCount : 0x0 [Type: unsigned long]
[+0x040] SessionPoolAllocationFailures [Type: unsigned long [4]]
[+0x050] ImageList [Type: _LIST_ENTRY]
[+0x058] LocaleId : 0x409 [Type: unsigned long]
[+0x05c] AttachCount : 0x0 [Type: unsigned long]
[+0x060] AttachEvent [Type: _KEVENT]
[+0x070] LastProcess : 0x0 [Type: _EPROCESS *]
[+0x074] ProcessReferenceToSession : 2 [Type: long]
[+0x078] WsListEntry [Type: _LIST_ENTRY]
[+0x080] Lookaside [Type: _GENERAL_LOOKASIDE [26]]
[+0xd80] Session [Type: _MMSESSION]
[+0xdc0] PagedPoolMutex [Type: _KGUARDED_MUTEX]
[+0xde0] PagedPoolInfo [Type: _MM_PAGED_POOL_INFO]
[+0xe00] Vm [Type: _MMSUPPORT]
[+0xe60] Wsle : 0xbf400038 [Type: _MMWSLE *]
[+0xe64] Win32KDriverUnload : 0xbf8aaad0 [Type: void (*)(_DRIVER_OBJECT *)]
[+0xe68] PagedPool [Type: _POOL_DESCRIPTOR]
[+0x1e98] PageTables : 0x89579e00 [Type: _MMPTE *]
[+0x1e9c] ImageLoadingCount : 0 [Type: long]
[+0x1ea0] Debug [Type: unsigned long [56]]
[+0x1f80] Debug2 [Type: _MM_SESSION_MEMORY_COUNTERS [8]]
Part 3:
1: kd> dt nt!MmSessionPoolSize
0x400000
1: kd> dt nt!MiSessionPoolStart
0xbc000000
1: kd> dt nt!MiSessionViewStart
0xbc400000
1: kd> lm
start end module name
bf800000 bfa9a000 win32k (private pdb symbols) j:\retail-checked\sys\win32k.pdb
1: kd> dt nt!MiSessionImageStart
0xbf800000
BOOLEAN
MmInitSystem (
    IN ULONG Phase,
    IN PLOADER_PARAMETER_BLOCK LoaderBlock
    )
{
    //
    // Initialize some global session variables.
    //
    // MM_SESSION_SPACE is placed MI_SESSION_SPACE_STRUCT_SIZE (64KB) below the
    // start of the session image area, which occupies the top of session space.
    //
    MmSessionSpace = (PMM_SESSION_SPACE)((ULONG_PTR)MmSessionBase + MmSessionSize -
                                         MmSessionImageSize - MI_SESSION_SPACE_STRUCT_SIZE);
    //
    // With this target's values: 0xbc000000 + 0x4000000 - 0x800000 - 0x10000 = 0xbf7f0000
    //
    // ... (remainder of the function not shown)
}
1: kd> dt nt!MmSessionBase
0xbc000000
1: kd> dt nt!MmSessionSize
0x4000000
1: kd> dt nt!MmSessionImageSize
0x800000
#define MI_SESSION_SPACE_STRUCT_SIZE MM_ALLOCATION_GRANULARITY
#define MM_ALLOCATION_GRANULARITY ((ULONG)0x10000)
Virtual memory layout of session space when loaded down from 0xC0000000.
Note that the sizes of mapped views, paged pool and images are registry
tunable on 32-bit systems (if NOT booted /3GB, as 3GB has very limited
address space).
         +------------------------------------+
C0000000 |                                    |
         | win32k.sys, video drivers and any  |
         | rebased NT4 printer drivers.       |
         |                                    |
         | (8MB)                              |
         |                                    |
         +------------------------------------+
BF800000 |                                    |
         | MM_SESSION_SPACE & Session WSLs    |
         | (4MB)                              |
         |                                    |
         +------------------------------------+
BF400000 |                                    |
         | Mapped views for this session      |
         | (20MB by default, but is           |
         | registry configurable)             |
         |                                    |
         +------------------------------------+
BE000000 |                                    |
         | Paged pool for this session        |
         | (16MB by default, but is           |
         | registry configurable)             |
         |                                    |
BD000000 +------------------------------------+
Part 4: after the function returns
Note that both neighbours of the list head link back to 0xf79b1010, i.e. ProcessList (+0x010) inside the GlobalVirtualAddress alias 0xf79b1000, not to the session-local 0xbf7f0010 at which the head was read; this is the SESSION_GLOBAL(_Session) relationship shown in Part 1.
1: kd> dx -r1 (*((ntkrnlmp!_LIST_ENTRY *)0xbf7f0010))
(*((ntkrnlmp!_LIST_ENTRY *)0xbf7f0010)) [Type: _LIST_ENTRY]
[+0x000] Flink : 0x895ea304 [Type: _LIST_ENTRY *]
[+0x004] Blink : 0x89544304 [Type: _LIST_ENTRY *]
1: kd> dx -r1 ((ntkrnlmp!_LIST_ENTRY *)0x895ea304)
((ntkrnlmp!_LIST_ENTRY *)0x895ea304) : 0x895ea304 [Type: _LIST_ENTRY *]
[+0x000] Flink : 0x895140d4 [Type: _LIST_ENTRY *]
[+0x004] Blink : 0xf79b1010 [Type: _LIST_ENTRY *]
1: kd> dx -r1 ((ntkrnlmp!_LIST_ENTRY *)0x89544304)
((ntkrnlmp!_LIST_ENTRY *)0x89544304) : 0x89544304 [Type: _LIST_ENTRY *]
[+0x000] Flink : 0xf79b1010 [Type: _LIST_ENTRY *]
[+0x004] Blink : 0x895140d4 [Type: _LIST_ENTRY *]
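Added example in C (not from the debugging session above or from the WRK source) that reproduces the Part 3 layout arithmetic and checks the Part 4 list pointers against it; the constants and the three list entries are copied from the dumps on this page, and the helper names are my own.

```c
#include <stdint.h>
/* Globals as dumped on this page's target (Parts 2 and 3). */
#define MM_SESSION_BASE              0xbc000000u
#define MM_SESSION_SIZE              0x04000000u
#define MM_SESSION_IMAGE_SIZE        0x00800000u
#define MM_SESSION_POOL_SIZE         0x00400000u
#define MI_SESSION_SPACE_STRUCT_SIZE 0x00010000u  /* MM_ALLOCATION_GRANULARITY */
#define GLOBAL_VIRTUAL_ADDRESS       0xf79b1000u  /* _MM_SESSION_SPACE.GlobalVirtualAddress */
#define PROCESS_LIST_OFFSET          0x10u        /* _MM_SESSION_SPACE.ProcessList */

struct session_layout { uint32_t pool_start, view_start, image_start, session_space; };

/* Same arithmetic as MmInitSystem: pool at the base, views after the pool, images at
 * the top, and MM_SESSION_SPACE one 64KB granule below the images. */
struct session_layout compute_layout(void)
{
    struct session_layout l;
    l.pool_start    = MM_SESSION_BASE;
    l.view_start    = l.pool_start + MM_SESSION_POOL_SIZE;
    l.image_start   = MM_SESSION_BASE + MM_SESSION_SIZE - MM_SESSION_IMAGE_SIZE;
    l.session_space = l.image_start - MI_SESSION_SPACE_STRUCT_SIZE;
    return l;
}

/* SESSION_GLOBAL() applied to a field address: the session-private mapping at
 * MmSessionSpace and the system-wide alias at GlobalVirtualAddress cover the same
 * structure, so a field keeps its offset; cross-session links carry the alias. */
uint32_t session_global(uint32_t local_addr)
{
    return GLOBAL_VIRTUAL_ADDRESS + (local_addr - compute_layout().session_space);
}

/* A _LIST_ENTRY as printed by dx in Part 4: address, Flink, Blink. */
struct list_entry_dump { uint32_t addr, flink, blink; };
/* Verifies the ring captured after MiSessionAddProcess returned: both neighbours of
 * the head must link back to ProcessList through its global alias, and they must
 * share the same middle entry. Returns 1 when consistent, 0 otherwise. */
int part4_ring_check(void)
{
    uint32_t head_local = compute_layout().session_space + PROCESS_LIST_OFFSET;
    /* Constructed from the three dx dumps on the page. */
    struct list_entry_dump head  = { head_local,  0x895ea304u, 0x89544304u };
    struct list_entry_dump first = { 0x895ea304u, 0x895140d4u, 0xf79b1010u };
    struct list_entry_dump last  = { 0x89544304u, 0xf79b1010u, 0x895140d4u };
    uint32_t head_alias = session_global(head.addr);
    return head.flink == first.addr && head.blink == last.addr
        && first.blink == head_alias && last.flink == head_alias
        && first.flink == last.blink;
}
```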