\n \u5b9e\u9a8c\u73af\u5883:win7x64\n<\/p><\/blockquote>\n
\u5148\u6765\u4e00\u6bb5\u4ee3\u7801<\/h3>\n#include \"stdafx.h\"\n#include \"windows.h\"\nint main()\n{\n CHAR Buffer[] = \"Text\";\n printf(\"Buffer Addr : %p\\n\", Buffer);\n\n getchar();\n return 0;\n}\n<\/code><\/pre>\n![\"\"](\"http:\/\/www.sinkland.cn\/wp-content\/uploads\/2019\/08\/pte1.png\")
<\/p>\n
\u53ef\u4ee5\u770b\u5230\u865a\u62df\u5730\u57400x0028FE80<\/p>\n
windbg\u5207\u6362\u5230\u8fdb\u7a0bTest.exe<\/h3>\n0: kd> !process 0 0 Test.exe\nPROCESS fffffa80039250e0\n SessionId: 1 Cid: 08ec Peb: 7efdf000 ParentCid: 0940\n DirBase: 62e9a000 ObjectTable: fffff8a001dddce0 HandleCount: 12.\n Image: Test.exe\n\n0: kd> .process \/i \/p fffffa80039250e0\nYou need to continue execution (press 'g' <enter>) for the context\nto be switched. When the debugger breaks in again, you will be in\nthe new process context.\n0: kd> g\nBreak instruction exception - code 80000003 (first chance)\nnt!RtlpBreakWithStatusInstruction:\nfffff800`03e90490 cc int 3\n\n<\/code><\/pre>\n0: kd> r cr3\ncr3=0000000062e9a000\n<\/code><\/pre>\n\u53ef\u4ee5\u770b\u5230\u5207\u6362\u5230\u8be5\u8fdb\u7a0b\u540e,cr3\u4ee3\u8868\u548c\u8be5\u8fdb\u7a0bDirBase\u503c\u4e00\u81f4,\u4e5f\u5c31\u662fDirBase\u5c31\u662f\u8be5\u8fdb\u7a0b\u7684cr3\u5730\u5740\u3002<\/p>\n
\nX64\u7ebf\u6027\u5730\u5740\u7ed3\u6784<\/h3>\n
x64\u7ebf\u6027\u5730\u5740\u536064\u4f4d\uff0c\u5176\u4e2d\u4f4e48\u4f4d\u4ee3\u8868:<\/p>\n
\n\n\n47-39(9\u4f4d)<\/th>\n 38-30(9\u4f4d)<\/th>\n 29-21(9\u4f4d)<\/th>\n 20-12(9\u4f4d)<\/th>\n 11-0(12\u4f4d)<\/th>\n<\/tr>\n<\/thead>\n \n\nPML4E\u7d22\u5f15(PXE)<\/td>\n PDPTE\u7d22\u5f15(PPE)<\/td>\n PDE\u7d22\u5f15<\/td>\n PTE\u7d22\u5f15<\/td>\n \u9875\u5185\u504f\u79fb<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n\u5176\u4e2d\u9ad816\u4f4d\u662f\u7b26\u53f7\u6269\u5c55\uff0c\u8981\u4e0d\u5168\u662f0\uff0c\u8981\u4e0d\u5168\u662f1\u3002
\n\u5728windows\u4e2d\u5168\u662f1\u4ee3\u8868\u5185\u6838\u5730\u5740\uff0c\u5168\u662f0\u4ee3\u8868\u7528\u6237\u6001\u5730\u5740\u3002<\/p>\n
\u865a\u62df\u5730\u57400x0028FE80\u5bf9\u5e942\u8fdb\u5236\u4e3a:<\/p>\n
\n\n\n000000000<\/th>\n 000000000<\/th>\n 000000001<\/th>\n 010001111<\/th>\n 1110 1000 0000<\/th>\n<\/tr>\n<\/thead>\n \n\nPXE(0x0)<\/td>\n PPE(0x0)<\/td>\n PDE(0x1)<\/td>\n PTE(0x8F)<\/td>\n \u504f\u79fb(0xE80)<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n\u6211\u4eec\u5df2\u7ecf\u8ba1\u7b97\u51fa\u8be5\u865a\u62df\u5730\u5740\u5bf9\u5e94\u7684\u504f\u79fb\u3002<\/p>\n
\u6211\u4eec\u770b\u4e0bcr3\u7269\u7406\u5730\u5740\u5bf9\u5e94\u7684\u5185\u5bb9:<\/p>\n
0: kd> !dq 62e9a000\n#62e9a000 00700000`6286e867 00000000`00000000\n<\/code><\/pre>\ncr3\u6307\u5411\u7684\u5730\u5740\u5b58\u653e\u7684\u662fpxe\u7684\u5185\u5bb9\uff1a<\/p>\n
\u4e5f\u5c31\u662fpxe=0x00700000`6286e867<\/p>\n
