Part 0: Background — the caller, nt!MiRemoveZeroPage (source excerpt; the function continues beyond what is shown here)
PFN_NUMBER
FASTCALL
MiRemoveZeroPage (
??? IN ULONG Color
??? )
{
??????? ASSERT (Color < MmSecondaryColors);
??????? Page = FreePagesByColor[Color].Flink;
??????? if (Page != MM_EMPTY_LIST) {
??????????? //
??????????? // Remove the first entry on the zeroed by color list.
??????????? //
??????????? Page = MiRemovePageByColor (Page, Color);
Part 1: Stepping from MiRemoveZeroPage into nt!MiRemovePageByColor (call stack, locals at entry, raw PFN entry)
1: kd> p
nt!MiRemoveZeroPage+0x11a:
80ac89b6 e825e4ffff      call    nt!MiRemovePageByColor (80ac6de0)
1: kd> t
nt!MiRemovePageByColor:
80ac6de0 55              push    ebp
1: kd> kc
 #
00 nt!MiRemovePageByColor
01 nt!MiRemoveZeroPage
02 nt!MiPfPutPagesInTransition
03 nt!MmPrefetchPages
04 nt!CcPfPrefetchSections
05 nt!CcPfBootWorker
06 nt!PspSystemThreadStartup
07 nt!KiThreadStartup
(The stack shows this call arriving from the boot-time prefetcher system thread: CcPfBootWorker -> MmPrefetchPages -> MiPfPutPagesInTransition -> MiRemoveZeroPage.)
1: kd> dv
           Page = 0x7b19b
          Color = 0x1b
           Next = 0
       ListName = 0n-150603048 (No matching enumerant)
Note: this dv is taken at the first instruction of MiRemovePageByColor (push ebp), so Next and ListName are still uninitialized stack slots; ListName is only assigned later (ListName = ListHead->ListName, Part 5). The "No matching enumerant" value is stale stack content, not evidence of a corrupted list.
1: kd> dd 81000000+0x7b19b*18
81b8a688  0007b19a 001ec66c 0007b19c 00003000
81b8a698  0007b15b 03ffffff
(0x81000000 is used throughout as the PFN database base and 0x18 as the _MMPFN size. The fields this walkthrough touches are +0x00 u1.Flink = 0x7b19a, +0x08 u2.Blink = 0x7b19c, +0x0c u3 = 0x3000, +0x10 OriginalPte = 0x7b15b and +0x14 u4 = 0x03ffffff; the dword at +0x04 is not used below.)
Part 2: Pre-analysis 1 — decoding u3.e1 and locating MmPageLocationList
   +0x00c u3               : __unnamed
      +0x000 e1               : _MMPFNENTRY
         +0x000 Modified         : Pos 0, 1 Bit
         +0x000 ReadInProgress   : Pos 1, 1 Bit
         +0x000 WriteInProgress  : Pos 2, 1 Bit
         +0x000 PrototypePte     : Pos 3, 1 Bit
         +0x000 PageColor        : Pos 4, 4 Bits   -> 0000b = 0              (decoded from u3 = 0x00003000)
         +0x000 PageLocation     : Pos 8, 3 Bits   -> 000b  = 0 = ZeroedPageList
1: kd> x nt!MmPageLocationList
80b14d04          nt!MmPageLocationList = struct _MMPFNLIST *[8]
1: kd> dx -r1 (*((ntkrnlmp!_MMPFNLIST * (*)[8])0x80b14d04))
(*((ntkrnlmp!_MMPFNLIST * (*)[8])0x80b14d04))                 [Type: _MMPFNLIST * [8]]
    [0]              : 0x80b14c94 [Type: _MMPFNLIST *]
    [1]              : 0x80b14ca4 [Type: _MMPFNLIST *]
    [2]              : 0x80b14cb4 [Type: _MMPFNLIST *]
    [3]              : 0x80b14cc4 [Type: _MMPFNLIST *]
    [4]              : 0x80b14cd4 [Type: _MMPFNLIST *]
    [5]              : 0x80b14ce4 [Type: _MMPFNLIST *]
    [6]              : 0x0 [Type: _MMPFNLIST *]
    [7]              : 0x0 [Type: _MMPFNLIST *]
1: kd> dx -r1 ((ntkrnlmp!_MMPFNLIST *)0x80b14c94)
((ntkrnlmp!_MMPFNLIST *)0x80b14c94)                 : 0x80b14c94 [Type: _MMPFNLIST *]
    [+0x000] Total            : 0x70e85 [Type: unsigned long]
    [+0x004] ListName         : ZeroedPageList (0) [Type: _MMLISTS]
    [+0x008] Flink            : 0xed7 [Type: unsigned long]
    [+0x00c] Blink            : 0xa130 [Type: unsigned long]
Note: entries [6] and [7] are NULL. PageLocation is a 3-bit field and the code masks the index with `and eax,7` before indexing this table (Part 5), so a PFN entry whose PageLocation decoded to 6 or 7 would yield a NULL ListHead before the `dec dword ptr [eax]` in Part 6 — a useful sanity check when a crash lands in this function.
Part 3: Pre-analysis 2 — saving Next/Previous and clearing u1.Flink / u2.Blink
1: kd> dd 81000000+0x7b19b*18
81b8a688  0007b19a 001ec66c 0007b19c 00003000
81b8a698  0007b15b 03ffffff
    Next = Pfn1->u1.Flink;         // -> 0x0007b19a (dword at +0x00)
    Pfn1->u1.Flink = 0;            // Assumes Flink width is >= WsIndex width
    Previous = Pfn1->u2.Blink;     // -> 0x0007b19c (dword at +0x08)
    Pfn1->u2.Blink = 0;
Part 4: Pre-analysis 3 — MM_EMPTY_LIST and the per-color list head (_MMCOLOR_TABLES)
#define MM_EMPTY_LIST ((ULONG)0xFFFFFFFF) // sentinel PFN meaning "no entry": an empty FreePagesByColor head, or the end of a color chain when stored in u4.PteFrame (in the dumps below that bitfield reads 0x03ffffff, presumably the sentinel truncated to the field width)
??? ColorHead->Flink = (PFN_NUMBER) Pfn1->OriginalPte.u.Long;
??? if (ColorHead->Flink != MM_EMPTY_LIST) {
??????? MI_PFN_ELEMENT (ColorHead->Flink)->u4.PteFrame = MM_EMPTY_LIST;
??? }
1: kd> dt _MMCOLOR_TABLES 0x81c00000+1b*c
nt!_MMCOLOR_TABLES
   +0x000 Flink            : 0x7b19b
   +0x004 Blink            : 0x810f2688 Void
   +0x008 Count            : 0x1c35
1: kd> dd 81000000+0007b15b*18
81b8a088  0007b15a 001ec56c 0007b15c 00003000
81b8a098  0007b11b 0007b19b
(0x81c00000 + 0x1b*0xc = 0x81c00144 is the ColorHead address the code computes as &MmFreePagesByColor[ListName][Color] for ListName = 0, Color = 0x1b (confirmed by the lea in Part 9). Its Flink is the page being removed, 0x7b19b. PFN 0x7b15b is the value in Pfn1->OriginalPte (+0x10), i.e. the next page in this color chain; its own u4 (+0x14) currently holds 0x7b19b.)
Part 5: Debugging — Pfn1, NodeColor and the MmPageLocationList lookup
    Pfn1 = MI_PFN_ELEMENT (Page);          // -> 0x81b8a688
    NodeColor = Pfn1->u3.e1.PageColor;     // -> 0 (u3 = 0x3000, bits 4-7)
1: kd> p
nt!MiRemovePageByColor+0x48:
80ac6e28 8b7e0c          mov     edi,dword ptr [esi+0Ch]
1: kd> r
eax=001714d1 ebx=0000001b ecx=81000000 edx=0000001b esi=81b8a688
(esi = Pfn1 = 0x81b8a688, so the load from [esi+0Ch] reads u3 = 0x00003000 shown below. ebx/edx = Color = 0x1b; ecx = 0x81000000 is presumably the PFN database base used in the dd address arithmetic.)
1: kd> dd 81b8a688
81b8a688  0007b19a 001ec66c 0007b19c 00003000
81b8a698  0007b15b 03ffffff
    ListHead = MmPageLocationList[Pfn1->u3.e1.PageLocation];   // PageLocation = 0
    ListName = ListHead->ListName;                             // ZeroedPageList (0)
1: kd> p
nt!MiRemovePageByColor+0x88:
80ac6e68 83e007          and     eax,7
1: kd> p
nt!MiRemovePageByColor+0x8b:
80ac6e6b 8b0485044db180  mov     eax,dword ptr nt!MmPageLocationList (80b14d04)[eax*4]
1: kd> r
eax=00000000
(eax = 0 after `and eax,7` is the 3-bit PageLocation index; it selects MmPageLocationList[0].)
1: kd> x nt!MmPageLocationList
80b14d04          nt!MmPageLocationList = struct _MMPFNLIST *[8]
1: kd> dx -r1 (*((ntkrnlmp!_MMPFNLIST * (*)[8])0x80b14d04))
(*((ntkrnlmp!_MMPFNLIST * (*)[8])0x80b14d04))                 [Type: _MMPFNLIST * [8]]
    [0]              : 0x80b14c94 [Type: _MMPFNLIST *]
    [1]              : 0x80b14ca4 [Type: _MMPFNLIST *]
    [2]              : 0x80b14cb4 [Type: _MMPFNLIST *]
    [3]              : 0x80b14cc4 [Type: _MMPFNLIST *]
    [4]              : 0x80b14cd4 [Type: _MMPFNLIST *]
    [5]              : 0x80b14ce4 [Type: _MMPFNLIST *]
    [6]              : 0x0 [Type: _MMPFNLIST *]
    [7]              : 0x0 [Type: _MMPFNLIST *]
1: kd> dx -r1 ((ntkrnlmp!_MMPFNLIST *)0x80b14c94)
((ntkrnlmp!_MMPFNLIST *)0x80b14c94)                 : 0x80b14c94 [Type: _MMPFNLIST *]
    [+0x000] Total            : 0x70e85 [Type: unsigned long]
    [+0x004] ListName         : ZeroedPageList (0) [Type: _MMLISTS]
    [+0x008] Flink            : 0xed7 [Type: unsigned long]
    [+0x00c] Blink            : 0xa130 [Type: unsigned long]
Part 6: ListHead->Total -= 1
1: kd> p
nt!MiRemovePageByColor+0x95:
80ac6e75 ff08            dec     dword ptr [eax]
1: kd> r
eax=80b14c94
    ListHead->Total -= 1;
1: kd> dx -r1 ((ntkrnlmp!_MMPFNLIST *)0x80b14c94)
((ntkrnlmp!_MMPFNLIST *)0x80b14c94)                 : 0x80b14c94 [Type: _MMPFNLIST *]
    [+0x000] Total            : 0x70e84 [Type: unsigned long]
    [+0x004] ListName         : ZeroedPageList (0) [Type: _MMLISTS]
    [+0x008] Flink            : 0xed7 [Type: unsigned long]
    [+0x00c] Blink            : 0xa130 [Type: unsigned long]
(eax holds ListHead = MmPageLocationList[0]; Total drops from 0x70e85 to 0x70e84. The head's own Flink/Blink (0xed7/0xa130) stay unchanged here because this page sits in the middle of the list — both Next (0x7b19a) and Previous (0x7b19c) are valid PFNs, so only the neighbour entries are rewritten in Part 7.)
Part 7: Unlinking Pfn1 from the u1.Flink / u2.Blink list
??? Next = Pfn1->u1.Flink;
??? Pfn1->u1.Flink = 0;???????? // Assumes Flink width is >= WsIndex width
??? Previous = Pfn1->u2.Blink;
??? Pfn1->u2.Blink = 0;
1: kd> dd 81b8a688
81b8a688  00000000 001ec66c 00000000 00003000
81b8a698  0007b15b 03ffffff
(Pfn1 after the two stores: +0x00 u1.Flink and +0x08 u2.Blink are now zero; every other dword is as before.)
    else {
        Pfn2 = MI_PFN_ELEMENT(Next);
        Pfn2->u2.Blink = Previous;
    }
Next's entry (PFN 0x7b19a) BEFORE the Blink store — u2.Blink (+0x08) still holds the page being removed, 0x7b19b:
1: kd> dd 81000000+0x7b19a*18
81b8a670  0007b199 001ec668 0007b19b 00003000
81b8a680  0007b15a 0007b1da
    else {
        Pfn2 = MI_PFN_ELEMENT(Next);
        Pfn2->u2.Blink = Previous;
    }
Same entry AFTER the store — u2.Blink now holds Previous, 0x7b19c:
1: kd> dd 81000000+0x7b19a*18
81b8a670  0007b199 001ec668 0007b19c 00003000
81b8a680  0007b15a 0007b1da
    else {
        Pfn2 = MI_PFN_ELEMENT(Previous);
        Pfn2->u1.Flink = Next;
    }
Previous's entry (PFN 0x7b19c) AFTER the store — u1.Flink (+0x00) now holds Next, 0x7b19a:
1: kd> dd 81000000+0x7b19c*18
81b8a6a0  0007b19a 001ec670 0007b19d 00003000
81b8a6b0  0007b15c 0007b1dc
u1/u2 unlinking is complete: Next (0x7b19a) and Previous (0x7b19c) now point at each other, and Pfn1's own Flink/Blink are zero.
Part 8: Resetting u3 (ShortFlags, PageColor, CacheAttribute)
?? Pfn1->u3.e2.ShortFlags = 0;
??? Pfn1->u3.e1.PageColor = NodeColor;
??? Pfn1->u3.e1.CacheAttribute = MiNotMapped;
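/*
 * Cache attribute recorded in _MMPFN.u3.e1.CacheAttribute (Pos 12, 2 Bits).
 * The values are spelled out explicitly so the encoding seen in the PFN dumps
 * (u3 = 0x3000 -> bits 12-13 = 11b = 3 = MiNotMapped) can be read off directly.
 */
typedef enum _MI_PFN_CACHE_ATTRIBUTE {
    MiNonCached     = 0,
    MiCached        = 1,
    MiWriteCombined = 2,
    MiNotMapped     = 3     /* written by MiRemovePageByColor for the page it removes */
} MI_PFN_CACHE_ATTRIBUTE, *PMI_PFN_CACHE_ATTRIBUTE;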
1: kd> dd 81000000+0x7b19b*18
81b8a688  00000000 001ec66c 00000000 00003000
81b8a698  0007b15b 03ffffff
   +0x00c u3               : __unnamed
      +0x000 e1               : _MMPFNENTRY
         +0x000 Modified         : Pos 0, 1 Bit
         +0x000 ReadInProgress   : Pos 1, 1 Bit
         +0x000 WriteInProgress  : Pos 2, 1 Bit
         +0x000 PrototypePte     : Pos 3, 1 Bit
         +0x000 PageColor        : Pos 4, 4 Bits
         +0x000 PageLocation     : Pos 8, 3 Bits
         +0x000 RemovalRequested : Pos 11, 1 Bit
         +0x000 CacheAttribute   : Pos 12, 2 Bits   -> 11b = 3 = MiNotMapped
Note: u3 still reads 0x00003000 after the three assignments because the value written back reproduces the old one — PageColor = NodeColor = 0 (read from this same field in Part 5) in bits 4-7, CacheAttribute = MiNotMapped = 3 in bits 12-13 (= 0x3000), and every other flag zero. A page with a different starting PageColor or CacheAttribute would show a change in this dword.
Part 9: Updating the per-color list head (ColorHead)
??? //
??? // Update the color lists.
??? //
??? ASSERT (Color < MmSecondaryColors);
??? ColorHead = &MmFreePagesByColor[ListName][Color];
??? ASSERT (ColorHead->Count >= 1);
??? ColorHead->Flink = (PFN_NUMBER) Pfn1->OriginalPte.u.Long;
??? if (ColorHead->Flink != MM_EMPTY_LIST) {
??????? MI_PFN_ELEMENT (ColorHead->Flink)->u4.PteFrame = MM_EMPTY_LIST;
??? }
1: kd> dt _MMCOLOR_TABLES 0x81c00000+1b*c
nt!_MMCOLOR_TABLES
   +0x000 Flink            : 0x7b19b
   +0x004 Blink            : 0x810f2688 Void
   +0x008 Count            : 0x1c35
1: kd> p
nt!MiRemovePageByColor+0x181:
80ac6f61 8d3c81          lea     edi,[ecx+eax*4]
1: kd> pr
eax=00000051 ebx=0000001b ecx=81c00000 edx=81000000 esi=81b8a688 edi=81c00144
(eax = 0x51 = 0x1b * 3 dwords and ecx = 0x81c00000, so edi = 0x81c00144 is the ColorHead the code computes as &MmFreePagesByColor[ListName][Color] — the same address dumped with dt above.)
1: kd> dd 0x81c00000+1b*c
81c00144  0007b19b 810f2688 00001c35
    ColorHead->Flink = (PFN_NUMBER) Pfn1->OriginalPte.u.Long;   // = 0x0007b15b (Pfn1 +0x10)
1: kd> dd 81000000+0x7b19b*18
81b8a688  00000000 001ec66c 00000000 00003000
81b8a698  0007b15b 03ffffff
1: kd> dt _MMCOLOR_TABLES 0x81c00000+1b*c
nt!_MMCOLOR_TABLES
   +0x000 Flink            : 0x7b15b
   +0x004 Blink            : 0x810f2688 Void
   +0x008 Count            : 0x1c35
1: kd> dd 81000000+0x7b15b*18
81b8a088  0007b15a 001ec56c 0007b15c 00003000
81b8a098  0007b11b 0007b19b
    if (ColorHead->Flink != MM_EMPTY_LIST) {
        MI_PFN_ELEMENT (ColorHead->Flink)->u4.PteFrame = MM_EMPTY_LIST;
    }
1: kd> dd 81000000+0x7b15b*18
81b8a088  0007b15a 001ec56c 0007b15c 00003000
81b8a098  0007b11b 03ffffff
Note: u4 (+0x14) of PFN 0x7b15b went from 0x0007b19b to 0x03ffffff, not to 0xffffffff. MM_EMPTY_LIST is ((ULONG)0xFFFFFFFF), but u4.PteFrame is presumably a bitfield narrower than 32 bits, so the sentinel is truncated to the field width and the remaining bits of u4 are left untouched. The removed page's own u4 already read 0x03ffffff (it was the head of this color chain), so when checking whether a PFN is the last entry of a color chain in these dumps, the value to compare against is 0x03ffffff in the PteFrame bits, not the raw 0xffffffff constant.
Part 10: ColorHead->Count -= 1
??? ColorHead->Count -= 1;
1: kd> dt _MMCOLOR_TABLES 0x81c00000+1b*c
nt!_MMCOLOR_TABLES
   +0x000 Flink            : 0x7b15b
   +0x004 Blink            : 0x810f2688 Void
   +0x008 Count            : 0x1c34
(Count drops from 0x1c35 to 0x1c34; Flink now heads the chain at 0x7b15b and Blink is unchanged.)
Part 11: Return value and final state of the PFN entry
1: kd> p
nt!MiRemovePageByColor+0x213:
80ac6ff3 c9              leave
1: kd> r
eax=0007b19b
1: kd> dd 81000000+0x7b19b*18
81b8a688  00000000 001ec66c 00000000 00003000
81b8a698  0007b15b 03ffffff
At the leave, eax = 0x7b19b: the removed PFN is the return value that MiRemoveZeroPage stores with `Page = MiRemovePageByColor (Page, Color)`. Final state of the entry: u1.Flink and u2.Blink zeroed, u3 unchanged at 0x3000, OriginalPte (+0x10) still 0x7b15b — none of the code shown clears it, so the entry still carries its old color-chain link — and u4 still 0x03ffffff.