How does windbg read physical addresses in !d* commands?

Hi dear all,
We know in paging mode, all memory access must be translated by the paging table, so I think to read a physical address, windbg will map the physical address to a linear address in the paging table and then read from the linear address. Is this description right? Many thanks!!!

kd> du /c 100 ( windbg + 67d0)
00f867d0 "Software\Microsoft\Windbg\Workspaces%s"
kd> !vtop 0 00f867d0

X86VtoP: Virt 0000000000f867d0, pagedir 000000007e28d640
X86VtoP: PAE PDPE 000000007e28d640 - 0000000052e97801
X86VtoP: PAE PDE 0000000052e97038 - 0000000057ba6867
X86VtoP: PAE PTE 0000000057ba6c30 - 000000003182b025
X86VtoP: PAE Mapped phys 000000003182b7d0
Virtual address f867d0 translates to physical address 3182b7d0.

kd> !du 3182b7d0 l30
#3182b7d0 "Software\Microsoft\Windbg\Workspaces%s"

I’m trying to read the PML4 table at the very early stage of Win10 booting, as follows:
kd> r @cr3
cr3=00000000001aa002
kd> !dq 1aa000
Physical memory read at 1aa000 failed
If you know the caching attributes used for the memory,
try specifying [c], [uc] or [wc], as in !dd [c] .
WARNING: Incorrect use of these flags will cause unpredictable
processor corruption. This may immediately (or at any time in
the future until reboot) result in a system hang, incorrect data
being displayed or other strange crashes and corruption.

Does this mean physical address 1aa000 is not mapped?

I don't think you can read cr3 with !dq.

cr3 should contain the Directory Base,

i.e. EPROCESS Pcb.DirectoryTableBase.

Without the trailing three bytes it represents the PageFrameNumber,

i.e. 0000xxx1aa is the PageFrame Number in your post.

You can use that in the !vtop command to get the physical page,

like !vtop pfn va

When you have broken in windbg you can't expect cr3 to point to the current
process DirectoryTableBase (the cr3 which you printed might point to the
System Process (pid 0)).

kd> r cr3
cr3=00185000

kd> ?? @$proc->Pcb.DirectoryTableBase
unsigned long 0xd08b000

kd> ?? (char *)@$proc->ImageFileName
char * 0x840ed19c
"explorer.exe"

kd> ?? (( nt!_EPROCESS *) @@masm(0x83f30368))->Pcb.DirectoryTableBase
unsigned long 0x185000

kd> ?? (char *)(( nt!_EPROCESS *) @@masm(0x83f30368))->ImageFileName
char * 0x83f304d4
"System"

ys wrote:

We know in paging mode, all memory access must be translated by the paging table, so I think to read a physical, windbg will map the physical address to a linear address in paging table then read from the linear address. Is this description right?

Correct.  EVERY address that an x86 processor uses is a virtual
address.  The ONLY way to play with a physical address is to create a
page table entry and use the associated virtual address. Note that, in
the windbg case, those physical addresses usually have other virtual
mappings that already exist.  This is why windbg wants you to specify
the caching mode.  Caching is done with virtual addresses, and it’s
problematic to have two virtual-to-physical mappings to the same address
with different cache attributes.
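
The PAE walk that the !vtop output in the first post prints, reproduced as an added example (not code from the thread or from WinDbg). The "physical memory" is a constructed three-entry table holding only the values that output shows, and read_phys_qword and pae_vtop are hypothetical names; a real debugger performs each of these reads through a temporary virtual mapping, as the reply above describes.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed "physical memory": only the three 8-byte entries that the
   !vtop output in the thread printed (entry address -> entry value). */
struct phys_qword { uint64_t pa, value; };
static const struct phys_qword SAMPLE[] = {
    { 0x7e28d640ULL, 0x0000000052e97801ULL },  /* PAE PDPE */
    { 0x52e97038ULL, 0x0000000057ba6867ULL },  /* PAE PDE  */
    { 0x57ba6c30ULL, 0x000000003182b025ULL },  /* PAE PTE  */
};

#define PRESENT   0x1ULL
#define LARGE     0x80ULL                        /* PS bit in a PDE: 2 MB page */
#define FRAME(e)  ((e) & 0x000FFFFFFFFFF000ULL)  /* bits 51:12, drops flags/NX */

/* Stand-in for a debugger's physical read; returns 0 if not in the sample. */
static int read_phys_qword(uint64_t pa, uint64_t *out) {
    for (size_t i = 0; i < sizeof SAMPLE / sizeof SAMPLE[0]; i++)
        if (SAMPLE[i].pa == pa) { *out = SAMPLE[i].value; return 1; }
    return 0;
}

/* 32-bit PAE walk: 2-bit PDPT index, 9-bit PD index, 9-bit PT index,
   12-bit page offset. Returns 1 and fills *pa on success, 0 on failure. */
int pae_vtop(uint64_t pdpt_base, uint32_t va, uint64_t *pa) {
    uint64_t e;
    if (!read_phys_qword(pdpt_base + 8 * (va >> 30), &e) || !(e & PRESENT))
        return 0;
    if (!read_phys_qword(FRAME(e) + 8 * ((va >> 21) & 0x1ff), &e) || !(e & PRESENT))
        return 0;
    if (e & LARGE) {                             /* 2 MB page: no PT level */
        *pa = (e & 0x000FFFFFFFE00000ULL) | (va & 0x1fffff);
        return 1;
    }
    if (!read_phys_qword(FRAME(e) + 8 * ((va >> 12) & 0x1ff), &e) || !(e & PRESENT))
        return 0;
    *pa = FRAME(e) | (va & 0xfff);
    return 1;
}

int main(void) {
    uint64_t pa;
    if (pae_vtop(0x7e28d640ULL, 0x00f867d0, &pa))
        printf("f867d0 -> %llx\n", (unsigned long long)pa);
    return 0;
}
```

Each entry address is the previous entry's frame plus 8 times the index taken from the virtual address, which is why the PDE is read at 52e97038 (index 7) and the PTE at 57ba6c30 (index 0x186).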