\u5176\u4e2dpxe\u4e2d\u768412-35\u4f4d\u4fdd\u5b58\u7684ppe\u768412-35\u4f4d,\u4f4e12\u4f4d\u7f6e0\u3002<\/p>\n
\u4e5f\u5c31\u662f\u8bf4ppe\u9996\u5730\u5740=0x0`6286e000<\/p>\n
: kd> !dq 0`6286e000\n#6286e000 03a00000`623f2867 00800000`62c6f867\n<\/code><\/pre>\n\u8ba1\u7b97\u5f97\u51fapde\u9996\u5730\u5740=0x0`623f2000<\/p>\n
\u4f46\u662fpde\u7684\u504f\u79fb\u662f1,\u6211\u4eec\u9700\u8981\u52a0\u4e0a\u76f8\u5e94\u504f\u79fb\u67e5\u770b:<\/p>\n
1: kd> !dq 0x0`623f2000 + (1 * 0x8)\n#623f2008 01600000`632fa867 08100000`61928867\n<\/code><\/pre>\n\u8ba1\u7b97\u5f97\u51fapte\u9996\u5730\u5740=0x0`632fa000<\/p>\n
pte\u7684\u504f\u79fb\u662f0x8f,\u6240\u4ee5\u67e5\u770b\u5bf9\u5e94\u504f\u79fb:<\/p>\n
1: kd> !dq 0x0`632fa000 + (0x8f * 0x8)\n#632fa478 8e000000`62120867 00000000`00000000\n<\/code><\/pre>\n\u6211\u4eec\u5f97\u51fa\u7269\u7406\u9875\u9996\u5730\u5740\u4e3a:0x0`62120000<\/p>\n
\u6211\u4eec\u76f4\u63a5\u52a0\u4e0a\u9875\u5185\u504f\u79fb0xE80<\/p>\n
1: kd> !db 0x0`62120000+e80\n#62120e80 54 65 78 74 00 cc cc cc-cc cc cc cc a0 78 2e 02 Text.........x..\n\n1: kd> db 0x0028fe80\n00000000`0028fe80 54 65 78 74 00 cc cc cc-cc cc cc cc a0 78 2e 02 Text.........x..\n<\/code><\/pre>\n\u53ef\u4ee5\u770b\u5230\u5df2\u7ecf\u6b63\u786e\u5b9a\u4f4d\u5230\u6211\u4eec\u7684\u5b57\u7b26\u4e32\u3002<\/p>\n
\u5982\u679c\u4e0d\u60f3\u8fd9\u4e48\u9ebb\u70e6\u7684\u8bdd,\u4e5f\u53ef\u4ee5\u4f7f\u7528\u547d\u4ee4:<\/p>\n
1: kd> !pte 0x0028fe80\n VA 000000000028fe80\nPXE at FFFFF6FB7DBED000 PPE at FFFFF6FB7DA00000 PDE at FFFFF6FB40000008 PTE at FFFFF68000001478\ncontains 007000006286E867 contains 03A00000623F2867 contains 01600000632FA867 contains 8E00000062120867\npfn 6286e ---DA--UWEV pfn 623f2 ---DA--UWEV pfn 632fa ---DA--UWEV pfn 62120 ---DA--UW-V\n<\/code><\/pre>\n
\n\u5c1d\u8bd5\u4fee\u6539PTE<\/h3>\n
\u6765\u770b\u4e0bpte\u7684\u7ed3\u6784\u4f53:<\/p>\n
typedef struct{\n unsigned __int64 Present:1;\n unsigned __int64 ReadWrite:1;\n unsigned __int64 UserSupervisor:1;\n unsigned __int64 WriteTrough:1;\n unsigned __int64 CacheDisabled:1;\n unsigned __int64 Accessed:1;\n unsigned __int64 Dirty:1;\n unsigned __int64 Reserved0:1;\n unsigned __int64 GlobalPage:1; \n unsigned __int64 Available:3;\n unsigned __int64 PageFrameNumber:24;\n unsigned __int64 Reserved:27;\n unsigned __int64 NxBit:1;\n}PTE, *PPTE;\n\n<\/code><\/pre>\n
\n\u6700\u5927\u7269\u7406\u5730\u5740<\/h3>\n\n \u5728Intel\u4e2d\u4f7f\u7528MAXPHYADDR<\/strong>\u6765\u8868\u793a\u6700\u5927\u7684\u7269\u7406\u5730\u5740,\u53ef\u4ee5\u901a\u8fc7CPUID\u7684\u6307\u4ee4\u83b7\u53d6\n<\/p><\/blockquote>\n\n\n\nMAXPHYADDR<\/th>\n \u5bfb\u5740\u7a7a\u95f4<\/th>\n \u4e0b\u4e00\u7ea7table\u6709\u6548\u4f4d<\/th>\n \u5907\u6ce8<\/th>\n<\/tr>\n<\/thead>\n \n\n36\u4f4d<\/td>\n 64G<\/td>\n 12-35\u4f4d\u63d0\u4f9b\u4e0b\u4e00\u7ea7table\u7269\u7406\u57fa\u5730\u5740\u7684\u9ad824\u4f4d\uff0c36-51\u662f\u4fdd\u7559\u4f4d<\/td>\n