
nt!MiRemovePageByColor函数分析之脱链和刷新颜色表

第0部分:背景

PFN_NUMBER
FASTCALL
MiRemoveZeroPage (
    IN ULONG Color
    )
{


        ASSERT (Color < MmSecondaryColors);
        Page = FreePagesByColor[Color].Flink;

        if (Page != MM_EMPTY_LIST) {

            //
            // Remove the first entry on the zeroed by color list.
            //


            Page = MiRemovePageByColor (Page, Color);

第一部分:

1: kd> p
nt!MiRemoveZeroPage+0x11a:
80ac89b6 e825e4ffff      call    nt!MiRemovePageByColor (80ac6de0)
1: kd> t
nt!MiRemovePageByColor:
80ac6de0 55              push    ebp
1: kd> kc
 #
00 nt!MiRemovePageByColor
01 nt!MiRemoveZeroPage
02 nt!MiPfPutPagesInTransition
03 nt!MmPrefetchPages
04 nt!CcPfPrefetchSections
05 nt!CcPfBootWorker
06 nt!PspSystemThreadStartup
07 nt!KiThreadStartup

1: kd> dv
           Page = 0x7b19b
          Color = 0x1b
           Next = 0
       ListName = 0n-150603048 (No matching enumerant)


1: kd> dd 81000000+0x7b19b*18
81b8a688  0007b19a 001ec66c 0007b19c 00003000
81b8a698  0007b15b 03ffffff


第二部分:预分析1

   +0x00c u3               : __unnamed
      +0x000 e1               : _MMPFNENTRY
         +0x000 Modified         : Pos 0, 1 Bit
         +0x000 ReadInProgress   : Pos 1, 1 Bit
         +0x000 WriteInProgress  : Pos 2, 1 Bit
         +0x000 PrototypePte     : Pos 3, 1 Bit
         +0x000 PageColor        : Pos 4, 4 Bits    0000
         +0x000 PageLocation     : Pos 8, 3 Bits    000            ZeroedPageList (0)

1: kd> x nt!MmPageLocationList
80b14d04          nt!MmPageLocationList = struct _MMPFNLIST *[8]
1: kd> dx -r1 (*((ntkrnlmp!_MMPFNLIST * (*)[8])0x80b14d04))
(*((ntkrnlmp!_MMPFNLIST * (*)[8])0x80b14d04))                 [Type: _MMPFNLIST * [8]]
    [0]              : 0x80b14c94 [Type: _MMPFNLIST *]
    [1]              : 0x80b14ca4 [Type: _MMPFNLIST *]
    [2]              : 0x80b14cb4 [Type: _MMPFNLIST *]
    [3]              : 0x80b14cc4 [Type: _MMPFNLIST *]
    [4]              : 0x80b14cd4 [Type: _MMPFNLIST *]
    [5]              : 0x80b14ce4 [Type: _MMPFNLIST *]
    [6]              : 0x0 [Type: _MMPFNLIST *]
    [7]              : 0x0 [Type: _MMPFNLIST *]
1: kd> dx -r1 ((ntkrnlmp!_MMPFNLIST *)0x80b14c94)
((ntkrnlmp!_MMPFNLIST *)0x80b14c94)                 : 0x80b14c94 [Type: _MMPFNLIST *]
    [+0x000] Total            : 0x70e85 [Type: unsigned long]
    [+0x004] ListName         : ZeroedPageList (0) [Type: _MMLISTS]
    [+0x008] Flink            : 0xed7 [Type: unsigned long]
    [+0x00c] Blink            : 0xa130 [Type: unsigned long]

第三部分:预分析2

1: kd> dd 81000000+0x7b19b*18
81b8a688  0007b19a 001ec66c 0007b19c 00003000
81b8a698  0007b15b 03ffffff


    Next = Pfn1->u1.Flink;    0007b19a
    Pfn1->u1.Flink = 0;         // Assumes Flink width is >= WsIndex width
    Previous = Pfn1->u2.Blink;    0007b19c
    Pfn1->u2.Blink = 0;


第四部分:预分析3

#define MM_EMPTY_LIST ((ULONG)0xFFFFFFFF) //

    ColorHead->Flink = (PFN_NUMBER) Pfn1->OriginalPte.u.Long;
    if (ColorHead->Flink != MM_EMPTY_LIST) {
        MI_PFN_ELEMENT (ColorHead->Flink)->u4.PteFrame = MM_EMPTY_LIST;
    }


1: kd> dt _MMCOLOR_TABLES 0x81c00000+1b*c
nt!_MMCOLOR_TABLES
   +0x000 Flink            : 0x7b19b
   +0x004 Blink            : 0x810f2688 Void
   +0x008 Count            : 0x1c35

