Hello All
I was trying to do a manual Virtual Address to PTE Address conversion using
the formula below on an x86 (PAE kernel). On Windows 2003 SP2, when I
use this formula, I notice that we have two different values for
PTE_BASE based on the address ranges. It seems that for VA below C0600000 we
have a PTE_BASE of C0400000. I am trying to understand why we have two
different PTE_BASE values?
PTE Address = (VA / PAGE_SIZE) * PTE_SIZE + PTE_BASE
PTE_SIZE = 8 Bytes
PTE_BASE = C0400000 (Vista)
PAGE_SIZE = 0x1000
Here is what I see.
From Win2K3 SP2 (PAE Enabled)
kd> !process 0 0 Explorer.exe
PROCESS 82521988 SessionId: 0 Cid: 0480 Peb: 7ffd6000 ParentCid: 0460
DirBase: 16cf71a0 ObjectTable: e1793688 HandleCount: 294.
Image: explorer.exe
kd> !address 82521988
81981000 - 00e7f000
Usage KernelSpaceUsageNonPagedPool
kd> !address e1793688
e1000000 - 0fe00000
Usage KernelSpaceUsagePagedPool
kd> !pte 82521988
VA 82521988
PDE at 00000000C0602090 PTE at 00000000C0412908 //Here the above formula yield right result if PTE_BASE = C0400000
contains 00000000024001E3 contains 0000000000000000
pfn 2400 -GLDA--KWEV LARGE PAGE pfn 2521
kd> !pte e1793688
VA e1793688
PDE at 00000000C0603858 PTE at 00000000C070BC98 //Here the above formula would yield right result if PTE_BASE = C0600000
contains 000000001F54C063 contains 000000001722E163
pfn 1f54c ---DA--KWEV pfn 1722e -G-DA--KWEV
Thanks & Regards
Pushkar Prasad
That doesn’t seem right to me. If I perform the calculations I get different
results:
kd> ?(0`82521988/1000)*@@(sizeof(nt!_MMPTE_HARDWARE))
Evaluate expression: 4270344 = 00412908
From your output: PTE at 00000000C0412908
kd> ?(0`e1793688/1000)*@@(sizeof(nt!_MMPTE_HARDWARE))
Evaluate expression: 7388312 = 0070bc98
From your output: PTE at 00000000C070BC98
Where did you get a PTE_BASE of C0400000?
-scott
–
Scott Noone
Consulting Associate
OSR Open Systems Resources, Inc.
http://www.osronline.com
Pushkar Prasad wrote:
> I was trying to do a manual Virtual Address to PTE Address conversion
> using the formula below on a x86 (PAE- Kernel). On a Windows 2003 SP2
> when I am using this formula then I notice that we have two different
> values for PTE_BASE based on the address Ranges. It seems that for VA
> below C0600000 we have a PTE_BASE C0400000. I am trying to understand
> why we have two different PTE_BASE?
>
> PTE Address = (VA / PAGE_SIZE ) * PTE_SIZE + PTE_BASE
> PTE_SIZE = 8 Bytes
> PTE_BASE = C0400000 (Vista)

Where did you get that?

> kd> !process 0 0 Explorer.exe
> PROCESS 82521988 SessionId: 0 Cid: 0480 Peb: 7ffd6000 ParentCid: 0460
> DirBase: 16cf71a0 ObjectTable: e1793688 HandleCount: 294.
> Image: explorer.exe
> …
> kd> !pte 82521988
> VA 82521988
> PDE at 00000000C0602090 PTE at 00000000C0412908 //Here the above formula yield right result if PTE_BASE = C0400000
> contains 00000000024001E3 contains 0000000000000000
> pfn 2400 -GLDA--KWEV LARGE PAGE pfn 2521

In hex, 82521 x 8 = 412908, not 12908.

> kd> !pte e1793688
> VA e1793688
> PDE at 00000000C0603858 PTE at 00000000C070BC98 //Here the above formula would yield right result if PTE_BASE = C0600000
> contains 000000001F54C063 contains 000000001722E163

In hex, E1793 x 8 = 70BC98. Looks to me like PTE_BASE = C0000000, not
C0400000.
–
Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.
Thanks Scott & Tim
I was a bit confused. Actually, I tried the bit conversion scheme as per the
diagram in Windows Internals, and hence I was stripping off the first 2 MSBs of
the binary pattern of those VAs and did the calculation, and somehow C0400000
and C0600000 seemed to compensate for my stupidity and it was yielding
the desired results as given by the !pte output. I was acting totally stupid
here.
Thanks for the guidance
Regards
Pushkar Prasad
On Wed, Jun 10, 2009 at 7:16 PM, Scott Noone wrote:
> That doesn’t seem right to me. If I perform the calculations I get
> different
> results:
>
> kd> ?(0`82521988/1000)*@@(sizeof(nt!_MMPTE_HARDWARE))
> Evaluate expression: 4270344 = 00412908
>
> From your output: PTE at 00000000C0412908
>
> kd> ?(0`e1793688/1000)*@@(sizeof(nt!_MMPTE_HARDWARE))
> Evaluate expression: 7388312 = 0070bc98
>
> From your output: PTE at 00000000C070BC98
>
> Where did you get a PTE_BASE of C0400000?
>
> -scott
–
Thanks & Regards
Pushkar Prasad | Email: xxxxx@eccellente-it.com | URL:
http://www.eccellente-it.com |
“A positive attitude may not solve all your problems, but it will annoy
enough people to make it worth the effort.” -Herm Albright
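
Added example, not part of the original thread: the calculation discussed above, written in C and checked against the !pte output posted in the thread. It assumes the x86 PAE layout with the page tables self-mapped at PTE_BASE = C0000000 (the value Tim Roberts arrives at); the function names are illustrative. The last function reproduces the "strip the first 2 MSBs" variant and shows why C0400000 and C0600000 then look like per-range bases.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumption: 32-bit Windows PAE kernel, page tables self-mapped at
   PTE_BASE = 0xC0000000 (the value the thread concludes with). */
#define PTE_BASE   0xC0000000u
#define PAGE_SHIFT 12u   /* PAGE_SIZE = 0x1000 */
#define PTE_SIZE   8u    /* PAE entries are 64 bits wide */

/* Flat formula from the thread: (VA / PAGE_SIZE) * PTE_SIZE + PTE_BASE. */
uint32_t pte_address(uint32_t va)
{
    return PTE_BASE + (va >> PAGE_SHIFT) * PTE_SIZE;
}

/* With a self-map, the PDE for va is the PTE that maps va's own PTE. */
uint32_t pde_address(uint32_t va)
{
    return pte_address(pte_address(va));
}

/* Mistaken variant: drop VA bits 31:30 (the PDPT index) before multiplying.
   What remains is an offset inside one 2 MB slice of the PTE region, so the
   base needed to match !pte is PTE_BASE + pdpt_index * 0x200000. */
uint32_t apparent_base_after_stripping(uint32_t va)
{
    uint32_t stripped_offset = ((va & 0x3FFFFFFFu) >> PAGE_SHIFT) * PTE_SIZE;
    return pte_address(va) - stripped_offset;
}

int main(void)
{
    /* The two addresses from the !process output in the thread. */
    const uint32_t vas[] = { 0x82521988u, 0xE1793688u };
    for (unsigned i = 0; i < 2; i++) {
        printf("VA %08X  PDE at %08X  PTE at %08X  apparent base %08X\n",
               (unsigned)vas[i],
               (unsigned)pde_address(vas[i]),
               (unsigned)pte_address(vas[i]),
               (unsigned)apparent_base_after_stripping(vas[i]));
    }
    return 0;
}
```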