PC 32\u4f4d\u673a\u7684PAE\u6a21\u5f0f<\/td>\n<\/tr>\n \n40\u4f4d<\/td>\n 1TB<\/td>\n 12-39\u4f4d\u63d0\u4f9b\u4e0b\u4e00\u7ea7table\u7269\u7406\u57fa\u5730\u5740\u7684\u9ad828\u4f4d\uff0c40-51\u662f\u4fdd\u7559\u4f4d<\/td>\n \u670d\u52a1\u5668\u4ea7\u54c1<\/td>\n<\/tr>\n \n52\u4f4d<\/td>\n \u6682\u672a\u5b9e\u73b0<\/td>\n 12-51\u4f4d\u63d0\u4f9b\u4e0b\u4e00\u7ea7table\u7269\u7406\u57fa\u5730\u5740\u7684\u9ad840\u4f4d\uff0c\u4f4e12\u4f4d\u8865\u96f6<\/td>\n <\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n\u7ed3\u6784\u4f53PTE<\/strong>\u4e2d\u6210\u5458PageFrameNumber<\/strong>\u7684\u957f\u5ea6\u5c31\u662f\u6839\u636eMAXPHYADDR<\/strong>\u6765\u786e\u5b9a\u7684<\/p>\n
\n\u5f00\u4e00\u4e2a\u65b0\u8fdb\u7a0b<\/h3>\n#include \"stdafx.h\"\n#include \"windows.h\"\nint main()\n{\n CHAR Buffer[] = \"ABCD\";\n printf(\"Buffer :%s Addr : %p\\n\", Buffer, Buffer);\n\n getchar();\n return 0;\n}\n\n<\/code><\/pre>\n![\"image\"](\"http:\/\/www.sinkland.cn\/wp-content\/uploads\/2019\/08\/pte2.png\")
<\/p>\n
\n\u83b7\u53d6Test2.exe Buffer\u865a\u62df\u5730\u5740pte<\/h3>\n0: kd> !pte 0024febc\n VA 000000000024febc\nPXE at FFFFF6FB7DBED000 PPE at FFFFF6FB7DA00000 PDE at FFFFF6FB40000008 PTE at FFFFF68000001278\ncontains 007000005F769867 contains 03A000005EB6D867 contains 016000005F076867 contains 920000005ED1C867\npfn 5f769 ---DA--UWEV pfn 5eb6d ---DA--UWEV pfn 5f076 ---DA--UWEV pfn 5ed1c ---DA--UW-V\n\n<\/code><\/pre>\n
\n\u6211\u4eec\u5c1d\u8bd5\u628aTest.exe\u8fdb\u7a0b\u4e2d\u7684Buffer\u5730\u5740\u66ff\u6362\u6210Test2.exe\u8fdb\u7a0b\u4e2d\u7684\u5730\u5740<\/h3>\n\n- \u5207\u6362\u56deTest.exe\u67e5\u770b\u9700\u8981\u66ff\u6362\u7684Buffer<\/li>\n<\/ul>\n
0: kd> db 0x0028FE80\n00000000`0028fe80 54 65 78 74 00 cc cc cc-cc cc cc cc a0 78 2e 02 Text.........x..\n<\/code><\/pre>\n\u55ef\uff0c\u6ca1\u9519\uff0c\u662f\u6211\u4eec\u7684\u5730\u5740<\/p>\n
\n- \u5c1d\u8bd5\u66ff\u6362PTE<\/li>\n<\/ul>\n
\n \u53ea\u6709\u7269\u7406\u5730\u5740\u662f\u4e0d\u80fd\u76f4\u63a5\u4fee\u6539\u5185\u5b58\u7684,\u6240\u4ee5\u6211\u4eec\u9700\u8981\u83b7\u5f97PTE\u9879\u7684\u865a\u62df\u5730\u5740<\/p>\n
\u4e0d\u8fc7PTE\u9879\u9996\u5730\u5740\u5728windows\u4e0b\u662f\u56fa\u5b9a\u7684:<\/p>\n
Windows x64\u4e0b\u662f:0xFFFFF68000000000<\/p>\n
Windows x86\u4e0b\u662f:0xC0000000<\/p>\n
\u865a\u62df\u5730\u5740\u5bf9\u5e94\u7684PTE\u5730\u5740=(\u865a\u62df\u5730\u5740>>12)+PTE\u9879\u9996\u5730\u5740\n<\/p><\/blockquote>\n
\n\u6240\u4ee50x0028FE80 \u5bf9\u5e94PTE\u5730\u5740\u662f:<\/h3>\n0: kd> ? 0x0028FE80 >> c\nEvaluate expression: 655 = 00000000`0000028f\n\n0: kd> dq 0xFFFFF68000000000 + (0x28f * 8)\nfffff680`00001478 8e000000`62120867 00000000`00000000\n\n<\/code><\/pre>\n\u679c\u7136\u548c\u4e0a\u9762\u5f97\u51fa\u6765PTE\u7684\u4e00\u6837\u3002<\/p>\n
