nt!MiAddViewsForSection函数分析
第一部分:
NTSTATUS
MiAddViewsForSection (
IN PMSUBSECTION StartMappedSubsection,
IN UINT64 LastPteOffset OPTIONAL,
IN KIRQL OldIrql,
OUT PULONG Waited
)
1: kd> t
nt!MmMapViewInSystemCache+0x296:
80aaef88 e8bfa8feff call nt!MiAddViewsForSection (80a9984c)
1: kd> t
nt!MiAddViewsForSection:
80a9984c 55 push ebp
1: kd> kc
#
00 nt!MiAddViewsForSection
01 nt!MmMapViewInSystemCache
02 nt!CcGetVacbMiss
03 nt!CcGetVirtualAddress
04 nt!CcMapData
05 Ntfs!NtfsMapStream
06 Ntfs!NtfsReadBootSector
07 Ntfs!NtfsMountVolume
08 Ntfs!NtfsCommonFileSystemControl
09 Ntfs!NtfsFspDispatch
0a nt!ExpWorkerThread
0b nt!PspSystemThreadStartup
0c nt!KiThreadStartup
1: kd> dv
StartMappedSubsection = 0x898ff908
LastPteOffset = 0x40
OldIrql = 0x00 ''
Waited = 0xf78d692c
1: kd> dt subsection 898ff908
nt!SUBSECTION
+0x000 ControlArea : 0x898ff8d8 _CONTROL_AREA
+0x004 u : __unnamed
+0x008 StartingSector : 0
+0x00c NumberOfFullSectors : 0x100
+0x010 SubsectionBase : (null)
+0x014 UnusedPtes : 0
+0x018 PtesInSubsection : 0x100
+0x01c NextSubsection : (null)
+0x014 UnusedPtes : 0
+0x018 PtesInSubsection : 0x100
第二部分:
Size = (MappedSubsection->PtesInSubsection + MappedSubsection->UnusedPtes) * sizeof(MMPTE); edi=00000400
1: kd> p
nt!MiAddViewsForSection+0x159:
80a999a5 c1e702 shl edi,2
1: kd> p
nt!MiAddViewsForSection+0x15c:
80a999a8 7515 jne nt!MiAddViewsForSection+0x173 (80a999bf)
1: kd> r
eax=f78d692c ebx=00000000 ecx=00000000 edx=00000000 esi=898ff908 edi=00000400
第三部分:
ProtoPtes = (PMMPTE)ExAllocatePoolWithTag (PagedPool | POOL_MM_ALLOCATION,
Size,
MMSECT); =eax=e1009c00
1: kd> p
nt!MiAddViewsForSection+0x17f:
80a999cb e808190700 call nt!ExAllocatePoolWithTag (80b0b2d8)
1: kd> p
nt!MiAddViewsForSection+0x184:
80a999d0 8bd8 mov ebx,eax
1: kd> r
eax=e1009c00
第四部分:
//
// Fill in the prototype PTEs for this subsection.
//
TempPte.u.Long = MiGetSubsectionAddressForPte (MappedSubsection); //关键地方1:
TempPte.u.Soft.Prototype = 1;
/*
 * Encode the address of a SUBSECTION into its 32-bit prototype-PTE form
 * (the inverse of MiGetSubsectionAddress).  Two address ranges are handled:
 *  - VA less than 128 MB above MmSubsectionBase: bit 31 is set and the
 *    offset (VA - MmSubsectionBase) is stored;
 *  - any other VA: bit 31 stays clear and (MmNonPagedPoolEnd - VA) is stored.
 * Offset bits 3..6 land in PTE bits 1..4 (>>2 & 0x1E) and offset bits 7..26
 * land in PTE bits 11..30 (<<4 & 0x7ffff800).  Offset bits 0..2 are dropped,
 * so the subsection must be 8-byte aligned, and the offset must fit in 27 bits.
 * PTE bit 0 (Valid) and bits 5..10 (Protection, Prototype) are left clear for
 * the caller to fill in afterwards, as the trace above shows (0xfcfe9002 ->
 * 0xfcfe94c2).
 * NOTE(review): only the first branch is range-checked; nothing here enforces
 * that MmNonPagedPoolEnd - VA fits in 27 bits or that VA is 8-byte aligned —
 * presumably guaranteed by where subsections are allocated; verify against callers.
