Part 1:
1: kd> p
nt!MiAddValidPageToWorkingSet+0xa9:
80a83c13 e8da9afcff      call    nt!MiAllocateWsle (80a4d6f2)
1: kd> t
nt!MiAllocateWsle:
80a4d6f2 55              push    ebp
1: kd> dv
         WsInfo = 0x8953a1f8
     PointerPte = 0xc01df8a8
           Pfn1 = 0x81bcd810
       WsleMask = 0x118
           Wsle = 0x00000008
WorkingSetIndex = 0x8953a1f8
Part 2:
1: kd> dx -r1 ((ntkrnlmp!_MMWSL *)0xc0503000)
((ntkrnlmp!_MMWSL *)0xc0503000)                 : 0xc0503000 [Type: _MMWSL *]
    [+0x000] FirstFree        : 0xc3 [Type: unsigned long]
    WorkingSetIndex = WorkingSetList->FirstFree;
    WorkingSetList->FirstFree = (WSLE_NUMBER)(Wsle[WorkingSetIndex].u1.Long >> MM_FREE_WSLE_SHIFT);
1: kd> dd 0xc0503698+c3*4
c05039a4  00000c40 00000c50 00000c60 00000c70
WorkingSetList->FirstFree = 0xc4
    if (WorkingSetIndex > WorkingSetList->LastEntry) {
        WorkingSetList->LastEntry = WorkingSetIndex;
    }
1: kd> dx -r1 ((ntkrnlmp!_MMWSL *)0xc0503000)
((ntkrnlmp!_MMWSL *)0xc0503000)                 : 0xc0503000 [Type: _MMWSL *]
    [+0x000] FirstFree        : 0xc4 [Type: unsigned long]
    [+0x004] FirstDynamic     : 0x4 [Type: unsigned long]
    [+0x008] LastEntry        : 0xc3 [Type: unsigned long]
Part 3:
#define MiGetVirtualAddressMappedByPte(PTE) ((PVOID)((ULONG)(PTE) << 10))
     PointerPte = 0xc01df8a8
1100 0000 0001 1101 1111 1000 1010 1000   (0xc01df8a8)
0111 0111 1110 0010 1010 0000 0000 0000   (<< 10: the top 10 bits fall off, 10 zero bits come in)
77e2a000
Summary after checking the reference: the result is indeed the virtual address. Shifting the PTE left by 10 bits yields the upper 20 bits of the virtual address!
Shifting the virtual address right by 10 bits and adding 0xC0000000 gives the PTE.
1: kd> dv
StoreInstruction = 0
 FaultingAddress = 0x77e2a0c8
1: kd> !pte 0x77e2a0c8
                 VA 77e2a0c8
PDE at C030077C          PTE at C01DF8A8
contains 7B259867        contains 7DE56025
pfn 7b259 ---DA--UWEV    pfn 7de56 ----A--UREV
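The PTE/VA arithmetic of this part, as an added example that is not code from the original page: va_from_pte, pte_from_va and decode_pte are names chosen here, and the x86 non-PAE layout (4-byte PTEs, 4 KiB pages, PTE area at 0xC0000000) is assumed from the session.

```c
/* Added example, not from the original page: the x86 non-PAE PTE <-> VA
 * arithmetic used above (4-byte PTEs, 4 KiB pages, PTE area at 0xC0000000),
 * plus a decoder for the hardware bits that !pte prints beside "pfn". */
#include <stdint.h>
#include <stdio.h>

#define PTE_BASE 0xC0000000u

/* MiGetVirtualAddressMappedByPte: a PTE lives at PTE_BASE + 4 * VPN, so
 * shifting left by 10 drops PTE_BASE off the top of the 32-bit value and
 * turns 4 * VPN into VPN << 12, the start of the mapped page. */
static uint32_t va_from_pte(uint32_t pte_addr) {
    return pte_addr << 10;
}

/* Inverse (MiGetPteAddress). The page's shorthand "VA >> 10 + 0xC0000000"
 * works for 0x77e2a0c8 because bits 10-11 of its page offset are zero;
 * masking them keeps the result 4-byte aligned for any offset. Applying
 * it to a PTE address yields the PDE, since the PTE pages are self-mapped. */
static uint32_t pte_from_va(uint32_t va) {
    return ((va >> 10) & ~3u) + PTE_BASE;
}

/* Hardware bits of a 32-bit x86 PTE value (the "contains" column). */
struct pte_bits { uint32_t pfn; int valid, writable, user, accessed, dirty; };

static struct pte_bits decode_pte(uint32_t pte) {
    struct pte_bits b;
    b.pfn      = pte >> 12;        /* bits 12..31 */
    b.valid    = (pte >> 0) & 1;   /* V */
    b.writable = (pte >> 1) & 1;   /* W, else R */
    b.user     = (pte >> 2) & 1;   /* U, else K */
    b.accessed = (pte >> 5) & 1;   /* A */
    b.dirty    = (pte >> 6) & 1;   /* D */
    return b;
}

int main(void) {
    /* Values taken from the debugger session above. */
    uint32_t pte_addr = 0xc01df8a8u, fault_va = 0x77e2a0c8u;
    struct pte_bits b = decode_pte(0x7DE56025u);
    printf("PTE %08x maps VA %08x\n", pte_addr, va_from_pte(pte_addr));
    printf("VA  %08x -> PTE at %08x, PDE at %08x\n", fault_va,
           pte_from_va(fault_va), pte_from_va(pte_addr));
    printf("pfn %05x valid=%d %c %c accessed=%d dirty=%d\n", b.pfn, b.valid,
           b.user ? 'U' : 'K', b.writable ? 'W' : 'R', b.accessed, b.dirty);
    return 0;
}
```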
Part 4:
1: kd> t
nt!MiAllocateWsle+0x14d:
80a4d83f e80aaeffff      call    nt!MiUpdateWsle (80a4864e)
1: kd> t
nt!MiUpdateWsle:
80a4864e 55              push    ebp
1: kd> kc
 #
00 nt!MiUpdateWsle
01 nt!MiAllocateWsle
02 nt!MiAddValidPageToWorkingSet
03 nt!MiCompleteProtoPteFault
04 nt!MiResolveProtoPteFault
05 nt!MiDispatchFault
06 nt!MmAccessFault
07 nt!_KiTrap0E
08 nt!ObpCaptureObjectName
09 nt!ObpCaptureObjectCreateInformation
0a nt!ObOpenObjectByName
0b nt!NtOpenSection
0c nt!_KiSystemService
0d SharedUserData!SystemCallStub
0e ntdll!NtOpenSection
0f KERNEL32!OpenSection
10 KERNEL32!GetLocaleFileInfo
11 KERNEL32!NlsProcessInitialize
12 KERNEL32!NlsDllInitialize
13 KERNEL32!BaseDllInitialize
14 ntdll!LdrpCallInitRoutine
15 ntdll!LdrpRunInitializeRoutines
16 ntdll!LdrpLoadDll
17 ntdll!LdrLoadDll
18 CSRSRV!CsrLoadServerDll
19 CSRSRV!CsrParseServerCommandLine
1a CSRSRV!CsrServerInitialization
1b csrss!main
1c csrss!NtProcessStartup
1: kd> dv
   DesiredIndex = 0xf704b9f0
 VirtualAddress = 0x77e2a000
         WsInfo = 0x8953a1f8
            Pfn = 0x81bcd810
           Wsle = 0x80a4864e
Part 5:
    WsleContents.u1.VirtualAddress = PAGE_ALIGN (VirtualAddress);
    WsleContents.u1.e1.Valid = 1;
1: kd> dt mmwsle -r
nt!MMWSLE
   +0x000 u1               : __unnamed
      +0x000 VirtualAddress   : Ptr32 Void
      +0x000 Long             : Uint4B
      +0x000 e1               : _MMWSLENTRY
         +0x000 Valid            : Pos 0, 1 Bit
         +0x000 LockedInWs       : Pos 1, 1 Bit
         +0x000 LockedInMemory   : Pos 2, 1 Bit
         +0x000 Protection       : Pos 3, 5 Bits
         +0x000 SameProtectAsProto : Pos 8, 1 Bit
         +0x000 Direct           : Pos 9, 1 Bit
         +0x000 Age              : Pos 10, 2 Bits
         +0x000 VirtualPageNumber : Pos 12, 20 Bits
0x77e2a001
Part 6:
WorkingSetIndex = 0xc3
1: kd> dd 0x81bcd810
81bcd810  00000000 e13a9c10 00000001 00011608
81bcd820  f926946a 000007ec
   +0x00c u3               : __unnamed
      +0x000 e1               : _MMPFNENTRY
         +0x000 Modified         : Pos 0, 1 Bit
         +0x000 ReadInProgress   : Pos 1, 1 Bit
         +0x000 WriteInProgress  : Pos 2, 1 Bit
         +0x000 PrototypePte     : Pos 3, 1 Bit        --> 1
        if (Pfn->u3.e1.PrototypePte == 0) {
        }
        else {
            OldValue = InterlockedCompareExchange ((PLONG)&Pfn->u1.Event,
                                                   WorkingSetIndex,
                                                   0);
1: kd> dd 0x81bcd810
81bcd810  000000c3 e13a9c10 00000001 00011608        // 000000c3
81bcd820  f926946a 000007ec
Part 7:
        if (OldValue == 0) {
            WsleContents.u1.e1.Direct = 1;          --> 0x77e2a201
            MI_LOG_WSLE_CHANGE (WorkingSetList, WorkingSetIndex, WsleContents);
            Wsle[WorkingSetIndex] = WsleContents;
            return;
1: kd> dt mmwsle -r
nt!MMWSLE
   +0x000 u1               : __unnamed
      +0x000 VirtualAddress   : Ptr32 Void
      +0x000 Long             : Uint4B
      +0x000 e1               : _MMWSLENTRY
         +0x000 Valid            : Pos 0, 1 Bit
         +0x000 LockedInWs       : Pos 1, 1 Bit
         +0x000 LockedInMemory   : Pos 2, 1 Bit
         +0x000 Protection       : Pos 3, 5 Bits
         +0x000 SameProtectAsProto : Pos 8, 1 Bit
         +0x000 Direct           : Pos 9, 1 Bit
0x77e2a001
0000 0000 0001
0010 0000 0001
0x77e2a201
1: kd> p
nt!MiUpdateWsle+0x178:
80a487c6 890c90          mov     dword ptr [eax+edx*4],ecx
1: kd> r
eax=c0503698 ebx=77e2a001 ecx=77e2a201 edx=000000c3 esi=c0503000 edi=81bcd810
1: kd> dd c0503698+c3*4
c05039a4  00000c40 00000c50 00000c60 00000c70
Wsle[WorkingSetIndex] = WsleContents;
1: kd> dd c0503698+c3*4
c05039a4  77e2a201 00000c50 00000c60 00000c70
Part 8: back in nt!MiAllocateWsle
1: kd> p
nt!MiAllocateWsle+0x15c:
80a4d84e 8b45fc          mov     eax,dword ptr [ebp-4]
    if (WsleMask != 0) {
        Wsle[WorkingSetIndex].u1.Long |= WsleMask;          // OR in the mask.
    }
       WsleMask = 0x118
1: kd> dd c0503698+c3*4
c05039a4  77e2a201
0x77e2a201 | 0x118 = 0x77e2a319 (no bits overlap, so adding gives the same result)
1: kd> p
nt!MiAllocateWsle+0x15f:
80a4d851 8d04b8          lea     eax,[eax+edi*4]
1: kd> p
nt!MiAllocateWsle+0x162:
80a4d854 0908            or      dword ptr [eax],ecx
1: kd> r
eax=c05039a4 ebx=0fffffff ecx=00000118
After Wsle[WorkingSetIndex].u1.Long |= WsleMask;
1: kd> dd c0503698+c3*4
c05039a4  77e2a319
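The free-list pop of part 2, the entry construction with Valid and Direct of parts 5 to 7 and the WsleMask OR of this part, replayed as an added example that is not code from the original page: pop_free_wsle, build_wsle, decode_wsle, replay_session and the simplified structs are names and stand-ins chosen here, and the LastEntry value before the update is assumed.

```c
/* Added example, not from the original page: the WSLE bookkeeping of parts 2
 * and 5-8 replayed in user mode on the session's values. Bit positions follow
 * the dt output; MM_FREE_WSLE_SHIFT is 4, matching 0xc40 >> 4 == 0xc4 above. */
#include <stdint.h>
#include <stdio.h>
#define MM_FREE_WSLE_SHIFT 4
#define PAGE_ALIGN(va) ((va) & ~0xFFFu)
#define WSLE_VALID  (1u << 0)   /* _MMWSLENTRY.Valid,  Pos 0 */
#define WSLE_DIRECT (1u << 9)   /* _MMWSLENTRY.Direct, Pos 9 */
struct mmwsl { uint32_t FirstFree, FirstDynamic, LastEntry; };  /* stand-ins for */
struct mmpfn { uint32_t Event; unsigned PrototypePte; };        /* the kernel's  */
struct wsle_fields { uint32_t vpn; unsigned valid, protection, same_proto, direct; };
/* MiAllocateWsle's free-list pop: a free slot holds the next free index
 * shifted left by MM_FREE_WSLE_SHIFT. Returns the index handed out. */
static uint32_t pop_free_wsle(struct mmwsl *wsl, const uint32_t *wsle) {
    uint32_t idx = wsl->FirstFree;
    wsl->FirstFree = wsle[idx] >> MM_FREE_WSLE_SHIFT;
    if (idx > wsl->LastEntry) wsl->LastEntry = idx;
    return idx;
}
/* MiUpdateWsle for a prototype-PTE page: whoever wins the compare-exchange
 * 0 -> idx on Pfn->u1.Event gets a Direct entry; then WsleMask is ORed in. */
static uint32_t build_wsle(uint32_t va, uint32_t idx, struct mmpfn *pfn, uint32_t mask) {
    uint32_t contents = PAGE_ALIGN(va) | WSLE_VALID;   /* 0x77e2a001 */
    if (pfn->PrototypePte && pfn->Event == 0) {         /* OldValue == 0 */
        pfn->Event = idx;
        contents |= WSLE_DIRECT;                        /* 0x77e2a201 */
    }
    return contents | mask;                             /* 0x77e2a319 */
}
/* Split an entry into the bitfields dt mmwsle -r lists (Pos 12, 0, 3, 8, 9). */
static struct wsle_fields decode_wsle(uint32_t w) {
    struct wsle_fields f = { w >> 12, w & 1, (w >> 3) & 0x1f, (w >> 8) & 1, (w >> 9) & 1 };
    return f;
}
/* Replay the session and return the entry that lands in Wsle[0xc3]. */
static uint32_t replay_session(void) {
    uint32_t wsle[0x100] = {0};                  /* constructed table */
    wsle[0xc3] = 0x00000c40;                     /* free slot seen at c05039a4 */
    struct mmwsl wsl = { 0xc3, 0x4, 0xc2 };      /* LastEntry before 0xc3: assumed */
    struct mmpfn pfn = { 0, 1 };                 /* Event 0, PrototypePte 1 */
    uint32_t idx = pop_free_wsle(&wsl, wsle);    /* 0xc3; FirstFree becomes 0xc4 */
    wsle[idx] = build_wsle(0x77e2a0c8u, idx, &pfn, 0x118u);
    return wsle[0xc3];
}
int main(void) {
    struct wsle_fields f = decode_wsle(replay_session());
    printf("vpn=%05x valid=%u prot=%u direct=%u\n", f.vpn, f.valid, f.protection, f.direct);
    return 0;
}
```

The decode shows what the 0x118 mask contributed: Protection = 3 and SameProtectAsProto = 1, neither of which the raw dd output makes visible.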