3.windbg-!pte转换地址(ring0)

来源：互联网发布：linux下安装redis 编辑：程序博客网时间：2024/06/05 06:14

1.取得DirBase

kd> !process  0 0 test.exePROCESS 89ed6170  SessionId: 0  Cid: 0558Peb: 7ffd9000  ParentCid: 0744DirBase: 0a7c0340  ObjectTable: e1e6b5a8  HandleCount:  15.Image: test.exe

2. 切换到指定进程

使用.process /i /p 89ed6170 注意一定要加/i
然后使用.process确认内核已切换到89ed6170 这个进程
然后!pte va即可！
给个清晰的示意图：

3.pfn对应详解

而!pfn更快：

kd> !pfn 806aeffcPFN 006AEFFC at address 8C9B6F90//006AEFFC 为806aeffc的物理地址flink 00000000 blink / share count 00000000 pteaddress 00000000reference count 0000 NonCached color 0restore pte 00000000 containing page 000000 Zeroedkd> !pte 806aeffcVA 806aeffcPDE at 00000000C0602018 PTE at 00000000C0403570contains 00000000006001E3 contains 0000000000000000pfn 600 -GLDA–KWEV LARGE PAGE pfn 6aekd> db 806aeffc806aeffc 00 00 00 00 00 00 00 00-00 00 00 00 4a 77 1d 00 …………Jw..806af00c 2c 06 00 00 4c 70 1d 00-00 00 00 00 00 00 00 00 ,…Lp……….806af01c 0e 78 1d 00 00 06 00 00-7c 71 1d 00 00 00 00 00 .x……|q……806af02c 00 00 00 00 a6 78 1d 00-30 07 00 00 00 00 00 00 …..x..0…….806af03c 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 …………….806af04c e8 77 1d 00 d4 77 1d 00-c2 77 1d 00 ae 77 1d 00 .w…w…w…w..806af05c a2 77 1d 00 8a 77 1d 00-72 77 1d 00 60 77 1d 00 .w…w..rw..`w..806af06c 52 77 1d 00 f8 77 1d 00-00 00 00 00 9e 72 1d 00 Rw…w…….r..kd> !db 006AEFFC# 6aeffc 00 00 00 00 00 00 00 00-00 00 00 00 4a 77 1d 00 …………Jw..