 */
#define MiGetSubsectionAddressForPte(VA) \
(((ULONG)(VA) < (ULONG)MmSubsectionBase + 128*1024*1024) ? \
(((((ULONG)VA - (ULONG)MmSubsectionBase)>>2) & (ULONG)0x0000001E) | \
((((((ULONG)VA - (ULONG)MmSubsectionBase)<<4) & (ULONG)0x7ffff800)))| \
0x80000000) \
: \
(((((ULONG)MmNonPagedPoolEnd - (ULONG)VA)>>2) & (ULONG)0x0000001E) | \
((((((ULONG)MmNonPagedPoolEnd - (ULONG)VA)<<4) & (ULONG)0x7ffff800)))))
1: kd> x nt!MmSubsectionBase
80be3860 nt!MmSubsectionBase = 0x81c01000
1: kd> dt subsection 898ff908
nt!SUBSECTION
+0x000 ControlArea : 0x898ff8d8 _CONTROL_AREA
+0x004 u : __unnamed
+0x008 StartingSector : 0
+0x00c NumberOfFullSectors : 0x100
+0x010 SubsectionBase : (null)
+0x014 UnusedPtes : 0
+0x018 PtesInSubsection : 0x100
+0x01c NextSubsection : (null)
1: kd> ?898ff908-0x81c01000
Evaluate expression: 131066120 = 07cfe908
0111 1100 1111 1110 1001 0000 1000
0111 1100 1111 1110 1001 0000 10
01 11 11 00 11 11 11 10 10 0100 0010
0001 1110
0010
02
0x7ffff800
0111 1100 1111 1110 1001 0000 1000 0000
0111 1111 1111 1111 1111 1000
0111 1100 1111 1110 1001 0000 0000 0000
7cfe9000
fcfe9002
第五部分:
1: kd> p
nt!MiAddViewsForSection+0x193:
80a999df 8d8800000008 lea ecx,[eax+8000000h]
1: kd> r
eax=81c01000
1: kd> p
nt!MiAddViewsForSection+0x19d:
80a999e9 8bce mov ecx,esi
1: kd> r
eax=81c01000 ebx=e1009c00 ecx=89c01000 edx=00000001 esi=898ff908
1: kd> p
nt!MiAddViewsForSection+0x19f:
80a999eb 2bc8 sub ecx,eax
1: kd> r
eax=81c01000 ebx=e1009c00 ecx=898ff908
1: kd> p
nt!MiAddViewsForSection+0x1a1:
80a999ed 8bc1 mov eax,ecx
1: kd> r
eax=81c01000 ebx=e1009c00 ecx=07cfe908 edx=00000001 esi=898ff908 edi=00000400
eip=80a999ed esp=f78d68e8 ebp=f78d68f4 iopl=0 nv up ei pl nz na po nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000202
nt!MiAddViewsForSection+0x1a1:
80a999ed 8bc1 mov eax,ecx
1: kd> p
nt!MiAddViewsForSection+0x1a3:
80a999ef c1e004 shl eax,4
1: kd> r
eax=07cfe908 ebx=e1009c00 ecx=07cfe908
1: kd> r
eax=07cfe908 ebx=e1009c00 ecx=07cfe908 edx=00000001 esi=898ff908 edi=00000400
eip=80a999ef esp=f78d68e8 ebp=f78d68f4 iopl=0 nv up ei pl nz na po nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000202
nt!MiAddViewsForSection+0x1a3:
80a999ef c1e004 shl eax,4
1: kd> p
nt!MiAddViewsForSection+0x1a6:
80a999f2 c1e902 shr ecx,2
1: kd> p
nt!MiAddViewsForSection+0x1a9:
80a999f5 2500f8ffff and eax,0FFFFF800h
1: kd> r
eax=7cfe9080 ebx=e1009c00 ecx=01f3fa42
1: kd> p
nt!MiAddViewsForSection+0x1ae:
80a999fa 83e11e and ecx,1Eh
1: kd> r
eax=7cfe9000 ebx=e1009c00 ecx=01f3fa42
eax=7cfe9000
ecx=01f3fa42
0100 0010
1: kd> r
eax=7cfe9000 ebx=e1009c00 ecx=00000002 edx=00000001 esi=898ff908 edi=00000400
eip=80a999fd esp=f78d68e8 ebp=f78d68f4 iopl=0 nv up ei pl nz na po nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000202
nt!MiAddViewsForSection+0x1b1:
80a999fd 0bc1 or eax,ecx
1: kd> p
nt!MiAddViewsForSection+0x1b3:
80a999ff 0d00000080 or eax,80000000h
1: kd> r
eax=7cfe9002 ebx=e1009c00 ecx=00000002 edx=00000001 esi=898ff908 edi=00000400
eip=80a999ff esp=f78d68e8 ebp=f78d68f4 iopl=0 nv up ei pl nz na po nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000202
nt!MiAddViewsForSection+0x1b3:
80a999ff 0d00000080 or eax,80000000h
1: kd> p
nt!MiAddViewsForSection+0x1b8:
80a99a04 eb1a jmp nt!MiAddViewsForSection+0x1d4 (80a99a20)
1: kd> r
eax=fcfe9002 ebx=e1009c00 ecx=00000002
fcfe9002，与第四部分手工计算得到的结果一致!!!
