
nt!MmMapViewInSystemCache 函数分析:PointerPte 的填充

第一部分:

1: kd> kc
 #
00 nt!MmMapViewInSystemCache
01 nt!CcGetVacbMiss
02 nt!CcGetVirtualAddress
03 nt!CcMapData
04 Ntfs!NtfsMapStream
05 Ntfs!NtfsReadBootSector
06 Ntfs!NtfsMountVolume
07 Ntfs!NtfsCommonFileSystemControl
08 Ntfs!NtfsFspDispatch
09 nt!ExpWorkerThread
0a nt!PspSystemThreadStartup
0b nt!KiThreadStartup


1: kd> p
nt!MmMapViewInSystemCache+0x32b:
80aaf01d 8b0e            mov     ecx,dword ptr [esi]
1: kd> dv
    SectionToMap = 0xe127a740
    CapturedBase = 0x89988000
   SectionOffset = 0xf78d6900 {-9175257283469246464}
CapturedViewSize = 0x00000040
       PteOffset = 0
       LastProto = 0x00000000
     PteContents = struct _MMPTE
         OldIrql = 0x00 ''
         LastPte = 0x89988000
   LastPteOffset = 0x40
          Waited = 1
        ProtoPte = 0xf78d6900
   NumberOfPages = 0x40


    if (PointerPte->u.List.NextEntry == MM_EMPTY_PTE_LIST) {


    if ((PointerPte + 1)->u.List.NextEntry == (KeReadTbFlushTimeStamp() & MM_FLUSH_COUNTER_MASK)) {
        KeFlushEntireTb (TRUE, TRUE);
    }

第二部分:

1: kd> p
nt!MmMapViewInSystemCache+0x355:
80aaf047 8b4e04          mov     ecx,dword ptr [esi+4]
1: kd> r
eax=00001314 ebx=898ff908 ecx=c10c0000 edx=00000000 esi=c0304200


1: kd> dd c0304200
c0304200  c10c0000 00000000 00000000 00000000

    //
    // Zero this explicitly now since the number of pages may be only 1.
    //

    (PointerPte + 1)->u.List.NextEntry = 0;

1: kd> p
nt!MmMapViewInSystemCache+0x36d:
80aaf05f 816604ff0f0000  and     dword ptr [esi+4],0FFFh

1: kd> r
eax=00001314 ebx=898ff908 ecx=00000000 edx=00000000 esi=c0304200 edi=00000000


第三部分:

    *CapturedBase = MiGetVirtualAddressMappedByPte (PointerPte);        c1080000

// Converts a PTE address to the virtual address that PTE maps, using 32-bit (ULONG)
// arithmetic: the high bits are shifted out and the PTE index ends up scaled to a
// page offset. Trace example from this page: 0xc0304200 << 10 == 0xc1080000, and
// "!pte c1080000" below reports "PTE at C0304200", i.e. the mapping round-trips.
#define MiGetVirtualAddressMappedByPte(PTE) ((PVOID)((ULONG)(PTE) << 10))

c0304200

1100 0000 0011 0000 0100 0010 0000 0000
11 0000 0100 0010 0000 0000 00 0000 0000  

11 00    00 01    00 00    10 00    00 00    00 00 0000 0000
c1080000        //0xc0304200 << 10 = 0xc1080000

1: kd> !pte c1080000
                 VA c1080000
PDE at C0300C10         PTE at C0304200
contains 0A03F963       contains C10C0000
pfn a03f  -G-DA--KWEV   not valid
                         Page has been freed


第四部分:

回顾PointerPte的由来:

    PointerPte = MmFirstFreeSystemCache;

    //
    // Update next free entry.
    //

    ASSERT (PointerPte->u.Hard.Valid == 0);

    MmFirstFreeSystemCache = MmSystemCachePteBase + PointerPte->u.List.NextEntry;
    ASSERT (MmFirstFreeSystemCache <= MiGetPteAddress (MmSystemCacheEnd));

1: kd> p
nt!MmMapViewInSystemCache+0x377:
80aaf069 8bc6            mov     eax,esi
1: kd> p
nt!MmMapViewInSystemCache+0x379:
80aaf06b c1e00a          shl     eax,0Ah
1: kd> r
eax=c0304200


1: kd> dv
    SectionToMap = 0xe127a740
    CapturedBase = 0x89988000

1: kd> dx -r1 ((ntkrnlmp!void * *)0x89988000)
((ntkrnlmp!void * *)0x89988000)                 : 0x89988000 [Type: void * *]
    0xc1080000

