
nt!MmMapViewInSystemCache函数分析PointerPte的填充

第一部分: 取到空闲 PTE 之后的两项检查

下面 `if (PointerPte->u.List.NextEntry == MM_EMPTY_PTE_LIST)` 判断系统缓存 PTE 空闲链表是否已经用尽(链表尾用 MM_EMPTY_PTE_LIST 标记)。随后把 `(PointerPte + 1)->u.List.NextEntry` 与 `KeReadTbFlushTimeStamp() & MM_FLUSH_COUNTER_MASK` 比较: 第二个 PTE 里保存的应是这段 PTE 被释放时记录的 TB 刷新戳, 若与当前刷新计数相同就调用 KeFlushEntireTb 强制刷新全部 TLB——推测是为了保证这段系统缓存 VA 被重新映射前, 指向旧物理页的 TLB 项一定已经失效。

1: kd> kc
 #
00 nt!MmMapViewInSystemCache
01 nt!CcGetVacbMiss
02 nt!CcGetVirtualAddress
03 nt!CcMapData
04 Ntfs!NtfsMapStream
05 Ntfs!NtfsReadBootSector
06 Ntfs!NtfsMountVolume
07 Ntfs!NtfsCommonFileSystemControl
08 Ntfs!NtfsFspDispatch
09 nt!ExpWorkerThread
0a nt!PspSystemThreadStartup
0b nt!KiThreadStartup


1: kd> p
nt!MmMapViewInSystemCache+0x32b:
80aaf01d 8b0e            mov     ecx,dword ptr [esi]
1: kd> dv
    SectionToMap = 0xe127a740
    CapturedBase = 0x89988000
   SectionOffset = 0xf78d6900 {-9175257283469246464}
CapturedViewSize = 0x00000040
       PteOffset = 0
       LastProto = 0x00000000
     PteContents = struct _MMPTE
         OldIrql = 0x00 ''
         LastPte = 0x89988000
   LastPteOffset = 0x40
          Waited = 1
        ProtoPte = 0xf78d6900
   NumberOfPages = 0x40


    if (PointerPte->u.List.NextEntry == MM_EMPTY_PTE_LIST) {


    if ((PointerPte + 1)->u.List.NextEntry == (KeReadTbFlushTimeStamp() & MM_FLUSH_COUNTER_MASK)) {
        KeFlushEntireTb (TRUE, TRUE);
    }

第二部分: 清零第二个 PTE 的 NextEntry 字段

源码 `(PointerPte + 1)->u.List.NextEntry = 0;` 编译成 `and dword ptr [esi+4],0FFFh`, 只保留低 12 位, 说明 u.List.NextEntry 占 32 位 PTE 的 bit 31:12(一个 PTE 索引, 见第四部分的换算)。

1: kd> p
nt!MmMapViewInSystemCache+0x355:
80aaf047 8b4e04          mov     ecx,dword ptr [esi+4]
1: kd> r
eax=00001314 ebx=898ff908 ecx=c10c0000 edx=00000000 esi=c0304200


1: kd> dd c0304200
c0304200  c10c0000 00000000 00000000 00000000

    //
    // Zero this explicitly now since the number of pages may be only 1.
    //

    (PointerPte + 1)->u.List.NextEntry = 0;

1: kd> p
nt!MmMapViewInSystemCache+0x36d:
80aaf05f 816604ff0f0000  and     dword ptr [esi+4],0FFFh

1: kd> r
eax=00001314 ebx=898ff908 ecx=00000000 edx=00000000 esi=c0304200 edi=00000000


第三部分:

    *CapturedBase = MiGetVirtualAddressMappedByPte (PointerPte);        c1080000

/*
 * Virtual address mapped by a PTE (x86, non-PAE, 4-byte PTEs, PTE base 0xC0000000).
 * PTE index = (PTE - 0xC0000000) / 4 and VA = index * 0x1000, i.e.
 * (PTE - 0xC0000000) << 10. The subtraction is omitted because 0xC0000000 << 10
 * has no bits left in a 32-bit ULONG, so the bare shift gives the same result
 * (trace above: 0xC0304200 << 10 == 0xC1080000). Only valid for this PTE layout.
 */
#define MiGetVirtualAddressMappedByPte(PTE) ((PVOID)((ULONG)(PTE) << 10))