第六部分:
//
// Fill in the prototype PTEs for this subsection.
//
TempPte.u.Long = MiGetSubsectionAddressForPte (MappedSubsection); 0xfcfe9002 //关键地方1:
TempPte.u.Soft.Prototype = 1; 0xfcfe9402
+0x000 Soft : _MMPTE_SOFTWARE
+0x000 Valid : Pos 0, 1 Bit
+0x000 PageFileLow : Pos 1, 4 Bits
+0x000 Protection : Pos 5, 5 Bits
+0x000 Prototype : Pos 10, 1 Bit 1
+0x000 Transition : Pos 11, 1 Bit
+0x000 PageFileHigh : Pos 12, 20 Bits
0000 0000 0010
0100 1100 0010
TempPte.u.Soft.Protection = MappedSubsection->ControlArea->Segment->SegmentPteTemplate.u.Soft.Protection; 0xfcfe94c2
0100 0000 0010
1: kd> dx -r1 ((ntkrnlmp!_SEGMENT *)0xe138a388)
((ntkrnlmp!_SEGMENT *)0xe138a388) : 0xe138a388 [Type: _SEGMENT *]
[+0x000] ControlArea : 0x898ff8d8 [Type: _CONTROL_AREA *]
[+0x004] TotalNumberOfPtes : 0x100 [Type: unsigned long]
[+0x008] NonExtendedPtes : 0x100 [Type: unsigned long]
[+0x00c] WritableUserReferences : 0x0 [Type: unsigned long]
[+0x010] SizeOfSegment : 0x100000 [Type: unsigned __int64]
[+0x018] SegmentPteTemplate [Type: _MMPTE]
[+0x01c] NumberOfCommittedPages : 0x0 [Type: unsigned long]
[+0x020] ExtendInfo : 0x0 [Type: _MMEXTEND_INFO *]
[+0x024] SegmentFlags [Type: _SEGMENT_FLAGS]
[+0x028] BasedAddress : 0x0 [Type: void *]
[+0x02c] u1 [Type: __unnamed]
[+0x030] u2 [Type: __unnamed]
[+0x034] PrototypePte : 0x20207050 [Type: _MMPTE *]
[+0x038] ThePtes [Type: _MMPTE [1]]
1: kd> dx -r1 (*((ntkrnlmp!_MMPTE *)0xe138a3a0))
(*((ntkrnlmp!_MMPTE *)0xe138a3a0)) [Type: _MMPTE]
[+0x000] u [Type: __unnamed]
1: kd> dd 0xe138a3a0
e138a3a0 fcfe94c2
0100 1100 0010：其中 Pos 5 起的 5 位 Protection = 00110 = 0x6
1: kd> p
nt!MiAddViewsForSection+0x1e6:
80a99a32 0bc8 or ecx,eax
1: kd> pr
eax=fcfe9002 ebx=e1009c00 ecx=fcfe90c2
第七部分:MiFillMemoryPte函数填充内存
1: kd> pr
eax=fcfe9002 ebx=e1009c00 ecx=fcfe90c2 edx=00000001 esi=898ff908 edi=00000400
eip=80a99a34 esp=f78d68e8 ebp=f78d68f4 iopl=0 nv up ei ng nz na po nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000282
nt!MiAddViewsForSection+0x1e8:
80a99a34 81c900040000 or ecx,400h
1: kd> p
eax=fcfe9002 ebx=e1009c00 ecx=fcfe94c2
MiFillMemoryPte (ProtoPtes, Size / sizeof (MMPTE), TempPte.u.Long);
0100 0000 0000
01 00 00 00 00
0x400 = 0x80*8，即 Size 的 0x400 字节正好对应下面 8 次 dd（每次 0x80 字节）的输出范围
1000 0000
1000 0000 000
100 0 000 0 000
1: kd> dd e1009c00
e1009c00 00000000 00000000 00000000 00000000
e1009c10 00000000 00000000 00000000 00000000
e1009c20 00000000 00000000 00000000 00000000
