当前位置：首页 > news >正文

nt!MiAllocateWsle函数分析之设置Wsle[WorkingSetIndex]

news 来源：原创 2025/5/16 7:00:29

第一部分：

1: kd> p
nt!MiAddValidPageToWorkingSet+0xa9:
80a83c13 e8da9afcff      call    nt!MiAllocateWsle (80a4d6f2)
1: kd> t
nt!MiAllocateWsle:
80a4d6f2 55              push    ebp
1: kd> dv
         WsInfo = 0x8953a1f8
     PointerPte = 0xc01df8a8
           Pfn1 = 0x81bcd810
       WsleMask = 0x118
           Wsle = 0x00000008
WorkingSetIndex = 0x8953a1f8

第二部分：

1: kd> dx -r1 ((ntkrnlmp!_MMWSL *)0xc0503000)
((ntkrnlmp!_MMWSL *)0xc0503000) : 0xc0503000 [Type: _MMWSL *]
[+0x000] FirstFree : 0xc3 [Type: unsigned long]

WorkingSetIndex = WorkingSetList->FirstFree;
WorkingSetList->FirstFree = (WSLE_NUMBER)(Wsle[WorkingSetIndex].u1.Long >> MM_FREE_WSLE_SHIFT);

1: kd> dd 0xc0503698+c3*4
c05039a4 00000c40 00000c50 00000c60 00000c70

WorkingSetList->FirstFree=c4

    if (WorkingSetIndex > WorkingSetList->LastEntry) {
        WorkingSetList->LastEntry = WorkingSetIndex;
    }

1: kd> dx -r1 ((ntkrnlmp!_MMWSL *)0xc0503000)
((ntkrnlmp!_MMWSL *)0xc0503000)                 : 0xc0503000 [Type: _MMWSL *]
    [+0x000] FirstFree        : 0xc4 [Type: unsigned long]
    [+0x004] FirstDynamic     : 0x4 [Type: unsigned long]
    [+0x008] LastEntry        : 0xc3 [Type: unsigned long]

第三部分：

#define MiGetVirtualAddressMappedByPte(PTE) ((PVOID)((ULONG)(PTE) << 10))

PointerPte = 0xc01df8a8

1100 0000 0001 1101 1111 1000 1010 1000

01 11 01 11 11 10 00 10 10 10 00 00 0000 0000

77e2a000

参考后总结：得到的确实是虚拟地址，PTE左移10位得到虚拟地址前20位！！
虚拟地址右移10位+0xC000 0000 得到PTE

1: kd> dv
StoreInstruction = 0
FaultingAddress = 0x77e2a0c8

1: kd> !pte 0x77e2a0c8
                 VA 77e2a0c8
PDE at C030077C         PTE at C01DF8A8
contains 7B259867       contains 7DE56025
pfn 7b259 ---DA--UWEV   pfn 7de56 ----A--UREV

第四部分：

1: kd> t
nt!MiAllocateWsle+0x14d:
80a4d83f e80aaeffff call nt!MiUpdateWsle (80a4864e)
1: kd> t
nt!MiUpdateWsle:
80a4864e 55 push ebp
1: kd> kc
#
00 nt!MiUpdateWsle
01 nt!MiAllocateWsle
02 nt!MiAddValidPageToWorkingSet
03 nt!MiCompleteProtoPteFault
04 nt!MiResolveProtoPteFault
05 nt!MiDispatchFault
06 nt!MmAccessFault
07 nt!_KiTrap0E
08 nt!ObpCaptureObjectName
09 nt!ObpCaptureObjectCreateInformation
0a nt!ObOpenObjectByName
0b nt!NtOpenSection
0c nt!_KiSystemService
0d SharedUserData!SystemCallStub
0e ntdll!NtOpenSection
0f KERNEL32!OpenSection
10 KERNEL32!GetLocaleFileInfo
11 KERNEL32!NlsProcessInitialize
12 KERNEL32!NlsDllInitialize
13 KERNEL32!BaseDllInitialize
14 ntdll!LdrpCallInitRoutine
15 ntdll!LdrpRunInitializeRoutines
16 ntdll!LdrpLoadDll
17 ntdll!LdrLoadDll
18 CSRSRV!CsrLoadServerDll
19 CSRSRV!CsrParseServerCommandLine
1a CSRSRV!CsrServerInitialization
1b csrss!main
1c csrss!NtProcessStartup

