Chapter 4/ System Briefing
kd> !pte 0
VA 00000000
PDE at C0300000 PTE at C0000000
contains 1BE02867 contains 00000000
pfn 1be02 ---DA--UWEV
kd> !pte 7fffffff
VA 7fffffff
PDE at C03007FC PTE at C01FFFFC
contains 1BD43867 contains 00000000
pfn 1bd43 ---DA--UWEV
kd> !pte 80000000
VA 80000000
PDE at C0300800 PTE at C0200000
contains 0013E063 contains 00000000
pfn 13e ---DA--KWEV
kd> !pte ffffffff
VA ffffffff
PDE at C0300FFC PTE at C03FFFFC
contains 00123063 contains 00000000
pfn 123 ---DA--KWEV
Even though the PTEs haven't been populated for this particular process,
there are several things we can glean from the previous output:
■ Page directories are loaded starting at linear address 0xC0300000.
■ Page tables are loaded starting at linear address 0xC0000000.
■ User-level pages end at linear address 0x80000000.
There is one caveat to be aware of: Above, we're working on a machine
that is using a 32-bit physical address space. For a machine that is running
with PAE enabled, the base address of the page directory is mapped by the
memory manager to linear address 0xC0600000.
By looking at the flag settings in the PDE entries, we can see a sudden shift
in the U/S flag as we make the move from linear address 0x7FFFFFFF to
0x80000000. This is a mythical creature we've been chasing for the past couple
of chapters. This is how Windows implements a two-ring memory protection
scheme. The boundary separating us from the inner chambers is nothing more
than a 1-bit flag in a collection of operating system tables.
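The address arithmetic and flag decoding behind the !pte output above, as an added example (not code from the book). It assumes the non-PAE layout shown above; the function names are hypothetical, and the flag letters for bits that are clear in the output (C, G, L, N, T) are assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Non-PAE x86 bases taken from the !pte output above. */
#define PDE_BASE 0xC0300000u
#define PTE_BASE 0xC0000000u

/* Entries are 4 bytes; the top 10 bits of the VA index the page directory. */
uint32_t pde_va(uint32_t va) { return PDE_BASE + ((va >> 22) << 2); }
/* The top 20 bits of the VA index the flat array of all PTEs. */
uint32_t pte_va(uint32_t va) { return PTE_BASE + ((va >> 12) << 2); }
/* Bits 12..31 of an entry hold the page frame number. */
uint32_t entry_pfn(uint32_t e) { return e >> 12; }
/* Bit 2 is the U/S flag: 1 = user, 0 = supervisor. */
int entry_is_user(uint32_t e) { return (e >> 2) & 1; }

/* Render the low flag bits in the 11-column layout the debugger prints.
   Letters for bits that are clear in the output above are assumptions. */
const char *entry_flags(uint32_t e) {
    static char s[12];
    s[0]  = (e & 0x200) ? 'C' : '-';  /* software-defined bit 9 */
    s[1]  = (e & 0x100) ? 'G' : '-';  /* global */
    s[2]  = (e & 0x080) ? 'L' : '-';  /* large page */
    s[3]  = (e & 0x040) ? 'D' : '-';  /* dirty */
    s[4]  = (e & 0x020) ? 'A' : '-';  /* accessed */
    s[5]  = (e & 0x010) ? 'N' : '-';  /* cache disabled */
    s[6]  = (e & 0x008) ? 'T' : '-';  /* write-through */
    s[7]  = entry_is_user(e) ? 'U' : 'K';
    s[8]  = (e & 0x002) ? 'W' : 'R';
    s[9]  = 'E';                      /* no NX bit in non-PAE entries */
    s[10] = (e & 0x001) ? 'V' : '-';
    s[11] = '\0';
    return s;
}

int main(void) {
    /* VA / PDE-contents pairs copied from the output above. */
    const uint32_t va[]  = { 0x00000000u, 0x7FFFFFFFu, 0x80000000u, 0xFFFFFFFFu };
    const uint32_t pde[] = { 0x1BE02867u, 0x1BD43867u, 0x0013E063u, 0x00123063u };
    for (int i = 0; i < 4; i++)
        printf("VA %08x  PDE at %08X  PTE at %08X  pfn %x  %s  %s\n",
               (unsigned)va[i], (unsigned)pde_va(va[i]), (unsigned)pte_va(va[i]),
               (unsigned)entry_pfn(pde[i]), entry_flags(pde[i]),
               entry_is_user(pde[i]) ? "user" : "supervisor");
    return 0;
}
```

The only difference between the PDE flag strings on either side of 0x80000000 is column 8, which is bit 2 of the entry.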
Note: The page directory and page tables belonging to a process reside above the
0x80000000 divider that marks the beginning of supervisor-level code. This is done
intentionally so that a process cannot modify its own address space.
Part I