CR3,PDE,PTE,TLB

最新推荐文章于 2024-10-01 10:05:10 发布
转载 最新推荐文章于 2024-10-01 10:05:10 发布 · 1.3k 阅读 · 0
文章标签:

#内存 #IA-32 #linux

本文详细解析了32位操作系统中虚拟地址到物理地址的转换过程,包括通过CR3寄存器获取页目录基地址、使用虚拟地址高位索引定位页表条目、依据虚拟地址中位获取页面地址等步骤,并介绍了TLB缓存的作用。

原文出处:http://www.cnblogs.com/zzSoftware/archive/2013/02/11/2908824.html

网上关于virtual address到physical address的转换的文章太多了,写在这里只为了给blog加点内容,以及自己整理下:

32bit OS每个进程有4G的寻址空间,一个32bit的virtual address怎么被映射到physical address上呢?

1.拿到CR3的值,代表PDE Base的物理地址,页目录下占用连续的4K物理内存,共有1k个PTE.

2.根据Virtual Address的Bit31--Bit22为index,PDE Base+ index指向的PTE就是virtual address对应的PTE Base.

3.每个PTE又占用连续的4K物理内存,存放1K个Page.

4.根据virtual address的Bit21--Bit12作为index, PTE base+index指向的Page就是virtual address对应的Page.

5.Page项中有Page的起始物理地址pStart,4K对齐,virtual address的低12bit为offset,pStart+offset就是virtual address对应的physical address了。

那么每个进程应该有连续的4K内存,存放PDE Table, 1K个连续4K内存的PTE Table,共1k*4K=4M,所以需要4K+4M的Memory来存放完整4G的地址转换相关的信息,这样占用的内存太多了。一般进程实际使用的地址只占4G的一小部分,所以OS对那些没用到的virtual address page不会生成对应的PTE Table,以节省内存。

TLB: translation lookaside buffer,是一块cache,cache, PDE, PTE的内容,使得寻址并不都需要访问两次Memory(PDE,PTE)。进程切换会导致TLB失效,这也是进程切换的一个开销。

