nt!MmMapViewInSystemCache函数分析PointerPte的填充

第一部分：

1: kd> kc
#
00 nt!MmMapViewInSystemCache
01 nt!CcGetVacbMiss
02 nt!CcGetVirtualAddress
03 nt!CcMapData
04 Ntfs!NtfsMapStream
05 Ntfs!NtfsReadBootSector
06 Ntfs!NtfsMountVolume
07 Ntfs!NtfsCommonFileSystemControl
08 Ntfs!NtfsFspDispatch
09 nt!ExpWorkerThread
0a nt!PspSystemThreadStartup
0b nt!KiThreadStartup

1: kd> p
nt!MmMapViewInSystemCache+0x32b:
80aaf01d 8b0e            mov     ecx,dword ptr [esi]
1: kd> dv
    SectionToMap = 0xe127a740
    CapturedBase = 0x89988000
   SectionOffset = 0xf78d6900 {-9175257283469246464}
CapturedViewSize = 0x00000040
       PteOffset = 0
       LastProto = 0x00000000
     PteContents = struct _MMPTE
         OldIrql = 0x00 ''
         LastPte = 0x89988000
   LastPteOffset = 0x40
          Waited = 1
        ProtoPte = 0xf78d6900
   NumberOfPages = 0x40

if (PointerPte->u.List.NextEntry == MM_EMPTY_PTE_LIST) {

    if ((PointerPte + 1)->u.List.NextEntry == (KeReadTbFlushTimeStamp() & MM_FLUSH_COUNTER_MASK)) {
        KeFlushEntireTb (TRUE, TRUE);
    }

第二部分：

1: kd> p
nt!MmMapViewInSystemCache+0x355:
80aaf047 8b4e04 mov ecx,dword ptr [esi+4]
1: kd> r
eax=00001314 ebx=898ff908 ecx=c10c0000 edx=00000000 esi=c0304200

1: kd> dd c0304200
c0304200 c10c0000 00000000 00000000 00000000

    //
    // Zero this explicitly now since the number of pages may be only 1.
    //

(PointerPte + 1)->u.List.NextEntry = 0;

1: kd> p
nt!MmMapViewInSystemCache+0x36d:
80aaf05f 816604ff0f0000 and dword ptr [esi+4],0FFFh

1: kd> r
eax=00001314 ebx=898ff908 ecx=00000000 edx=00000000 esi=c0304200 edi=00000000

第三部分：

*CapturedBase = MiGetVirtualAddressMappedByPte (PointerPte); c1080000

#define MiGetVirtualAddressMappedByPte(PTE) ((PVOID)((ULONG)(PTE) << 10))

c0304200

1100 0000 0011 0000 0100 0010 0000 0000
11 0000 0100 0010 0000 0000 00 0000 0000

11 00 00 01 00 00 10 00 00 00 00 00 0000 0000
c1080000

1: kd> !pte c1080000
                 VA c1080000
PDE at C0300C10         PTE at C0304200
contains 0A03F963       contains C10C0000
pfn a03f -G-DA--KWEV   not valid
                         Page has been freed

第四部分：

回顾PointerPte的由来：

PointerPte = MmFirstFreeSystemCache;

    //
    // Update next free entry.
    //

ASSERT (PointerPte->u.Hard.Valid == 0);

MmFirstFreeSystemCache = MmSystemCachePteBase + PointerPte->u.List.NextEntry;
ASSERT (MmFirstFreeSystemCache <= MiGetPteAddress (MmSystemCacheEnd));

1: kd> p
nt!MmMapViewInSystemCache+0x377:
80aaf069 8bc6 mov eax,esi
1: kd> p
nt!MmMapViewInSystemCache+0x379:
80aaf06b c1e00a shl eax,0Ah
1: kd> r
eax=c0304200

