From virtual address to physical address (with PAE enabled)


    I studied this a long, long time ago but never actually used it; today I suddenly needed it and had almost forgotten how it works,

    so I am writing it down here.

    How to check whether PAE is enabled

    r cr4

    If bit 5 of CR4 is 1, PAE is enabled; otherwise it is not.

    Switch into the target process


    Search for a string you are interested in (Unicode search; fill in the start address and length):
    s -u (start) L(len) ""
    The hit gives the virtual address to translate; dump it to confirm the contents:
    kd> db 01014dd4
    01014dd4 31 00 32 00 33 00 34 00-35 00 36 00 37 00 38 00 1.2.3.4.5.6.7.8.
    01014de4 39 00 30 00 31 00 32 00-33 00 00 00 00 00 00 00 9.0.1.2.3.......
    01014df4 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
    01014e04 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
    01014e14 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
    01014e24 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
    01014e34 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
    01014e44 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................

    Get CR3
    kd> r cr3
    cr3=02b80480

    Look at the page-table entries in physical memory (under PAE, CR3 holds the physical base of the page-directory-pointer table):
    kd> !dd 02b80480
    # 2b80480 11868801 00000000 080e9801 00000000
    # 2b80490 0c96a801 00000000 083e7801 00000000
    # 2b804a0 0749f801 00000000 124a0801 00000000
    # 2b804b0 18d61801 00000000 15e5e801 00000000
    # 2b804c0 f8c63320 00000000 1fe11801 00000000
    # 2b804d0 1d8d2801 00000000 1baa7801 00000000
    # 2b804e0 f8c63540 00000000 12a48801 00000000
    # 2b804f0 098c9801 00000000 09ba6801 00000000


    Split the virtual address, PAE layout (PDPT index / PD index / PT index / page offset):
    01014dd4
    bits:    2     9     9     12
    values:  0     0x8   0x14  0xDD4

    The PDPT index is 0, so the entry is the first one in the table (each entry is 16 hex digits wide).
    Bits 12 through 35 of the entry hold the upper 24 bits of the page base address; the low 12 bits are not part of the address (they are page attribute flags).
    kd> !dq 11868000
    #11868000 00000000`0830c867 00000000`1cf62867
    #11868010 00000000`14948867 00000000`00000000
    #11868020 00000000`135a6867 00000000`1a369867
    #11868030 00000000`00000000 00000000`00000000
    #11868040 00000000`03ec7867 00000000`00000000
    #11868050 00000000`00000000 00000000`00000000
    #11868060 00000000`00000000 00000000`00000000
    #11868070 00000000`00000000 00000000`00000000

    Page-directory index 0x8, 8 bytes per entry:
    !dq 11868000+8*8

    Again, bits 12 through 35 hold the upper 24 bits of the page base address; the low 12 bits are attribute flags.
    kd> !dq 03ec7000
    # 3ec7000 80000000`1e99b025 00000000`05fc2025
    # 3ec7010 00000000`0c7fb025 00000000`00000000
    # 3ec7020 00000000`10e7d025 00000000`12abe025
    # 3ec7030 00000000`18d7f025 00000000`15380025
    # 3ec7040 00000000`0e481025 00000000`03778025
    # 3ec7050 00000000`0fa39025 00000000`1163a025
    # 3ec7060 00000000`00000000 00000000`00000000
    # 3ec7070 00000000`00000000 00000000`00000000
    # 3ec7080 00000000`00000000 00000000`19bb7025
    # 3ec7090 00000000`1c938025 00000000`11bf9025
    # 3ec70a0 80000000`1acb1867 80000000`14cee867
    # 3ec70b0 80000000`1ec48025 00000000`00000000
    # 3ec70c0 00000000`00000000 00000000`00000000
    # 3ec70d0 80000000`1e30d025 80000000`1550e025
    # 3ec70e0 80000000`0818f025 80000000`1ab10025
    # 3ec70f0 80000000`05a11025 00000000`00000000

    Page-table index 0x14, 8 bytes per entry:
    !dq 03ec7000+0x14*8

    Bits 12 through 35 of the PTE give the page base (1acb1000); adding the 12-bit page offset 0xDD4 yields the physical address 1acb1dd4. Dumping physical memory there shows the same bytes as the virtual-address dump:
    kd> !db 1acb1dd4
    #1acb1dd4 31 00 32 00 33 00 34 00-35 00 36 00 37 00 38 00 1.2.3.4.5.6.7.8.
    #1acb1de4 39 00 30 00 31 00 32 00-33 00 00 00 00 00 00 00 9.0.1.2.3.......
    #1acb1df4 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
    #1acb1e04 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
    #1acb1e14 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
    #1acb1e24 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
    #1acb1e34 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
    #1acb1e44 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
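    The walk above, reproduced as an added Python example (not code from the original post): physical memory is modelled as a dictionary pre-populated with the three entries the kd session displayed (the PDPTE at CR3, the PDE at 11868040 and the PTE at 3ec70a0), the virtual address is split 2/9/9/12, bits 12 through 35 of each entry are masked out as the next base, and the two cases the post does not show, a not-present entry and a 2 MiB large page (PDE bit 7), are handled as well. The memory stub and all helper names are assumptions; the entry values and addresses are the post's own. The final PTE also carries bit 63, which the example decodes as the NX flag.

```python
# Added example, not part of the original post: a PAE (2/9/9/12) page walk
# over a constructed physical-memory stub holding the entries kd showed above.

PAE_BASE_MASK = 0x0000000FFFFFF000    # bits 12..35: page-frame base of an 8-byte entry
LARGE_PAGE_MASK = 0x0000000FFFE00000  # bits 21..35 when the PDE has PS (bit 7) set
FLAG_P, FLAG_RW, FLAG_US, FLAG_PS, FLAG_NX = 1 << 0, 1 << 1, 1 << 2, 1 << 7, 1 << 63


class PhysMem:
    """Constructed physical memory: 8-byte entries keyed by physical address."""

    def __init__(self, entries):
        self.entries = dict(entries)

    def read_qword(self, paddr):
        # Anything we did not populate reads as zero, i.e. a not-present entry.
        return self.entries.get(paddr, 0)


def split_pae_va(va):
    """Split a 32-bit virtual address into (PDPT index, PD index, PT index, offset)."""
    if not 0 <= va <= 0xFFFFFFFF:
        raise ValueError("PAE virtual addresses are 32-bit")
    return ((va >> 30) & 0x3, (va >> 21) & 0x1FF, (va >> 12) & 0x1FF, va & 0xFFF)


def decode_flags(entry):
    """Decode the attribute bits of a PDE/PTE (the low 12 bits plus NX in bit 63)."""
    return {
        "present": bool(entry & FLAG_P),
        "writable": bool(entry & FLAG_RW),
        "user": bool(entry & FLAG_US),
        "large": bool(entry & FLAG_PS),
        "nx": bool(entry & FLAG_NX),
    }


def pae_walk(mem, cr3, va):
    """Translate va under PAE; returns (physical address, flags of the final entry)."""
    pdpt_i, pd_i, pt_i, off = split_pae_va(va)
    # Under PAE, CR3 holds the 32-byte-aligned physical base of the PDPT.
    pdpt_base = cr3 & 0xFFFFFFE0
    pdpte = mem.read_qword(pdpt_base + pdpt_i * 8)
    if not pdpte & FLAG_P:
        raise LookupError(f"PDPTE[{pdpt_i}] not present")
    pd_base = pdpte & PAE_BASE_MASK          # 11868000 in the session above
    pde = mem.read_qword(pd_base + pd_i * 8)
    if not pde & FLAG_P:
        raise LookupError(f"PDE[{pd_i}] not present")
    if pde & FLAG_PS:
        # 2 MiB large page: there is no page-table level, so the low 21 bits of the
        # virtual address are the offset into the large page.
        return (pde & LARGE_PAGE_MASK) | (va & 0x1FFFFF), decode_flags(pde)
    pt_base = pde & PAE_BASE_MASK            # 03ec7000 in the session above
    pte = mem.read_qword(pt_base + pt_i * 8)
    if not pte & FLAG_P:
        raise LookupError(f"PTE[{pt_i}] not present")
    return (pte & PAE_BASE_MASK) | off, decode_flags(pte)


# Constructed memory containing only the three entries displayed by kd above.
CR3 = 0x02B80480
SAMPLE_MEM = PhysMem({
    0x02B80480 + 0 * 8:    0x0000000011868801,  # PDPTE[0]  -> page directory at 11868000
    0x11868000 + 8 * 8:    0x0000000003EC7867,  # PDE[8]    -> page table at 03ec7000
    0x03EC7000 + 0x14 * 8: 0x800000001ACB1867,  # PTE[0x14] -> page 1acb1000, NX bit set
})


def translate_sample():
    """Walk the post's own virtual address 01014dd4 through the sample tables."""
    return pae_walk(SAMPLE_MEM, CR3, 0x01014DD4)


if __name__ == "__main__":
    pa, flags = translate_sample()
    print(f"0x01014dd4 -> physical 0x{pa:x}, flags={flags}")
```

    Running it prints the physical address 0x1acb1dd4, matching the !db dump above; asking for a neighbouring page that was never populated raises a LookupError rather than returning a bogus address, which is the behaviour to want when scripting this against real dumps.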

    Original post: https://www.cnblogs.com/suanguade/p/5882212.html