/// <summary>
/// Records a not-valid (software) page table entry in the translation cache.
/// </summary>
/// <param name="spte">The software PTE decoded from the memory image.</param>
/// <param name="virtualAddress">Virtual address that the entry maps.</param>
/// <remarks>
/// Entries whose raw value is zero are skipped. A transition entry that is not a
/// prototype is stored with <c>RealEntry</c> as its physical address. Every other
/// non-zero entry (prototype entries included) is stored with the raw PTE value in
/// <c>PhysicalAddress</c> and <c>IsSoftware</c> set, so consumers must check
/// <c>IsSoftware</c> before treating that field as a readable physical address.
/// </remarks>
protected void ProcessSoftwareEntry(SoftwarePageTableEntry spte, ulong virtualAddress)
{
    // An all-zero entry carries no information worth caching.
    if (spte.Entry == 0)
    {
        return;
    }

    AddressRecord record;
    if (spte.IsTransition && !spte.IsPrototype)
    {
        record = new AddressRecord
        {
            VirtualAddress = virtualAddress,
            PhysicalAddress = spte.RealEntry,
            Size = 0x1000,
            Flags = spte.Flags
        };
    }
    else
    {
        record = new AddressRecord
        {
            VirtualAddress = virtualAddress,
            PhysicalAddress = spte.Entry, // full original entry, not a usable physical address
            Size = 0x1000,
            Flags = spte.Flags,
            IsSoftware = true
        };
    }

    _translationLookasideBuffer.Add(record);
}
/// <summary>
/// Formats a not-valid (software) page table entry as text for the address trace.
/// </summary>
/// <param name="entry">The software PTE to describe.</param>
/// <returns>
/// A header line followed by one of three sections: <c>[TRANSITION]</c>,
/// <c>[PROTO]</c> with the prototype address, or <c>[SOFTWARE]</c> with the
/// page-file and protection fields. The text always ends with a newline.
/// </returns>
string ProcessSoftwarePte(SoftwarePageTableEntry entry)
{
    // NOTE(review): this value is labelled [VAD] below; presumably it marks a
    // prototype PTE that has to be resolved through the VAD tree - confirm.
    const ulong VadMarker = 0xFFFFFFFF0000;

    System.Text.StringBuilder text = new System.Text.StringBuilder();
    text.Append("Software Page Table Entry\n");

    bool isTransition = entry.IsTransition;
    bool isPrototype = entry.IsPrototype;

    if (isPrototype)
    {
        ulong protoAddress = entry.ProtoAddress;
        text.Append("[PROTO]\n");
        text.Append("Proto Address: ").Append(protoAddress.ToString("x08"));
        if (protoAddress == VadMarker)
        {
            text.Append("[VAD]");
        }
    }
    else if (isTransition)
    {
        text.Append("[TRANSITION]");
    }
    else
    {
        // Neither transition nor prototype: the entry describes page-file backing.
        ulong pageFileHigh = entry.PageFileOffset;
        ulong pageFileLow = entry.PageFileNumber;
        ulong usedEntries = entry.UsedPageTableEntries;
        ulong protection = entry.Protection;

        text.Append("[SOFTWARE]\n");
        text.Append("Page File High: ").Append(pageFileHigh.ToString("x08"));
        text.Append("\nPage File Low: ").Append(pageFileLow.ToString("x08"));
        text.Append("\nProtection: ").Append(protection.ToString("x08"));
        text.Append("\nUsed Entries: ").Append(usedEntries.ToString("x08"));
    }

    // The header is always present, so the text is never empty at this point.
    text.Append("\n");
    return text.ToString();
}
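/// <summary>
/// Walks the four paging levels (PML4E, PDPTE, PDE, PTE) for a virtual address and
/// returns a textual trace of every entry visited.
/// </summary>
/// <param name="virtualAddress">The virtual address to translate.</param>
/// <returns>
/// The trace text. It ends at the first entry that is not in use, at a large page,
/// at a table that cannot be read, or with the resolved physical address.
/// </returns>
/// <remarks>
/// Every table pointer followed here is taken from the memory being analysed and is
/// only checked for its in-use bit. A damaged or deliberately altered image can
/// therefore point a level at an address that cannot be read, so each table read is
/// verified before an entry is decoded from it.
/// </remarks>
public override string TraceAddress(ulong virtualAddress)
{
    string output = "";
    output += "Tracing Virtual Address: 0x" + virtualAddress.ToString("x16") + "\n\n";
    output += "Directory Table Base: " + _dtb.ToString("x08") + "\n";

    // Keep bits 12..47 of the directory table base: the page-aligned table address.
    ulong pml4eAddress = ((UInt64)_dtb & 0x0000fffffffff000);

    // Each level is indexed by 9 bits of the virtual address; the low 12 bits are the page offset.
    ulong pml4eIndex = (virtualAddress & 0xff8000000000) >> 39;
    ulong pdpteIndex = (virtualAddress & 0x7fc0000000) >> 30;
    ulong pdeIndex = (virtualAddress & 0x3fe00000) >> 21;
    ulong pteIndex = (virtualAddress & 0x1ff000) >> 12;
    output += "P4[" + pml4eIndex + "] ";
    output += "PDPTE[" + pdpteIndex + "] ";
    output += "PDE[" + pdeIndex + "] ";
    output += "PTE[" + pteIndex + "] ";
    output += "Offset[" + (virtualAddress & 0xfff) + "]\n\n";

    // L4
    ulong pml4eEntry;
    if (!TryReadTraceEntry(pml4eAddress, pml4eIndex, out pml4eEntry))
    {
        output += "Unable to read page table @ 0x" + pml4eAddress.ToString("x08") + "\n\n";
        return output;
    }
    L4PageDirectoryEntry l4de = new L4PageDirectoryEntry(pml4eEntry);
    output += "pml4e value @ " + (pml4eAddress + pml4eIndex * 8).ToString("x08") + " is " + pml4eEntry.ToString("x08").PadRight(20) + "Flags: " + GetFlagString(l4de);
    if (!l4de.InUse)
    {
        output += "Entry Not In Use\n\n";
        return output;
    }

    // PDPTE
    ulong pdpteEntry;
    if (!TryReadTraceEntry(l4de.RealEntry, pdpteIndex, out pdpteEntry))
    {
        output += "Unable to read page table @ 0x" + l4de.RealEntry.ToString("x08") + "\n\n";
        return output;
    }
    PageDirectoryPointerTableEntry pdpte = new PageDirectoryPointerTableEntry(pdpteEntry);
    output += "pdpte value @ " + (l4de.RealEntry + pdpteIndex * 8).ToString("x08") + " is " + pdpteEntry.ToString("x08").PadRight(20) + "Flags: " + GetFlagString(pdpte);
    if (!pdpte.InUse)
    {
        output += "Entry Not In Use\n\n";
        return output;
    }
    if (pdpte.IsLarge)
    {
        // The trace stops here; no physical address is computed for a large PDPTE.
        output += "Entry is LARGE\n\n";
        return output;
    }

    // PDE
    ulong pdeEntry;
    if (!TryReadTraceEntry(pdpte.RealEntry, pdeIndex, out pdeEntry))
    {
        output += "Unable to read page table @ 0x" + pdpte.RealEntry.ToString("x08") + "\n\n";
        return output;
    }
    PageDirectoryEntry pde = new PageDirectoryEntry(pdeEntry);
    output += "pde value @ " + (pdpte.RealEntry + pdeIndex * 8).ToString("x08") + " is " + pdeEntry.ToString("x08").PadRight(20);
    if (!pde.InUse)
    {
        output += "Entry Not In Use\n\n";
        return output;
    }
    if (pde.IsLarge)
    {
        LargePageDirectoryEntry lpde = new LargePageDirectoryEntry(pdeEntry);
        output += "Flags: " + GetFlagString(lpde);
        // 2M page: frame comes from bits 21..47 of the entry, offset from the low 21 bits.
        ulong physicalAddressL = (pdeEntry & 0xffffffe00000) + (virtualAddress & 0x1fffff);
        output += "\nPhysical Address is in a LARGE 2M page @ 0x" + physicalAddressL.ToString("x08") + "\n\n";
        return output;
    }
    output += "Flags: " + GetFlagString(pde);

    // PTE
    ulong pteEntry;
    if (!TryReadTraceEntry(pde.RealEntry, pteIndex, out pteEntry))
    {
        output += "Unable to read page table @ 0x" + pde.RealEntry.ToString("x08") + "\n\n";
        return output;
    }
    PageTableEntry pte = new PageTableEntry(pteEntry);
    output += "pte value @ " + (pde.RealEntry + pteIndex * 8).ToString("x08") + " is " + pteEntry.ToString("x08").PadRight(20) + "Flags: " + GetFlagString(pte);
    if (!pte.InUse)
    {
        // A PTE that is not in use is reinterpreted as a software PTE and described.
        SoftwarePageTableEntry spte = new SoftwarePageTableEntry(pteEntry);
        output += ProcessSoftwarePte(spte);
        output += "Entry Not In Use\n\n";
        return output;
    }

    // 4K page: frame comes from bits 12..47 of the entry, offset from the low 12 bits.
    ulong physicalAddress = (pteEntry & 0xfffffffff000) + (virtualAddress & 0xfff);
    output += "\nPhysical Address is 0x" + physicalAddress.ToString("x08") + "\n\n";
    return output;
}

/// <summary>
/// Reads one 4096-byte paging table and extracts the 8-byte entry at the given index.
/// </summary>
/// <param name="tableAddress">Physical address of the table.</param>
/// <param name="index">Entry index within the table.</param>
/// <param name="entry">Receives the raw entry value, or zero when the read fails.</param>
/// <returns><c>true</c> when the entry was read; <c>false</c> when the data is missing or too short.</returns>
private bool TryReadTraceEntry(ulong tableAddress, ulong index, out ulong entry)
{
    entry = 0;
    // How ReadData reports a failed read is not visible from here; a null or short
    // buffer is treated as "unreadable" instead of letting BitConverter throw.
    byte[] table = ReadData(tableAddress, 4096);
    int offset = (int)(index * 8);
    if (table == null || table.Length < offset + 8)
    {
        return false;
    }
    entry = BitConverter.ToUInt64(table, offset);
    return true;
}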