1: kd> vertarget
Windows Server 2003 Kernel Version 3790 (Service Pack 2) MP (2 procs) Free x86 compatible
Product: Server, suite: Enterprise TerminalServer DataCenter SingleUserTS
Built by: 3790.srv03_sp2_gdr.101019-0340
Kernel base = 0x80800000 PsLoadedModuleList = 0x808a6ea8
1: kd> !process -1 0
PROCESS 87af3020 SessionId: 0 Cid: 0408 Peb: 7ffd3000 ParentCid: 03e8
DirBase: 17b881a0 ObjectTable: e1c63fb8 HandleCount: 539.
Image: explorer.exe
1: kd> r cr3,cr4,eip
cr3=17b881a0 cr4=000006b9 eip=808eebe0
1: kd> ? (cr4 & 0y010000)
Evaluate expression: 16 = 00000010 # PAE已开启 (note: the mask 0y010000 = 0x10 tests CR4 bit 4, which is PSE; PAE is CR4 bit 5 = 0x20 and is the bit checked in the second walk below — cr4=000006b9 has both set)
1: kd> !dq cr3 l4 # 查询PDPT
#17b881a0 00000000`13343801 00000000`133c4801
#17b881b0 00000000`133c5801 00000000`13346801
1: kd> .formats eip # 查看地址的16/2进制表示
Evaluate expression:
Hex: 808eebe0
Binary: 10000000 10001110 11101011 11100000
1: kd> !dq (00000000`133c5801 & 0`FFFFF000)+ 8*0y000000100 l2 # 定位PDE: 用VA高2位(bits 31..30 = 10)选出PDPT第2项(133c5801), 再用VA的bits 29..21(0y000000100)索引该页目录
#133c5020 00000000`008009e3 00000000`00a009e3
1: kd> ? ((00000000`008009e3 & 00000FFF)&0y10000000) # 判断PDE的LargePage位是否置上
Evaluate expression: 128 = 00000080
1: kd> !db (00000000`008009e3 & 0`FFFFF000)+(808eebe0 & 002FFFFF) l10 # 目的地址(VA->PA)处16B数据 (2MB large page: the page offset is the low 21 bits of the VA, i.e. mask 0x1FFFFF; 0x2FFFFF gives the same result here only because bit 21 of this VA is 0)
# 8eebe0 8b ff 55 8b ec 33 c0 50-50 50 ff 75 30 ff 75 2c ..U..3.PPP.u0.u,
1: kd> db 808eebe0 l10 # 目的地址处(VA)16B数据
808eebe0 8b ff 55 8b ec 33 c0 50-50 50 ff 75 30 ff 75 2c ..U..3.PPP.u0.u,
1: kd> !pte eip
VA 808eebe0
PDE at C0602020 PTE at C0404770
contains 00000000008009E3 contains 0000000000000000
pfn 800 -GLDA--KWEV LARGE PAGE pfn 8ee
1: kd> dq C0600000+8*(0`808eebe0>>0n21) l2
c0602020 00000000`008009e3 00000000`00a009e3
1: kd> dq C0000000+8*(0`808eebe0>>0n12) l2
c0404770 00000000`00000000 00000000`00000000
//-------------------------------------------------------------------------------
1: kd> r cr3,cr4,eip
cr3=17b881a0 cr4=000006b9 eip=7c956c79
1: kd> ? (cr4 & 0y100000)
Evaluate expression: 32 = 00000020 # PAE已开启
1: kd> !dq cr3 l4 # 查询PDPT
#17b881a0 00000000`13343801 00000000`133c4801
#17b881b0 00000000`133c5801 00000000`13346801
1: kd> .formats 7c956c79 # 查看地址的16/2进制表示
Evaluate expression:
Hex: 7c956c79
Binary: 01111100 10010101 01101100 01111001
1: kd> !dq (00000000`133c4801 & 0`FFFFF000)+8*0y111100100 l1 # 定位PDE
#133c4f20 00000000`12055867
1: kd> ? (00000000`12055867 & 000FFF)&0y10000000 # 判断PDE的LargePage位是否置上
Evaluate expression: 0 = 00000000 # 非LargePage
1: kd> !dq (00000000`12055867 & 0`FFFFF000)+8*0y101010110 l1 # 定位PTE
#12055ab0 00000000`177a4067
1: kd> !db (00000000`177a4067 & 0`FFFFF000)+0y110001111001 l10 # 目的地址(VA->PA)处16B数据
#177a4c79 c2 2c 00 90 b8 28 00 00-00 ba 00 03 fe 7f ff 12 .,...(..........
