nt!MiRemovePageByColor函数分析之脱链和刷新颜色表

第0部分：背景

PFN_NUMBER
FASTCALL
MiRemoveZeroPage (
    IN ULONG Color
    )
{

        ASSERT (Color < MmSecondaryColors);
        Page = FreePagesByColor[Color].Flink;

        if (Page != MM_EMPTY_LIST) {

            //
            // Remove the first entry on the zeroed by color list.
            //

            Page = MiRemovePageByColor (Page, Color);

第一部分：

1: kd> p
nt!MiRemoveZeroPage+0x11a:
80ac89b6 e825e4ffff      call    nt!MiRemovePageByColor (80ac6de0)
1: kd> t
nt!MiRemovePageByColor:
80ac6de0 55              push    ebp
1: kd> kc
 #
00 nt!MiRemovePageByColor
01 nt!MiRemoveZeroPage
02 nt!MiPfPutPagesInTransition
03 nt!MmPrefetchPages
04 nt!CcPfPrefetchSections
05 nt!CcPfBootWorker
06 nt!PspSystemThreadStartup
07 nt!KiThreadStartup

1: kd> dv
           Page = 0x7b19b
          Color = 0x1b
           Next = 0
       ListName = 0n-150603048 (No matching enumerant)

1: kd> dd 81000000+0x7b19b*18
81b8a688  0007b19a 001ec66c 0007b19c 00003000
81b8a698  0007b15b 03ffffff

第二部分：预分析1

   +0x00c u3               : __unnamed
      +0x000 e1               : _MMPFNENTRY
         +0x000 Modified         : Pos 0, 1 Bit
         +0x000 ReadInProgress   : Pos 1, 1 Bit
         +0x000 WriteInProgress  : Pos 2, 1 Bit
         +0x000 PrototypePte     : Pos 3, 1 Bit
         +0x000 PageColor        : Pos 4, 4 Bits    0000
         +0x000 PageLocation     : Pos 8, 3 Bits    000            ZeroedPageList (0)

1: kd> x nt!MmPageLocationList
80b14d04          nt!MmPageLocationList = struct _MMPFNLIST *[8]
1: kd> dx -r1 (*((ntkrnlmp!_MMPFNLIST * (*)[8])0x80b14d04))
(*((ntkrnlmp!_MMPFNLIST * (*)[8])0x80b14d04))                 [Type: _MMPFNLIST * [8]]
    [0]              : 0x80b14c94 [Type: _MMPFNLIST *]
    [1]              : 0x80b14ca4 [Type: _MMPFNLIST *]
    [2]              : 0x80b14cb4 [Type: _MMPFNLIST *]
    [3]              : 0x80b14cc4 [Type: _MMPFNLIST *]
    [4]              : 0x80b14cd4 [Type: _MMPFNLIST *]
    [5]              : 0x80b14ce4 [Type: _MMPFNLIST *]
    [6]              : 0x0 [Type: _MMPFNLIST *]
    [7]              : 0x0 [Type: _MMPFNLIST *]
1: kd> dx -r1 ((ntkrnlmp!_MMPFNLIST *)0x80b14c94)
((ntkrnlmp!_MMPFNLIST *)0x80b14c94)                 : 0x80b14c94 [Type: _MMPFNLIST *]
    [+0x000] Total            : 0x70e85 [Type: unsigned long]
    [+0x004] ListName         : ZeroedPageList (0) [Type: _MMLISTS]
    [+0x008] Flink            : 0xed7 [Type: unsigned long]
    [+0x00c] Blink            : 0xa130 [Type: unsigned long]

第三部分：预分析2

1: kd> dd 81000000+0x7b19b*18
81b8a688  0007b19a 001ec66c 0007b19c 00003000
81b8a698  0007b15b 03ffffff

    Next = Pfn1->u1.Flink;    0007b19a
    Pfn1->u1.Flink = 0;         // Assumes Flink width is >= WsIndex width
    Previous = Pfn1->u2.Blink;    0007b19c
    Pfn1->u2.Blink = 0;

第四部分：预分析3

#define MM_EMPTY_LIST ((ULONG)0xFFFFFFFF) //

    ColorHead->Flink = (PFN_NUMBER) Pfn1->OriginalPte.u.Long;
    if (ColorHead->Flink != MM_EMPTY_LIST) {
        MI_PFN_ELEMENT (ColorHead->Flink)->u4.PteFrame = MM_EMPTY_LIST;
    }

1: kd> dt _MMCOLOR_TABLES 0x81c00000+1b*c
nt!_MMCOLOR_TABLES
   +0x000 Flink            : 0x7b19b
   +0x004 Blink            : 0x810f2688 Void
   +0x008 Count            : 0x1c35

