Source code of Windows XP (NT5)
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

1410 lines
35 KiB

  1. /*++
  2. Copyright (c) 1992 Microsoft Corporation
  3. Module Name:
  4. physical.c
  5. Abstract:
  6. WinDbg Extension Api
  7. Revision History:
  8. --*/
  9. #include "precomp.h"
  10. #pragma hdrstop
  11. /*++
  12. Routine Description:
  13. Reverse sign extension of the value returned by GetExpression()
  14. based on the assumption that no physical address may be bigger
  15. than 0xfffffff00000000.
  16. Arguments:
  17. Val - points to the value to reverse sign extension
  18. Return Value:
  19. None.
  20. --*/
  21. void
  22. ReverseSignExtension(ULONG64* Val)
  23. {
  24. if ((*Val & 0xffffffff00000000) == 0xffffffff00000000)
  25. {
  26. *Val &= 0x00000000ffffffff;
  27. }
  28. }
  29. DECLARE_API( chklowmem )
  30. /*++
  31. Routine Description:
  32. Calls an Mm function that checks if the physical pages
  33. below 4Gb have a required fill pattern for PAE systems
  34. booted with /LOWMEM switch.
  35. Arguments:
  36. None.
  37. Return Value:
  38. None.
  39. --*/
  40. {
  41. UNREFERENCED_PARAMETER (args);
  42. UNREFERENCED_PARAMETER (Client);
  43. dprintf ("Checking the low 4GB of RAM for required fill pattern. \n");
  44. dprintf ("Please wait (verification takes approx. 20s) ...\n");
  45. Ioctl (IG_LOWMEM_CHECK, NULL, 0);
  46. dprintf ("Lowmem check done.\n");
  47. return S_OK;
  48. }
  49. /////////////////////////////////////////////////////////////////////
  50. ///////////////////////////////////////////////////////////// !search
  51. /////////////////////////////////////////////////////////////////////
  52. //
  53. // Kernel variable modification functions.
  54. //
  55. ULONG
  56. READ_ULONG (
  57. ULONG64 Address
  58. );
  59. VOID
  60. WRITE_ULONG (
  61. ULONG64 Address,
  62. ULONG Value
  63. );
  64. ULONG64
  65. READ_PVOID (
  66. ULONG64 Address
  67. );
  68. ULONG
  69. READ_PHYSICAL_ULONG (
  70. ULONG64 Address
  71. );
  72. ULONG64
  73. READ_PHYSICAL_ULONG64 (
  74. ULONG64 Address
  75. );
  76. ULONG64
  77. SearchGetSystemMemoryDescriptor (
  78. );
  79. ULONG64
  80. SearchConvertPageFrameToVa (
  81. ULONG64 PageFrameIndex,
  82. PULONG Flags,
  83. PULONG64 PteAddress
  84. );
  85. #define SEARCH_VA_PROTOTYPE_ADDRESS 0x0001
  86. #define SEARCH_VA_NORMAL_ADDRESS 0x0002
  87. #define SEARCH_VA_LARGE_PAGE_ADDRESS 0x0004
  88. #define SEARCH_VA_UNKNOWN_TYPE_ADDRESS 0x0008
  89. //
  90. // PAE independent functions from p_i386\pte.c
  91. //
  92. ULONG64
  93. DbgGetPdeAddress(
  94. IN ULONG64 VirtualAddress
  95. );
  96. ULONG64
  97. DbgGetPteAddress(
  98. IN ULONG64 VirtualAddress
  99. );
  100. #define BANG_SEARCH_HELP \
  101. "\n\
  102. !search ADDRESS [DELTA [START_PFN END_PFN]] \n\
  103. \n\
  104. Search the physical pages in range [START_PFN..END_PFN] \n\
  105. for ULONG_PTRs with values in range ADDRESS+/-DELTA or values \n\
  106. that differ in only one bit position from ADDRESS. \n\
  107. \n\
  108. The default value for DELTA is 0. For START/END_PFN the default \n\
  109. values are lowest physical page and highest physical page. \n\
  110. \n\
  111. Examples: \n\
  112. \n\
  113. !search AABBCCDD 0A \n\
  114. \n\
  115. Search all physical memory for values in range AABBCCD3 - \n\
  116. AABBCCE8 or with only one bit different than AABBCCDD. \n\
  117. \n\
  118. !search AABBCCDD 0A 13F 240 \n\
  119. \n\
  120. Search page frames in range 13F - 240 for values in range \n\
  121. AABBCCD3 - AABBCCE8 or with only one bit different \n\
  122. than AABBCCDD. \n\
  123. \n\
  124. By default only the first hit in the page is detected. If all \n\
  125. hits within the page are needed the START_PFN and END_PFN \n\
  126. must have the same value. \n\
  127. \n\
  128. Note that a search through the entire physical memory will find \n\
  129. hits in the search engine structures. By doing a search with a \n\
  130. completely different value it can be deduced what hits can be \n\
  131. ignored. \n\n"
  132. //
  133. // Comment this to get verbose output.