ctrloep
关注
[VMM]虚拟地址到物理地址的三级或四级页表查找过程详解
元直的博客
05-31 1037
摘要:下面以 x86-64 的 4 级页表为例,详述虚拟地址到物理地址的三级或四级页表查找(page‐walk)过程,PDE/PTE 的相互关系及各字段含义,并说明页表级数与支持的页大小之间的对应。x86-64 采用 4 级页表,每级页表都是一个 4 KiB 大小的页,包含 512(2^9)个 8 B(64 bit)条目。:只有第 2/3PDE(PDPTE/PDE)含 PS(Page Size)字段,表示“大页”映射。注意:PML4(级 1)不能用于映射大页,它始终指向下一级 PDPT。
PDE,PTE,页目录表,页表的内存管理.docx
07-31
PDE,PTE,页目录表,页表的内存管理.docx
CR3 PDE PTE的一点理解
weixin_34233421的博客
06-25 467
以前总是把CR3,PDE,PTE理解不了, 有点乱. 现在总结一下: CR3: 寄存器 指向PDE数组的基址 PDE:(Page Directory) 只有一个,其中有1024项 每一项指向一个PTE(所以PTE有1024个) PTE:(Page Table):保存有Page的基址,一共有1024个. 可以打一个这样子的比方: CR3...
关于TLB
cykac1998的博客
08-17 597
TLB相当于PTETLB就是快速限号通道。
[windows内核]PDE&PTE
r250414958的博客
08-10 3604
Cr3 描述: 在所有的寄存器中,只有Cr3存储的是物理地址,其它寄存器存的都是线性地址 Cr3所存储的物理地址指向了一个页目录表(PDT) 在Windows中,一个页的大小通常为4KB,即一个页可以存储1024个页目录表项(PDE) 下面是手册中的描述在第3卷2.5 CONTROL REGISTERS 物理页结构图: 注意:但其实上面这种结构方式是错误的,这个以后再解释,先这样理解 PDE(页目录表项) 描述: 页目录表(PDT)的每一项元素称为页目录表项(PDE) 每个页目录表项指向一个页表(
#include <default_pmm.h> #include <defs.h> #include <error.h> #include <memlayout.h> #include <mmu.h> #include <pmm.h> #include <stdio.h> #include <string.h> #include <sync.h> #include <vmm.h> #include <sw.h> // virtual address of physical page array struct Page *pages; // amount of physical memory (in pages) size_t npage = 0; // The kernel image is mapped at VA=KERNBASE and PA=info.base uint_t va_pa_offset; // memory starts at 0x0 in SW const size_t nbase = DRAM_BASE / PGSIZE; // virtual address of boot-time page directory pde_t *boot_pgdir = NULL; // physical address of boot-time page directory uintptr_t boot_cr3; // physical memory management const struct pmm_manager *pmm_manager; static void check_alloc_page(void); static void check_pgdir(void); static void check_boot_pgdir(void); // init_pmm_manager - initialize a pmm_manager instance static void init_pmm_manager(void) { pmm_manager = &default_pmm_manager; cprintf("memory management: %s\n", pmm_manager->name); pmm_manager->init(); } // init_memmap - call pmm->init_memmap to build Page struct for free memory static void init_memmap(struct Page *base, size_t n) { pmm_manager->init_memmap(base, n); } // alloc_pages - call pmm->alloc_pages to allocate a continuous n*PAGESIZE // memory struct Page *alloc_pages(size_t n) { struct Page *page = NULL; bool intr_flag; local_intr_save(intr_flag); { page = pmm_manager->alloc_pages(n); } local_intr_restore(intr_flag); return page; } // free_pages - call pmm->free_pages to free a continuous n*PAGESIZE memory void free_pages(struct Page *base, size_t n) { bool intr_flag; local_intr_save(intr_flag); { pmm_manager->free_pages(base, n); } local_intr_restore(intr_flag); } // nr_free_pages - call pmm->nr_free_pages to get the size (nr*PAGESIZE) // of current free memory size_t nr_free_pages(void) { size_t ret; bool intr_flag; local_intr_save(intr_flag); { ret = pmm_manager->nr_free_pages(); } local_intr_restore(intr_flag); return ret; } /* page_init - initialize the physical memory management */ static void page_init(void) { va_pa_offset = PHYSICAL_MEMORY_OFFSET; uint64_t mem_begin = KERNEL_BEGIN_PADDR; uint64_t mem_size = PHYSICAL_MEMORY_END - KERNEL_BEGIN_PADDR; uint64_t mem_end = PHYSICAL_MEMORY_END; //硬编码取代 sbi_query_memory()接口 cprintf("membegin %llx memend %llx mem_size %llx\n",mem_begin, mem_end, mem_size); cprintf("physcial memory map:\n"); cprintf(" memory: 0x%08lx, [0x%08lx, 0x%08lx].\n", mem_size, mem_begin, mem_end - 1); uint64_t maxpa = mem_end; if (maxpa > KERNTOP) { maxpa = KERNTOP; } extern char end[]; npage = maxpa / PGSIZE; // BBL has put the initial page table at the first available page after the // kernel // so stay away from it by adding extra offset to end pages = (struct Page *)ROUNDUP((void *)end, PGSIZE); pages = KADDR(PADDR(pages)); for (size_t i = 0; i < npage - nbase; i++) { SetPageReserved(pages + i); } uintptr_t freemem = PADDR((uintptr_t)pages + sizeof(struct Page) * (npage - nbase)); mem_begin = ROUNDUP(freemem, PGSIZE); mem_end = ROUNDDOWN(mem_end-1, PGSIZE); if (freemem < mem_end) { init_memmap(pa2page(mem_begin), (mem_end - mem_begin) / PGSIZE); } } static void enable_paging(void) { lcr3(boot_cr3); } // boot_alloc_page - allocate one page using pmm->alloc_pages(1) // return value: the kernel virtual address of this allocated page // note: this function is used to get the memory for PDT(Page Directory // Table)&PT(Page Table) static void *boot_alloc_page(void) { struct Page *p = alloc_page(); if (p == NULL) { panic("boot_alloc_page failed.