1: kd> !pte 0xc1080000
                 VA c1080000
PDE at C0300C10         PTE at C0304200
contains 0A03F963       contains C10C0000
pfn a03f  -G-DA--KWEV   not valid
                         Page has been freed


1: kd> x nt!MmFirstFreeSystemCache
80b23594          nt!MmFirstFreeSystemCache = 0xc0304300


1: kd> dd 0xc0304200        //0xc0304200 的下一个空闲 PTE 是 0xc0304300(即 MmFirstFreeSystemCache)
c0304200  c10c0000

304300
0011 0000 0100 0011 0000 0000
0011 0000 0100 0011 0000 00
00    11 00    00 01    00 00    11 00    00 00
c10c0        //正确:0x304300 >> 2 = 0xc10c0,正是 PTE 内容 c10c0000 的高 20 位(NextEntry)

1: kd> dd 0xc0304200
c0304200  c10c0000 00000000 00000000 00000000
c0304210  00000000 00000000 00000000 00000000


第五部分:

1: kd> dt subsection 0x898ff8d8+30
nt!SUBSECTION
   +0x000 ControlArea      : 0x898ff8d8 _CONTROL_AREA
   +0x004 u                : __unnamed
   +0x008 StartingSector   : 0
   +0x00c NumberOfFullSectors : 0x100
   +0x010 SubsectionBase   : 0xe1009c00 _MMPTE
   +0x014 UnusedPtes       : 0
   +0x018 PtesInSubsection : 0x100
   +0x01c NextSubsection   : (null)

       PteOffset = 0

    ProtoPte = &Subsection->SubsectionBase[PteOffset];        =0xe1009c00

1: kd> dd 0xe1009c00
e1009c00  fcfe94c2 fcfe94c2 fcfe94c2 fcfe94c2
e1009c10  fcfe94c2 fcfe94c2 fcfe94c2 fcfe94c2
e1009c20  fcfe94c2 fcfe94c2 fcfe94c2 fcfe94c2
e1009c30  fcfe94c2 fcfe94c2 fcfe94c2 fcfe94c2

1: kd> p
nt!MmMapViewInSystemCache+0x384:
80aaf076 8d0c88          lea     ecx,[eax+ecx*4]
1: kd> r
eax=e1009c00 ebx=898ff908 ecx=00000000 edx=00000000 esi=c0304200 edi=00000000
eip=80aaf076 esp=f78d6910 ebp=f78d6930 iopl=0         nv up ei ng nz na pe nc
cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00000286
nt!MmMapViewInSystemCache+0x384:
80aaf076 8d0c88          lea     ecx,[eax+ecx*4]
1: kd> p
nt!MmMapViewInSystemCache+0x387:
80aaf079 894d10          mov     dword ptr [ebp+10h],ecx
1: kd> r
eax=e1009c00 ebx=898ff908 ecx=e1009c00 edx=00000000 esi=c0304200 edi=00000000


1: kd> dv
    SectionToMap = 0xe127a740
 
        ProtoPte = 0xe1009c00        //正确

第六部分:


    LastProto = &Subsection->SubsectionBase[Subsection->PtesInSubsection];


   +0x018 PtesInSubsection : 0x100

0xe1009c00+0x100*4=

1: kd> ?0xe1009c00+0x100*4
Evaluate expression: -520052736 = e100a000

1: kd> dv
    SectionToMap = 0xe127a740

       LastProto = 0xe100a000


    LastPte = PointerPte + NumberOfPages;    eax=c0304300

0xc0304200+0x40*4=
1: kd> ?0xc0304200+0x40*4
Evaluate expression: -1070578944 = c0304300

1: kd> p
nt!MmMapViewInSystemCache+0x396:
80aaf088 8d0486          lea     eax,[esi+eax*4]
1: kd> r
eax=00000040 ebx=898ff908 ecx=00000100 edx=00000000 esi=c0304200 edi=00000000
eip=80aaf088 esp=f78d6910 ebp=f78d6930 iopl=0         nv up ei ng nz na pe nc
cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00000286
nt!MmMapViewInSystemCache+0x396:
80aaf088 8d0486          lea     eax,[esi+eax*4]
1: kd> p
nt!MmMapViewInSystemCache+0x399:
80aaf08b 8d7e08          lea     edi,[esi+8]
1: kd> r
eax=c0304300