  134. //
  135. // #define _INTERNAL_DEBUG_
  136. //
  137. DECLARE_API( search )
  138. /*++
  139. Routine Description:
  140. This routine triggers a search within a given physical
  141. memory range for a pointer. The hits are defined by
  142. an interval (below and above the pointer value) and also
  143. by a Hamming distance equal to one (only one bit different).
  144. Arguments:
  145. None.
  146. Return Value:
  147. None.
  148. --*/
  149. {
  150. const ULONG SEARCH_SYMBOL_CHECK = 0xABCDDCBA;
  151. ULONG64 ParamAddress;
  152. ULONG64 ParamDelta;
  153. ULONG64 ParamStart;
  154. ULONG64 ParamEnd;
  155. ULONG64 KdpSearchPageHits;
  156. ULONG64 KdpSearchPageHitOffsets;
  157. ULONG64 KdpSearchPageHitIndex;
  158. ULONG64 KdpSearchCheckPoint;
  159. ULONG64 KdpSearchInProgress;
  160. ULONG64 KdpSearchStartPageFrame;
  161. ULONG64 KdpSearchEndPageFrame;
  162. ULONG64 KdpSearchAddressRangeStart;
  163. ULONG64 KdpSearchAddressRangeEnd;
  164. ULONG64 MmLowestPhysicalPage;
  165. ULONG64 MmHighestPhysicalPage;
  166. ULONG64 PageFrame;
  167. ULONG64 StartPage;
  168. ULONG64 EndPage;
  169. ULONG64 RunStartPage;
  170. ULONG64 RunEndPage;
  171. ULONG RunIndex;
  172. BOOLEAN RequestForInterrupt;
  173. BOOLEAN RequestAllOffsets;
  174. ULONG Hits;
  175. ULONG Index;
  176. ULONG64 PfnHit;
  177. ULONG64 VaHit;
  178. ULONG VaFlags;
  179. ULONG PfnOffset;
  180. ULONG64 AddressStart;
  181. ULONG64 AddressEnd;
  182. ULONG DefaultRange;
  183. ULONG64 MemoryDescriptor;
  184. ULONG64 PageCount, BasePage, NumberOfPages;
  185. ULONG NumberOfRuns;
  186. ULONG SizeOfPfnNumber = 0;
  187. ULONG64 PteAddress;
  188. BOOLEAN On64Bits;
  189. UNREFERENCED_PARAMETER (Client);
  190. switch (TargetMachine) {
  191. case IMAGE_FILE_MACHINE_IA64:
  192. case IMAGE_FILE_MACHINE_AMD64:
  193. On64Bits = TRUE;
  194. break;
  195. default:
  196. On64Bits = FALSE;
  197. break;
  198. }
  199. SizeOfPfnNumber = GetTypeSize("nt!PFN_NUMBER");
  200. if (SizeOfPfnNumber == 0) {
  201. dprintf ("Search: cannot get size of PFN_NUMBER \n");
  202. return E_INVALIDARG;
  203. }
  204. RequestForInterrupt = FALSE;
  205. RequestAllOffsets = FALSE;
  206. DefaultRange = 128;
  207. ParamAddress = 0;
  208. ParamDelta = 0;
  209. ParamStart = 0;
  210. ParamEnd = 0;
  211. //
  212. // Help requested ?
  213. //
  214. if (strstr (args, "?") != 0) {
  215. dprintf (BANG_SEARCH_HELP);
  216. return S_OK;
  217. }
  218. //
  219. // Get command line arguments.
  220. //
  221. {
  222. PCHAR Current = (PCHAR)args;
  223. CHAR Buffer [64];
  224. ULONG Index;
  225. ULONG BufferIndex;
  226. //
  227. // Get the 4 numeric arguments.
  228. //
  229. for (Index = 0; Index < 4; Index++) {
  230. //
  231. // Get rid of any leading spaces.