e1009c30 00000000 00000000 00000000 00000000
e1009c40 00000000 00000000 00000000 00000000
e1009c50 00000000 00000000 00000000 00000000
e1009c60 00000000 00000000 00000000 00000000
e1009c70 00000000 00000000 00000000 00000000
1: kd> dd e1009c00
e1009c00 fcfe94c2 fcfe94c2 fcfe94c2 fcfe94c2
e1009c10 fcfe94c2 fcfe94c2 fcfe94c2 fcfe94c2
e1009c20 fcfe94c2 fcfe94c2 fcfe94c2 fcfe94c2
e1009c30 fcfe94c2 fcfe94c2 fcfe94c2 fcfe94c2
e1009c40 fcfe94c2 fcfe94c2 fcfe94c2 fcfe94c2
e1009c50 fcfe94c2 fcfe94c2 fcfe94c2 fcfe94c2
e1009c60 fcfe94c2 fcfe94c2 fcfe94c2 fcfe94c2
e1009c70 fcfe94c2 fcfe94c2 fcfe94c2 fcfe94c2
1: kd> dd e1009c00+80
e1009c80 fcfe94c2 fcfe94c2 fcfe94c2 fcfe94c2
e1009c90 fcfe94c2 fcfe94c2 fcfe94c2 fcfe94c2
e1009ca0 fcfe94c2 fcfe94c2 fcfe94c2 fcfe94c2
e1009cb0 fcfe94c2 fcfe94c2 fcfe94c2 fcfe94c2
e1009cc0 fcfe94c2 fcfe94c2 fcfe94c2 fcfe94c2
e1009cd0 fcfe94c2 fcfe94c2 fcfe94c2 fcfe94c2
e1009ce0 fcfe94c2 fcfe94c2 fcfe94c2 fcfe94c2
e1009cf0 fcfe94c2 fcfe94c2 fcfe94c2 fcfe94c2
1: kd> dd e1009c00+80*2
e1009d00 fcfe94c2 fcfe94c2 fcfe94c2 fcfe94c2
e1009d10 fcfe94c2 fcfe94c2 fcfe94c2 fcfe94c2
e1009d20 fcfe94c2 fcfe94c2 fcfe94c2 fcfe94c2
e1009d30 fcfe94c2 fcfe94c2 fcfe94c2 fcfe94c2
e1009d40 fcfe94c2 fcfe94c2 fcfe94c2 fcfe94c2
e1009d50 fcfe94c2 fcfe94c2 fcfe94c2 fcfe94c2
e1009d60 fcfe94c2 fcfe94c2 fcfe94c2 fcfe94c2
e1009d70 fcfe94c2 fcfe94c2 fcfe94c2 fcfe94c2
1: kd> dd e1009c00+80*3
e1009d80 fcfe94c2 fcfe94c2 fcfe94c2 fcfe94c2
e1009d90 fcfe94c2 fcfe94c2 fcfe94c2 fcfe94c2
e1009da0 fcfe94c2 fcfe94c2 fcfe94c2 fcfe94c2
e1009db0 fcfe94c2 fcfe94c2 fcfe94c2 fcfe94c2
e1009dc0 fcfe94c2 fcfe94c2 fcfe94c2 fcfe94c2
e1009dd0 fcfe94c2 fcfe94c2 fcfe94c2 fcfe94c2
e1009de0 fcfe94c2 fcfe94c2 fcfe94c2 fcfe94c2
e1009df0 fcfe94c2 fcfe94c2 fcfe94c2 fcfe94c2
1: kd> dd e1009c00+80*4
e1009e00 fcfe94c2 fcfe94c2 fcfe94c2 fcfe94c2
e1009e10 fcfe94c2 fcfe94c2 fcfe94c2 fcfe94c2
e1009e20 fcfe94c2 fcfe94c2 fcfe94c2 fcfe94c2
e1009e30 fcfe94c2 fcfe94c2 fcfe94c2 fcfe94c2
e1009e40 fcfe94c2 fcfe94c2 fcfe94c2 fcfe94c2
e1009e50 fcfe94c2 fcfe94c2 fcfe94c2 fcfe94c2
e1009e60 fcfe94c2 fcfe94c2 fcfe94c2 fcfe94c2
e1009e70 fcfe94c2 fcfe94c2 fcfe94c2 fcfe94c2
1: kd> dd e1009c00+80*5
e1009e80 fcfe94c2 fcfe94c2 fcfe94c2 fcfe94c2
e1009e90 fcfe94c2 fcfe94c2 fcfe94c2 fcfe94c2
e1009ea0 fcfe94c2 fcfe94c2 fcfe94c2 fcfe94c2
e1009eb0 fcfe94c2 fcfe94c2 fcfe94c2 fcfe94c2
e1009ec0 fcfe94c2 fcfe94c2 fcfe94c2 fcfe94c2