1: kd> db 7c956c79 l10 # 目的地址处(VA)16B数据
7c956c79 c2 2c 00 90 b8 28 00 00-00 ba 00 03 fe 7f ff 12 .,...(..........
1: kd> !pte 7c956c79
VA 7c956c79
PDE at C0601F20 PTE at C03E4AB0
contains 0000000012055867 contains 00000000177A4067
pfn 12055 ---DA--UWEV pfn 177a4 ---DA--UWEV
1: kd> dq C0600000+8*(7c956c79>>0n21) l1
c0601f20 00000000`12055867
1: kd> dq C0000000+8*(7c956c79>>0n12) l1
c03e4ab0 00000000`177a4067
//-------------------------------------------------------------------------------
//-------------------------------------------------------------------------------
0: kd> vertarget
Windows 7 Kernel Version 7601 (Service Pack 1) MP (2 procs) Free x64
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 7601.17514.amd64fre.win7sp1_rtm.101119-1850
Kernel base = 0xfffff800`03e13000 PsLoadedModuleList = 0xfffff800`04058e90
0: kd> !process -1 0
PROCESS fffffa8002aa2790
SessionId: 1 Cid: 0724 Peb: 7fffffdf000 ParentCid: 06a0
DirBase: 151ad000 ObjectTable: fffff8a0014477f0 HandleCount: 888.
Image: explorer.exe
0: kd> r cr3,rip
cr3=00000000151ad000 rip=fffff8000419b400
0: kd> .formats fffff8000419b400
Evaluate expression:
Hex: fffff800`0419b400
Binary: 11111111 11111111 11111000 00000000 00000100 00011001 10110100 00000000
0: kd> !dq 151ad000+8*0y111110000 l1
#151adf80 00000000`00199063
0: kd> !dq (00000000`00199063 & 0`FFFFF000)+8*0y000000000 l1
# 199000 00000000`00198063
0: kd> !dq (00000000`00198063 & 0`FFFFF000)+8*0y000100000 l1
# 198100 00000000`001e4063
0: kd> !dq (00000000`001e4063 & 0`FFFFF000)+8*0y110011011 l1
# 1e4cd8 0bc00000`0419b121
0: kd> !db (bc00000`0419b121 & 0`FFFFF000)+0y010000000000 l10
# 419b400 4c 8b dc 48 81 ec 88 00-00 00 33 c0 49 89 43 f0 L..H......3.I.C.
0: kd> db rip l10
fffff800`0419b400 4c 8b dc 48 81 ec 88 00-00 00 33 c0 49 89 43 f0 L..H......3.I.C.
0: kd> !pte rip
VA fffff8000419b400
PXE at FFFFF6FB7DBEDF80 PPE at FFFFF6FB7DBF0000 PDE at FFFFF6FB7E000100 PTE at FFFFF6FC00020CD8
contains 0000000000199063 contains 0000000000198063 contains 00000000001E4063 contains 0BC000000419B121
pfn 199 ---DA--KWEV pfn 198 ---DA--KWEV pfn 1e4 ---DA--KWEV pfn 419b -G--A--KREV
#define PXE_BASE 0xFFFFF6FB7DBED000UI64
#define PXE_SELFMAP 0xFFFFF6FB7DBEDF68UI64
#define PPE_BASE 0xFFFFF6FB7DA00000UI64
#define PDE_BASE 0xFFFFF6FB40000000UI64
#define PTE_BASE 0xFFFFF68000000000UI64
0: kd> dq 0xFFFFF6FB7DBED000+8*0y111110000 l1
fffff6fb`7dbedf80 00000000`00199063
0: kd> dq 0xFFFFF6FB7DA00000+8*0y111110000000000000 l1
fffff6fb`7dbf0000 00000000`00198063
0: kd> dq 0xFFFFF6FB40000000+8*0y111110000000000000000100000 l1
fffff6fb`7e000100 00000000`001e4063
0: kd> dq 0xFFFFF68000000000+8*0y111110000000000000000100000110011011 l1
fffff6fc`00020cd8 0bc00000`0419b121