  232. //
  233. while (*Current == ' ' || *Current == '\t') {
  234. Current++;
  235. }
  236. if (*Current == 0) {
  237. if (Index == 0) {
  238. dprintf (BANG_SEARCH_HELP);
  239. return E_INVALIDARG;
  240. }
  241. else {
  242. break;
  243. }
  244. }
  245. //
  246. // Get the digits from the Index-th parameter.
  247. //
  248. Buffer [0] = '0';
  249. Buffer [1] = 'x';
  250. BufferIndex = 2;
  251. while ((*Current >= '0' && *Current <= '9')
  252. || (*Current >= 'a' && *Current <= 'f')
  253. || (*Current >= 'A' && *Current <= 'F')) {
  254. Buffer[BufferIndex] = *Current;
  255. Buffer[BufferIndex + 1] = 0;
  256. Current += 1;
  257. BufferIndex += 1;
  258. }
  259. switch (Index) {
  260. case 0: ParamAddress = GetExpression(Buffer); break;
  261. case 1: ParamDelta = GetExpression(Buffer); break;
  262. case 2: ParamStart = GetExpression(Buffer); break;
  263. case 3: ParamEnd = GetExpression(Buffer); break;
  264. default:
  265. dprintf (BANG_SEARCH_HELP);
  266. return E_INVALIDARG;
  267. }
  268. }
  269. }
  270. //
  271. // Verify that we have the right symbols.
  272. //
  273. KdpSearchCheckPoint = GetExpression ("nt!KdpSearchCheckPoint");
  274. if (KdpSearchCheckPoint == 0
  275. || READ_ULONG (KdpSearchCheckPoint) != SEARCH_SYMBOL_CHECK) {
  276. dprintf ("Search error: Incorrect symbols for kernel\n");
  277. return E_INVALIDARG;
  278. }
  279. //
  280. // Get all symbol values so that we can manipulate only addresses
  281. // from now on.
  282. //
  283. KdpSearchPageHits = GetExpression ("nt!KdpSearchPageHits");
  284. KdpSearchPageHitOffsets = GetExpression ("nt!KdpSearchPageHitOffsets");
  285. KdpSearchPageHitIndex = GetExpression ("nt!KdpSearchPageHitIndex");
  286. KdpSearchInProgress = GetExpression ("nt!KdpSearchInProgress");
  287. KdpSearchStartPageFrame = GetExpression ("nt!KdpSearchStartPageFrame");
  288. KdpSearchEndPageFrame = GetExpression ("nt!KdpSearchEndPageFrame");
  289. KdpSearchAddressRangeStart = GetExpression ("nt!KdpSearchAddressRangeStart");
  290. KdpSearchAddressRangeEnd = GetExpression ("nt!KdpSearchAddressRangeEnd");
  291. //
  292. // Perform some sanity checks on the values.
  293. //
  294. if (READ_ULONG (KdpSearchInProgress) != 0) {
  295. dprintf ("Search error: Inconsistent value for nt!KdpSearchInProgress \n");
  296. return E_INVALIDARG;
  297. }
  298. //
  299. // Reset the search engine
  300. //
  301. WRITE_ULONG (KdpSearchPageHitIndex, 0);
  302. WRITE_ULONG (KdpSearchInProgress, 1);
  303. //
  304. // Read physical memory limits.
  305. //
  306. MmLowestPhysicalPage = GetExpression ("nt!MmLowestPhysicalPage");
  307. MmHighestPhysicalPage = GetExpression ("nt!MmHighestPhysicalPage");
  308. #ifdef _INTERNAL_DEBUG_
  309. dprintf ("Low: %I64X, High: %I64X \n",
  310. READ_PVOID (MmLowestPhysicalPage),
  311. READ_PVOID (MmHighestPhysicalPage));
  312. #endif // #ifdef _INTERNAL_DEBUG_
  313. //
  314. // Figure out proper search parameters.
  315. //
  316. if (ParamStart == 0) {
  317. StartPage = READ_PVOID (MmLowestPhysicalPage);
  318. ParamStart = StartPage;
  319. }
  320. else {
  321. StartPage = ParamStart;
  322. }
  323. if (ParamEnd == 0) {
  324. EndPage = READ_PVOID (MmHighestPhysicalPage);
  325. ParamEnd = EndPage;
  326. }
  327. else {
  328. EndPage = ParamEnd;
  329. }
  330. //
  331. // Set range of addresses that we want to be searched.