\n\u76f4\u63a5\u66ff\u6362Test2\u7684Buffer PTE\u5730\u5740<\/h3>\neq fffff680`00001478 8e000000`5ED1C867\n1: kd> dq fffff680`00001478\nfffff680`00001478 8e000000`5ed1c867 \n\n(5ED1C\u662fTest2.exe\u7684Buffer pfn)\n<\/code><\/pre>\n\n- \u7136\u540e\u6211\u4eec\u518d\u6b21\u5207\u6362\u56deTest.exe,\u53ef\u80fd\u662f\u56e0\u4e3acpu\u7f13\u5b58\u539f\u56e0,\u76f4\u63a5\u67e5\u770b\u5730\u57400x0028FE80 \u4f1a\u6ca1\u6709\u53d8\u5316\u3002<\/p>\n<\/li>\n
- \n
\u518d\u6b21\u67e5\u770b<\/p>\n<\/li>\n<\/ul>\n
1: kd> db 0x0028FE80\n00000000`0028fe80 cc cc cc cc cc cc cc cc-cc cc cc cc cc cc cc cc ................\n00000000`0028fe90 cc cc cc cc cc cc cc cc-cc cc cc cc cc cc cc cc ................\n00000000`0028fea0 cc cc cc cc cc cc cc cc-cc cc cc cc cc cc cc cc ................\n00000000`0028feb0 cc cc cc cc cc cc cc cc-cc cc cc cc 41 42 43 44 ............ABCD\n00000000`0028fec0 00 cc cc cc cc cc cc cc-9e 1c 8d 39 e0 fe 24 00 ...........9..$.\n<\/code><\/pre>\n\u6211\u4eec\u53ea\u80fd\u66ff\u6362\u8be5\u7269\u7406\u9875\u5730\u5740\uff0c\u56e0\u4e3a\u504f\u79fb\u539f\u56e0\u6211\u4eec\u5728\u540e\u9762\u770b\u5230\u4e86\"ABCD\"\u3002ok\uff0c\u4ee3\u8868\u66ff\u6362\u6210\u529f\u3002<\/p>\n
\u6e29\u99a8\u63d0\u793a:\u867d\u7136\u5df2\u7ecf\u4fee\u6539\u6210\u529f\uff0c\u4f46\u662f\u5982\u679c\u6211\u4eec\u4e0d\u5c06\u6b63\u786ePTE\u6539\u56de\u6765\u7684\u8bdd\u3002\u3002\u4f1a\u5728\u8fdb\u7a0b\u9000\u51fa\u7684\u65f6\u5019\u84dd\u5c4f\u54e6\u3002<\/strong><\/h4>\n","protected":false},"excerpt":{"rendered":"\u8fd9\u7bc7\u6587\u7ae0\u4f1a\u4ecb\u7ecd\u4e00\u4e0b\uff0c\u5982\u4f55\u66f4\u6362\u8fdb\u7a0b\u7684pte\u4ee5\u53ca\u865a\u62df\u5730\u5740\u5230\u7269\u7406\u5730\u5740\u8f6c\u6362\u7684\u76f8\u5173\u77e5\u8bc6 \u5b9e\u73b0\u4e86\u628a\u81ea\u5df1\u8fdb\u7a0b\u4e2d\u7684\u865a\u62df\u5730\u5740\u6307\u5411 […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[],"_links":{"self":[{"href":"http:\/\/www.sinkland.cn\/index.php?rest_route=\/wp\/v2\/posts\/86"}],"collection":[{"href":"http:\/\/www.sinkland.cn\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.sinkland.cn\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.sinkland.cn\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/www.sinkland.cn\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=86"}],"version-history":[{"count":50,"href":"http:\/\/www.sinkland.cn\/index.php?rest_route=\/wp\/v2\/posts\/86\/revisions"}],"predecessor-version":[{"id":219,"href":"http:\/\/www.sinkland.cn\/index.php?rest_route=\/wp\/v2\/posts\/86\/revisions\/219"}],"wp:attachment":[{"href":"http:\/\/www.sinkland.cn\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=86"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.sinkland.cn\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=86"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.sinkland.cn\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=86"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