e1009ed0 fcfe94c2 fcfe94c2 fcfe94c2 fcfe94c2
e1009ee0 fcfe94c2 fcfe94c2 fcfe94c2 fcfe94c2
e1009ef0 fcfe94c2 fcfe94c2 fcfe94c2 fcfe94c2
1: kd> dd e1009c00+80*6
e1009f00 fcfe94c2 fcfe94c2 fcfe94c2 fcfe94c2
e1009f10 fcfe94c2 fcfe94c2 fcfe94c2 fcfe94c2
e1009f20 fcfe94c2 fcfe94c2 fcfe94c2 fcfe94c2
e1009f30 fcfe94c2 fcfe94c2 fcfe94c2 fcfe94c2
e1009f40 fcfe94c2 fcfe94c2 fcfe94c2 fcfe94c2
e1009f50 fcfe94c2 fcfe94c2 fcfe94c2 fcfe94c2
e1009f60 fcfe94c2 fcfe94c2 fcfe94c2 fcfe94c2
e1009f70 fcfe94c2 fcfe94c2 fcfe94c2 fcfe94c2
1: kd> dd e1009c00+80*7
e1009f80 fcfe94c2 fcfe94c2 fcfe94c2 fcfe94c2
e1009f90 fcfe94c2 fcfe94c2 fcfe94c2 fcfe94c2
e1009fa0 fcfe94c2 fcfe94c2 fcfe94c2 fcfe94c2
e1009fb0 fcfe94c2 fcfe94c2 fcfe94c2 fcfe94c2
e1009fc0 fcfe94c2 fcfe94c2 fcfe94c2 fcfe94c2
e1009fd0 fcfe94c2 fcfe94c2 fcfe94c2 fcfe94c2
e1009fe0 fcfe94c2 fcfe94c2 fcfe94c2 fcfe94c2
e1009ff0 fcfe94c2 fcfe94c2 fcfe94c2 fcfe94c2
1: kd> dd e1009c00+80*8
e100a000 00000000 00000000 00000000 00000000
e100a010 00000000 00000000 00000000 00000000
e100a020 00000000 00000000 00000000 00000000
第九部分:
if (MappedSubsection->SubsectionBase == NULL) {
ASSERT (MappedSubsection->NumberOfMappedViews == 1);
MappedSubsection->SubsectionBase = ProtoPtes;
1: kd> dx -r1 ((ntkrnlmp!_MSUBSECTION *)0x898ff908)
((ntkrnlmp!_MSUBSECTION *)0x898ff908) : 0x898ff908 [Type: _MSUBSECTION *]
[+0x000] ControlArea : 0x898ff8d8 [Type: _CONTROL_AREA *]
[+0x004] u [Type: __unnamed]
[+0x008] StartingSector : 0x0 [Type: unsigned long]
[+0x00c] NumberOfFullSectors : 0x100 [Type: unsigned long]
[+0x010] SubsectionBase : 0x0 [Type: _MMPTE *]
[+0x014] UnusedPtes : 0x0 [Type: unsigned long]
[+0x018] PtesInSubsection : 0x100 [Type: unsigned long]
[+0x01c] NextSubsection : 0x0 [Type: _SUBSECTION *]
[+0x020] DereferenceList [Type: _LIST_ENTRY]
[+0x028] NumberOfMappedViews : 0x1 [Type: unsigned long]
[+0x02c] u2 [Type: __unnamed]
1: kd> dt subsection 0x898ff8d8+30
nt!SUBSECTION
+0x000 ControlArea : 0x898ff8d8 _CONTROL_AREA
+0x004 u : __unnamed
+0x008 StartingSector : 0
+0x00c NumberOfFullSectors : 0x100
+0x010 SubsectionBase : (null)
+0x014 UnusedPtes : 0
+0x018 PtesInSubsection : 0x100
+0x01c NextSubsection : (null)
Subsection和PTE的互转公式:
/*
 * Decode a prototype PTE back to the SUBSECTION it was encoded from
 * (inverse of MiGetSubsectionAddressForPte).  Bit 31 selects the base:
 * set -> MmSubsectionBase + offset, clear -> MmNonPagedPoolEnd - offset.