  332. //
  333. AddressStart = ParamAddress - ParamDelta;
  334. AddressEnd = ParamAddress + ParamDelta;
  335. WritePointer (KdpSearchAddressRangeStart, AddressStart);
  336. WritePointer (KdpSearchAddressRangeEnd, AddressEnd);
  337. if (SizeOfPfnNumber == 8) {
  338. dprintf ("Searching PFNs in range %016I64X - %016I64X for [%016I64X - %016I64X]\n\n",
  339. StartPage, EndPage, AddressStart, AddressEnd);
  340. dprintf ("%-16s %-8s %-16s %-16s %-16s \n", "Pfn","Offset", "Hit", "Va", "Pte");
  341. dprintf ("- - - - - - - - - - - - - - - - - - - - - - ");
  342. dprintf ("- - - - - - - - - - - - - - - - - - - - - - - - - - -\n");
  343. }
  344. else {
  345. dprintf ("Searching PFNs in range %08I64X - %08I64X for [%08I64X - %08I64X]\n\n",
  346. StartPage, EndPage, AddressStart, AddressEnd);
  347. dprintf ("%-8s %-8s %-8s %-8s %-8s \n", "Pfn","Offset", "Hit", "Va", "Pte");
  348. dprintf ("- - - - - - - - - - - - - - - - - - - - - - - - - - -\n");
  349. }
  350. //
  351. // Get system memory description to figure out what ranges
  352. // should we skip. This is important for sparse PFN database
  353. // and for pages managed by drivers.
  354. //
  355. MemoryDescriptor = SearchGetSystemMemoryDescriptor ();
  356. if (MemoryDescriptor == 0) {
  357. dprintf ("Search error: cannot allocate system memory descriptor \n");
  358. return E_INVALIDARG;
  359. }
  360. //
  361. // Search all physical memory in the specified range.
  362. //
  363. WRITE_ULONG (KdpSearchPageHitIndex, 0);
  364. if (StartPage == EndPage) {
  365. EndPage += 1;
  366. RequestAllOffsets = TRUE;
  367. }
  368. //
  369. // Find out what pages are physically available create
  370. // page search ranges based on that.
  371. //
  372. // SilviuC: I should use ReadField to read all these structures
  373. // so that I do not have to take into account padding myself.
  374. //
  375. NumberOfRuns = READ_ULONG (MemoryDescriptor);
  376. NumberOfPages = READ_PVOID (MemoryDescriptor + SizeOfPfnNumber);
  377. #ifdef _INTERNAL_DEBUG_
  378. dprintf ("Runs: %x, Pages: %I64X \n", NumberOfRuns, NumberOfPages);
  379. for (RunIndex = 0; RunIndex < NumberOfRuns; RunIndex += 1) {
  380. ULONG64 RunAddress;
  381. RunAddress = MemoryDescriptor + 2 * SizeOfPfnNumber
  382. + RunIndex * GetTypeSize("nt!_PHYSICAL_MEMORY_RUN");
  383. BasePage = READ_PVOID (RunAddress);
  384. PageCount = READ_PVOID (RunAddress + SizeOfPfnNumber);
  385. dprintf ("Run[%d]: Base: %I64X, Count: %I64X \n",
  386. RunIndex, BasePage, PageCount);
  387. }
  388. #endif // #if _INTERNAL_DEBUG_
  389. #ifdef _INTERNAL_DEBUG_
  390. dprintf ("StartPage: %I64X, EndPage: %I64X \n", StartPage, EndPage);
  391. #endif // #ifdef _INTERNAL_DEBUG_
  392. for (PageFrame = StartPage; PageFrame < EndPage; PageFrame += DefaultRange) {
  393. for (RunIndex = 0; RunIndex < NumberOfRuns; RunIndex += 1) {
  394. //
  395. // BaseAddress and PageCount for current memory run.
  396. //
  397. ULONG64 RunAddress;
  398. #ifdef _INTERNAL_DEBUG_
  399. // dprintf ("Finding a good range ... \n");
  400. #endif // #ifdef _INTERNAL_DEBUG_
  401. RunAddress = MemoryDescriptor + 2 * SizeOfPfnNumber
  402. + RunIndex * GetTypeSize("nt!_PHYSICAL_MEMORY_RUN");
  403. BasePage = READ_PVOID (RunAddress);
  404. PageCount = READ_PVOID (RunAddress + SizeOfPfnNumber);
  405. //
  406. // Figure out real start and end page.
