Comments on triplefault.io: Exploring Windows virtual memory management
(comment feed, last updated 2021-08-19 15:22 -07:00; 5 comments, shown in chronological order)

Alex Ionescu, 2017-08-13 21:20 -07:00:

Nice basic overview. There are a few good books you may want to reference for readers that want to go deeper — “How Does It Page?” and “Windows Internals”.

FWIW, the table on my blog contains a much more accurate and up to date kernel address space as of Windows 8.1 and Windows 10 pre-Anniversary Update prior to KASLR. You may want to use that information over the older CM post... additionally WinDBG has the !vm 0x21 extension which will dump the Win10 KASLR address ranges. It’s worth talking about the different kernel system VA types for a better understanding of what goes on there (but I understand this post mostly focused on user mode).

One last comment — the working set does not describe the “full” set of pages that can be accessed without a page fault (note: a description of soft vs hard page faults may have been useful), but rather only those pages that are subject to paging. For example, AWE memory mappings and large pages never appear in the working set.

Michael VanKuipers, 2017-08-13 23:40 -07:00:

Hey Alex! Thanks a lot for reading it over.

I've added some of your suggestions, with attribution. Really appreciate it. The updated kernel address space layout just barely fits into the diagram - phew!

I do plan to talk about the kernel VA regions in more detail in a future article so I've left those descriptions out for now. Cheers!

Anonymous, 2017-08-19 06:19 -07:00:

Are shared pages pageable? If yes, how does the memory manager walk all currently active PTEs for the given page to mark them as invalid?

Alex Ionescu, 2017-08-19 06:23 -07:00:

Hi "Unknown",

Windows uses a concept called "Prototype PTE" (PPTE) to handle shared pages. Therefore, the "prototype" PTE is updated to become invalid, while all the regular PTEs will fault (as they normally do) with a special flag in the MMPTE indicating that this is a "ProtoPTE", at which point the address of the real PTE (inside of the SEGMENT structure part of the CONTROL_AREA) will be computed, which will show up as paged out (or on the standby list). It's pretty confusing, the book does an OK job having some diagrams around this :)

Anonymous, 2021-08-19 15:22 -07:00:

I once encountered an entirely zeroed PTE (all bits are 0), which after trying to access the VA, it returned a page and became valid.
I thought that completely zeroed PTEs are of unallocated VA, and if the page fault handler should consult the VAD tree, then the PTE should have at least some bits set (prototype).

The mentioned page was in the middle of the ".text" section of ntdll.dll mapped to smss.exe at session 0 (on Windows Server 2016, 14393).

Any idea what's the mechanism behind this zeroed PTE which actually does bring back a page when accessed?