RE: Understanding the virtual to physical address translation rule in
- From: Anton Bassov <AntonBassov@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Wed, 4 Jul 2007 22:48:00 -0700
"Under Windows NT, page directory of currently running process is mapped to
the virtual address 0xC0300000. This information, combined with our
knowledge of virtual-to-physical address translation, leads us to two
conclusions:
1.. Under Windows NT, 0x300th entry of a page directory holds the physical
address of the page directory itself.
2.. Page table, corresponding to some virtual address, is accessible as
0xC0000000+((address>>10)&0x3FF000). With such translation page table,
corresponding to the address 0xC0300000, is 0xC0300000 itself. In other
words, page directory is also a page table that corresponds to the virtual
address of a page directory itself. "
How are these 2 conclusion generated?
I am afraid it is hard to explain it - you've got to think it over carefully.
Think about the binary layout of 0xC0300000 value, then recall how address
translation is done, and everything will (hopefully) become clear to you....
In the undocumented Win2000 book, I see the linear address can be used to
find its PTE by: (linear_address)>>12 * 4 +0xC0000000.
In actuality, the formula is slightly different. It stands as
physical address= ((linear_address>>10) & 0x3FFFFC) +0xC0000000, but the
idea is correct - both formulas describe the same underlying principle.
It seems that this rule is different from the one in the article.
Not at all....
The excerpt from "Undocumented Windows 2000" that you have quoted speaks
about getting the address of the *page* itself from PTE, but the one from my
article speaks about getting the address of a *page table* that describes the
target page from PDE. In other words, the excerpt from my article speaks
about the first level of address translation, while the one from
"Undocumented Windows 2000" speaks about the second one....
Which one is correct?
Both of them.....
Anton Bassov
"fudan boy" wrote:
I hope this newsgroup is suitable for this question. Thanks..
I am reading the article below:
http://www.codeproject.com/system/soviet_kernel_hack.asp
However, I found that I can not understand the conclusion below:
"Under Windows NT, page directory of currently running process is mapped to
the virtual address 0xC0300000. This information, combined with our
knowledge of virtual-to-physical address translation, leads us to two
conclusions:
1.. Under Windows NT, 0x300th entry of a page directory holds the physical
address of the page directory itself.
2.. Page table, corresponding to some virtual address, is accessible as
0xC0000000+((address>>10)&0x3FF000). With such translation page table,
corresponding to the address 0xC0300000, is 0xC0300000 itself. In other
words, page directory is also a page table that corresponds to the virtual
address of a page directory itself. "
How are these 2 conclusion generated?
In the undocumented Win2000 book, I see the linear address can be used to
find its PTE by: (linear_address)>>12 * 4 +0xC0000000. It seems that this
rule is different from the one in the article. Which one is correct?
I find myself a bit confusion regarding the principle.
Thanks in advanced!
- Follow-Ups:
- References:
- Prev by Date: Re: Help - Locking Kernel Thread
- Next by Date: Re: ZwMapViewOfSection returning a user mode address
- Previous by thread: Understanding the virtual to physical address translation rule in x86
- Next by thread: Re: Understanding the virtual to physical address translation rule in
- Index(es):
Relevant Pages
|