 * Offset bits 7.. come from PTE bits 11.. ((x & 0x7ffff800) >> 4, or
 * (x >> 11) << 7 in the nonpaged branch) and offset bits 3..6 come from
 * PTE bits 1..4 ((x << 2) & 0x78).  PTE bit 0 and bits 5..10 (Valid,
 * Protection, Prototype) are never read, which is why a fully formed
 * prototype PTE such as the 0xfcfe94c2 values traced above decodes to the
 * same subsection as the bare 0xfcfe9002.
 * The decode trusts the PTE contents entirely: no range or alignment check is
 * applied to the resulting pointer.
 */
#define MiGetSubsectionAddress(lpte) \
(((lpte)->u.Long & 0x80000000) ? \
((PSUBSECTION)((PCHAR)MmSubsectionBase + \
((((lpte)->u.Long & 0x7ffff800) >> 4) | \
(((lpte)->u.Long<<2) & 0x78)))) \
: \
((PSUBSECTION)((PCHAR)MmNonPagedPoolEnd - \
(((((lpte)->u.Long)>>11)<<7) | \
(((lpte)->u.Long<<2) & 0x78)))))
/*
 * Subsection address -> prototype-PTE encoding (inverse of MiGetSubsectionAddress).
 * Bit 31 = 1 and offset from MmSubsectionBase when VA lies within 128 MB of it,
 * otherwise bit 31 = 0 and offset from MmNonPagedPoolEnd.  In both cases offset
 * bits 3..6 are placed in PTE bits 1..4 and offset bits 7..26 in PTE bits 11..30;
 * offset bits 0..2 are discarded (8-byte alignment assumed) and PTE bits 0 and
 * 5..10 are left for the caller.  Only the first branch is range-checked.
 */
#define MiGetSubsectionAddressForPte(VA) \
(((ULONG)(VA) < (ULONG)MmSubsectionBase + 128*1024*1024) ? \
(((((ULONG)VA - (ULONG)MmSubsectionBase)>>2) & (ULONG)0x0000001E) | \
((((((ULONG)VA - (ULONG)MmSubsectionBase)<<4) & (ULONG)0x7ffff800)))| \
0x80000000) \
: \
(((((ULONG)MmNonPagedPoolEnd - (ULONG)VA)>>2) & (ULONG)0x0000001E) | \
((((((ULONG)MmNonPagedPoolEnd - (ULONG)VA)<<4) & (ULONG)0x7ffff800)))))
1: kd> x nt!MmSubsectionBase
80be3860 nt!MmSubsectionBase = 0x81c01000
第十部分:
if (MappedSubsection->SubsectionBase == NULL) {
ASSERT (MappedSubsection->NumberOfMappedViews == 1);
MappedSubsection->SubsectionBase = ProtoPtes; //关键地方2:
}
1: kd> p
nt!MiAddViewsForSection+0x256:
80a99aa2 895e10 mov dword ptr [esi+10h],ebx
1: kd> p
nt!MiAddViewsForSection+0x259:
80a99aa5 e9f1000000 jmp nt!MiAddViewsForSection+0x34f (80a99b9b)
1: kd> r
eax=00000001 ebx=e1009c00 ecx=00000001 edx=00000000 esi=898ff908
1: kd> dt subsection 0x898ff8d8+30
nt!SUBSECTION
+0x000 ControlArea : 0x898ff8d8 _CONTROL_AREA
+0x004 u : __unnamed
+0x008 StartingSector : 0
+0x00c NumberOfFullSectors : 0x100
+0x010 SubsectionBase : 0xe1009c00 _MMPTE
+0x014 UnusedPtes : 0