#include \"stdafx.h\"\n#include \"windows.h\"\nint main()\n{\n CHAR Buffer[] = \"Text\";\n printf(\"Buffer Addr : %p\\n\", Buffer);\n\n getchar();\n return 0;\n}\n<\/code><\/pre>\n<\/p>\n
\u53ef\u4ee5\u770b\u5230\u865a\u62df\u5730\u57400x0028FE80<\/p>\n
windbg\u5207\u6362\u5230\u8fdb\u7a0bTest.exe<\/h3>\n0: kd> !process 0 0 Test.exe\nPROCESS fffffa80039250e0\n SessionId: 1 Cid: 08ec Peb: 7efdf000 ParentCid: 0940\n DirBase: 62e9a000 ObjectTable: fffff8a001dddce0 HandleCount: 12.\n Image: Test.exe\n\n0: kd> .process \/i \/p fffffa80039250e0\nYou need to continue execution (press 'g' <enter>) for the context\nto be switched. When the debugger breaks in again, you will be in\nthe new process context.\n0: kd> g\nBreak instruction exception - code 80000003 (first chance)\nnt!RtlpBreakWithStatusInstruction:\nfffff800`03e90490 cc int 3\n\n<\/code><\/pre>\n0: kd> r cr3\ncr3=0000000062e9a000\n<\/code><\/pre>\n\u53ef\u4ee5\u770b\u5230\u5207\u6362\u5230\u8be5\u8fdb\u7a0b\u540e,cr3\u4ee3\u8868\u548c\u8be5\u8fdb\u7a0bDirBase\u503c\u4e00\u81f4,\u4e5f\u5c31\u662fDirBase\u5c31\u662f\u8be5\u8fdb\u7a0b\u7684cr3\u5730\u5740\u3002<\/p>\n
\nX64\u7ebf\u6027\u5730\u5740\u7ed3\u6784<\/h3>\n
x64\u7ebf\u6027\u5730\u5740\u536064\u4f4d\uff0c\u5176\u4e2d\u4f4e48\u4f4d\u4ee3\u8868:<\/p>\n
\n\n\n47-39(9\u4f4d)<\/th>\n 38-30(9\u4f4d)<\/th>\n 29-21(9\u4f4d)<\/th>\n 20-12(9\u4f4d)<\/th>\n 11-0(12\u4f4d)<\/th>\n<\/tr>\n<\/thead>\n \n\nPML4E\u7d22\u5f15(PXE)<\/td>\n PDPTE\u7d22\u5f15(PPE)<\/td>\n PDE\u7d22\u5f15<\/td>\n PTE\u7d22\u5f15<\/td>\n \u9875\u5185\u504f\u79fb<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n\u5176\u4e2d\u9ad816\u4f4d\u662f\u7b26\u53f7\u6269\u5c55\uff0c\u8981\u4e0d\u5168\u662f0\uff0c\u8981\u4e0d\u5168\u662f1\u3002
\n\u5728windows\u4e2d\u5168\u662f1\u4ee3\u8868\u5185\u6838\u5730\u5740\uff0c\u5168\u662f0\u4ee3\u8868\u7528\u6237\u6001\u5730\u5740\u3002<\/p>\n
\u865a\u62df\u5730\u57400x0028FE80\u5bf9\u5e942\u8fdb\u5236\u4e3a:<\/p>\n
\n\n\n000000000<\/th>\n 000000000<\/th>\n 000000001<\/th>\n 010001111<\/th>\n 1110 1000 0000<\/th>\n<\/tr>\n<\/thead>\n \n\nPXE(0x0)<\/td>\n PPE(0x0)<\/td>\n PDE(0x1)<\/td>\n PTE(0x8F)<\/td>\n \u504f\u79fb(0xE80)<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n\u6211\u4eec\u5df2\u7ecf\u8ba1\u7b97\u51fa\u8be5\u865a\u62df\u5730\u5740\u5bf9\u5e94\u7684\u504f\u79fb\u3002<\/p>\n
\u6211\u4eec\u770b\u4e0bcr3\u7269\u7406\u5730\u5740\u5bf9\u5e94\u7684\u5185\u5bb9:<\/p>\n
0: kd> !dq 62e9a000\n#62e9a000 00700000`6286e867 00000000`00000000\n<\/code><\/pre>\ncr3\u6307\u5411\u7684\u5730\u5740\u5b58\u653e\u7684\u662fpxe\u7684\u5185\u5bb9\uff1a<\/p>\n
\u4e5f\u5c31\u662fpxe=0x00700000`6286e867<\/p>\n