PointerPte = c0304200 = 1100 0000 0011 0000 0100 0010 0000 0000
<< 10 (32 位截断, 最高 10 位 1100 0000 00 被丢弃):
                       1100 0001 0000 1000 0000 0000 0000 0000
                     = c1080000

说明: x86 非 PAE 下 PTE 为 4 字节, PTE 基址为 0xC0000000, 所以 VA = (PTE - 0xC0000000) / 4 * 0x1000 = (PTE - 0xC0000000) << 10; 由于 0xC0000000 << 10 在 32 位里恰好全为 0, 宏里直接省掉了减法。

1: kd> !pte c1080000
                 VA c1080000
PDE at C0300C10         PTE at C0304200
contains 0A03F963       contains C10C0000
pfn a03f  -G-DA--KWEV   not valid
                         Page has been freed


第四部分:

回顾 PointerPte 的由来: PointerPte 直接取自 MmFirstFreeSystemCache, 然后用该 PTE 的 u.List.NextEntry(bit 31:12, 见第二部分)算出下一个空闲项。注意下面两个 ASSERT 只在 checked build 中生效; free build 里对 NextEntry 没有任何范围校验, 一旦系统缓存 PTE 空闲链表被破坏(例如 PTE 页被越界写), 损坏的索引会原样写进 MmFirstFreeSystemCache 并在下一次映射时被使用。

    PointerPte = MmFirstFreeSystemCache;

    //
    // Update next free entry.
    //

    ASSERT (PointerPte->u.Hard.Valid == 0);

    MmFirstFreeSystemCache = MmSystemCachePteBase + PointerPte->u.List.NextEntry;
    ASSERT (MmFirstFreeSystemCache <= MiGetPteAddress (MmSystemCacheEnd));

1: kd> p
nt!MmMapViewInSystemCache+0x377:
80aaf069 8bc6            mov     eax,esi
1: kd> p
nt!MmMapViewInSystemCache+0x379:
80aaf06b c1e00a          shl     eax,0Ah
1: kd> r
eax=c0304200


1: kd> dv
    SectionToMap = 0xe127a740
    CapturedBase = 0x89988000

1: kd> dx -r1 ((ntkrnlmp!void * *)0x89988000)
((ntkrnlmp!void * *)0x89988000)                 : 0x89988000 [Type: void * *]
    0xc1080000

1: kd> !pte 0xc1080000
                 VA c1080000
PDE at C0300C10         PTE at C0304200
contains 0A03F963       contains C10C0000
pfn a03f  -G-DA--KWEV   not valid
                         Page has been freed


1: kd> x nt!MmFirstFreeSystemCache
80b23594          nt!MmFirstFreeSystemCache = 0xc0304300


1: kd> dd 0xc0304200        //0xc0304200下一个是0xc0304300
c0304200  c10c0000

NextEntry = c10c0000 >> 12 = c10c0        (u.List.NextEntry 占 PTE 的 bit 31:12)
MmSystemCachePteBase + c10c0 个 PTE = 0xC0000000 + c10c0 * 4 = 0xC0304300    //与上面 x nt!MmFirstFreeSystemCache 的结果一致, 正确
由此可知 MmSystemCachePteBase = 0xC0000000, 即 x86 的 PTE 基址。

1: kd> dd 0xc0304200
c0304200  c10c0000 00000000 00000000 00000000
c0304210  00000000 00000000 00000000 00000000


第五部分:

1: kd> dt subsection 0x898ff8d8+30
nt!SUBSECTION
   +0x000 ControlArea      : 0x898ff8d8 _CONTROL_AREA
   +0x004 u                : __unnamed
   +0x008 StartingSector   : 0
   +0x00c NumberOfFullSectors : 0x100
   +0x010 SubsectionBase   : 0xe1009c00 _MMPTE
   +0x014 UnusedPtes       : 0
   +0x018 PtesInSubsection : 0x100
   +0x01c NextSubsection   : (null)