\n"); } return page2kva(p); } // pmm_init - setup a pmm to manage physical memory, build PDT&PT to setup // paging mechanism // - check the correctness of pmm & paging mechanism, print PDT&PT void pmm_init(void) { // We need to alloc/free the physical memory (granularity is 4KB or other // size). // So a framework of physical memory manager (struct pmm_manager)is defined // in pmm.h // First we should init a physical memory manager(pmm) based on the // framework. // Then pmm can alloc/free the physical memory. // Now the first_fit/best_fit/worst_fit/buddy_system pmm are available. init_pmm_manager(); // detect physical memory space, reserve already used memory, // then use pmm->init_memmap to create free page list page_init(); // use pmm->check to verify the correctness of the alloc/free function in a // pmm check_alloc_page(); // create boot_pgdir, an initial page directory(Page Directory Table, PDT) extern char boot_page_table[]; boot_pgdir = (pte_t*)boot_page_table; boot_cr3 = PADDR(boot_pgdir); cprintf("nr_free_pages = %d\n",nr_free_pages()); check_pgdir(); static_assert(KERNBASE % PTSIZE == 0 && KERNTOP % PTSIZE == 0); enable_paging(); // now the basic virtual memory map(see memalyout.h) is established. // check the correctness of the basic virtual memory map. check_boot_pgdir(); } // get_pte - get pte and return the kernel virtual address of this pte for la // - if the PT contians this pte didn&#39;t exist, alloc a page for PT // parameter: // pgdir: the kernel virtual base address of PDT // la: the linear address need to map // create: a logical value to decide if alloc a page for PT // return vaule: the kernel virtual address of this pte pte_t *get_pte(pde_t *pgdir, uintptr_t la, bool create) { /* * If you need to visit a physical address, please use KADDR() * please read pmm.h for useful macros * * Maybe you want help comment, BELOW comments can help you finish the code * * Some Useful MACROs and DEFINEs, you can use them in below implementation. * MACROs or Functions: * PDX(la) = the index of page directory entry of VIRTUAL ADDRESS la. * KADDR(pa) : takes a physical address and returns the corresponding * kernel virtual address. * set_page_ref(page,1) : means the page be referenced by one time * page2pa(page): get the physical address of memory which this (struct * Page *) page manages * struct Page * alloc_page() : allocation a page * memset(void *s, char c, size_t n) : sets the first n bytes of the * memory area pointed by s * to the specified value c. * DEFINEs: * PTE_P 0x001 // page table/directory entry * flags bit : Present * PTE_W 0xc00 // page table/directory entry * flags bit : Writeable * PTE_U 0x8800 // page table/directory entry * flags bit : User can access */ pde_t *pdep2 = &pgdir[PDX2(la)]; if (!(*pdep2 & PTE_V)) { struct Page *page; if (!create || (page = alloc_page()) == NULL) { return NULL; } page_ref_inc(page); uintptr_t pa = page2pa(page); memset(KADDR(pa), 0, PGSIZE); *pdep2 = pte_create(page2ppn(page), PTE_U | PTE_V); } pde_t *pdep1 = &((pde_t *)KADDR(PDE_ADDR(*pdep2)))[PDX1(la)]; if (!(*pdep1 & PTE_V)) { struct Page *page; if (!create || (page = alloc_page()) == NULL) { return NULL; } page_ref_inc(page); uintptr_t pa = page2pa(page); memset(KADDR(pa), 0, PGSIZE); *pdep1 = pte_create(page2ppn(page), PTE_U | PTE_V); } pde_t *pdep0 = &((pde_t *)KADDR(PDE_ADDR(*pdep1)))[PDX0(la)]; if (!(*pdep0 & PTE_V)) { struct Page *page; if (!create || (page = alloc_page()) == NULL) { return NULL; } // page_ref_inc(page); uintptr_t pa = page2pa(page); memset(KADDR(pa), 0, PGSIZE); *pdep0 = pte_create(page2ppn(page), PTE_U | PTE_V); } return &((pte_t *)KADDR(PDE_ADDR(*pdep0)))[PTX(la)]; } // get_page - get related Page struct for linear address la using PDT pgdir struct Page *get_page(pde_t *pgdir, uintptr_t la, pte_t **ptep_store) { pte_t *ptep = get_pte(pgdir, la, 0); if (ptep_store != NULL) { *ptep_store = ptep; } if (ptep != NULL && *ptep & PTE_V) { return pte2page(*ptep); } return NULL; } // page_remove_pte - free an Page sturct which is related linear address la // - and clean(invalidate) pte which is related linear address la // note: PT is changed, so the TLB need to be invalidate static inline void page_remove_pte(pde_t *pgdir, uintptr_t la, pte_t *ptep) { /* * * Please check if ptep is valid, and tlb must be manually updated if * mapping is updated * * Maybe you want help comment, BELOW comments can help you finish the code * * Some Useful MACROs and DEFINEs, you can use them in below implementation. * MACROs or Functions: * struct Page *page pte2page(*ptep): get the according page from the * value of a ptep * free_page : free a page * page_ref_dec(page) : decrease page->ref. NOTICE: ff page->ref == 0 , * then this page should be free. * tlb_invalidate(pde_t *pgdir, uintptr_t la) : Invalidate a TLB entry, * but only if the page tables being * edited are the ones currently in use by the * processor. * DEFINEs: * PTE_P 0x001 // page table/directory entry * flags bit : Present */ if (*ptep & PTE_V) { //(1) check if this page table entry is struct Page *page = pte2page(*ptep); //(2) find corresponding page to pte page_ref_dec(page); //(3) decrease page reference if (page_ref(page) == 0) { //(4) and free this page when page reference reachs 0 free_page(page); } *ptep = 0; //(5) clear second page table entry tlb_invalidate(pgdir, la); //(6) flush tlb } } void page_remove_ptx(pde_t *pgdir, uintptr_t la) { pte_t *pte = &((pte_t *)KADDR(PDE_ADDR(*pgdir)))[PTX(la)]; if (!(*pte & PTE_V)){ return; } page_remove_pte(NULL, la, pte); //todo panic("Not Implemented!\n"); } void page_remove_pdx0(pde_t *pgdir, uintptr_t la) { pde_t *pdep0 = &((pde_t *)KADDR(PDE_ADDR(*pgdir)))[PDX0(la)]; if (!(*pdep0 & PTE_V)){ return; } page_remove_ptx(pdep0, la); //lab6 todo panic("Not Implemented!\n"); } void page_remove_pdx1(pde_t *pgdir, uintptr_t la) { pde_t *pdep1 = &((pde_t *)KADDR(PDE_ADDR(*pgdir)))[PDX1(la)]; if (!(*pdep1 & PTE_V)){ return; } page_remove_pdx0(pdep1, la); //lab6 todo panic("Not Implemented!\n"); } void page_remove_pdx2(pde_t *pgdir, uintptr_t la) { pde_t *pdep2 = &pgdir[PDX2(la)]; if (!(*pdep2 & PTE_V)){ return; } page_remove_pdx1(pdep2, la); //lab6 todo panic("Not Implemented!\n"); } // page_remove - free an Page which is related linear address la and has an // validated pte void page_remove(pde_t *pgdir, uintptr_t la) { page_remove_pdx2(pgdir,la); } // page_insert - build the map of phy addr of an Page with the linear addr la // paramemters: // pgdir: the kernel virtual base address of PDT // page: the Page which need to map // la: the linear address need to map // perm: the permission of this Page which is setted in related pte // return value: always 0 // note: PT is changed, so the TLB need to be invalidate int page_insert(pde_t *pgdir, struct Page *page, uintptr_t la, uint32_t perm) { pte_t *ptep = get_pte(pgdir, la, 1); if (ptep == NULL) { return -E_NO_MEM; } page_ref_inc(page); if (*ptep & PTE_V) { struct Page *p = pte2page(*ptep); if (p == page) { page_ref_dec(page); } else { page_remove_pte(pgdir, la, ptep); } } else{ page_ref_inc(kva2page(ptep)); } *ptep = pte_create(page2ppn(page), PTE_V | perm); tlb_invalidate(pgdir, la); return 0; } // invalidate a TLB entry, but only if the page tables being // edited are the ones currently in use by the processor. void tlb_invalidate(pde_t *pgdir, uintptr_t la) { flush_tlb(); } // pgdir_alloc_page - call alloc_page & page_insert functions to // - allocate a page size memory & setup an addr map // - pa<->la with linear address la and the PDT pgdir struct Page *pgdir_alloc_page(pde_t *pgdir, uintptr_t la, uint32_t perm) { struct Page *page = alloc_page(); if (page != NULL) { if (page_insert(pgdir, page, la, perm) != 0) { free_page(page); return NULL; } } return page; } static void check_alloc_page(void) { pmm_manager->check(); cprintf("check_alloc_page() succeeded!\n"); } static void check_pgdir(void) { // assert(npage <= KMEMSIZE / PGSIZE); size_t nr_free_pages_store = nr_free_pages(); assert(npage <= KERNTOP / PGSIZE); assert(boot_pgdir != NULL && (uint32_t)PGOFF(boot_pgdir) == 0); assert(get_page(boot_pgdir, 0x0, NULL) == NULL); struct Page *p1, *p2; p1 = alloc_page(); assert(page_insert(boot_pgdir, p1, 0x0, 0) == 0); pte_t *ptep; assert((ptep = get_pte(boot_pgdir, 0x0, 0)) != NULL); assert(pte2page(*ptep) == p1); assert(page_ref(p1) == 1); ptep = (pte_t *)KADDR(PDE_ADDR(boot_pgdir[0])); ptep = (pte_t *)KADDR(PDE_ADDR(ptep[0])); ptep = (pte_t *)KADDR(PDE_ADDR(ptep[0])) + 1; assert(get_pte(boot_pgdir, PGSIZE, 0) == ptep); p2 = alloc_page(); assert(page_insert(boot_pgdir, p2, PGSIZE, PTE_U | PTE_W) == 0); assert((ptep = get_pte(boot_pgdir, PGSIZE, 0)) != NULL); assert(*ptep & PTE_U); assert(*ptep & PTE_W); assert(boot_pgdir[0] & PTE_U); assert(page_ref(p2) == 1); assert(page_insert(boot_pgdir, p1, PGSIZE, 0) == 0); assert(page_ref(p1) == 2); assert(page_ref(p2) == 0); assert((ptep = get_pte(boot_pgdir, PGSIZE, 0)) != NULL); assert(pte2page(*ptep) == p1); assert((*ptep & PTE_U) == 0); cprintf(" page_remove 0 \n"); page_remove(boot_pgdir, 0x0); assert(page_ref(p1) == 1); assert(page_ref(p2) == 0); cprintf(" page_remove PGSIZE \n"); page_remove(boot_pgdir, PGSIZE); assert(page_ref(p1) == 0); assert(page_ref(p2) == 0); //assert(page_ref(pde2page(boot_pgdir[0])) == 1); assert(page_ref(pde2page(boot_pgdir[0])) == 0); #if 0 //free pgdir pte_t *ptep2 = (pte_t *)KADDR(PDE_ADDR(boot_pgdir[0])); pte_t *ptep1 = (pte_t *)KADDR(PDE_ADDR(ptep2[0])); pte_t *ptep0 = (pte_t *)KADDR(PDE_ADDR(ptep1[0])); free_page(kva2page((void *)ptep0)); free_page(kva2page((void *)ptep1)); free_page(kva2page((void *)ptep2)); boot_pgdir[0] = 0; #endif assert(nr_free_pages_store == nr_free_pages()); cprintf("check_pgdir() succeeded!