Shared page prototype PTE

NTDEV
1

Hi all,

I’m currently trying to understand the relationship between a shared memory page, a prototype PTE, and the processes that share the page.

Here’s my current example.

At physical address 0x1df1f000 is a 4KB page containing some text, “This is the contents of the file”. This file is currently open in Notepad.exe.

If I view the PFN database entry for the file, I see this:

lkd> !pfn 1df1f
PFN 0001DF1F at address FFFFFA800059D5D0
flink 00016C41 blink / share count 00025CBF pteaddress FFFFF8A001BD6E00
reference count 0000 used entry count 0000 Cached color 0 Priority 5
restore pte FA80027E6F9004C0 containing page 02BDA9 Standby P
Shared

If I’m understanding this correctly, the ‘P’ flag, and ‘Shared’ indicate this is a shared page, and therefore the ‘pteaddress’ value will point to a prototype PTE at 0xFFFFF8A001BD6E00. I can confirm this by running the !pool command:

lkd> !pool FFFFF8A001BD6E00 2
Pool page fffff8a001bd6e00 region is Paged pool
*fffff8a001bd6df0 size: 210 previous size: 210 (Allocated) *MmSt
Pooltag MmSt : Mm section object prototype ptes, Binary : nt!mm

I believe I’m correct in saying that the ‘MmSt’ pool tag is used for prototype PTEs in the paged pool.

I am however a little confused as how this prototype PTE can be used to track the data.

Here’s the output from WinDBG showing the PTE and the data at that page is describes:

lkd> !pte FFFFF8A001BD6E00
VA fffff8a001bd6e00
PXE at FFFFF6FB7DBEDF88 PPE at FFFFF6FB7DBF1400 PDE at FFFFF6FB7E280068 PTE at FFFFF6FC5000DEB0
contains 000000003D0C4863 contains 000000000309F863 contains 000000002CD6C863 contains ACD000002BDA9943
pfn 3d0c4 —DA–KWEV pfn 309f —DA–KWEV pfn 2cd6c —DA–KWEV pfn 2bda9 -G-D—KW-V

lkd> !dd 2bda9e00
#2bda9e00 1df1f8c0 00000000 18e218c0 00000000
#2bda9e10 18ee28c0 00000000 1b0e38c0 00000000
#2bda9e20 6f9004c0 fa80027e 6f9004c0 fa80027e
#2bda9e30 6f9004c0 fa80027e 6f9004c0 fa80027e
#2bda9e40 6f9004c0 fa80027e 6f9004c0 fa80027e
#2bda9e50 6f9004c0 fa80027e 6f9004c0 fa80027e
#2bda9e60 6f9004c0 fa80027e 6f9004c0 fa80027e
#2bda9e70 6f9004c0 fa80027e 6f9004c0 fa80027e

I’m not entirely sure what’ I’m looking at here, I thought it might be a _SECTION_OBJECT, but I’m not entirely sure, any ideas?

Essentially, what I’m trying to do is determine all of the virtual addresses that correspond to a single physical page, which is mentioned here: https://channel9.msdn.com/Forums/TechOff/Windows-Memory-Management-question

So what I’d like to do is to find any virtual addresses that have accessed the shared page at 0x1df1f000.

I’m guessing that the address of this prototype PTE should be somewhere within Notepad’s page tables, is that correct?

As the page is now on the standby list, it is possible to restore this, of soft-fault it back into the processes working set, however, I’m not sure how the memory manager determines which working set it originally came from. The is an OriginalPte element within the _MMPFN structure, but it doesn’t seem to contain a valid virtual address.

Any advice or input would be appreciated.

Thanks

2

What problem are you trying to solve with that information?

3

The problem I’m trying to solve is simply that _FILE_OBJECTS in memory cannot be tied back to their process, unless they are present in the VAD tree, or within the object handle database.

Some programs, such as Notepad, use memory mapping to load the data into their private address space. I wanted to see if it was possible to determine that notepad had opened the file by using the PFN and prototype PTE of the shared file.