1: kd> dd 81000000+0007b15b*18
81b8a088  0007b15a 001ec56c 0007b15c 00003000
81b8a098  0007b11b 0007b19b

第五部分：调试

    Pfn1 = MI_PFN_ELEMENT (Page);81b8a688
    NodeColor = Pfn1->u3.e1.PageColor;

1: kd> p
nt!MiRemovePageByColor+0x48:
80ac6e28 8b7e0c          mov     edi,dword ptr [esi+0Ch]
1: kd> r
eax=001714d1 ebx=0000001b ecx=81000000 edx=0000001b esi=81b8a688

1: kd> dd 81b8a688
81b8a688  0007b19a 001ec66c 0007b19c 00003000
81b8a698  0007b15b 03ffffff

    ListHead = MmPageLocationList[Pfn1->u3.e1.PageLocation];    0
    ListName = ListHead->ListName;                ZeroedPageList (0)        

1: kd> p
nt!MiRemovePageByColor+0x88:
80ac6e68 83e007          and     eax,7
1: kd> p
nt!MiRemovePageByColor+0x8b:
80ac6e6b 8b0485044db180  mov     eax,dword ptr nt!MmPageLocationList (80b14d04)[eax*4]
1: kd> r
eax=00000000

1: kd> x nt!MmPageLocationList
80b14d04          nt!MmPageLocationList = struct _MMPFNLIST *[8]
1: kd> dx -r1 (*((ntkrnlmp!_MMPFNLIST * (*)[8])0x80b14d04))
(*((ntkrnlmp!_MMPFNLIST * (*)[8])0x80b14d04))                 [Type: _MMPFNLIST * [8]]
    [0]              : 0x80b14c94 [Type: _MMPFNLIST *]
    [1]              : 0x80b14ca4 [Type: _MMPFNLIST *]
    [2]              : 0x80b14cb4 [Type: _MMPFNLIST *]
    [3]              : 0x80b14cc4 [Type: _MMPFNLIST *]
    [4]              : 0x80b14cd4 [Type: _MMPFNLIST *]
    [5]              : 0x80b14ce4 [Type: _MMPFNLIST *]
    [6]              : 0x0 [Type: _MMPFNLIST *]
    [7]              : 0x0 [Type: _MMPFNLIST *]
1: kd> dx -r1 ((ntkrnlmp!_MMPFNLIST *)0x80b14c94)
((ntkrnlmp!_MMPFNLIST *)0x80b14c94)                 : 0x80b14c94 [Type: _MMPFNLIST *]
    [+0x000] Total            : 0x70e85 [Type: unsigned long]
    [+0x004] ListName         : ZeroedPageList (0) [Type: _MMLISTS]
    [+0x008] Flink            : 0xed7 [Type: unsigned long]
    [+0x00c] Blink            : 0xa130 [Type: unsigned long]

第六部分：

1: kd> p
nt!MiRemovePageByColor+0x95:
80ac6e75 ff08            dec     dword ptr [eax]
1: kd> r
eax=80b14c94

    ListHead->Total -= 1;

1: kd> dx -r1 ((ntkrnlmp!_MMPFNLIST *)0x80b14c94)
((ntkrnlmp!_MMPFNLIST *)0x80b14c94)                 : 0x80b14c94 [Type: _MMPFNLIST *]
    [+0x000] Total            : 0x70e84 [Type: unsigned long]
    [+0x004] ListName         : ZeroedPageList (0) [Type: _MMLISTS]
    [+0x008] Flink            : 0xed7 [Type: unsigned long]
    [+0x00c] Blink            : 0xa130 [Type: unsigned long]

第七部分：

    Next = Pfn1->u1.Flink;
    Pfn1->u1.Flink = 0;         // Assumes Flink width is >= WsIndex width
    Previous = Pfn1->u2.Blink;
    Pfn1->u2.Blink = 0;

1: kd> dd 81b8a688
81b8a688  00000000 001ec66c 00000000 00003000
81b8a698  0007b15b 03ffffff

    else {
        Pfn2 = MI_PFN_ELEMENT(Next);
        Pfn2->u2.Blink = Previous;
    }

1: kd> dd 81000000+0x7b19a*18
81b8a670  0007b199 001ec668 0007b19b 00003000
81b8a680  0007b15a 0007b1da

    else {
        Pfn2 = MI_PFN_ELEMENT(Next);
        Pfn2->u2.Blink = Previous;
    }
1: kd> dd 81000000+0x7b19a*18
81b8a670  0007b199 001ec668 0007b19c 00003000
81b8a680  0007b15a 0007b1da

    else {
        Pfn2 = MI_PFN_ELEMENT(Previous);
        Pfn2->u1.Flink = Next;
    }