1: kd> dv
SectionToMap = 0xe127a740
CapturedBase = 0x89988000

1: kd> dx -r1 ((ntkrnlmp!void * *)0x89988000)
((ntkrnlmp!void * *)0x89988000) : 0x89988000 [Type: void * *]
0xc1080000

1: kd> !pte 0xc1080000
                 VA c1080000
PDE at C0300C10         PTE at C0304200
contains 0A03F963       contains C10C0000
pfn a03f -G-DA--KWEV   not valid
                         Page has been freed

1: kd> x nt!MmFirstFreeSystemCache
80b23594 nt!MmFirstFreeSystemCache = 0xc0304300

1: kd> dd 0xc0304200 //0xc0304200下一个是0xc0304300
c0304200 c10c0000

304300
0011 0000 0100 0011 0000 0000
0011 0000 0100 0011 0000 00
00 11 00 00 01 00 00 11 00 00 00
c10c0 //正确

1: kd> dd 0xc0304200
c0304200 c10c0000 00000000 00000000 00000000
c0304210 00000000 00000000 00000000 00000000

第五部分：

1: kd> dt subsection 0x898ff8d8+30
nt!SUBSECTION
   +0x000 ControlArea      : 0x898ff8d8 _CONTROL_AREA
   +0x004 u                : __unnamed
   +0x008 StartingSector   : 0
   +0x00c NumberOfFullSectors : 0x100
   +0x010 SubsectionBase   : 0xe1009c00 _MMPTE
   +0x014 UnusedPtes       : 0
   +0x018 PtesInSubsection : 0x100
   +0x01c NextSubsection   : (null)

PteOffset = 0

ProtoPte = &Subsection->SubsectionBase[PteOffset]; =0xe1009c00

1: kd> p
nt!MmMapViewInSystemCache+0x384:
80aaf076 8d0c88          lea     ecx,[eax+ecx*4]
1: kd> r
eax=e1009c00 ebx=898ff908 ecx=00000000 edx=00000000 esi=c0304200 edi=00000000
eip=80aaf076 esp=f78d6910 ebp=f78d6930 iopl=0         nv up ei ng nz na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000             efl=00000286
nt!MmMapViewInSystemCache+0x384:
80aaf076 8d0c88          lea     ecx,[eax+ecx*4]
1: kd> p
nt!MmMapViewInSystemCache+0x387:
80aaf079 894d10          mov     dword ptr [ebp+10h],ecx
1: kd> r
eax=e1009c00 ebx=898ff908 ecx=e1009c00 edx=00000000 esi=c0304200 edi=00000000

1: kd> dv
SectionToMap = 0xe127a740

ProtoPte = 0xe1009c00 //正确

第六部分：

LastProto = &Subsection->SubsectionBase[Subsection->PtesInSubsection];

+0x018 PtesInSubsection : 0x100

0xe1009c00+0x100*4=

1: kd> ?0xe1009c00+0x100*4
Evaluate expression: -520052736 = e100a000

1: kd> dv
SectionToMap = 0xe127a740

LastProto = 0xe100a000

LastPte = PointerPte + NumberOfPages; eax=c0304300

0xc0304200+0x40*4=
1: kd> ?0xc0304200+0x40*4
Evaluate expression: -1070578944 = c0304300

1: kd> p
nt!MmMapViewInSystemCache+0x396:
80aaf088 8d0486          lea     eax,[esi+eax*4]
1: kd> r
eax=00000040 ebx=898ff908 ecx=00000100 edx=00000000 esi=c0304200 edi=00000000
eip=80aaf088 esp=f78d6910 ebp=f78d6930 iopl=0         nv up ei ng nz na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000             efl=00000286
nt!MmMapViewInSystemCache+0x396:
80aaf088 8d0486          lea     eax,[esi+eax*4]
1: kd> p
nt!MmMapViewInSystemCache+0x399:
80aaf08b 8d7e08          lea     edi,[esi+8]
1: kd> r
eax=c0304300

