Exploring Windows 2000 Memory

Macros and Constants

The definitions in Listing 4-5 are supplements to the structures in Listings 4-2 to 4-4 and make the work with i386 memory management easier. They can be subdivided into three main groups. The first group handles linear addresses:

1. X86_PAGE_MASK, X86_PDI_MASK, and X86_PTI_MASK are bit masks that isolate the constituent parts of linear addresses. They are based on the constants PAGE_SHIFT (12), PDI-SHIFT (22), and PTI-SHIFT (12), defined in the Windows 2000 DDK header file ntddk.h. X86_PAGE_MASK evaluates to 0xFFFFF000, effectively masking off the 4-KB offset part of a linear address (cf. X86_LINEAR_4K). X86_PDI_MASK is equal to 0xFFC00000 and obviously extracts the 10 topmost PDI bits of a linear address (cf. X86_LINEAR_4M and X86_LINEAR_4K). X86_PTI_MASK evaluates to 0x003FF0000 and masks off all bits except for the page-table index (PTI) bits of a linear address (cf. X86_LINEAR_4K).

Listing 4-4. i386 Linear Addresses

// =================================================================
// INTEL X86 STRUCTURES, PART 3 OF 3
// =================================================================

typedef struct _X86_LINEAR_4M // linear address (4-MB page)
    {
    union
        {
        struct
            {
            PVOID pAddress;       // packed address
            };
        struct
            {
            unsigned Offset : 22; // offset into page
            unsigned PDI    : 10; // page-directory index
            };
        };
    }
    X86_LINEAR_4M, *PX86_LINEAR_4M, **PPX86_LINEAR_4M;

#define X86_LINEAR_4M_ sizeof (X86_LINEAR_4M)

// -----------------------------------------------------------------

typedef struct _X86_LINEAR_4K // linear address (4-KB page)
    {
    union
        {
        struct
            {
            PVOID pAddress;       // packed address
            };
        struct
            {
            unsigned Offset : 12; // offset into page
            unsigned PTI    : 10; // page-table index
            unsigned PDI    : 10; // page-directory index
            };
        };
    }
    X86_LINEAR_4K, *PX86_LINEAR_4K, **PPX86_LINEAR_4K;

#define X86_LINEAR_4K_ sizeof (X86_LINEAR_4K)

// -----------------------------------------------------------------

typedef struct _X86_LINEAR // general linear address
    {
    union
        {        PVOID         pAddress; // packed address
        X86_LINEAR_4M linear4M; // linear address (4-MB page)
        X86_LINEAR_4K linear4K; // linear address (4-KB page)
        };
    }
    X86_LINEAR, *PX86_LINEAR, **PPX86_LINEAR;

#define X86_LINEAR_ sizeof (X86_LINEAR)

// =================================================================

2. X86_PAGE(), X86_PDI(), and X86_PTI() use the above constants to compute the page index, PDI, or PTI of a given linear address. X86_PAGE() is typically used to read a PTE from the Windows 2000 PTE array starting at address 0xC0000000. X86_PDI() and X86_PTI() simply apply X86_PDI_MASK or X86_PTI_ MASK to the supplied pointer and shift the resulting index to the rightmost bit position.

3. X86_OFFSET_4M() and X86_OFFSET_4K() extract the offset portion of a 4-MB or 4-KB linear address, respectively.

4. X86_PAGE_4M and X86_PAGE_4K compute the sizes of 4-MB and 4-KB pages from the DDK constants PDI_SHIFT and PTI_SHIFT, resulting in X86_PAGE_4M = 4,194,304 and X86_PAGE_4K = 4,096. Note that X86_PAGE_4K is equivalent to the DDK constant PAGE_SIZE, also defined in ntddk.h.

5. X86_PAGES_4M and X86_PAGES_4K state the number of 4-MB or 4-KB pages fitting into the 4-GB linear address space. X86_PAGES_4M evaluates to 1,024, and X86_PAGES_4K to 1,048,576.

The second group of macros and constants relates to the Windows 2000 PDE and PTE arrays. Unlike several other system addresses, the base addresses of these arrays are not available as global variables set up at boot time, but are defined as constants. This can be proved easily by disassembling the memory manager API functions MmGetPhysicalAddress() or MmIsAddressValid(), where these addresses appear as "magic numbers." These constants are not included in the DDK header files, but Listing 4-5 shows how they might have been defined.

• X86_PAGES is a hard-coded address and points, of course, to 0xC0000000, where the Windows 2000 PTE array starts.

• X86_PTE_ARRAY is equal to X86_PAGES, but typecasts the value to PX86_PE, that is, a pointer to an array of X86_PE page entry structures, as defined in Listing 4-2.

• X86_PDE_ARRAY is a tricky definition that computes the base address of the PDE array from the PTE array location, using the PTI_SHIFT constant. As explained earlier, the general formula for mapping a linear address to a PTE address is ((LinearAddress >> 12) * 4) + 0xC0000000, and the page-directory is located by setting LinearAddress to 0xC0000000. Nothing else is done by the definition of X86_PDE_ARRAY.