       PteOffset = 0

    ProtoPte = &Subsection->SubsectionBase[PteOffset];        =0xe1009c00

1: kd> dd 0xe1009c00
e1009c00  fcfe94c2 fcfe94c2 fcfe94c2 fcfe94c2
e1009c10  fcfe94c2 fcfe94c2 fcfe94c2 fcfe94c2
e1009c20  fcfe94c2 fcfe94c2 fcfe94c2 fcfe94c2
e1009c30  fcfe94c2 fcfe94c2 fcfe94c2 fcfe94c2

1: kd> p
nt!MmMapViewInSystemCache+0x384:
80aaf076 8d0c88          lea     ecx,[eax+ecx*4]
1: kd> r
eax=e1009c00 ebx=898ff908 ecx=00000000 edx=00000000 esi=c0304200 edi=00000000
eip=80aaf076 esp=f78d6910 ebp=f78d6930 iopl=0         nv up ei ng nz na pe nc
cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00000286
nt!MmMapViewInSystemCache+0x384:
80aaf076 8d0c88          lea     ecx,[eax+ecx*4]
1: kd> p
nt!MmMapViewInSystemCache+0x387:
80aaf079 894d10          mov     dword ptr [ebp+10h],ecx
1: kd> r
eax=e1009c00 ebx=898ff908 ecx=e1009c00 edx=00000000 esi=c0304200 edi=00000000


1: kd> dv
    SectionToMap = 0xe127a740
 
        ProtoPte = 0xe1009c00        //正确

第六部分:


    LastProto = &Subsection->SubsectionBase[Subsection->PtesInSubsection];


   +0x018 PtesInSubsection : 0x100

0xe1009c00+0x100*4=

1: kd> ?0xe1009c00+0x100*4
Evaluate expression: -520052736 = e100a000

1: kd> dv
    SectionToMap = 0xe127a740

       LastProto = 0xe100a000


    LastPte = PointerPte + NumberOfPages;    eax=c0304300

0xc0304200+0x40*4=
1: kd> ?0xc0304200+0x40*4
Evaluate expression: -1070578944 = c0304300

1: kd> p
nt!MmMapViewInSystemCache+0x396:
80aaf088 8d0486          lea     eax,[esi+eax*4]
1: kd> r
eax=00000040 ebx=898ff908 ecx=00000100 edx=00000000 esi=c0304200 edi=00000000
eip=80aaf088 esp=f78d6910 ebp=f78d6930 iopl=0         nv up ei ng nz na pe nc
cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00000286
nt!MmMapViewInSystemCache+0x396:
80aaf088 8d0486          lea     eax,[esi+eax*4]
1: kd> p
nt!MmMapViewInSystemCache+0x399:
80aaf08b 8d7e08          lea     edi,[esi+8]
1: kd> r
eax=c0304300

第七部分: 填充 PTE 的主循环

循环把每个原型 PTE 的地址编码后写入对应的系统缓存 PTE。ProtoPte 到达 LastProto 时切换到 Subsection->NextSubsection, 但这里没有对 NextSubsection 判空(第五部分里它为 null); 本次跟踪 NumberOfPages=0x40 < PtesInSubsection=0x100, 该分支不会执行, 视图不越出子节链范围应当由调用方事先保证。


    while (PointerPte < LastPte) {

        if (ProtoPte >= LastProto) {

            //
            // Handle extended subsections.
            //

            Subsection = Subsection->NextSubsection;
            ProtoPte = Subsection->SubsectionBase;
            LastProto = &Subsection->SubsectionBase[
                                        Subsection->PtesInSubsection];
        }
        PteContents.u.Long = MiProtoAddressForKernelPte (ProtoPte);
        MI_WRITE_INVALID_PTE (PointerPte, PteContents);

        ASSERT (((ULONG_PTR)PointerPte & (MM_COLOR_MASK << PTE_SHIFT)) ==
                 (((ULONG_PTR)ProtoPte & (MM_COLOR_MASK << PTE_SHIFT))));

        PointerPte += 1;
        ProtoPte += 1;
    }

    ProtoPte = &Subsection->SubsectionBase[PteOffset];        =0xe1009c00

/* Kernel-side name; the encoding is identical to the generic one below. */
#define MiProtoAddressForKernelPte(proto_va)  MiProtoAddressForPte(proto_va)

