|Using NuMega SoftICE|
Walking "page directory" with SoftICE - understanding "address context".A 32-bit application program running under Windows NT is given its own process space for its exclusive use. With this separation of address spaces, it eliminated a possibility of accessing physical momory that another application may be using.
This "process space" is also called "address context" and it is implemented by assigning a dedicated "page directory" to each application. Note that "page directory" is a term which is a part of the Intel x86 paging mechanism which Windows uses to implement its "virtual memory" functionality.
SoftICE "ADDR" command lists all the running processes and their "page directories". At any given moment, there can be only one "address context". The processor keeps track of current process by caching a "page directory address" in its control registers, CR3. Issue "CPU" command to see the content of CR3.
A "page directory" is a table of pointers to "page tables". (Yes, this is little confusing and you should refer to Intel x86 processor manual. It contains many useful diagrams.) Each "page table" is a table of pointers to "page frames". A page frame is a 4K-byte size "page" which contains actual bits.
Step-by-step walkThe following figure shows how to walk the page directory and page tables to get to the point where we see a memory mapped PE file of the sample program, "TryPage.exe" which owns this process space. Note that address values involved in those page related tables are in "physical address" format instead of "linear address" format. This is becuase these data structures implement "linear address" instead of using it. To view a physical memory location, you must first convert it to a "linear" address because SoftICE "D" command ("Dump memory") only takes address in "linear format". Use "PHYS" command to do the conversion.
|contact | guestbook | control panel|
|1998-2000 Tsuyoshi Watanabe. All rights reserved.|