\n"); } static void check_boot_pgdir(void) { pte_t *ptep; int i; assert(boot_pgdir[0] == 0); size_t nr_free_pages_store = nr_free_pages(); struct Page *p; p = alloc_page(); assert(page_insert(boot_pgdir, p, 0x100, PTE_W | PTE_R) == 0); assert(page_ref(p) == 1); assert(page_insert(boot_pgdir, p, 0x100 + PGSIZE, PTE_W | PTE_R) == 0); assert(page_ref(p) == 2); const char *str = "ucore: Hello world!!"; strcpy((void *)0x100, str); assert(strcmp((void *)0x100, (void *)(0x100 + PGSIZE)) == 0); *(char *)(page2kva(p) + 0x100) = &#39;\0&#39;; assert(strlen((const char *)0x100) == 0); page_remove(boot_pgdir, 0x100); page_remove(boot_pgdir, 0x100 + PGSIZE); #if 0 //free pgdir pte_t *ptep2 = (pte_t *)KADDR(PDE_ADDR(boot_pgdir[0])); pte_t *ptep1 = (pte_t *)KADDR(PDE_ADDR(ptep2[0])); pte_t *ptep0 = (pte_t *)KADDR(PDE_ADDR(ptep1[0])); free_page(kva2page((void *)ptep0)); free_page(kva2page((void *)ptep1)); free_page(kva2page((void *)ptep2)); boot_pgdir[0] = 0; #endif assert(nr_free_pages_store == nr_free_pages()); cprintf("check_boot_pgdir() succeeded!\n"); } void *kmalloc(size_t n) { void *ptr = NULL; struct Page *base = NULL; assert(n > 0 && n < 1024 * 0124); int num_pages = (n + PGSIZE - 1) / PGSIZE; base = alloc_pages(num_pages); assert(base != NULL); ptr = page2kva(base); return ptr; } void kfree(void *ptr, size_t n) { assert(n > 0 && n < 1024 * 0124); assert(ptr != NULL); struct Page *base = NULL; int num_pages = (n + PGSIZE - 1) / PGSIZE; base = kva2page(ptr); free_pages(base, num_pages); } pmm.c的代码如上,根据实验给我要修改的地方
最新发布
11-02
pte_t *pt = (pte_t *)KADDR(PDE_ADDR(*pdep0)); pte_t *pte = &pt[PTX(la)]; if (!(*pte & PTE_V)) { return; } // 执行移除操作(内部会减引用) page_remove_pte(pgdir, la, pte); // 获取当前页表页...
[讨论][转帖][讨论][原创]windows Hook内核api,能过win10 22H2的pg 发表于: 2023-12-6 17:35 12260 举报 最近一直在思考如何hook内核函数而不触发pg,于是我在看雪找到一篇文章讲解如何hook内核函数不触发pg,链接:https://bbs.kanxue.com/thread-266781.htm。 文章并没有讲解思路,直接贴上代码,在看完他的代码后,我理解了其思路,发现代码有点冗长,存在一些多余的操作,不过这也给了我过pg的思路。 windows64位系统内核中内核函数线性地址对应的物理地址是pte里面的物理地址,是不是可以修改pte里面物理地址从而改变线性地址对应的物理地址,但是内核中的函数的pte里面的物理地址是全局的,只要一修改,其他进程也会受到影响。好在我们通过进程的Cr3找到进程的内核函数地址对应的PXE,这个PXE不是全局的,如果修改了PXE里面的值,该进程内核函数对应的物理地址也就变了,但是不会影响的其他进程。于是我们可以重构页表,通过修改PXE,PDPTEPDEPTE来修改该进程内核函数对应的物理地址,从而可以对该内核函数进行hook而不触发pg。大致做法如下图: 图片描述 图片描述 图片描述 我们可以通过映射物理内存到虚拟内存的方法来修改PXE,PDPTEPDEPTE。 这里一共两份源码,一份win7,一份win10,win10的源码针对2Mb大页的。 下面是源码: 支持win7 #include<ntifs.h> ULONG_PTR pPhyAddr[5] = { 0 }; typedef struct _HARDWARE_PTE { ULONG64 Valid : 1; ULONG64 Write : 1; ULONG64 Owner : 1; ULONG64 WriteThrough : 1; ULONG64 CacheDisable : 1; ULONG64 Accessed : 1; ULONG64 Dirty : 1; ULONG64 LargePage : 1; ULONG64 Global : 1; ULONG64 CopyOnWrite : 1; ULONG64 Prototype : 1; ULONG64 reserved0 : 1; ULONG64 PageFrameNumber : 36; ULONG64 reserved1 : 4; ULONG64 SoftwareWsIndex : 11; ULONG64 NoExecute : 1; } HARDWARE_PTE, *PHARDWARE_PTE; BOOLEAN InitHook(ULONG_PTR VirtualAddress_s, ULONG Pid, ULONG_PTR offset) { //1获取虚拟内存的PXE PDPTE pdepte的索引 ULONG PxeIndex = (VirtualAddress_s >> 0x27) & 0x1FF; UINT32 PPEIndex = (VirtualAddress_s >> 0x1E) & 0x1FF; //PPEIndex UINT32 PDEIndex = (VirtualAddress_s >> 0x15) & 0x1FF; //PDEIndex UINT32 PTEIndex = (VirtualAddress_s >> 0xC) & 0x1FF; 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 //DbgBreakPoint(); //2 获取要hook进程的CR3 PEPROCESS pEprocess = NULL; NTSTATUS status = PsLookupProcessByProcessId(Pid, &pEprocess); if (!NT_SUCCESS(status)) { return 0; } ULONG_PTR Cr3PhyAddr = *(PULONG64)((ULONG64)pEprocess + KERNEL_CR3_OFFSET); PHYSICAL_ADDRESS Cr3 = { 0 }; Cr3.QuadPart = Cr3PhyAddr; ULONG_PTR VirtualAddresss = MmMapIoSpace(Cr3, PAGE_SIZE, MmNonCached);//由于Cr3是物理地址我们需要映射到虚拟内存中去 if (!VirtualAddresss) { return 0; } //3 构建页表 //*(PULONG64)(VirtualAddresss + PxeIndex * 8) |= 70; PHYSICAL_ADDRESS Low = { 0 }; PHYSICAL_ADDRESS High = { MAXULONG64 }; //ppe pPhyAddr[0] = (ULONG_PTR)MmAllocateContiguousMemorySpecifyCache(PAGE_SIZE, Low, High, Low, MmCached); ULONG_PTR newPPEphy = MmGetPhysicalAddress(pPhyAddr[0]).QuadPart; ULONG_PTR PPEPhyAddr = (ULONG_PTR)(((PHARDWARE_PTE)(VirtualAddresss + PxeIndex * 8))->PageFrameNumber) * 0x1000; PHYSICAL_ADDRESS temp = { 0 }; temp.QuadPart = PPEPhyAddr; ULONG_PTR VirtualAddress_PPE= MmMapIoSpace(temp, PAGE_SIZE, MmNonCached); memcpy(pPhyAddr[0], VirtualAddress_PPE, PAGE_SIZE); //pde pPhyAddr[1] = (ULONG_PTR)MmAllocateContiguousMemorySpecifyCache(PAGE_SIZE, Low, High, Low, MmCached); ULONG_PTR newPDEphy= MmGetPhysicalAddress(pPhyAddr[1]).QuadPart; ULONG_PTR pdePhy= (ULONG_PTR)(((PHARDWARE_PTE)(VirtualAddress_PPE + PPEIndex * 8))->PageFrameNumber) * 0x1000; temp.QuadPart = pdePhy; ULONG_PTR VirtualAddress_PDE = MmMapIoSpace(temp,PAGE_SIZE, MmNonCached); memcpy(pPhyAddr[1], VirtualAddress_PDE, PAGE_SIZE); //pte pPhyAddr[2] = (ULONG_PTR)MmAllocateContiguousMemorySpecifyCache(PAGE_SIZE, Low, High, Low, MmCached); ULONG_PTR newPTEphy = MmGetPhysicalAddress(pPhyAddr[2]).QuadPart; ULONG_PTR ptePhy = (ULONG_PTR)(((PHARDWARE_PTE)(VirtualAddress_PDE + PDEIndex * 8))->PageFrameNumber) * 0x1000; temp.QuadPart = ptePhy; ULONG_PTR VirtualAddress_PTE = MmMapIoSpace(temp, PAGE_SIZE, MmNonCached); memcpy(pPhyAddr[2], VirtualAddress_PTE, PAGE_SIZE); //物理内存 pPhyAddr[3] = (ULONG_PTR)MmAllocateContiguousMemorySpecifyCache(PAGE_SIZE, Low, High, Low, MmCached); ULONG_PTR newphy = MmGetPhysicalAddress(pPhyAddr[3]).QuadPart; ULONG_PTR Phy = (ULONG_PTR)(((PHARDWARE_PTE)(VirtualAddress_PTE + PTEIndex * 8))->PageFrameNumber) * 0x1000; temp.QuadPart = Phy; ULONG_PTR VirtualAddress_PHY = MmMapIoSpace(temp, PAGE_SIZE, MmNonCached); memcpy(pPhyAddr[3], VirtualAddress_PHY, PAGE_SIZE); //ULONG_PTR ss3 = pPhyAddr[3]; //ULONG_PTR ss1 = pPhyAddr[1]; //ULONG_PTR ss2 = pPhyAddr[2]; //DbgBreakPoint(); //4 修改PXE PPE PDE PTE从而改变 ((PHARDWARE_PTE)(VirtualAddresss + PxeIndex * 8))->PageFrameNumber = newPPEphy >> 12; ((PHARDWARE_PTE)(pPhyAddr[0] + PPEIndex * 8))->PageFrameNumber = newPDEphy >> 12; ((PHARDWARE_PTE)(pPhyAddr[1] + PDEIndex * 8))->PageFrameNumber = newPTEphy >> 12; ((PHARDWARE_PTE)(pPhyAddr[2] + PTEIndex * 8))->PageFrameNumber = newphy >> 12; ((PHARDWARE_PTE)(pPhyAddr[2] + PTEIndex * 8))->Write = 1; *(PUCHAR)(pPhyAddr[3] + offset + 0x27) = 0x90; *(PUCHAR)(pPhyAddr[3] + offset + 0x28) = 0x90; *(PUCHAR)(pPhyAddr[3] + offset + 0x29) = 0xc3; return TRUE; } VOID unstallHook() { 1 2 3 4 MmFreeContiguousMemory(pPhyAddr[0]); MmFreeContiguousMemory(pPhyAddr[1]); MmFreeContiguousMemory(pPhyAddr[2]); MmFreeContiguousMemory(pPhyAddr[3]); } VOID DriverUnload(PDRIVER_OBJECT pDriver) { unstallHook(); } NTSTATUS DriverEntry(PDRIVER_OBJECT pDriver, PUNICODE_STRING pRes) { pDriver->DriverUnload = DriverUnload; UNICODE_STRING ss = { 0 }; RtlInitUnicodeString(&ss, L"NtOpenProcess"); ULONG_PTR NtOpenAddr = MmGetSystemRoutineAddress(&ss); ULONG_PTR funcVir = NtOpenAddr & ~(0xfff); ULONG_PTR funcOffset = NtOpenAddr & 0xfff; InitHook(funcVir, 2280, funcOffset); //SetPTEHook(ssz); return STATUS_SUCCESS; } 当我附加到被我下钩子的进程,NtOpenProcess的结果在内存中是这样的: 图片描述 附加到我们没有HOOK的其他进程: 图片描述 在win7 64位系统中存在了5小时未发生pg。 我的这份源码纯粹是为了实验,封装的不太好,请谅解。 由于我刚学习64位系统内核没多久,可能文章会有一些错误,希望各位大佬能够指正。 对于win10,由于不能像win7用同样的方法映射页表的物理内存,我换了一种方式,且这次是2Mb的大页,细节有很多发生了变化,但思路还是一样的,我没有完善卸载函数,卸载的时候会蓝屏。 下面是源码: ULONG_PTR pPhyAddr[5] = { 0 }; ULONG IsPdeLager = 0; ULONG_PTR newPPEphy = 0; //ULONG_PTR pPhyAddr[5] = { 0 }; ULONG_PTR newPDEphy = 0; ULONG_PTR newPTEphy = 0; ULONG_PTR newphy = 0; typedef struct _HARDWARE_PTE { ULONG64 Valid : 1; ULONG64 Write : 1; ULONG64 Owner : 1; ULONG64 WriteThrough : 1; ULONG64 CacheDisable : 1; ULONG64 Accessed : 1; ULONG64 Dirty : 1; ULONG64 LargePage : 1; ULONG64 Global : 1; ULONG64 CopyOnWrite : 1; ULONG64 Prototype : 1; ULONG64 reserved0 : 1; ULONG64 PageFrameNumber : 36; ULONG64 reserved1 : 4; ULONG64 SoftwareWsIndex : 11; ULONG64 NoExecute : 1; } HARDWARE_PTE, *PHARDWARE_PTE; BOOLEAN InitHook(ULONG_PTR VirtualAddress_s, ULONG Pid, ULONG_PTR offset) { 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 //1获取虚拟内存的PXE PDPTE pdepte的索引 ULONG PxeIndex = (VirtualAddress_s >> 0x27) & 0x1FF; UINT32 PPEIndex = (VirtualAddress_s >> 0x1E) & 0x1FF; //PPEIndex UINT32 PDEIndex = (VirtualAddress_s >> 0x15) & 0x1FF; //PDEIndex UINT32 PTEIndex = (VirtualAddress_s >> 0xC) & 0x1FF; //DbgBreakPoint(); //2 获取要hook进程的CR3 PEPROCESS pEprocess = NULL; NTSTATUS status = PsLookupProcessByProcessId(Pid, &pEprocess); if (!NT_SUCCESS(status)) { return 0; } HANDLE hMemory = NULL; UNICODE_STRING unName = { 0 }; RtlInitUnicodeString(&unName, L"\\Device\\PhysicalMemory"); OBJECT_ATTRIBUTES obj; InitializeObjectAttributes(&obj, &unName, OBJ_CASE_INSENSITIVE, NULL, NULL); status = ZwOpenSection(&hMemory, SECTION_ALL_ACCESS, &obj); if (!NT_SUCCESS(status)) { return 0; } SIZE_T sizeView = PAGE_SIZE; PVOID sectionObj = NULL; status = ObReferenceObjectByHandle(hMemory, SECTION_ALL_ACCESS, NULL, KernelMode, &sectionObj, NULL); if (!NT_SUCCESS(status)) { return status; } ULONG_PTR Cr3PhyAddr = *(PULONG64)((ULONG64)pEprocess + KERNEL_CR3_OFFSET)&~(0xf); PHYSICAL_ADDRESS Cr3 = { 0 }; Cr3.QuadPart = Cr3PhyAddr; ULONG_PTR VirtualAddresss = NULL; status = ZwMapViewOfSection(hMemory, NtCurrentProcess(), &VirtualAddresss, 0, PAGE_SIZE, &Cr3, &sizeView, ViewUnmap, MEM_TOP_DOWN, PAGE_READWRITE); //ULONG_PTR VirtualAddresss = MmMapIoSpace(Cr3, PAGE_SIZE, MmNonCached);//由于Cr3是物理地址我们需要映射到虚拟内存中去 if (!NT_SUCCESS(status)) { return 0; } //3 构建页表 //*(PULONG64)(VirtualAddresss + PxeIndex * 8) |= 70; PHYSICAL_ADDRESS Low = { 0 }; PHYSICAL_ADDRESS High = { MAXULONG64 }; //ppe do { pPhyAddr[0] = (ULONG_PTR)MmAllocateContiguousMemorySpecifyCache(PAGE_SIZE, Low, High, Low, MmCached); newPPEphy = MmGetPhysicalAddress(pPhyAddr[0]).QuadPart; ULONG_PTR PPEPhyAddr = (ULONG_PTR)(((PHARDWARE_PTE)(VirtualAddresss + PxeIndex * 8))->PageFrameNumber) * 0x1000; PHYSICAL_ADDRESS temp = { 0 }; temp.QuadPart = PPEPhyAddr; ULONG_PTR VirtualAddress_PPE = NULL; ZwMapViewOfSection(hMemory, NtCurrentProcess(), &VirtualAddress_PPE, 0, PAGE_SIZE, &temp, &sizeView, ViewUnmap, MEM_TOP_DOWN, PAGE_READWRITE); memcpy(pPhyAddr[0], VirtualAddress_PPE, PAGE_SIZE); //pde pPhyAddr[1] = (ULONG_PTR)MmAllocateContiguousMemorySpecifyCache(PAGE_SIZE, Low, High, Low, MmCached); newPDEphy = MmGetPhysicalAddress(pPhyAddr[1]).QuadPart; ULONG_PTR pdePhy = (ULONG_PTR)(((PHARDWARE_PTE)(VirtualAddress_PPE + PPEIndex * 8))->PageFrameNumber) * 0x1000; temp.QuadPart = pdePhy; ULONG_PTR VirtualAddress_PDE = NULL; ZwMapViewOfSection(hMemory, NtCurrentProcess(), &VirtualAddress_PDE, 0, PAGE_SIZE, &temp, &sizeView, ViewUnmap, MEM_TOP_DOWN, PAGE_READWRITE); memcpy(pPhyAddr[1], VirtualAddress_PDE, PAGE_SIZE); //pte ULONG_PTR ptePhy = (ULONG_PTR)(((PHARDWARE_PTE)(VirtualAddress_PDE + PDEIndex * 8))->PageFrameNumber) * 0x1000; temp.QuadPart = ptePhy; if (((PHARDWARE_PTE)(VirtualAddress_PDE + PDEIndex * 8))->LargePage == 1) { pPhyAddr[2] = (ULONG_PTR)MmAllocateContiguousMemorySpecifyCache(PAGE_SIZE* 1024, Low, High, Low, MmCached); memset(pPhyAddr[2], 0, PAGE_SIZE * 1024); ULONG_PTR Real = MmGetPhysicalAddress(pPhyAddr[2]).QuadPart; ULONG_PTR Real1 = Real; ULONG_PTR Realtemp = 0; if (Real == 0) { MmFreeContiguousMemory(pPhyAddr[0]); MmFreeContiguousMemory(pPhyAddr[1]); MmFreeContiguousMemory(pPhyAddr[2]); return FALSE; } ULONG i = 0; for (i = 0; i < 1024; i++) { Real += PAGE_SIZE; //Real &= 0x1fffff; Realtemp = Real & 0x1fffff; if (!Realtemp) break; } DbgBreakPoint(); pPhyAddr[2] += PAGE_SIZE * (i+1); newPTEphy = MmGetPhysicalAddress(pPhyAddr[2]).QuadPart; ULONG_PTR VirtualAddress_PTE = NULL; sizeView = PAGE_SIZE * 0x200; ZwMapViewOfSection(hMemory, NtCurrentProcess(), &VirtualAddress_PTE, 0, PAGE_SIZE, &temp, &sizeView, ViewUnmap, MEM_TOP_DOWN, PAGE_READWRITE); memcpy(pPhyAddr[2], VirtualAddress_s &~(0x1fffff), PAGE_SIZE*0x200); ((PHARDWARE_PTE)(pPhyAddr[0] + PPEIndex * 8))->PageFrameNumber = newPDEphy >> 12; ((PHARDWARE_PTE)(pPhyAddr[1] + PDEIndex * 8))->PageFrameNumber = newPTEphy >> 12; //((PHARDWARE_PTE)(pPhyAddr[2] + PTEIndex * 8))->Write = 1; ULONG_PTR newOffset = (VirtualAddress_s & 0x1ff000) + offset; //((PHARDWARE_PTE)(pPhyAddr[1] + PTEIndex * 8))->Write = 1; *(PUCHAR)(pPhyAddr[2] + newOffset + 0x27) = 0x90; *(PUCHAR)(pPhyAddr[2] + newOffset + 0x28) = 0x90; *(PUCHAR)(pPhyAddr[2] + newOffset + 0x29) = 0xc3; ULONG_PTR ss = pPhyAddr[2]; ULONG_PTR ss2 = VirtualAddress_s & ~(0x1fffff); IsPdeLager = 1; break; } pPhyAddr[2] = (ULONG_PTR)MmAllocateContiguousMemorySpecifyCache(PAGE_SIZE, Low, High, Low, MmCached); newPTEphy = MmGetPhysicalAddress(pPhyAddr[2]).QuadPart; ULONG_PTR VirtualAddress_PTE = NULL; ZwMapViewOfSection(hMemory, NtCurrentProcess(), &VirtualAddress_PTE, 0, PAGE_SIZE, &temp, &sizeView, ViewUnmap, MEM_TOP_DOWN, PAGE_READWRITE); memcpy(pPhyAddr[2], VirtualAddress_PTE, PAGE_SIZE); //物理内存 pPhyAddr[3] = (ULONG_PTR)MmAllocateContiguousMemorySpecifyCache(PAGE_SIZE, Low, High, Low, MmCached); newphy = MmGetPhysicalAddress(pPhyAddr[3]).QuadPart; ULONG_PTR Phy = (ULONG_PTR)(((PHARDWARE_PTE)(VirtualAddress_PTE + PTEIndex * 8))->PageFrameNumber) * 0x1000; temp.QuadPart = Phy; ULONG_PTR VirtualAddress_PHY = NULL; ZwMapViewOfSection(hMemory, NtCurrentProcess(), &VirtualAddress_PHY, 