1: kd> dd 81000000+0x7b19c*18
81b8a6a0  0007b19a 001ec670 0007b19d 00003000
81b8a6b0  0007b15c 0007b1dc

u1和u2脱链完成。

第八部分：

   Pfn1->u3.e2.ShortFlags = 0;
    Pfn1->u3.e1.PageColor = NodeColor;
    Pfn1->u3.e1.CacheAttribute = MiNotMapped;

typedef enum _MI_PFN_CACHE_ATTRIBUTE {
    MiNonCached,                    0
    MiCached,                    1
    MiWriteCombined,                2
    MiNotMapped                    3
} MI_PFN_CACHE_ATTRIBUTE, *PMI_PFN_CACHE_ATTRIBUTE;

1: kd> dd 81000000+0x7b19b*18
81b8a688  00000000 001ec66c 00000000 00003000
81b8a698  0007b15b 03ffffff

   +0x00c u3               : __unnamed
      +0x000 e1               : _MMPFNENTRY
         +0x000 Modified         : Pos 0, 1 Bit
         +0x000 ReadInProgress   : Pos 1, 1 Bit
         +0x000 WriteInProgress  : Pos 2, 1 Bit
         +0x000 PrototypePte     : Pos 3, 1 Bit
         +0x000 PageColor        : Pos 4, 4 Bits
         +0x000 PageLocation     : Pos 8, 3 Bits
         +0x000 RemovalRequested : Pos 11, 1 Bit
         +0x000 CacheAttribute   : Pos 12, 2 Bits            11=3

第九部分：

    //
    // Update the color lists.
    //

    ASSERT (Color < MmSecondaryColors);

    ColorHead = &MmFreePagesByColor[ListName][Color];
    ASSERT (ColorHead->Count >= 1);
    ColorHead->Flink = (PFN_NUMBER) Pfn1->OriginalPte.u.Long;
    if (ColorHead->Flink != MM_EMPTY_LIST) {
        MI_PFN_ELEMENT (ColorHead->Flink)->u4.PteFrame = MM_EMPTY_LIST;
    }

1: kd> dt _MMCOLOR_TABLES 0x81c00000+1b*c
nt!_MMCOLOR_TABLES
   +0x000 Flink            : 0x7b19b
   +0x004 Blink            : 0x810f2688 Void
   +0x008 Count            : 0x1c35

1: kd> p
nt!MiRemovePageByColor+0x181:
80ac6f61 8d3c81          lea     edi,[ecx+eax*4]
1: kd> pr
eax=00000051 ebx=0000001b ecx=81c00000 edx=81000000 esi=81b8a688 edi=81c00144

1: kd> dd 0x81c00000+1b*c
81c00144  0007b19b 810f2688 00001c35

    ColorHead->Flink = (PFN_NUMBER) Pfn1->OriginalPte.u.Long;    =0007b15b

1: kd> dd 81000000+0x7b19b*18
81b8a688  00000000 001ec66c 00000000 00003000
81b8a698  0007b15b 03ffffff

1: kd> dt _MMCOLOR_TABLES 0x81c00000+1b*c
nt!_MMCOLOR_TABLES
   +0x000 Flink            : 0x7b15b
   +0x004 Blink            : 0x810f2688 Void
   +0x008 Count            : 0x1c35

1: kd> dd 81000000+0x7b15b*18
81b8a088  0007b15a 001ec56c 0007b15c 00003000
81b8a098  0007b11b 0007b19b

    if (ColorHead->Flink != MM_EMPTY_LIST) {
        MI_PFN_ELEMENT (ColorHead->Flink)->u4.PteFrame = MM_EMPTY_LIST;
    }
1: kd> dd 81000000+0x7b15b*18
81b8a088  0007b15a 001ec56c 0007b15c 00003000
81b8a098  0007b11b 03ffffff

第十部分：

    ColorHead->Count -= 1;

1: kd> dt _MMCOLOR_TABLES 0x81c00000+1b*c
nt!_MMCOLOR_TABLES
   +0x000 Flink            : 0x7b15b
   +0x004 Blink            : 0x810f2688 Void
   +0x008 Count            : 0x1c34

第十一部分：

1: kd> p
nt!MiRemovePageByColor+0x213:
80ac6ff3 c9              leave
1: kd> r
eax=0007b19b

1: kd> dd 81000000+0x7b19b*18
81b8a688  00000000 001ec66c 00000000 00003000
81b8a698  0007b15b 03ffffff