1: kd> dd 81000000+0007b15b*18
81b8a088  0007b15a 001ec56c 0007b15c 00003000
81b8a098  0007b11b 0007b19b

第五部分:调试

    Pfn1 = MI_PFN_ELEMENT (Page);81b8a688
    NodeColor = Pfn1->u3.e1.PageColor;

1: kd> p
nt!MiRemovePageByColor+0x48:
80ac6e28 8b7e0c          mov     edi,dword ptr [esi+0Ch]
1: kd> r
eax=001714d1 ebx=0000001b ecx=81000000 edx=0000001b esi=81b8a688

1: kd> dd 81b8a688
81b8a688  0007b19a 001ec66c 0007b19c 00003000
81b8a698  0007b15b 03ffffff

    ListHead = MmPageLocationList[Pfn1->u3.e1.PageLocation];    0
    ListName = ListHead->ListName;                ZeroedPageList (0)        

1: kd> p
nt!MiRemovePageByColor+0x88:
80ac6e68 83e007          and     eax,7
1: kd> p
nt!MiRemovePageByColor+0x8b:
80ac6e6b 8b0485044db180  mov     eax,dword ptr nt!MmPageLocationList (80b14d04)[eax*4]
1: kd> r
eax=00000000


1: kd> x nt!MmPageLocationList
80b14d04          nt!MmPageLocationList = struct _MMPFNLIST *[8]
1: kd> dx -r1 (*((ntkrnlmp!_MMPFNLIST * (*)[8])0x80b14d04))
(*((ntkrnlmp!_MMPFNLIST * (*)[8])0x80b14d04))                 [Type: _MMPFNLIST * [8]]
    [0]              : 0x80b14c94 [Type: _MMPFNLIST *]
    [1]              : 0x80b14ca4 [Type: _MMPFNLIST *]
    [2]              : 0x80b14cb4 [Type: _MMPFNLIST *]
    [3]              : 0x80b14cc4 [Type: _MMPFNLIST *]
    [4]              : 0x80b14cd4 [Type: _MMPFNLIST *]
    [5]              : 0x80b14ce4 [Type: _MMPFNLIST *]
    [6]              : 0x0 [Type: _MMPFNLIST *]
    [7]              : 0x0 [Type: _MMPFNLIST *]
1: kd> dx -r1 ((ntkrnlmp!_MMPFNLIST *)0x80b14c94)
((ntkrnlmp!_MMPFNLIST *)0x80b14c94)                 : 0x80b14c94 [Type: _MMPFNLIST *]
    [+0x000] Total            : 0x70e85 [Type: unsigned long]
    [+0x004] ListName         : ZeroedPageList (0) [Type: _MMLISTS]
    [+0x008] Flink            : 0xed7 [Type: unsigned long]
    [+0x00c] Blink            : 0xa130 [Type: unsigned long]


第六部分:

1: kd> p
nt!MiRemovePageByColor+0x95:
80ac6e75 ff08            dec     dword ptr [eax]
1: kd> r
eax=80b14c94

    ListHead->Total -= 1;

1: kd> dx -r1 ((ntkrnlmp!_MMPFNLIST *)0x80b14c94)
((ntkrnlmp!_MMPFNLIST *)0x80b14c94)                 : 0x80b14c94 [Type: _MMPFNLIST *]
    [+0x000] Total            : 0x70e84 [Type: unsigned long]
    [+0x004] ListName         : ZeroedPageList (0) [Type: _MMLISTS]
    [+0x008] Flink            : 0xed7 [Type: unsigned long]
    [+0x00c] Blink            : 0xa130 [Type: unsigned long]

第七部分:

    Next = Pfn1->u1.Flink;
    Pfn1->u1.Flink = 0;         // Assumes Flink width is >= WsIndex width
    Previous = Pfn1->u2.Blink;
    Pfn1->u2.Blink = 0;


1: kd> dd 81b8a688
81b8a688  00000000 001ec66c 00000000 00003000
81b8a698  0007b15b 03ffffff

    else {
        Pfn2 = MI_PFN_ELEMENT(Next);
        Pfn2->u2.Blink = Previous;
    }


1: kd> dd 81000000+0x7b19a*18
81b8a670  0007b199 001ec668 0007b19b 00003000
81b8a680  0007b15a 0007b1da


    else {
        Pfn2 = MI_PFN_ELEMENT(Next);
        Pfn2->u2.Blink = Previous;
    }
1: kd> dd 81000000+0x7b19a*18
81b8a670  0007b199 001ec668 0007b19c 00003000
81b8a680  0007b15a 0007b1da

    else {
        Pfn2 = MI_PFN_ELEMENT(Previous);
        Pfn2->u1.Flink = Next;
    }