4

I’ll ask the question one more time: what problem are you trying to solve by finding the association between FILE_OBJECT and process?

5

There is no problem. I want to know how the data gets from the file object to the process. That is all.

There is no underlying need, there’s nothing overarching objective here, I’m not a virus writer, I’m just curious as to how it all works.

I can see data in notepad, I can’t see a handle for it, and I can’t see it in the VAD mapping. I was just poking around using VMMap and Rammap as I have a curiosity in how these things work.

6

> I believe I’m correct in saying that the ‘MmSt’ pool tag is used for prototype PTEs in the paged pool.

I think yes.

I am however a little confused as how this prototype PTE can be used to track the data.

PPTE has a physical address of the page, or some file/pagefile offset if the page is really not in memory.

When the usual PTEs are made invalid, the are switched to point to the PPTE.

If the page is shared (i.e. several PTEs), then in the end you will have all usual PTEs in the state of “invalid, the reference to PPTE”, and also a PPTE.

Resolving a page fault on such a PTE is just making it valid (using the physaddr from the PPTE) and bumping the page’s refcount.

If several PTEs are faulted on, then they will use the same physaddr (from the PPTE), so the page is really shared.

In order to support the PTE valid->invalid transition, the PFN entry for a PPTE-referenced page contains the pointer to the PPTE (to be put to PTE when it is invalidated).

I’m not entirely sure what’ I’m looking at here, I thought it might be a _SECTION_OBJECT, but I’m not

SECTION_OBJECT is just a) access rights flags b) a ref to Control Area (MmCa for usual sections, MmCi for PE binary SEC_IMAGE sections).

Control Area keeps a list of MmSt “segments” (PPTE tables).

Also, each file’s FCB has SECTION_OBJECT_POINTERS, where the pointers to MmCa and MmCi are stored. This allows the FSD to guarantee 1 and not more then 1 MmCa for any on-disk file.


Maxim S. Shatskih
Microsoft MVP on File System And Storage
xxxxx@storagecraft.com
http://www.storagecraft.com

7

I think you are trying to solve an impossible problem. All you can say is
that there is a mapped data segment. Lots of programs besides NotePad map
data segments; I do it frequently. So knowing the segment is mapped is
not an interesting factoid to say that NotePad had opened it. In fact,
you can’t even know if it IS NotePad, or a program /called/ “NOTEPAD.EXE”.
So what are you going to do with this information once you have it? Note
that the process may not exist even though there are pages that represent
some mapping that had previously existed, and are now waiting to be paged
out. While it may be amusing to think about what is going on, and
informative to understand Windows at greater depth, this idea of focusing
on segments that NotePad has opened sounds unhealthy.
joe

The problem I’m trying to solve is simply that _FILE_OBJECTS in memory
cannot be tied back to their process, unless they are present in the VAD
tree, or within the object handle database.

Some programs, such as Notepad, use memory mapping to load the data into
their private address space. I wanted to see if it was possible to
determine that notepad had opened the file by using the PFN and prototype
PTE of the shared file.

NTDEV is sponsored by OSR

Visit the list at: http://www.osronline.com/showlists.cfm?list=ntdev

OSR is HIRING!! See http://www.osr.com/careers

For our schedule of WDF, WDM, debugging and other seminars visit:
http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at
http://www.osronline.com/page.cfm?name=ListServer

8

Then you want to know about *section* objects.
These exist in addition to *file* objects.
– pa

On 19-Feb-2014 23:54, xxxxx@outlook.com wrote:

There is no problem. I want to know how the data gets from the file object to the process. That is all.

There is no underlying need, there’s nothing overarching objective here, I’m not a virus writer, I’m just curious as to how it all works.

I can see data in notepad, I can’t see a handle for it, and I can’t see it in the VAD mapping. I was just poking around using VMMap and Rammap as I have a curiosity in how these things work.