第七部分：

while (PointerPte < LastPte) {

if (ProtoPte >= LastProto) {

            //
            // Handle extended subsections.
            //

            Subsection = Subsection->NextSubsection;
            ProtoPte = Subsection->SubsectionBase;
            LastProto = &Subsection->SubsectionBase[
                                        Subsection->PtesInSubsection];
        }
        PteContents.u.Long = MiProtoAddressForKernelPte (ProtoPte);
        MI_WRITE_INVALID_PTE (PointerPte, PteContents);

ASSERT (((ULONG_PTR)PointerPte & (MM_COLOR_MASK << PTE_SHIFT)) ==
(((ULONG_PTR)ProtoPte & (MM_COLOR_MASK << PTE_SHIFT))));

        PointerPte += 1;
        ProtoPte += 1;
    }

ProtoPte = &Subsection->SubsectionBase[PteOffset]; =0xe1009c00

#define MiProtoAddressForKernelPte(proto_va) MiProtoAddressForPte(proto_va)

#define MiProtoAddressForPte(proto_va) \
   ((((((ULONG)proto_va - MmProtopte_Base) >> 1) & (ULONG)0x000000FE)   | \
    (((((ULONG)proto_va - MmProtopte_Base) << 2) & (ULONG)0xfffff800))) | \
    MM_PTE_PROTOTYPE_MASK)

#define MM_PTE_PROTOTYPE_MASK 0x400

#define MmProtopte_Base ((ULONG)MmPagedPoolStart)
1: kd> x nt!MmPagedPoolStart
80b15028 nt!MmPagedPoolStart = 0xe1000000

1: kd> !pte 0xe1009c00
                 VA e1009c00
PDE at C0300E10         PTE at C0384024
contains 0A1C0963       contains 0A1CD963
pfn a1c0 -G-DA--KWEV   pfn a1cd -G-DA--KWEV

9c00

1001 1100 0000 0000
1001 1100 0000 000

1001 110 0 000 0 000
1 111 1 110

1001 1100 0000 0000 00

10 01 11 00 00 00 00 00 00
27000

27400

第八部分：

PteContents.u.Long = MiProtoAddressForKernelPte (ProtoPte); //关键地方1：

1: kd> p
nt!MmMapViewInSystemCache+0x3ee:
80aaf0e0 8b4510 mov eax,dword ptr [ebp+10h]
1: kd> p
nt!MmMapViewInSystemCache+0x3f1:
80aaf0e3 2b052850b180 sub eax,dword ptr [nt!MmPagedPoolStart (80b15028)]
1: kd> r
eax=e1009c00

1: kd> p
nt!MmMapViewInSystemCache+0x411:
80aaf103 894d08 mov dword ptr [ebp+8],ecx
1: kd> r
eax=00027000 ebx=898ff908 ecx=00027400

第九部分：

MI_WRITE_INVALID_PTE (PointerPte, PteContents); //关键地方2：

1: kd> p
nt!MmMapViewInSystemCache+0x506:
80aaf1f8 8906 mov dword ptr [esi],eax
1: kd> r
eax=00027400 ebx=898ff908 ecx=f78d6920 edx=e7f77906 esi=c0304200 edi=80b79030

1: kd> dd 0xc0304200
c0304200 00027400 00000000 00000000 00000000
c0304210 00000000 00000000 00000000 00000000
c0304220 00000000 00000000 00000000 00000000
c0304230 00000000 00000000 00000000 00000000
c0304240 00000000 00000000 00000000 00000000
c0304250 00000000 00000000 00000000 00000000
c0304260 00000000 00000000 00000000 00000000
c0304270 00000000 00000000 00000000 00000000

1: kd> !pte 0xc0304200
                 VA c1080000
PDE at C0300C10         PTE at C0304200
contains 0A03F963       contains 00027400
pfn a03f -G-DA--KWEV   not valid
                         Proto: E1009C00