\u5176\u4e2dpxe\u4e2d\u768412-35\u4f4d\u4fdd\u5b58\u7684ppe\u768412-35\u4f4d,\u4f4e12\u4f4d\u7f6e0\u3002<\/p>\n
\u4e5f\u5c31\u662f\u8bf4ppe\u9996\u5730\u5740=0x0`6286e000<\/p>\n
: kd> !dq 0`6286e000\n#6286e000 03a00000`623f2867 00800000`62c6f867\n<\/code><\/pre>\n\u8ba1\u7b97\u5f97\u51fapde\u9996\u5730\u5740=0x0`623f2000<\/p>\n
\u4f46\u662fpde\u7684\u504f\u79fb\u662f1,\u6211\u4eec\u9700\u8981\u52a0\u4e0a\u76f8\u5e94\u504f\u79fb\u67e5\u770b:<\/p>\n
1: kd> !dq 0x0`623f2000 + (1 * 0x8)\n#623f2008 01600000`632fa867 08100000`61928867\n<\/code><\/pre>\n\u8ba1\u7b97\u5f97\u51fapte\u9996\u5730\u5740=0x0`632fa000<\/p>\n
pte\u7684\u504f\u79fb\u662f0x8f,\u6240\u4ee5\u67e5\u770b\u5bf9\u5e94\u504f\u79fb:<\/p>\n
1: kd> !dq 0x0`632fa000 + (0x8f * 0x8)\n#632fa478 8e000000`62120867 00000000`00000000\n<\/code><\/pre>\n\u6211\u4eec\u5f97\u51fa\u7269\u7406\u9875\u9996\u5730\u5740\u4e3a:0x0`62120000<\/p>\n
\u6211\u4eec\u76f4\u63a5\u52a0\u4e0a\u9875\u5185\u504f\u79fb0xE80<\/p>\n
1: kd> !db 0x0`62120000+e80\n#62120e80 54 65 78 74 00 cc cc cc-cc cc cc cc a0 78 2e 02 Text.........x..\n\n1: kd> db 0x0028fe80\n00000000`0028fe80 54 65 78 74 00 cc cc cc-cc cc cc cc a0 78 2e 02 Text.........x..\n<\/code><\/pre>\n\u53ef\u4ee5\u770b\u5230\u5df2\u7ecf\u6b63\u786e\u5b9a\u4f4d\u5230\u6211\u4eec\u7684\u5b57\u7b26\u4e32\u3002<\/p>\n
\u5982\u679c\u4e0d\u60f3\u8fd9\u4e48\u9ebb\u70e6\u7684\u8bdd,\u4e5f\u53ef\u4ee5\u4f7f\u7528\u547d\u4ee4:<\/p>\n
1: kd> !pte 0x0028fe80\n VA 000000000028fe80\nPXE at FFFFF6FB7DBED000 PPE at FFFFF6FB7DA00000 PDE at FFFFF6FB40000008 PTE at FFFFF68000001478\ncontains 007000006286E867 contains 03A00000623F2867 contains 01600000632FA867 contains 8E00000062120867\npfn 6286e ---DA--UWEV pfn 623f2 ---DA--UWEV pfn 632fa ---DA--UWEV pfn 62120 ---DA--UW-V\n<\/code><\/pre>\n
\n\u5c1d\u8bd5\u4fee\u6539PTE<\/h3>\n
\u6765\u770b\u4e0bpte\u7684\u7ed3\u6784\u4f53:<\/p>\n
typedef struct{\n unsigned __int64 Present:1;\n unsigned __int64 ReadWrite:1;\n unsigned __int64 UserSupervisor:1;\n unsigned __int64 WriteTrough:1;\n unsigned __int64 CacheDisabled:1;\n unsigned __int64 Accessed:1;\n unsigned __int64 Dirty:1;\n unsigned __int64 Reserved0:1;\n unsigned __int64 GlobalPage:1; \n unsigned __int64 Available:3;\n unsigned __int64 PageFrameNumber:24;\n unsigned __int64 Reserved:27;\n unsigned __int64 NxBit:1;\n}PTE, *PPTE;\n\n<\/code><\/pre>\n
\n\u6700\u5927\u7269\u7406\u5730\u5740<\/h3>\n\n \u5728Intel\u4e2d\u4f7f\u7528MAXPHYADDR<\/strong>\u6765\u8868\u793a\u6700\u5927\u7684\u7269\u7406\u5730\u5740,\u53ef\u4ee5\u901a\u8fc7CPUID\u7684\u6307\u4ee4\u83b7\u53d6\n<\/p><\/blockquote>\n\n\n\nMAXPHYADDR<\/th>\n \u5bfb\u5740\u7a7a\u95f4<\/th>\n \u4e0b\u4e00\u7ea7table\u6709\u6548\u4f4d<\/th>\n \u5907\u6ce8<\/th>\n<\/tr>\n<\/thead>\n \n\n36\u4f4d<\/td>\n 64G<\/td>\n 12-35\u4f4d\u63d0\u4f9b\u4e0b\u4e00\u7ea7table\u7269\u7406\u57fa\u5730\u5740\u7684\u9ad824\u4f4d\uff0c36-51\u662f\u4fdd\u7559\u4f4d<\/td>\n