How is EPROCESS DirBase generated, maybe "VAD tree root"?
Problem description
I dumped some process data. I got a DirBase value of 00030000. How does Windows generate this value? Does any AVL tree data structure at the beginning of the kernel give this data? I want to learn how a process is created internally in the kernel. What kind of global variables assign the DirBase, ObjectTable, etc. values?
Here is some sample windbg: !process fb667a00 7 PROCESS fb667a00 Cid: 0002 Peb: 00000000 ParentCid: 0000 DirBase: 00030000 ObjectTable: e1000f88 TableSize: 112.
When a process is created by the system, the system creates a new page directory for the process and assigns a number to the process page directory.
How does Windows assign that number? Is there an AVL tree data structure that has trees of free page tables and busy page tables?
And does the system allocate one page directory from that AVL tree?
Is there no documentation on how this mechanism works?
I want to learn how the page directory gets its data.
Recommended answer
DirBase is the physical address of a page directory. Each process has its own page directory; the address is stored in KPROCESS::DirectoryTableBase. When the OS activates a process, the value from KPROCESS::DirectoryTableBase is loaded into the CR3 register.
The page directory has the structure described in the Intel Developer Manual: http://wiki.osdev.org/Paging
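The translation the answer describes (DirBase loaded into CR3, then the page directory walked as in the Intel manual), as an added example that is not part of the original question or answer. It assumes classic 32-bit x86 paging without PAE; the function names, the physical memory image and every table entry are constructed for illustration, and only the 0x00030000 root comes from the dump above.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ENTRY_PRESENT 0x001u   /* bit 0: entry is valid */
#define PDE_LARGE     0x080u   /* bit 7 (PS): PDE maps a 4 MiB page directly */
#define MEM_SIZE      0x40000u /* constructed 256 KiB "physical memory" image */

static uint8_t phys_mem[MEM_SIZE];

/* Read a little-endian 32-bit entry; out-of-range reads act as not-present. */
static uint32_t read_phys32(uint32_t pa) {
    if (pa > MEM_SIZE - 4) return 0;
    return phys_mem[pa] | (uint32_t)phys_mem[pa + 1] << 8 |
           (uint32_t)phys_mem[pa + 2] << 16 | (uint32_t)phys_mem[pa + 3] << 24;
}

static void write_phys32(uint32_t pa, uint32_t v) {
    for (int i = 0; i < 4; i++) phys_mem[pa + i] = (uint8_t)(v >> (8 * i));
}

/* Walk the tables rooted at dir_base. Returns 0, or -1/-2 if PDE/PTE is absent. */
int translate(uint32_t dir_base, uint32_t va, uint32_t *pa_out) {
    uint32_t pd  = dir_base & 0xFFFFF000u;            /* CR3 bits 31:12 */
    uint32_t pde = read_phys32(pd + 4 * (va >> 22));  /* va bits 31:22 pick the PDE */
    if (!(pde & ENTRY_PRESENT)) return -1;
    if (pde & PDE_LARGE) {                            /* 4 MiB page: no page table */
        *pa_out = (pde & 0xFFC00000u) | (va & 0x003FFFFFu);
        return 0;
    }
    /* va bits 21:12 pick the PTE inside the page table the PDE points to */
    uint32_t pte = read_phys32((pde & 0xFFFFF000u) + 4 * ((va >> 12) & 0x3FFu));
    if (!(pte & ENTRY_PRESENT)) return -2;
    *pa_out = (pte & 0xFFFFF000u) | (va & 0xFFFu);    /* frame base + byte offset */
    return 0;
}

/* Constructed sample tables; only the 0x00030000 root is taken from the page. */
void build_sample(void) {
    memset(phys_mem, 0, sizeof phys_mem);
    write_phys32(0x30000u + 4 * 0x001u, 0x00031007u); /* PDE[1] -> table at 0x31000 */
    write_phys32(0x31000u + 4 * 0x234u, 0x00012005u); /* PTE[0x234] -> frame 0x12000 */
    write_phys32(0x30000u + 4 * 0x200u, 0x00400083u); /* PDE[0x200] -> 4 MiB page */
}

int main(void) {
    uint32_t pa = 0;
    build_sample();
    if (translate(0x00030000u, 0x00634567u, &pa) == 0) printf("PA %08x\n", (unsigned)pa);
    return 0;
}
```

The same walk is what a memory-forensics tool performs on a raw dump once it has recovered a process's DirectoryTableBase.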