+0x018 PtesInSubsection : 0x100
+0x01c NextSubsection : (null)
1: kd> dd 0xe1009c00
e1009c00 fcfe94c2 fcfe94c2 fcfe94c2 fcfe94c2
e1009c10 fcfe94c2 fcfe94c2 fcfe94c2 fcfe94c2
e1009c20 fcfe94c2 fcfe94c2 fcfe94c2 fcfe94c2
e1009c30 fcfe94c2 fcfe94c2 fcfe94c2 fcfe94c2
e1009c40 fcfe94c2 fcfe94c2 fcfe94c2 fcfe94c2
e1009c50 fcfe94c2 fcfe94c2 fcfe94c2 fcfe94c2
e1009c60 fcfe94c2 fcfe94c2 fcfe94c2 fcfe94c2
e1009c70 fcfe94c2 fcfe94c2 fcfe94c2 fcfe94c2
LastPteOffset = 0x40
1: kd> dt subsection 0x898ff8d8+30
nt!SUBSECTION
+0x000 ControlArea : 0x898ff8d8 _CONTROL_AREA
+0x004 u : __unnamed
+0x008 StartingSector : 0
+0x00c NumberOfFullSectors : 0x100
+0x010 SubsectionBase : 0xe1009c00 _MMPTE
+0x014 UnusedPtes : 0
+0x018 PtesInSubsection : 0x100
+0x01c NextSubsection : (null)
MappedSubsection = (PMSUBSECTION) MappedSubsection->NextSubsection;
} while (MappedSubsection != NULL);
第十一部分:
参数回顾:
NTSTATUS
MmMapViewInSystemCache (
IN PVOID SectionToMap,
OUT PVOID *CapturedBase,
IN OUT PLARGE_INTEGER SectionOffset,
IN OUT PULONG CapturedViewSize
)
1: kd> dv
SectionToMap = 0xe127a740
CapturedBase = 0x89988000
SectionOffset = 0xf78d695c {0} SectionOffset = 0xf78d695c {0}
CapturedViewSize = 0xf78d6954 CapturedViewSize = 0xf78d6954 0x40000
PteOffset = 0xf78d6930
LastProto = 0x00000008
PteContents = struct _MMPTE
OldIrql = 0x5c '\'
LastPte = 0x89988000
LastPteOffset = 0x00000008`80aaecf5
Waited = 0x346
ProtoPte = 0xf78d695c
NumberOfPages = 0xf78d6954
1: kd> dx -r1 ((ntkrnlmp!unsigned long *)0xf78d6954)
((ntkrnlmp!unsigned long *)0xf78d6954) : 0xf78d6954 : 0x40000 [Type: unsigned long *]
0x40000 [Type: unsigned long]
第十二部分:nt!MiAddViewsForSection函数总结
1: kd> dt subsection 898ff908
nt!SUBSECTION
+0x000 ControlArea : 0x898ff8d8 _CONTROL_AREA
+0x004 u : __unnamed
+0x008 StartingSector : 0
+0x00c NumberOfFullSectors : 0x100
+0x010 SubsectionBase : 0xe1009c00 _MMPTE
+0x014 UnusedPtes : 0
+0x018 PtesInSubsection : 0x100
+0x01c NextSubsection : (null)
1: kd> dd 0xe1009c00
e1009c00 fcfe94c2 fcfe94c2 fcfe94c2 fcfe94c2
e1009c10 fcfe94c2 fcfe94c2 fcfe94c2 fcfe94c2
e1009c20 fcfe94c2 fcfe94c2 fcfe94c2 fcfe94c2
e1009c30 fcfe94c2 fcfe94c2 fcfe94c2 fcfe94c2
e1009c40 fcfe94c2 fcfe94c2 fcfe94c2 fcfe94c2
e1009c50 fcfe94c2 fcfe94c2 fcfe94c2 fcfe94c2
e1009c60 fcfe94c2 fcfe94c2 fcfe94c2 fcfe94c2
e1009c70 fcfe94c2 fcfe94c2 fcfe94c2 fcfe94c2
fcfe94c2和0x898ff908可以通过上面两个宏互相转化!!!（MiGetSubsectionAddress 只读取 PTE 的第 1~4 位和第 11 位以上，Prototype/Protection 等位不参与解码，所以 fcfe94c2 与 fcfe9002 解码结果相同）