/*
 * Encode the address of a prototype PTE into an invalid PTE (Valid bit 0 stays clear).
 * With offset = proto_va - MmProtopte_Base:
 *   bits 31:11 of the result <- bits 29:9 of offset   ((offset << 2) & 0xfffff800)
 *   bits  7:1  of the result <- bits  8:2 of offset   ((offset >> 1) & 0xFE)
 *   bit 10 = MM_PTE_PROTOTYPE_MASK; bits 9:8 and bit 0 remain 0.
 * Bits 1:0 of offset are dropped (prototype PTEs are 4-byte aligned) and so are
 * bits 31:30, so proto_va must lie within 1 GB above MmProtopte_Base.
 * Trace above: 0xe1009c00 - 0xe1000000 = 0x9c00 -> 0x27400.
 */
#define MiProtoAddressForPte(proto_va)  \
   ((((((ULONG)proto_va - MmProtopte_Base) >> 1) & (ULONG)0x000000FE)   | \
    (((((ULONG)proto_va - MmProtopte_Base) << 2) & (ULONG)0xfffff800))) | \
     MM_PTE_PROTOTYPE_MASK)

/* Prototype flag (bit 10) of an invalid PTE. */
#define MM_PTE_PROTOTYPE_MASK     0x400


/* Base that prototype-PTE offsets are relative to: start of paged pool (0xe1000000 in this trace). */
#define MmProtopte_Base ((ULONG)MmPagedPoolStart)
1: kd> x nt!MmPagedPoolStart
80b15028          nt!MmPagedPoolStart = 0xe1000000

1: kd> !pte 0xe1009c00
                 VA e1009c00
PDE at C0300E10         PTE at C0384024
contains 0A1C0963       contains 0A1CD963
pfn a1c0  -G-DA--KWEV   pfn a1cd  -G-DA--KWEV

offset = proto_va - MmProtopte_Base = e1009c00 - e1000000 = 9c00

(offset >> 1) & 0xFE       = 4e00 & fe       = 0
(offset << 2) & 0xfffff800 = 27000 & fffff800 = 27000        //对应下面的 eax=00027000
0 | 27000 | MM_PTE_PROTOTYPE_MASK(0x400) = 27400             //对应下面的 ecx=00027400

编码结果: bit 31:11 存 offset 的 bit 29:9, bit 7:1 存 offset 的 bit 8:2, bit 10 为 prototype 标志, bit 0(Valid)为 0; offset 的 bit 1:0 被丢弃(原型 PTE 4 字节对齐), 所以相邻原型 PTE 在编码值上相差 2(见第十部分 00027400, 00027402, ...)。

第八部分:


        PteContents.u.Long = MiProtoAddressForKernelPte (ProtoPte);    //关键地方1:


1: kd> p
nt!MmMapViewInSystemCache+0x3ee:
80aaf0e0 8b4510          mov     eax,dword ptr [ebp+10h]
1: kd> p
nt!MmMapViewInSystemCache+0x3f1:
80aaf0e3 2b052850b180    sub     eax,dword ptr [nt!MmPagedPoolStart (80b15028)]
1: kd> r
eax=e1009c00


1: kd> p
nt!MmMapViewInSystemCache+0x411:
80aaf103 894d08          mov     dword ptr [ebp+8],ecx
1: kd> r
eax=00027000 ebx=898ff908 ecx=00027400

第九部分:

        MI_WRITE_INVALID_PTE (PointerPte, PteContents);    //关键地方2:

1: kd> p
nt!MmMapViewInSystemCache+0x506:
80aaf1f8 8906            mov     dword ptr [esi],eax
1: kd> r
eax=00027400 ebx=898ff908 ecx=f78d6920 edx=e7f77906 esi=c0304200 edi=80b79030

1: kd> dd 0xc0304200
c0304200  00027400 00000000 00000000 00000000
c0304210  00000000 00000000 00000000 00000000
c0304220  00000000 00000000 00000000 00000000
c0304230  00000000 00000000 00000000 00000000
c0304240  00000000 00000000 00000000 00000000
c0304250  00000000 00000000 00000000 00000000
c0304260  00000000 00000000 00000000 00000000
c0304270  00000000 00000000 00000000 00000000