PC 32\u4f4d\u673a\u7684PAE\u6a21\u5f0f<\/td>\n<\/tr>\n \n40\u4f4d<\/td>\n 1TB<\/td>\n 12-39\u4f4d\u63d0\u4f9b\u4e0b\u4e00\u7ea7table\u7269\u7406\u57fa\u5730\u5740\u7684\u9ad828\u4f4d\uff0c40-51\u662f\u4fdd\u7559\u4f4d<\/td>\n \u670d\u52a1\u5668\u4ea7\u54c1<\/td>\n<\/tr>\n \n52\u4f4d<\/td>\n \u6682\u672a\u5b9e\u73b0<\/td>\n 12-51\u4f4d\u63d0\u4f9b\u4e0b\u4e00\u7ea7table\u7269\u7406\u57fa\u5730\u5740\u7684\u9ad840\u4f4d\uff0c\u4f4e12\u4f4d\u8865\u96f6<\/td>\n <\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n\u7ed3\u6784\u4f53PTE<\/strong>\u4e2d\u6210\u5458PageFrameNumber<\/strong>\u7684\u957f\u5ea6\u5c31\u662f\u6839\u636eMAXPHYADDR<\/strong>\u6765\u786e\u5b9a\u7684<\/p>\n
\n\u5f00\u4e00\u4e2a\u65b0\u8fdb\u7a0b<\/h3>\n#include \"stdafx.h\"\n#include \"windows.h\"\nint main()\n{\n CHAR Buffer[] = \"ABCD\";\n printf(\"Buffer :%s Addr : %p\\n\", Buffer, Buffer);\n\n getchar();\n return 0;\n}\n\n<\/code><\/pre>\n<\/p>\n
\n\u83b7\u53d6Test2.exe Buffer\u865a\u62df\u5730\u5740pte<\/h3>\n0: kd> !pte 0024febc\n VA 000000000024febc\nPXE at FFFFF6FB7DBED000 PPE at FFFFF6FB7DA00000 PDE at FFFFF6FB40000008 PTE at FFFFF68000001278\ncontains 007000005F769867 contains 03A000005EB6D867 contains 016000005F076867 contains 920000005ED1C867\npfn 5f769 ---DA--UWEV pfn 5eb6d ---DA--UWEV pfn 5f076 ---DA--UWEV pfn 5ed1c ---DA--UW-V\n\n<\/code><\/pre>\n
\n\u6211\u4eec\u5c1d\u8bd5\u628aTest.exe\u8fdb\u7a0b\u4e2d\u7684Buffer\u5730\u5740\u66ff\u6362\u6210Test2.exe\u8fdb\u7a0b\u4e2d\u7684\u5730\u5740<\/h3>\n\n- \u5207\u6362\u56deTest.exe\u67e5\u770b\u9700\u8981\u66ff\u6362\u7684Buffer<\/li>\n<\/ul>\n
0: kd> db 0x0028FE80\n00000000`0028fe80 54 65 78 74 00 cc cc cc-cc cc cc cc a0 78 2e 02 Text.........x..\n<\/code><\/pre>\n\u55ef\uff0c\u6ca1\u9519\uff0c\u662f\u6211\u4eec\u7684\u5730\u5740<\/p>\n
\n- \u5c1d\u8bd5\u66ff\u6362PTE<\/li>\n<\/ul>\n
\n \u53ea\u6709\u7269\u7406\u5730\u5740\u662f\u4e0d\u80fd\u76f4\u63a5\u4fee\u6539\u5185\u5b58\u7684,\u6240\u4ee5\u6211\u4eec\u9700\u8981\u83b7\u5f97PTE\u9879\u7684\u865a\u62df\u5730\u5740<\/p>\n
\u4e0d\u8fc7PTE\u9879\u9996\u5730\u5740\u5728windows\u4e0b\u662f\u56fa\u5b9a\u7684:<\/p>\n
Windows x64\u4e0b\u662f:0xFFFFF68000000000<\/p>\n
Windows x86\u4e0b\u662f:0xC0000000<\/p>\n
\u865a\u62df\u5730\u5740\u5bf9\u5e94\u7684PTE\u5730\u5740=(\u865a\u62df\u5730\u5740>>12)+PTE\u9879\u9996\u5730\u5740\n<\/p><\/blockquote>\n
\n\u6240\u4ee50x0028FE80 \u5bf9\u5e94PTE\u5730\u5740\u662f:<\/h3>\n0: kd> ? 0x0028FE80 >> c\nEvaluate expression: 655 = 00000000`0000028f\n\n0: kd> dq 0xFFFFF68000000000 + (0x28f * 8)\nfffff680`00001478 8e000000`62120867 00000000`00000000\n\n<\/code><\/pre>\n\u679c\u7136\u548c\u4e0a\u9762\u5f97\u51fa\u6765PTE\u7684\u4e00\u6837\u3002<\/p>\n