1: kd> dv
   DesiredIndex = 0xf704b9f0
VirtualAddress = 0x77e2a000
         WsInfo = 0x8953a1f8
            Pfn = 0x81bcd810
           Wsle = 0x80a4864e

第五部分：

WsleContents.u1.VirtualAddress = PAGE_ALIGN (VirtualAddress);
WsleContents.u1.e1.Valid = 1;

1: kd> dt mmwsle -r
nt!MMWSLE
   +0x000 u1               : __unnamed
      +0x000 VirtualAddress   : Ptr32 Void
      +0x000 Long             : Uint4B
      +0x000 e1               : _MMWSLENTRY
         +0x000 Valid            : Pos 0, 1 Bit
         +0x000 LockedInWs       : Pos 1, 1 Bit
         +0x000 LockedInMemory   : Pos 2, 1 Bit
         +0x000 Protection       : Pos 3, 5 Bits
         +0x000 SameProtectAsProto : Pos 8, 1 Bit
         +0x000 Direct           : Pos 9, 1 Bit
         +0x000 Age              : Pos 10, 2 Bits
         +0x000 VirtualPageNumber : Pos 12, 20 Bits

0x77e2a001

第六部分：

WorkingSetIndex = 0xc3

1: kd> dd 0x81bcd810
81bcd810 00000000 e13a9c10 00000001 00011608
81bcd820 f926946a 000007ec

   +0x00c u3               : __unnamed
      +0x000 e1               : _MMPFNENTRY
         +0x000 Modified         : Pos 0, 1 Bit
         +0x000 ReadInProgress   : Pos 1, 1 Bit
         +0x000 WriteInProgress : Pos 2, 1 Bit
         +0x000 PrototypePte     : Pos 3, 1 Bit   1

if (Pfn->u3.e1.PrototypePte == 0) {

}
else {

            OldValue = InterlockedCompareExchange ((PLONG)&Pfn->u1.Event,
                                                   WorkingSetIndex,
                                                   0);

1: kd> dd 0x81bcd810
81bcd810 000000c3 e13a9c10 00000001 00011608 //000000c3
81bcd820 f926946a 000007ec

第七部分：

if (OldValue == 0) {

WsleContents.u1.e1.Direct = 1; -->0x77e2a201

MI_LOG_WSLE_CHANGE (WorkingSetList, WorkingSetIndex, WsleContents);

Wsle[WorkingSetIndex] = WsleContents;

return;

0x77e2a001
0000 0000 0001
0010 0000 0001
0x77e2a201

1: kd> p
nt!MiUpdateWsle+0x178:
80a487c6 890c90 mov dword ptr [eax+edx*4],ecx
1: kd> r
eax=c0503698 ebx=77e2a001 ecx=77e2a201 edx=000000c3 esi=c0503000 edi=81bcd810

1: kd> dd c0503698+c3*4
c05039a4 00000c40 00000c50 00000c60 00000c70

Wsle[WorkingSetIndex] = WsleContents;

1: kd> dd c0503698+c3*4
c05039a4 77e2a201 00000c50 00000c60 00000c70

第八部分：返回到nt!MiAllocateWsle

1: kd> p
nt!MiAllocateWsle+0x15c:
80a4d84e 8b45fc mov eax,dword ptr [ebp-4]

    if (WsleMask != 0) {
        Wsle[WorkingSetIndex].u1.Long |= WsleMask;       //添加上掩码。
    }

WsleMask = 0x118

1: kd> dd c0503698+c3*4
c05039a4 77e2a201

0x77e2a201+0x118=0x77e2a319

1: kd> p
nt!MiAllocateWsle+0x15f:
80a4d851 8d04b8 lea eax,[eax+edi*4]
1: kd> p
nt!MiAllocateWsle+0x162:
80a4d854 0908 or dword ptr [eax],ecx
1: kd> r
eax=c05039a4 ebx=0fffffff ecx=00000118

Wsle[WorkingSetIndex].u1.Long |= WsleMask;之后

1: kd> dd c0503698+c3*4
c05039a4 77e2a319