1: kd> !pte 0xc0304200
                 VA c1080000
PDE at C0300C10         PTE at C0304200
contains 0A03F963       contains 00027400
pfn a03f  -G-DA--KWEV   not valid
                         Proto: E1009C00


第十部分:

1: kd> dd 0xc0304200
c0304200  00027400 00027402


1: kd> !pte 0xc0304204
                 VA c1081000
PDE at C0300C10         PTE at C0304204
contains 0A03F963       contains 00027402
pfn a03f  -G-DA--KWEV   not valid
                         Proto: E1009C04

        ProtoPte = 0xe1009c08

第十一部分:

1: kd> dd 0xc0304200
c0304200  00027400 00027402 00027404 00000000

1: kd> dd 0xc0304200
c0304200  00027400 00027402 00027404 00027406
c0304210  00027408 0002740a 0002740c 0002740e
c0304220  00027410 00027412 00027414 00027416
c0304230  00027418 0002741a 0002741c 0002741e
c0304240  00027420 00027422 00027424 00027426
c0304250  00027428 0002742a 0002742c 0002742e
c0304260  00027430 00027432 00027434 00027436
c0304270  00027438 0002743a 0002743c 0002743e

dv
        ProtoPte = 0xe1009c80

1: kd> dd 0xc0304200+80
c0304280  00027440 00027442 00027444 00027446
c0304290  00027448 0002744a 0002744c 0002744e
c03042a0  00027450 00027452 00027454 00027456
c03042b0  00027458 0002745a 0002745c 0002745e
c03042c0  00027460 00027462 00027464 00027466
c03042d0  00027468 0002746a 0002746c 0002746e
c03042e0  00027470 00027472 00027474 00027476
c03042f0  00027478 0002747a 0002747c 0002747e


        ProtoPte = 0xe1009cfc


1: kd> dd 0xe1009c00
e1009c00  fcfe94c2 fcfe94c2 fcfe94c2 fcfe94c2
e1009c10  fcfe94c2 fcfe94c2 fcfe94c2 fcfe94c2
e1009c20  fcfe94c2 fcfe94c2 fcfe94c2 fcfe94c2
e1009c30  fcfe94c2 fcfe94c2 fcfe94c2 fcfe94c2
e1009c40  fcfe94c2 fcfe94c2 fcfe94c2 fcfe94c2
e1009c50  fcfe94c2 fcfe94c2 fcfe94c2 fcfe94c2
e1009c60  fcfe94c2 fcfe94c2 fcfe94c2 fcfe94c2
e1009c70  fcfe94c2 fcfe94c2 fcfe94c2 fcfe94c2
1: kd> dd 0xe1009c00+80
e1009c80  fcfe94c2 fcfe94c2 fcfe94c2 fcfe94c2
e1009c90  fcfe94c2 fcfe94c2 fcfe94c2 fcfe94c2
e1009ca0  fcfe94c2 fcfe94c2 fcfe94c2 fcfe94c2
e1009cb0  fcfe94c2 fcfe94c2 fcfe94c2 fcfe94c2
e1009cc0  fcfe94c2 fcfe94c2 fcfe94c2 fcfe94c2
e1009cd0  fcfe94c2 fcfe94c2 fcfe94c2 fcfe94c2
e1009ce0  fcfe94c2 fcfe94c2 fcfe94c2 fcfe94c2
e1009cf0  fcfe94c2 fcfe94c2 fcfe94c2 fcfe94c2


1: kd> p
nt!MmMapViewInSystemCache+0x50f:
80aaf201 3b750c          cmp     esi,dword ptr [ebp+0Ch]
1: kd> r
eax=0002747e ebx=898ff908 ecx=f78d6920 edx=e7f77906 esi=c0304300 edi=80b88f00
eip=80aaf201 esp=f78d6910 ebp=f78d6930 iopl=0         nv up ei ng nz ac pe nc
cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00000296
nt!MmMapViewInSystemCache+0x50f:
80aaf201 3b750c          cmp     esi,dword ptr [ebp+0Ch] ss:0010:f78d693c=c0304300
1: kd> dd f78d6930+c
f78d693c  c0304300
