第0部分:背景
PFN_NUMBER FASTCALL MiRemoveZeroPage ( IN ULONG Color ) {
ASSERT (Color < MmSecondaryColors); Page = FreePagesByColor[Color].Flink;
if (Page != MM_EMPTY_LIST) {
// // Remove the first entry on the zeroed by color list. //
Page = MiRemovePageByColor (Page, Color);
第一部分:调用栈与入参
1: kd> p nt!MiRemoveZeroPage+0x11a: 80ac89b6 e825e4ffff call nt!MiRemovePageByColor (80ac6de0) 1: kd> t nt!MiRemovePageByColor: 80ac6de0 55 push ebp 1: kd> kc # 00 nt!MiRemovePageByColor 01 nt!MiRemoveZeroPage 02 nt!MiPfPutPagesInTransition 03 nt!MmPrefetchPages 04 nt!CcPfPrefetchSections 05 nt!CcPfBootWorker 06 nt!PspSystemThreadStartup 07 nt!KiThreadStartup
1: kd> dv Page = 0x7b19b Color = 0x1b Next = 0 ListName = 0n-150603048 (No matching enumerant)
1: kd> dd 81000000+0x7b19b*18 81b8a688 0007b19a 001ec66c 0007b19c 00003000 81b8a698 0007b15b 03ffffff
第二部分:预分析1 —— u3.e1 位域与 MmPageLocationList
+0x00c u3 : __unnamed +0x000 e1 : _MMPFNENTRY +0x000 Modified : Pos 0, 1 Bit +0x000 ReadInProgress : Pos 1, 1 Bit +0x000 WriteInProgress : Pos 2, 1 Bit +0x000 PrototypePte : Pos 3, 1 Bit +0x000 PageColor : Pos 4, 4 Bits 0000 +0x000 PageLocation : Pos 8, 3 Bits 000 ZeroedPageList (0)
1: kd> x nt!MmPageLocationList 80b14d04 nt!MmPageLocationList = struct _MMPFNLIST *[8] 1: kd> dx -r1 (*((ntkrnlmp!_MMPFNLIST * (*)[8])0x80b14d04)) (*((ntkrnlmp!_MMPFNLIST * (*)[8])0x80b14d04)) [Type: _MMPFNLIST * [8]] [0] : 0x80b14c94 [Type: _MMPFNLIST *] [1] : 0x80b14ca4 [Type: _MMPFNLIST *] [2] : 0x80b14cb4 [Type: _MMPFNLIST *] [3] : 0x80b14cc4 [Type: _MMPFNLIST *] [4] : 0x80b14cd4 [Type: _MMPFNLIST *] [5] : 0x80b14ce4 [Type: _MMPFNLIST *] [6] : 0x0 [Type: _MMPFNLIST *] [7] : 0x0 [Type: _MMPFNLIST *] 1: kd> dx -r1 ((ntkrnlmp!_MMPFNLIST *)0x80b14c94) ((ntkrnlmp!_MMPFNLIST *)0x80b14c94) : 0x80b14c94 [Type: _MMPFNLIST *] [+0x000] Total : 0x70e85 [Type: unsigned long] [+0x004] ListName : ZeroedPageList (0) [Type: _MMLISTS] [+0x008] Flink : 0xed7 [Type: unsigned long] [+0x00c] Blink : 0xa130 [Type: unsigned long]
第三部分:预分析2 —— u1.Flink 与 u2.Blink 的初始值
1: kd> dd 81000000+0x7b19b*18 81b8a688 0007b19a 001ec66c 0007b19c 00003000 81b8a698 0007b15b 03ffffff
Next = Pfn1->u1.Flink; 0007b19a Pfn1->u1.Flink = 0; // Assumes Flink width is >= WsIndex width Previous = Pfn1->u2.Blink; 0007b19c Pfn1->u2.Blink = 0;
第四部分:预分析3 —— MM_EMPTY_LIST 与颜色表 _MMCOLOR_TABLES
/* Terminator for the per-colour free-page lists. MiRemovePageByColor stores it
 * into ColorHead->Flink and into u4.PteFrame of the page that becomes the new
 * list head. u4.PteFrame appears to be a bitfield narrower than 32 bits: the
 * dump of PFN 0x7b15b shows the stored value as 0x03ffffff, i.e. the upper
 * bits of 0xFFFFFFFF are truncated. */
#define MM_EMPTY_LIST ((ULONG)0xFFFFFFFF)
ColorHead->Flink = (PFN_NUMBER) Pfn1->OriginalPte.u.Long; if (ColorHead->Flink != MM_EMPTY_LIST) { MI_PFN_ELEMENT (ColorHead->Flink)->u4.PteFrame = MM_EMPTY_LIST; }
1: kd> dt _MMCOLOR_TABLES 0x81c00000+1b*c nt!_MMCOLOR_TABLES +0x000 Flink : 0x7b19b +0x004 Blink : 0x810f2688 Void +0x008 Count : 0x1c35
1: kd> dd 81000000+0007b15b*18 81b8a088 0007b15a 001ec56c 0007b15c 00003000 81b8a098 0007b11b 0007b19b
第五部分:调试 —— 由 u3.e1.PageLocation 取得 ListHead
Pfn1 = MI_PFN_ELEMENT (Page);81b8a688 NodeColor = Pfn1->u3.e1.PageColor;
1: kd> p nt!MiRemovePageByColor+0x48: 80ac6e28 8b7e0c mov edi,dword ptr [esi+0Ch] 1: kd> r eax=001714d1 ebx=0000001b ecx=81000000 edx=0000001b esi=81b8a688
1: kd> dd 81b8a688 81b8a688 0007b19a 001ec66c 0007b19c 00003000 81b8a698 0007b15b 03ffffff
ListHead = MmPageLocationList[Pfn1->u3.e1.PageLocation]; 0 ListName = ListHead->ListName; ZeroedPageList (0)
1: kd> p nt!MiRemovePageByColor+0x88: 80ac6e68 83e007 and eax,7 1: kd> p nt!MiRemovePageByColor+0x8b: 80ac6e6b 8b0485044db180 mov eax,dword ptr nt!MmPageLocationList (80b14d04)[eax*4] 1: kd> r eax=00000000
1: kd> x nt!MmPageLocationList 80b14d04 nt!MmPageLocationList = struct _MMPFNLIST *[8] 1: kd> dx -r1 (*((ntkrnlmp!_MMPFNLIST * (*)[8])0x80b14d04)) (*((ntkrnlmp!_MMPFNLIST * (*)[8])0x80b14d04)) [Type: _MMPFNLIST * [8]] [0] : 0x80b14c94 [Type: _MMPFNLIST *] [1] : 0x80b14ca4 [Type: _MMPFNLIST *] [2] : 0x80b14cb4 [Type: _MMPFNLIST *] [3] : 0x80b14cc4 [Type: _MMPFNLIST *] [4] : 0x80b14cd4 [Type: _MMPFNLIST *] [5] : 0x80b14ce4 [Type: _MMPFNLIST *] [6] : 0x0 [Type: _MMPFNLIST *] [7] : 0x0 [Type: _MMPFNLIST *] 1: kd> dx -r1 ((ntkrnlmp!_MMPFNLIST *)0x80b14c94) ((ntkrnlmp!_MMPFNLIST *)0x80b14c94) : 0x80b14c94 [Type: _MMPFNLIST *] [+0x000] Total : 0x70e85 [Type: unsigned long] [+0x004] ListName : ZeroedPageList (0) [Type: _MMLISTS] [+0x008] Flink : 0xed7 [Type: unsigned long] [+0x00c] Blink : 0xa130 [Type: unsigned long]
第六部分:ListHead->Total 递减
1: kd> p nt!MiRemovePageByColor+0x95: 80ac6e75 ff08 dec dword ptr [eax] 1: kd> r eax=80b14c94
ListHead->Total -= 1;
1: kd> dx -r1 ((ntkrnlmp!_MMPFNLIST *)0x80b14c94) ((ntkrnlmp!_MMPFNLIST *)0x80b14c94) : 0x80b14c94 [Type: _MMPFNLIST *] [+0x000] Total : 0x70e84 [Type: unsigned long] [+0x004] ListName : ZeroedPageList (0) [Type: _MMLISTS] [+0x008] Flink : 0xed7 [Type: unsigned long] [+0x00c] Blink : 0xa130 [Type: unsigned long]
第七部分:从 u1/u2 双向链表脱链
Next = Pfn1->u1.Flink; Pfn1->u1.Flink = 0; // Assumes Flink width is >= WsIndex width Previous = Pfn1->u2.Blink; Pfn1->u2.Blink = 0;
1: kd> dd 81b8a688 81b8a688 00000000 001ec66c 00000000 00003000 81b8a698 0007b15b 03ffffff
else { Pfn2 = MI_PFN_ELEMENT(Next); Pfn2->u2.Blink = Previous; }
1: kd> dd 81000000+0x7b19a*18 81b8a670 0007b199 001ec668 0007b19b 00003000 81b8a680 0007b15a 0007b1da
else { Pfn2 = MI_PFN_ELEMENT(Next); Pfn2->u2.Blink = Previous; } 1: kd> dd 81000000+0x7b19a*18 81b8a670 0007b199 001ec668 0007b19c 00003000 81b8a680 0007b15a 0007b1da
else { Pfn2 = MI_PFN_ELEMENT(Previous); Pfn2->u1.Flink = Next; }
1: kd> dd 81000000+0x7b19c*18 81b8a6a0 0007b19a 001ec670 0007b19d 00003000 81b8a6b0 0007b15c 0007b1dc
至此 u1.Flink/u2.Blink 脱链完成:前一页 0x7b19a 的 Blink 已由 0x7b19b 改为 0x7b19c,后一页 0x7b19c 的 Flink 已改为 0x7b19a,而 0x7b19b 自身的 Flink 与 Blink 均被清零。
第八部分:重置 u3 标志位(PageColor、CacheAttribute)
Pfn1->u3.e2.ShortFlags = 0; Pfn1->u3.e1.PageColor = NodeColor; Pfn1->u3.e1.CacheAttribute = MiNotMapped;
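/* Cache attribute recorded in _MMPFN.u3.e1.CacheAttribute (a 2-bit field at
 * bit position 12, see the dt output below). MiRemovePageByColor resets it to
 * MiNotMapped (3), which is why the u3 dword of the removed page reads
 * 0x00003000 after the assignment. The numeric values were originally written
 * inline next to each enumerator; they are kept here as comments so the
 * declaration compiles. */
typedef enum _MI_PFN_CACHE_ATTRIBUTE {
    MiNonCached,     /* 0 */
    MiCached,        /* 1 */
    MiWriteCombined, /* 2 */
    MiNotMapped      /* 3 */
} MI_PFN_CACHE_ATTRIBUTE, *PMI_PFN_CACHE_ATTRIBUTE;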
1: kd> dd 81000000+0x7b19b*18 81b8a688 00000000 001ec66c 00000000 00003000 81b8a698 0007b15b 03ffffff
+0x00c u3 : __unnamed +0x000 e1 : _MMPFNENTRY +0x000 Modified : Pos 0, 1 Bit +0x000 ReadInProgress : Pos 1, 1 Bit +0x000 WriteInProgress : Pos 2, 1 Bit +0x000 PrototypePte : Pos 3, 1 Bit +0x000 PageColor : Pos 4, 4 Bits +0x000 PageLocation : Pos 8, 3 Bits +0x000 RemovalRequested : Pos 11, 1 Bit +0x000 CacheAttribute : Pos 12, 2 Bits 11=3
第九部分:更新颜色表 ColorHead->Flink 与新表头的 u4.PteFrame
// // Update the color lists. //
ASSERT (Color < MmSecondaryColors);
ColorHead = &MmFreePagesByColor[ListName][Color]; ASSERT (ColorHead->Count >= 1); ColorHead->Flink = (PFN_NUMBER) Pfn1->OriginalPte.u.Long; if (ColorHead->Flink != MM_EMPTY_LIST) { MI_PFN_ELEMENT (ColorHead->Flink)->u4.PteFrame = MM_EMPTY_LIST; }
1: kd> dt _MMCOLOR_TABLES 0x81c00000+1b*c nt!_MMCOLOR_TABLES +0x000 Flink : 0x7b19b +0x004 Blink : 0x810f2688 Void +0x008 Count : 0x1c35
1: kd> p nt!MiRemovePageByColor+0x181: 80ac6f61 8d3c81 lea edi,[ecx+eax*4] 1: kd> pr eax=00000051 ebx=0000001b ecx=81c00000 edx=81000000 esi=81b8a688 edi=81c00144
1: kd> dd 0x81c00000+1b*c 81c00144 0007b19b 810f2688 00001c35
ColorHead->Flink = (PFN_NUMBER) Pfn1->OriginalPte.u.Long; =0007b15b
1: kd> dd 81000000+0x7b19b*18 81b8a688 00000000 001ec66c 00000000 00003000 81b8a698 0007b15b 03ffffff
1: kd> dt _MMCOLOR_TABLES 0x81c00000+1b*c nt!_MMCOLOR_TABLES +0x000 Flink : 0x7b15b +0x004 Blink : 0x810f2688 Void +0x008 Count : 0x1c35
1: kd> dd 81000000+0x7b15b*18 81b8a088 0007b15a 001ec56c 0007b15c 00003000 81b8a098 0007b11b 0007b19b
if (ColorHead->Flink != MM_EMPTY_LIST) { MI_PFN_ELEMENT (ColorHead->Flink)->u4.PteFrame = MM_EMPTY_LIST; } 1: kd> dd 81000000+0x7b15b*18 81b8a088 0007b15a 001ec56c 0007b15c 00003000 81b8a098 0007b11b 03ffffff
第十部分:ColorHead->Count 递减
ColorHead->Count -= 1;
1: kd> dt _MMCOLOR_TABLES 0x81c00000+1b*c nt!_MMCOLOR_TABLES +0x000 Flink : 0x7b15b +0x004 Blink : 0x810f2688 Void +0x008 Count : 0x1c34
第十一部分:函数返回,eax 中为被移除的页帧号
1: kd> p nt!MiRemovePageByColor+0x213: 80ac6ff3 c9 leave 1: kd> r eax=0007b19b
1: kd> dd 81000000+0x7b19b*18 81b8a688 00000000 001ec66c 00000000 00003000 81b8a698 0007b15b 03ffffff