\n\u76f4\u63a5\u66ff\u6362Test2\u7684Buffer PTE\u5730\u5740<\/h3>\neq fffff680`00001478 8e000000`5ED1C867\n1: kd> dq fffff680`00001478\nfffff680`00001478 8e000000`5ed1c867 \n\n(5ED1C\u662fTest2.exe\u7684Buffer pfn)\n<\/code><\/pre>\n\n- \u7136\u540e\u6211\u4eec\u518d\u6b21\u5207\u6362\u56deTest.exe,\u53ef\u80fd\u662f\u56e0\u4e3acpu\u7f13\u5b58\u539f\u56e0,\u76f4\u63a5\u67e5\u770b\u5730\u57400x0028FE80 \u4f1a\u6ca1\u6709\u53d8\u5316\u3002<\/p>\n<\/li>\n
- \n
\u518d\u6b21\u67e5\u770b<\/p>\n<\/li>\n<\/ul>\n
1: kd> db 0x0028FE80\n00000000`0028fe80 cc cc cc cc cc cc cc cc-cc cc cc cc cc cc cc cc ................\n00000000`0028fe90 cc cc cc cc cc cc cc cc-cc cc cc cc cc cc cc cc ................\n00000000`0028fea0 cc cc cc cc cc cc cc cc-cc cc cc cc cc cc cc cc ................\n00000000`0028feb0 cc cc cc cc cc cc cc cc-cc cc cc cc 41 42 43 44 ............ABCD\n00000000`0028fec0 00 cc cc cc cc cc cc cc-9e 1c 8d 39 e0 fe 24 00 ...........9..$.\n<\/code><\/pre>\n\u6211\u4eec\u53ea\u80fd\u66ff\u6362\u8be5\u7269\u7406\u9875\u5730\u5740\uff0c\u56e0\u4e3a\u504f\u79fb\u539f\u56e0\u6211\u4eec\u5728\u540e\u9762\u770b\u5230\u4e86\"ABCD\"\u3002ok\uff0c\u4ee3\u8868\u66ff\u6362\u6210\u529f\u3002<\/p>\n
\u6e29\u99a8\u63d0\u793a:\u867d\u7136\u5df2\u7ecf\u4fee\u6539\u6210\u529f\uff0c\u4f46\u662f\u5982\u679c\u6211\u4eec\u4e0d\u5c06\u6b63\u786ePTE\u6539\u56de\u6765\u7684\u8bdd\u3002\u3002\u4f1a\u5728\u8fdb\u7a0b\u9000\u51fa\u7684\u65f6\u5019\u84dd\u5c4f\u54e6\u3002<\/strong><\/h4>\n","protected":false},"excerpt":{"rendered":"\u8fd9\u7bc7\u6587\u7ae0\u4f1a\u4ecb\u7ecd\u4e00\u4e0b\uff0c\u5982\u4f55\u66f4\u6362\u8fdb\u7a0b\u7684pte\u4ee5\u53ca\u865a\u62df\u5730\u5740\u5230\u7269\u7406\u5730\u5740\u8f6c\u6362\u7684\u76f8\u5173\u77e5\u8bc6 \u5b9e\u73b0\u4e86\u628a\u81ea\u5df1\u8fdb\u7a0b\u4e2d\u7684\u865a\u62df\u5730\u5740\u6307\u5411 […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[],"_links":{"self":[{"href":"http:\/\/www.sinkland.cn\/index.php?rest_route=\/wp\/v2\/posts\/86"}],"collection":[{"href":"http:\/\/www.sinkland.cn\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.sinkland.cn\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.sinkland.cn\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/www.sinkland.cn\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=86"}],"version-history":[{"count":50,"href":"http:\/\/www.sinkland.cn\/index.php?rest_route=\/wp\/v2\/posts\/86\/revisions"}],"predecessor-version":[{"id":219,"href":"http:\/\/www.sinkland.cn\/index.php?rest_route=\/wp\/v2\/posts\/86\/revisions\/219"}],"wp:attachment":[{"href":"http:\/\/www.sinkland.cn\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=86"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.sinkland.cn\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=86"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.sinkland.cn\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=86"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}