Chapter 4 / System Briefing
User Space and Kernel Space
Microsoft refers to Intel's linear address space as a virtual address space.
This reflects the fact that Windows uses disk space to simulate physical memory,
such that the 4-GB linear address space doesn't all map to physical memory.
Recall that in Windows, each process has its own value for the CR3 control
register and thus its own virtual address space. As we saw in the last section,
the mechanics of paging divide virtual memory into two parts:
■ User space (linear addresses 0x00000000 - 0x7FFFFFFF).
■ Kernel space (linear addresses 0x80000000 - 0xFFFFFFFF).
By default, user space gets the lower half of the address range, and kernel
space gets the upper half. The 4-GB linear address space gets divided into
2-GB halves. Thus, the idea of submerging your code down into the kernel is
somewhat of a misnomer.
4-Gigabyte Tuning (4GT)
This allocation scheme isn't required to be an even 50-50 split; it's just the
default setup. Using the BCDedit.exe command, the position of the dividing
line can be altered to give the user space 3 GB of memory (at the expense of
kernel space).
bcdedit /set increaseuserva 3072
To allow an application to use this extra space, a special flag has to be set in
the header section of the application's binary (i.e., IMAGE_FILE_LARGE_ADDRESS_AWARE).
This flag is normally set by the linker when the application is built.
For example, the Visual Studio linker has a /LARGEADDRESSAWARE switch
to this end. You can use the dumpbin.exe utility that ships with the platform
software development kit (SDK) to see if this flag has been enabled.
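The flag can also be read straight from the file header without the SDK. The following is an added example, not code from the book: it locates the PE signature through e_lfanew and tests the IMAGE_FILE_LARGE_ADDRESS_AWARE bit (0x0020) in the Characteristics field. The function names and the build_sample helper are hypothetical, and the sample bytes are constructed header stubs rather than real executables.

```python
import struct

IMAGE_FILE_LARGE_ADDRESS_AWARE = 0x0020  # Characteristics bit in the COFF file header
IMAGE_FILE_MACHINE_I386 = 0x014C         # shown by dumpbin as "14C machine (x86)"


def parse_file_header(image: bytes) -> dict:
    """Return the Machine and Characteristics fields of a PE image's file header."""
    if len(image) < 0x40 or image[:2] != b"MZ":
        raise ValueError("missing MZ (DOS) header")
    # e_lfanew at offset 0x3C of the DOS header points at the "PE\0\0" signature.
    (pe_offset,) = struct.unpack_from("<I", image, 0x3C)
    if pe_offset + 24 > len(image):
        raise ValueError("e_lfanew points past end of file")
    if image[pe_offset:pe_offset + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    # The 20-byte IMAGE_FILE_HEADER follows the 4-byte signature; Characteristics is last.
    fields = struct.unpack_from("<HHIIIHH", image, pe_offset + 4)
    return {"machine": fields[0], "characteristics": fields[6]}


def is_large_address_aware(image: bytes) -> bool:
    """True if the linker marked the image as able to use addresses above 2 GB."""
    hdr = parse_file_header(image)
    return bool(hdr["characteristics"] & IMAGE_FILE_LARGE_ADDRESS_AWARE)


def build_sample(characteristics: int) -> bytes:
    """Constructed DOS header + PE signature + file header (hypothetical helper)."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew: PE header right after DOS header
    file_header = struct.pack("<HHIIIHH", IMAGE_FILE_MACHINE_I386,
                              0, 0, 0, 0, 0, characteristics)
    return bytes(dos) + b"PE\0\0" + file_header


if __name__ == "__main__":
    # 0x0002 = executable image, 0x0100 = 32-bit machine; 0x0020 is set only in the second.
    for flags in (0x0102, 0x0122):
        sample = build_sample(flags)
        print(hex(flags), "large address aware:", is_large_address_aware(sample))
```

To check a real binary, pass the bytes of the file (for example, the result of reading it in binary mode) to is_large_address_aware.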
dumpbin /headers C:\windows\system32\smss.exe
Microsoft (R) COFF/PE Dumper Version 9.00.30729.01
Copyright (C) Microsoft Corporation. All rights reserved.
Dump of file C:\windows\system32\smss.exe
PE signature found
File Type: EXECUTABLE IMAGE
FILE HEADER VALUES
14C machine (x86)