windbg: manually finding the physical address of "hello world" to verify the paging mechanism
Windows (32-bit) has 2 paging modes:
- non-PAE mode (10-10-12 split, 4-byte entries)
- Physical Address Extension mode (PAE; 2-9-9-12 split, 8-byte entries)
Test environment:
Dual-machine kernel debugging; host: Windows 10 x64
Target: VMware + Windows 10 x86 + WinDbg + a 32-bit test exe
The 32-bit test program's code is as follows:
WinDbg experiment in PAE mode
1. Run the 32-bit program (as shown below):
2. In WinDbg, enter the following commands in order:
1. !process 0 0 quicksort.exe
PROCESS 94485040 SessionId: 1 Cid: 1320 Peb: 0072f000 ParentCid: 1110
DirBase: bfff8300 ObjectTable: aa7a4b40 HandleCount: 40.
Image: quicksort.exe
2. .process -i 94485040
You need to continue execution (press 'g' <enter>) for the context
to be switched. When the debugger breaks in again, you will be in
the new process context.
3: kd> g
Break instruction exception - code 80000003 (first chance)
nt!RtlpBreakWithStatusInstruction:
821680e4 cc int 3
3. !vtop 0 0x00A08A2C /* print the physical address behind the process virtual address; the first argument 0 means "use the current process's page directory"
X86VtoP: Virt 0000000000a08a2c, pagedir 00000000bfff8300
X86VtoP: PAE PDPE 00000000bfff8300 - 00000000967e8801
X86VtoP: PAE PDE 00000000967e8028 - 00000000881d8867
X86VtoP: PAE PTE 00000000881d8040 - 800000006ca83105
X86VtoP: PAE Mapped phys 000000006ca83a2c
Virtual address a08a2c translates to physical address 6ca83a2c.
4. du 0x00A08A2C
00a08a2c "Hello world! this is a test!@#"
5. .formats 0x00A08A2C
Evaluate expression:
Hex: 00a08a2c
Decimal: 10521132
Octal: 00050105054
Binary: 00000000 10100000 10001010 00101100
Chars: ...,
Time: Sun May 3 02:32:12 1970
Float: low 1.47432e-038 high 0
Double: 5.19813e-317
Under PAE the 32-bit virtual address is split into 4 fields:
- page-directory-pointer index (2 bits)
- page-directory index (9 bits)
- page-table index (9 bits)
- page offset (12 bits)
i.e. 2-9-9-12.
Note that in non-PAE mode each page-directory and page-table entry is 4 bytes (10-10-12 split), whereas in PAE mode each entry is 8 bytes, so the lookups below use !dq (8-byte physical reads) rather than !dd.
The low 12 bits of every entry are flags (bit 0 = Present, bit 1 = R/W, bit 2 = User, bit 5 = Accessed, bit 6 = Dirty) and in PAE bit 63 is NX; mask them off to obtain the physical base of the next-level table or of the final page.
6. Split per 2-9-9-12: 00 000000101 000001000 101000101100 -> 0, 0x5, 0x8, 0xa2c (PDPT index 0, PD index 5, PT index 8, page offset 0xa2c)
7. !dq bfff8300 + 8*0
#bfff8300 00000000`967e8801 00000000`94ce9801
#bfff8310 00000000`7daea801 00000000`981d0801
#bfff8320 00000000`967e8801 00000000`94ce9801
#bfff8330 00000000`be900801 00000000`96bcf801
#bfff8340 00000000`25fd9801 00000000`883da801
#bfff8350 00000000`84bdb801 00000000`847bd801
#bfff8360 00000000`25fd9801 00000000`883da801
#bfff8370 00000000`be900801 00000000`00000000
8. !dq 00000000`967e8000 + 8*0x5
#967e8028 00000000`881d8867 00000000`00000000
#967e8038 00000000`00000000 00000000`00000000
#967e8048 00000000`00000000 00000000`00000000
#967e8058 00000000`00000000 00000000`00000000
#967e8068 00000000`00000000 00000000`00000000
#967e8078 00000000`00000000 00000000`00000000
#967e8088 00000000`00000000 00000000`00000000
#967e8098 00000000`00000000 00000000`00000000
9. !dq 00000000`881d8000 + 8*0x8
#881d8040 80000000`6ca83125 a4f52fa0`00000400
#881d8050 80000000`378f6947 80000000`9cb43947
#881d8060 80000000`6ab4a105 00000000`00000000
#881d8070 00000000`00000000 00000000`00000000
#881d8080 80000000`3c6c8105 80000000`3c6c7105
#881d8090 80000000`3c6c6105 80000000`3c6c5105
#881d80a0 80000000`3c6c4105 80000000`3c1c3105
#881d80b0 00000000`00000000 00000000`00000000
The PTE 80000000`6ca83125 differs from the 6ca83105 printed by !vtop only in bit 5 (Accessed), which was set when the du above touched the page; bit 1 (R/W) is clear and bit 63 (NX) is set, so the string lives in a read-only, non-executable page. Masking the flags leaves the physical page 6ca83000; add the 12-bit offset:
10. !db 00000000`6ca83000 + 0xa2c
#6ca83a2c 48 00 65 00 6c 00 6c 00-6f 00 20 00 77 00 6f 00 H.e.l.l.o. .w.o.
#6ca83a3c 72 00 6c 00 64 00 21 00-20 00 74 00 68 00 69 00 r.l.d.!. .t.h.i.
#6ca83a4c 73 00 20 00 69 00 73 00-20 00 61 00 20 00 74 00 s. .i.s. .a. .t.
#6ca83a5c 65 00 73 00 74 00 21 00-40 00 23 00 00 00 00 00 [email protected]#.....
#6ca83a6c 70 00 54 00 65 00 6d 00-70 00 20 00 3d 00 20 00 p.T.e.m.p. .=. .
#6ca83a7c 30 00 78 00 25 00 70 00-20 00 0a 00 00 00 00 00 0.x.%.p. .......
#6ca83a8c 00 00 00 00 33 ef 59 5f-00 00 00 00 02 00 00 00 ....3.Y_........
#6ca83a9c 54 00 00 00 dc 8b 01 00-dc 75 01 00 00 00 00 00 T........u......
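The 2-9-9-12 split (and the 10-10-12 non-PAE split mentioned at the start) together with the table walk of steps 6 to 10, as one runnable script. This is an added example and not code from the original post: physical memory is modelled by a constructed dict holding only the three qwords dumped with !dq above, so any address the page did not dump fails deliberately instead of being guessed. The large-page branch (PDE with PS set) is included for completeness; the page's own data does not exercise it.

```python
# Added example (not from the original post): replay the PAE page walk
# offline, using only the 8-byte entries dumped with !dq in the steps above.

PAE_ADDR_MASK = 0x000F_FFFF_FFFF_F000   # bits 12..51 of a PAE PDPTE/PDE/PTE
PAE_LARGE_MASK = 0x000F_FFFF_FFE0_0000  # bits 21..51 of a 2 MiB (PS=1) PDE

# Flag bits (Intel SDM, 32-bit paging with PAE)
P, RW, US, A, D, PS, NX = 1 << 0, 1 << 1, 1 << 2, 1 << 5, 1 << 6, 1 << 7, 1 << 63


def split_pae(va):
    """2-9-9-12 split of a 32-bit virtual address under PAE."""
    if not 0 <= va < 1 << 32:
        raise ValueError("virtual addresses are still 32-bit under PAE")
    return (va >> 30) & 0x3, (va >> 21) & 0x1FF, (va >> 12) & 0x1FF, va & 0xFFF


def split_non_pae(va):
    """10-10-12 split used when PAE is off (two levels, 4-byte entries)."""
    return (va >> 22) & 0x3FF, (va >> 12) & 0x3FF, va & 0xFFF


# Constructed "physical memory": exactly the qwords read with !dq above,
# keyed by physical address. Anything else counts as not dumped.
PHYS = {
    0xBFFF8300: 0x00000000_967E8801,  # PDPTE[0] at DirBase + 8*0
    0x967E8028: 0x00000000_881D8867,  # PDE[5]   at 967e8000 + 8*5
    0x881D8040: 0x80000000_6CA83125,  # PTE[8]   at 881d8000 + 8*8
}


def read_qword(pa):
    """Stand-in for an 8-byte physical read (!dq)."""
    if pa not in PHYS:
        raise LookupError(f"physical address {pa:#x} was not dumped")
    return PHYS[pa]


def describe(entry, is_pde=False):
    """Flag list for an entry, e.g. 'P US A NX'. Bit 7 is PS only in a PDE (PAT in a PTE)."""
    names = [n for b, n in ((P, "P"), (RW, "RW"), (US, "US"), (A, "A"), (D, "D")) if entry & b]
    if is_pde and entry & PS:
        names.append("PS")
    if entry & NX:
        names.append("NX")
    return " ".join(names)


def walk_pae(dirbase, va, read=read_qword):
    """Translate va the way !vtop does; returns (physical address, final entry)."""
    pdpt_i, pd_i, pt_i, off = split_pae(va)

    pdpte = read(dirbase + 8 * pdpt_i)
    if not pdpte & P:
        raise ValueError(f"PDPTE[{pdpt_i}] not present: {pdpte:#x}")

    pde = read((pdpte & PAE_ADDR_MASK) + 8 * pd_i)
    if not pde & P:
        raise ValueError(f"PDE[{pd_i}] not present: {pde:#x}")
    if pde & PS:  # 2 MiB large page: no page table, 21-bit offset
        return (pde & PAE_LARGE_MASK) | (va & 0x1F_FFFF), pde

    pte = read((pde & PAE_ADDR_MASK) + 8 * pt_i)
    if not pte & P:
        raise ValueError(f"PTE[{pt_i}] not present: {pte:#x}")
    return (pte & PAE_ADDR_MASK) | off, pte


if __name__ == "__main__":
    va, dirbase = 0x00A08A2C, 0xBFFF8300
    print("2-9-9-12 split:", [hex(x) for x in split_pae(va)])
    pa, pte = walk_pae(dirbase, va)
    print(f"{va:#x} -> {pa:#x}  PTE {pte:#x} [{describe(pte)}]")
```

The walk stops with a ValueError at the first non-present entry, which is what !vtop reports as an unmapped address; the flags of the final PTE are the quickest way to see that the string is in a read-only (no RW) and non-executable (NX) page.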
To be continued...