Listing 4-5. Additional i386 Memory Management Definitions

// =================================================================
// INTEL X86 MACROS & CONSTANTS
// =================================================================

#define X86_PAGE_MASK (0 - (1 << PAGE_SHIFT))
#define X86_PAGE(_p)  (((DWORD) (_p) & X86_PAGE_MASK) >> PAGE_SHIFT)

#define X86_PDI_MASK  (0 - (1 << PDI_SHIFT))
#define X86_PDI(_p)   (((DWORD) (_p) & X86_PDI_MASK) >> PDI_SHIFT)

#define X86_PTI_MASK  ((0 - (1 << PTI_SHIFT)) & ~X86_PDI_MASK)
#define X86_PTI(_p)   (((DWORD) (_p) & X86_PTI_MASK) >> PTI_SHIFT)

#define X86_OFFSET_4M(_p) ((_p) & ~(X86_PDI_MASK               ))
#define X86_OFFSET_4K(_p) ((_p) & ~(X86_PDI_MASK | X86_PTI_MASK))

#define X86_PAGE_4M   (1 << PDI_SHIFT)
#define X86_PAGE_4K   (1 << PTI_SHIFT)

#define X86_PAGES_4M  (1 << (32 - PDI_SHIFT))
#define X86_PAGES_4K  (1 << (32 - PTI_SHIFT))

// -----------------------------------------------------------------

#define X86_PAGES         0xC0000000
#define X86_PTE_ARRAY     ((PX86_PE) X86_PAGES)
#define X86_PDE_ARRAY     (X86_PTE_ARRAY + (X86_PAGES >> PTI_SHIFT))

// -----------------------------------------------------------------

#define X86_SELECTOR_RPL            0x0003
#define X86_SELECTOR_TI             0x0004
#define X86_SELECTOR_INDEX          0xFFF8
#define X86_SELECTOR_SHIFT          3

#define X86_SELECTOR_LIMIT          (X86_SELECTOR_INDEX >> \
                                     X86_SELECTOR_SHIFT)

// -----------------------------------------------------------------

#define X86_DESCRIPTOR_SYS_TSS16A       0x1
#define X86_DESCRIPTOR_SYS_LDT          0x2
#define X86_DESCRIPTOR_SYS_TSS16B       0x3
#define X86_DESCRIPTOR_SYS_CALL16       0x4
#define X86_DESCRIPTOR_SYS_TASK         0x5
#define X86_DESCRIPTOR_SYS_INT16        0x6
#define X86_DESCRIPTOR_SYS_TRAP16       0x7
#define X86_DESCRIPTOR_SYS_TSS32A       0x9
#define X86_DESCRIPTOR_SYS_TSS32B       0xB
#define X86_DESCRIPTOR_SYS_CALL32       0xC
#define X86_DESCRIPTOR_SYS_INT32        0xE
#define X86_DESCRIPTOR_SYS_TRAP32       0xF

// -----------------------------------------------------------------

#define X86_DESCRIPTOR_APP_ACCESSED     0x1
#define X86_DESCRIPTOR_APP_READ_WRITE   0x2
#define X86_DESCRIPTOR_APP_EXECUTE_READ 0x2
#define X86_DESCRIPTOR_APP_EXPAND_DOWN  0x4
#define X86_DESCRIPTOR_APP_CONFORMING   0x4
#define X86_DESCRIPTOR_APP_CODE         0x8

// =================================================================

The last two sections of Listing 4-5 handle selectors and special types of descriptors, and are complementary to Listing 4-2:

• X86_SELECTOR_RPL, X86_SELECTOR_TI, and X86_SELECTOR_INDEX are bit masks corresponding to the RPL, TI, and Index members of the X86_SELECTOR structures defined in Listing 4-2.

• X86_SELECTOR_SHIFT is a right-shift factor that right-aligns the value of the selector's Index member.

• X86_SELECTOR_LIMIT defines the maximum index value a selector can hold and is equal to 8,191. This value determines the maximum size of a descriptor table. Each selector index points to a descriptor, and each descriptor consists of 64 bits or 8 bytes (cf. X86_DESCRIPTOR in Listing 4-2), so the maximum descriptor table size amounts to 8,192 * 8 = 64 KB.

• The list of X86_DESCRIPTOR_SYS_* constants define values of a descriptor's Type member if its S-bit is zero, identifying it as a system descriptor. Please refer to Listing 4-2 for the bit-field layout of a descriptor, determined by the structure X86_DESCRIPTOR. The system descriptor types are described in detail in the Intel manuals (Intel 1999c, pp. 3-15f) and summarized in Table 4-1.

The X86_DESCRIPTOR_APP_* constants concluding Listing 4-5 apply to a descriptor's Type member if it is an application descriptor referring to a code or data segment, identified by a nonzero S-bit. Because application descriptor types can be characterized by independent properties reflected by the four type bits, the X86_DESCRIPTOR_APP_* constants are defined as single-bit masks, in which some bits are interpreted differently for data and code segments:

• X86_DESCRIPTOR_APP_ACCESSED is set if the segment has been accessed.

• X86_DESCRIPTOR_APP_READ_WRITE decides whether a data segment allows read-only or read/write access.

• X86_DESCRIPTOR_APP_EXECUTE_READ decides whether a code segment allows execute-only or execute/read access.

• X86_DESCRIPTOR_APP_DOWN is set for expand-down data segments, which is a property commonly exposed by stack segments.

• X86_DESCRIPTOR_APP_CONFORMING indicates whether a code segment is conforming, that is, whether it can be called by less privileged code (cf. Intel 1999c, pp. 4-13ff).

• X86_DESCRIPTOR_APP_CODE distinguishes code and data segments. Note that stack segments belong to the data segment category and must always be writable.

We will revisit system descriptors later when the memory spy application presented in the next sections is up and running. Table 4-1 also concludes a short introduction to i386 memory management. For more information on this topic, please refer to the original Intel Pentium manuals (Intel 1999a, 1999b, 1999c) or one of the secondary readings, such as Robert L. Hummel's great 80486 reference handbook (Hummel 1992).

Table 4-1. System Descriptor Types