1: kd> dd 81000000+0x7b19c*18
81b8a6a0  0007b19a 001ec670 0007b19d 00003000
81b8a6b0  0007b15c 0007b1dc

至此 u1 (Flink) 与 u2 (Blink) 的脱链已完成:该页面已从其 PageLocation 链表中摘除,相邻两个 PFN 的 Blink/Flink 也已分别指向对方。


第八部分:


   Pfn1->u3.e2.ShortFlags = 0;
    Pfn1->u3.e1.PageColor = NodeColor;
    Pfn1->u3.e1.CacheAttribute = MiNotMapped;

typedef enum _MI_PFN_CACHE_ATTRIBUTE {
    MiNonCached,                    0
    MiCached,                    1
    MiWriteCombined,                2
    MiNotMapped                    3
} MI_PFN_CACHE_ATTRIBUTE, *PMI_PFN_CACHE_ATTRIBUTE;

1: kd> dd 81000000+0x7b19b*18
81b8a688  00000000 001ec66c 00000000 00003000
81b8a698  0007b15b 03ffffff

   +0x00c u3               : __unnamed
      +0x000 e1               : _MMPFNENTRY
         +0x000 Modified         : Pos 0, 1 Bit
         +0x000 ReadInProgress   : Pos 1, 1 Bit
         +0x000 WriteInProgress  : Pos 2, 1 Bit
         +0x000 PrototypePte     : Pos 3, 1 Bit
         +0x000 PageColor        : Pos 4, 4 Bits
         +0x000 PageLocation     : Pos 8, 3 Bits
         +0x000 RemovalRequested : Pos 11, 1 Bit
         +0x000 CacheAttribute   : Pos 12, 2 Bits            11=3

第九部分:


    //
    // Update the color lists.
    //

    ASSERT (Color < MmSecondaryColors);

    ColorHead = &MmFreePagesByColor[ListName][Color];
    ASSERT (ColorHead->Count >= 1);
    ColorHead->Flink = (PFN_NUMBER) Pfn1->OriginalPte.u.Long;
    if (ColorHead->Flink != MM_EMPTY_LIST) {
        MI_PFN_ELEMENT (ColorHead->Flink)->u4.PteFrame = MM_EMPTY_LIST;
    }

1: kd> dt _MMCOLOR_TABLES 0x81c00000+1b*c
nt!_MMCOLOR_TABLES
   +0x000 Flink            : 0x7b19b
   +0x004 Blink            : 0x810f2688 Void
   +0x008 Count            : 0x1c35


1: kd> p
nt!MiRemovePageByColor+0x181:
80ac6f61 8d3c81          lea     edi,[ecx+eax*4]
1: kd> pr
eax=00000051 ebx=0000001b ecx=81c00000 edx=81000000 esi=81b8a688 edi=81c00144


1: kd> dd 0x81c00000+1b*c
81c00144  0007b19b 810f2688 00001c35

    ColorHead->Flink = (PFN_NUMBER) Pfn1->OriginalPte.u.Long;    =0007b15b

1: kd> dd 81000000+0x7b19b*18
81b8a688  00000000 001ec66c 00000000 00003000
81b8a698  0007b15b 03ffffff

1: kd> dt _MMCOLOR_TABLES 0x81c00000+1b*c
nt!_MMCOLOR_TABLES
   +0x000 Flink            : 0x7b15b
   +0x004 Blink            : 0x810f2688 Void
   +0x008 Count            : 0x1c35


1: kd> dd 81000000+0x7b15b*18
81b8a088  0007b15a 001ec56c 0007b15c 00003000
81b8a098  0007b11b 0007b19b

    if (ColorHead->Flink != MM_EMPTY_LIST) {
        MI_PFN_ELEMENT (ColorHead->Flink)->u4.PteFrame = MM_EMPTY_LIST;
    }
1: kd> dd 81000000+0x7b15b*18
81b8a088  0007b15a 001ec56c 0007b15c 00003000
81b8a098  0007b11b 03ffffff


第十部分:

    ColorHead->Count -= 1;


1: kd> dt _MMCOLOR_TABLES 0x81c00000+1b*c
nt!_MMCOLOR_TABLES
   +0x000 Flink            : 0x7b15b
   +0x004 Blink            : 0x810f2688 Void
   +0x008 Count            : 0x1c34


第十一部分:

1: kd> p
nt!MiRemovePageByColor+0x213:
80ac6ff3 c9              leave
1: kd> r
eax=0007b19b


1: kd> dd 81000000+0x7b19b*18
81b8a688  00000000 001ec66c 00000000 00003000
81b8a698  0007b15b 03ffffff