0, PAGE_SIZE, &temp, &sizeView, ViewUnmap, MEM_TOP_DOWN, PAGE_READWRITE); memcpy(pPhyAddr[3], VirtualAddress_PHY, PAGE_SIZE); } while (0); //ULONG_PTR ss3 = pPhyAddr[3]; //ULONG_PTR ss1 = pPhyAddr[1]; //ULONG_PTR ss2 = pPhyAddr[2]; //DbgBreakPoint(); //4 修改PXE PPE PDE PTE从而改变 if (IsPdeLager) { ((PHARDWARE_PTE)(VirtualAddresss + PxeIndex * 8))->PageFrameNumber = newPPEphy >> 12; return TRUE; } ((PHARDWARE_PTE)(VirtualAddresss + PxeIndex * 8))->PageFrameNumber = newPPEphy >> 12; ((PHARDWARE_PTE)(pPhyAddr[0] + PPEIndex * 8))->PageFrameNumber = newPDEphy >> 12; ((PHARDWARE_PTE)(pPhyAddr[1] + PDEIndex * 8))->PageFrameNumber = newPTEphy >> 12; ((PHARDWARE_PTE)(pPhyAddr[2] + PTEIndex * 8))->PageFrameNumber = newphy >> 12; return TRUE; }; VOID unstallHook() { if (IsPdeLager) { MmFreeContiguousMemory(pPhyAddr[0]); MmFreeContiguousMemory(pPhyAddr[1]); MmFreeContiguousMemory(pPhyAddr[2]); return; } 1 2 3 4 //MmFreeContiguousMemory(pPhyAddr[0]); //MmFreeContiguousMemory(pPhyAddr[1]); //MmFreeContiguousMemory(pPhyAddr[2]); //MmFreeContiguousMemory(pPhyAddr[3]); } VOID DriverUnload(PDRIVER_OBJECT pDriver) { unstallHook(); } NTSTATUS DriverEntry(PDRIVER_OBJECT pDriver, PUNICODE_STRING pRes) { pDriver->DriverUnload = DriverUnload; PKLDR_DATA_TABLE_ENTRY pKldr = (PKLDR_DATA_TABLE_ENTRY)pDriver->DriverSection; pKldr->Flags |= 0x20; //NTSTATUS status = PsSetCreateProcessNotifyRoutine(ProcessNotifyRoutine, FALSE); UNICODE_STRING ss = { 0 }; RtlInitUnicodeString(&ss, L"NtOpenProcess"); ULONG_PTR NtOpenAddr = MmGetSystemRoutineAddress(&ss); ULONG_PTR funcVir = NtOpenAddr & ~(0xfff); ULONG_PTR funcOffset = NtOpenAddr & 0xfff; InitHook(funcVir, 8568, funcOffset); //SetPTEHook(ssz); return STATUS_SUCCESS; }根据这个帖子,把上面的win10代码完整的抄下来
07-16
刷新TLB的方法:重新加载CR3(将目标进程的CR3重新写入CR3寄存器)会刷新整个TLB。我们可以通过KeStackAttachProcess附加到目标进程,然后执行__writecr3(__readcr3()),但这样会刷新整个TLB,影响性能,但安全。 ...
bool fn_isolation_pagetable(UINT64 cr3_val, void* replace_align_addr, void* split_pde_ptr) bool fn_pte_inline_hook_bp_pg(HANDLE process_id, _Inout_ void** ori_addr, void* hk_addr) 完整修复代码写完整一遍
06-26
2.在`fn_pte_inline_hook_bp_pg`中,确保在目标进程的CR3下进行Hook的写入,并刷新TLB。同时,我们还需要补充之前缺失的`PaToVaWithCr3`函数,并修正`FlushTlbAllCores`函数(使用静态函数代替lambda)。下面给出...
X86_64 CR3详解
weixin_41430055的博客
06-15 3161
X86_64 CR3控制寄存器详解
12.PDEPTE
My classmates
10-13 1850
页表:一个大小为 1024 个元素的数组,用来保存页索引号。数组中的每个元素的高20 bit 用来保存页索引号,低 12 bit 保存页属性。每个元素的大小是 32 bit,也就是 4 字节。 一个页表本身占用一页(4KB) 页目录:页表本身既然也占用一页,那页表本身这个物理页也是有索引号的。所以保存这种物理页索引号的页表,叫一级页表,也叫页目录。 PTE可以指向物理页,也可以...
CPU Study - TLB
weixin_43948262的博客
10-01 1408
参考来源:《超标量处理器设计》—— 姚永斌。
驱动开发:内核解析内存四级页表
LYSHARK
05-29 1万+
当今操作系统普遍采用64位架构,CPU最大寻址能力虽然达到了64位,但其实仅仅只是用到了48位进行寻址,其内存管理采用了。这段代码完整版如下所示,代码可动态定位到PTE内存地址,然后将其取出;运行如上代码可动态获取到当前系统的PTE地址,然后将PTE填入到。中,即可实现解析系统内的四个标志位,完整解析代码如下所示;字节,PTE结构的解析非常容易,打开WinDBG输入。即可解析,如下所示,当前地址0位置处的PTE基址是。由于PTE是动态变化的,找到该地址的关键就在于通过。,由于PTE的一个页大小是。
驱动开发:内核CR3切换读写内存
热门推荐
LYSHARK
09-25 2万+
首先CR3是什么,CR3是一个寄存器,该寄存器内保存有页目录表物理地址(PDBR地址),其实CR3内部存放的就是页目录表的内存基地址,运用CR3切换可实现对特定进程内存地址的强制读写操作,此类读写属于有痕读写,多数驱动保护都会将这个地址改为无效,此时CR3读写就失效了,当然如果能找到CR3的正确地址,此方式也是靠谱的一种读写机制。至于进程将CR3改掉了读取不到该寄存器该如何处理,这里我找到了一段参考代码,可以实现寻找CR3地址这个功能。结构,查找结构的方法也很简单,依次遍历进程并对比进程名称即可得到。
linux内存管理总结之内存分配
赶路
09-26 1378
1.伙伴系统     伙伴系统规定,无论是已分配内存块和空闲内存块,其大小都是2的k次幂个页面的大小,k的取值范围是0到MAX_ORDER 。当需要分配一个 大小为n个页面大小的内存块时,先计算一个i值,使2^i-1 ,然后在空闲内存块页面大小为2^i的链表中查找,若无符合要求的块,则在 2^i+1的链表中查找......,这种情况下这样一个大的内存块便被分为了两部分,两部分彼此成为了伙伴,
理解Computer中Address space\MMU\PTE\TLB\Page table\Page out
漫步量化
06-15 1306
address space wikipedia An address space defines a range of discrete addresses, each of which may corresond to a nerwork host, peripheral device, disk sector, a memory cell or other logical or physical entity. Memory management unit (MMU) wikipedia ..
(实验)修改PDEPTE属性读取高2G地址
qq_50242229的博客
04-18 409
在代码中直接读取高2G的内存地址会报错,当然我们可以通过调用门、中断门等提权读取,不过今天我们直接修改页的属性,物理页偏移 (0x00C)
Linux kernel和TLB
kickxxx的专栏
03-29 5904
TLB - translation lookaside buffer 快表,直译为旁路快表缓冲,也可以理解为页表缓冲,地址变换高速缓存。 由于页表存放在主存中,因此程序每次访存至少需要两次:一次访存获取物理地址,第二次访存才获得数据。提高访存性能的关键在于依靠页表的访问局部性。当一个转换的虚拟页号被使用时,它可能在不久的将来再次被使用到,。 TLB是一种高速缓存,内存管理硬件使用它来改善
进程挂靠 详解
寻梦&之璐
02-15 4103
1.进程与线程的关系: 一个进程可以包含多个线程 一个进程至少要有一个线程 进程为线程提供资源,也就是提供Cr3的值,Cr3中存储的是页目录表基址,Cr3确定了,线程能访问的内存也就确定了 线程代码: mov eax,dword ptr ds:[0x12345678] CPU会如何解析这个0x12345678这个地址呢? 1.CPU解析线性地址时通过页目录表来找对应的物理页,页目录表基址存在Cr3寄存器中 2.当前的Cr3的值来源于当前的进程(_KPROCESS.Directory TableBase(+0
不刷新tlb会怎么样
08-10
我们之前讨论了KeInvalidatePage函数和TLB刷新问题。现在用户问“不刷新TLB会怎么样”... 修改PTE/PDE中的任何位 > 2. 切换CR3寄存器(地址空间) > 3. 修改内存类型(如WC/WB切换) > 4. 涉及APIC中断重映射的操作
评论
成就一亿技术人!
拼手气红包6.0元
还能输入1000个字符
 
红包 添加红包
表情包 插入表情
表情包 代码片
 条评论被折叠 查看
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值