第十部分：

1: kd> dd 0xc0304200
c0304200 00027400 00027402

1: kd> !pte 0xc0304204
                 VA c1081000
PDE at C0300C10         PTE at C0304204
contains 0A03F963       contains 00027402
pfn a03f -G-DA--KWEV   not valid
                         Proto: E1009C04

ProtoPte = 0xe1009c08

第十一部分：

1: kd> dd 0xc0304200
c0304200 00027400 00027402 00027404 00000000

1: kd> dd 0xc0304200
c0304200 00027400 00027402 00027404 00027406
c0304210 00027408 0002740a 0002740c 0002740e
c0304220 00027410 00027412 00027414 00027416
c0304230 00027418 0002741a 0002741c 0002741e
c0304240 00027420 00027422 00027424 00027426
c0304250 00027428 0002742a 0002742c 0002742e
c0304260 00027430 00027432 00027434 00027436
c0304270 00027438 0002743a 0002743c 0002743e

dv
ProtoPte = 0xe1009c80

1: kd> dd 0xc0304200+80
c0304280 00027440 00027442 00027444 00027446
c0304290 00027448 0002744a 0002744c 0002744e
c03042a0 00027450 00027452 00027454 00027456
c03042b0 00027458 0002745a 0002745c 0002745e
c03042c0 00027460 00027462 00027464 00027466
c03042d0 00027468 0002746a 0002746c 0002746e
c03042e0 00027470 00027472 00027474 00027476
c03042f0 00027478 0002747a 0002747c 0002747e

ProtoPte = 0xe1009cfc

1: kd> dd 0xe1009c00
e1009c00 fcfe94c2 fcfe94c2 fcfe94c2 fcfe94c2
e1009c10 fcfe94c2 fcfe94c2 fcfe94c2 fcfe94c2
e1009c20 fcfe94c2 fcfe94c2 fcfe94c2 fcfe94c2
e1009c30 fcfe94c2 fcfe94c2 fcfe94c2 fcfe94c2
e1009c40 fcfe94c2 fcfe94c2 fcfe94c2 fcfe94c2
e1009c50 fcfe94c2 fcfe94c2 fcfe94c2 fcfe94c2
e1009c60 fcfe94c2 fcfe94c2 fcfe94c2 fcfe94c2
e1009c70 fcfe94c2 fcfe94c2 fcfe94c2 fcfe94c2
1: kd> dd 0xe1009c00+80
e1009c80 fcfe94c2 fcfe94c2 fcfe94c2 fcfe94c2
e1009c90 fcfe94c2 fcfe94c2 fcfe94c2 fcfe94c2
e1009ca0 fcfe94c2 fcfe94c2 fcfe94c2 fcfe94c2
e1009cb0 fcfe94c2 fcfe94c2 fcfe94c2 fcfe94c2
e1009cc0 fcfe94c2 fcfe94c2 fcfe94c2 fcfe94c2
e1009cd0 fcfe94c2 fcfe94c2 fcfe94c2 fcfe94c2
e1009ce0 fcfe94c2 fcfe94c2 fcfe94c2 fcfe94c2
e1009cf0 fcfe94c2 fcfe94c2 fcfe94c2 fcfe94c2

1: kd> p
nt!MmMapViewInSystemCache+0x50f:
80aaf201 3b750c          cmp     esi,dword ptr [ebp+0Ch]
1: kd> r
eax=0002747e ebx=898ff908 ecx=f78d6920 edx=e7f77906 esi=c0304300 edi=80b88f00
eip=80aaf201 esp=f78d6910 ebp=f78d6930 iopl=0         nv up ei ng nz ac pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000             efl=00000296
nt!MmMapViewInSystemCache+0x50f:
80aaf201 3b750c          cmp     esi,dword ptr [ebp+0Ch] ss:0010:f78d693c=c0304300
1: kd> dd f78d6930+c
f78d693c c0304300