第七部分:


    while (PointerPte < LastPte) {

        if (ProtoPte >= LastProto) {

            //
            // Handle extended subsections.
            //

            Subsection = Subsection->NextSubsection;
            ProtoPte = Subsection->SubsectionBase;
            LastProto = &Subsection->SubsectionBase[
                                        Subsection->PtesInSubsection];
        }
        PteContents.u.Long = MiProtoAddressForKernelPte (ProtoPte);
        MI_WRITE_INVALID_PTE (PointerPte, PteContents);

        ASSERT (((ULONG_PTR)PointerPte & (MM_COLOR_MASK << PTE_SHIFT)) ==
                 (((ULONG_PTR)ProtoPte & (MM_COLOR_MASK << PTE_SHIFT))));

        PointerPte += 1;
        ProtoPte += 1;
    }

    ProtoPte = &Subsection->SubsectionBase[PteOffset];        =0xe1009c00

// Kernel-mode variant is identical to the user-mode encoding.
#define MiProtoAddressForKernelPte(proto_va)  MiProtoAddressForPte(proto_va)

// Encodes the address of a prototype PTE into an invalid (software) PTE value.
// All arithmetic is ULONG (32-bit). With offset = proto_va - MmProtopte_Base:
//   result bits 1..7   <- offset bits 2..8    ((offset >> 1) & 0xFE)
//   result bits 11..31 <- offset bits 9..29   ((offset << 2) & 0xfffff800)
//   result bit 10      <- MM_PTE_PROTOTYPE_MASK (marks the PTE as a prototype pointer)
// Bit 0 (the hardware Valid bit) is never set, so the PTE stays "not valid".
// Trace example from this page: proto_va 0xe1009c00, base 0xe1000000 -> offset 0x9c00;
//   (0x9c00 >> 1) & 0xFE = 0, (0x9c00 << 2) & 0xfffff800 = 0x27000, | 0x400 = 0x27400,
//   which is the value written to the PTE and later decoded by !pte as "Proto: E1009C00".
#define MiProtoAddressForPte(proto_va)  \
   ((((((ULONG)proto_va - MmProtopte_Base) >> 1) & (ULONG)0x000000FE)   | \
    (((((ULONG)proto_va - MmProtopte_Base) << 2) & (ULONG)0xfffff800))) | \
    MM_PTE_PROTOTYPE_MASK)

// Bit 10 of a software PTE: "this PTE points at a prototype PTE".
#define MM_PTE_PROTOTYPE_MASK     0x400


// Base subtracted from prototype PTE addresses before encoding; on this trace
// MmPagedPoolStart == 0xe1000000 (see the "x nt!MmPagedPoolStart" output below).
#define MmProtopte_Base ((ULONG)MmPagedPoolStart)
1: kd> x nt!MmPagedPoolStart
80b15028          nt!MmPagedPoolStart = 0xe1000000

1: kd> !pte 0xe1009c00
                 VA e1009c00
PDE at C0300E10         PTE at C0384024
contains 0A1C0963       contains 0A1CD963
pfn a1c0  -G-DA--KWEV   pfn a1cd  -G-DA--KWEV

9c00

1001 1100 0000 0000
1001 1100 0000 000

1001 110    0 000    0 000
    1 111       1 110

1001 1100 0000 0000 00

10    01 11    00 00    00 00    00 00
27000        //(0x9c00 << 2) & 0xfffff800 = 0x27000;而 (0x9c00 >> 1) & 0xFE = 0


27400        //0x27000 | MM_PTE_PROTOTYPE_MASK(0x400) = 0x27400

第八部分:


        PteContents.u.Long = MiProtoAddressForKernelPte (ProtoPte);    //关键地方1:


1: kd> p
nt!MmMapViewInSystemCache+0x3ee:
80aaf0e0 8b4510          mov     eax,dword ptr [ebp+10h]
1: kd> p
nt!MmMapViewInSystemCache+0x3f1:
80aaf0e3 2b052850b180    sub     eax,dword ptr [nt!MmPagedPoolStart (80b15028)]
1: kd> r
eax=e1009c00


1: kd> p
nt!MmMapViewInSystemCache+0x411:
80aaf103 894d08          mov     dword ptr [ebp+8],ecx
1: kd> r
eax=00027000 ebx=898ff908 ecx=00027400

第九部分:

        MI_WRITE_INVALID_PTE (PointerPte, PteContents);    //关键地方2:

1: kd> p
nt!MmMapViewInSystemCache+0x506:
80aaf1f8 8906            mov     dword ptr [esi],eax
1: kd> r
eax=00027400 ebx=898ff908 ecx=f78d6920 edx=e7f77906 esi=c0304200 edi=80b79030

1: kd> dd 0xc0304200
c0304200  00027400 00000000 00000000 00000000
c0304210  00000000 00000000 00000000 00000000
c0304220  00000000 00000000 00000000 00000000
c0304230  00000000 00000000 00000000 00000000
c0304240  00000000 00000000 00000000 00000000
c0304250  00000000 00000000 00000000 00000000
c0304260  00000000 00000000 00000000 00000000
c0304270  00000000 00000000 00000000 00000000

1: kd> !pte 0xc0304200
                 VA c1080000
PDE at C0300C10         PTE at C0304200
contains 0A03F963       contains 00027400
pfn a03f  -G-DA--KWEV   not valid
                         Proto: E1009C00


第十部分:

1: kd> dd 0xc0304200
c0304200  00027400 00027402


1: kd> !pte 0xc0304204
                 VA c1081000
PDE at C0300C10         PTE at C0304204
contains 0A03F963       contains 00027402
pfn a03f  -G-DA--KWEV   not valid
                         Proto: E1009C04

        ProtoPte = 0xe1009c08

第十一部分:

1: kd> dd 0xc0304200
c0304200  00027400 00027402 00027404 00000000

1: kd> dd 0xc0304200
c0304200  00027400 00027402 00027404 00027406
c0304210  00027408 0002740a 0002740c 0002740e
c0304220  00027410 00027412 00027414 00027416
c0304230  00027418 0002741a 0002741c 0002741e
c0304240  00027420 00027422 00027424 00027426
c0304250  00027428 0002742a 0002742c 0002742e
c0304260  00027430 00027432 00027434 00027436
c0304270  00027438 0002743a 0002743c 0002743e

dv
        ProtoPte = 0xe1009c80

1: kd> dd 0xc0304200+80
c0304280  00027440 00027442 00027444 00027446
c0304290  00027448 0002744a 0002744c 0002744e
c03042a0  00027450 00027452 00027454 00027456
c03042b0  00027458 0002745a 0002745c 0002745e
c03042c0  00027460 00027462 00027464 00027466
c03042d0  00027468 0002746a 0002746c 0002746e
c03042e0  00027470 00027472 00027474 00027476
c03042f0  00027478 0002747a 0002747c 0002747e


        ProtoPte = 0xe1009cfc


1: kd> dd 0xe1009c00
e1009c00  fcfe94c2 fcfe94c2 fcfe94c2 fcfe94c2
e1009c10  fcfe94c2 fcfe94c2 fcfe94c2 fcfe94c2
e1009c20  fcfe94c2 fcfe94c2 fcfe94c2 fcfe94c2
e1009c30  fcfe94c2 fcfe94c2 fcfe94c2 fcfe94c2
e1009c40  fcfe94c2 fcfe94c2 fcfe94c2 fcfe94c2
e1009c50  fcfe94c2 fcfe94c2 fcfe94c2 fcfe94c2
e1009c60  fcfe94c2 fcfe94c2 fcfe94c2 fcfe94c2
e1009c70  fcfe94c2 fcfe94c2 fcfe94c2 fcfe94c2
1: kd> dd 0xe1009c00+80
e1009c80  fcfe94c2 fcfe94c2 fcfe94c2 fcfe94c2
e1009c90  fcfe94c2 fcfe94c2 fcfe94c2 fcfe94c2
e1009ca0  fcfe94c2 fcfe94c2 fcfe94c2 fcfe94c2
e1009cb0  fcfe94c2 fcfe94c2 fcfe94c2 fcfe94c2
e1009cc0  fcfe94c2 fcfe94c2 fcfe94c2 fcfe94c2
e1009cd0  fcfe94c2 fcfe94c2 fcfe94c2 fcfe94c2
e1009ce0  fcfe94c2 fcfe94c2 fcfe94c2 fcfe94c2
e1009cf0  fcfe94c2 fcfe94c2 fcfe94c2 fcfe94c2


1: kd> p
nt!MmMapViewInSystemCache+0x50f:
80aaf201 3b750c          cmp     esi,dword ptr [ebp+0Ch]
1: kd> r
eax=0002747e ebx=898ff908 ecx=f78d6920 edx=e7f77906 esi=c0304300 edi=80b88f00
eip=80aaf201 esp=f78d6910 ebp=f78d6930 iopl=0         nv up ei ng nz ac pe nc
cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00000296
nt!MmMapViewInSystemCache+0x50f:
80aaf201 3b750c          cmp     esi,dword ptr [ebp+0Ch] ss:0010:f78d693c=c0304300
1: kd> dd f78d6930+c
f78d693c  c0304300