  407. //
  408. RunStartPage = PageFrame;
  409. RunEndPage = PageFrame + DefaultRange;
  410. if (RunEndPage < BasePage) {
  411. continue;
  412. }
  413. if (RunStartPage >= BasePage + PageCount) {
  414. continue;
  415. }
  416. if (RunStartPage < BasePage) {
  417. RunStartPage = BasePage;
  418. }
  419. if (RunEndPage > BasePage + PageCount) {
  420. RunEndPage = BasePage + PageCount;
  421. }
  422. WritePointer (KdpSearchStartPageFrame, RunStartPage);
  423. if (RequestAllOffsets) {
  424. //
  425. // If the search is in only one page then we
  426. // will try to get all offsets with a hit.
  427. //
  428. WritePointer (KdpSearchEndPageFrame, RunStartPage);
  429. }
  430. else {
  431. WritePointer (KdpSearchEndPageFrame, RunEndPage);
  432. }
  433. #ifdef _INTERNAL_DEBUG_
  434. dprintf ("Start: %I64X, End: %I64X \n",
  435. READ_PVOID(KdpSearchStartPageFrame),
  436. READ_PVOID(KdpSearchEndPageFrame));
  437. #endif // #if _INTERNAL_DEBUG_
  438. //
  439. // Reset search index
  440. //
  441. WRITE_ULONG (KdpSearchPageHitIndex, 0);
  442. //
  443. // Invalidate kd cache
  444. //
  445. WRITE_ULONG (KdpSearchPageHits, 0);
  446. WRITE_ULONG (KdpSearchPageHitOffsets, 0);
  447. //
  448. // This is the trigger for memory search. We piggy back on the same
  449. // code as for !chklowmem and the logic in kernel detects what
  450. // we really want to do.
  451. //
  452. Ioctl (IG_LOWMEM_CHECK, NULL, 0);
  453. //
  454. // Display results
  455. //
  456. Hits = READ_ULONG (KdpSearchPageHitIndex);
  457. for (Index = 0; Index < Hits; Index++) {
  458. PCHAR VaString = "";
  459. VaFlags = 0;
  460. PfnHit = READ_PVOID (KdpSearchPageHits + Index * SizeOfPfnNumber);
  461. PfnOffset = READ_ULONG (KdpSearchPageHitOffsets + Index * sizeof (ULONG));
  462. VaHit = SearchConvertPageFrameToVa (PfnHit, &VaFlags, &PteAddress);
  463. // dprintf ("Hits: %u, Index: %u, Va: %I64X \n", Hits, Index, VaHit);
  464. PfnOffset &= (ULONG)0xFFFF;
  465. #if DBG
  466. if ((VaFlags & SEARCH_VA_NORMAL_ADDRESS)) {
  467. VaString = ""; // "normal";
  468. }
  469. else if ((VaFlags & SEARCH_VA_LARGE_PAGE_ADDRESS)) {
  470. VaString = "large page";
  471. }
  472. else if ((VaFlags & SEARCH_VA_PROTOTYPE_ADDRESS)) {
  473. VaString = "prototype";
  474. }
  475. else if ((VaFlags & SEARCH_VA_UNKNOWN_TYPE_ADDRESS)) {
  476. VaString = "unknown";
  477. }
  478. #endif // #if DBG
  479. if (SizeOfPfnNumber == 8) {
  480. dprintf ("%016I64X %08X %016I64X %016I64X %016I64X %s\n",
  481. PfnHit,
  482. PfnOffset,
  483. READ_PHYSICAL_ULONG64 (PfnHit * PageSize + PfnOffset),
  484. (VaHit == 0 ? 0 : VaHit + PfnOffset),
  485. PteAddress,
  486. VaString);
  487. }
  488. else {
  489. VaHit &= (ULONG64)0xFFFFFFFF;
  490. PteAddress &= (ULONG64)0xFFFFFFFF;
  491. dprintf ("%08I64X %08X %08X %08I64X %08I64X %s\n",
  492. PfnHit,
  493. PfnOffset,
  494. READ_PHYSICAL_ULONG (PfnHit * PageSize + PfnOffset),
  495. (VaHit == 0 ? 0 : VaHit + PfnOffset),
  496. PteAddress,
  497. VaString);
  498. }
  499. }
  500. //
  501. // check for ctrl-c
  502. //
  503. if (CheckControlC()) {
  504. dprintf ("Search interrupted. \n");
  505. RequestForInterrupt = TRUE;
  506. break;
  507. }
  508. }
  509. if (RequestForInterrupt) {
  510. break;
  511. }
  512. }
  513. //
  514. // Reset the search engine state
  515. //
  516. WRITE_ULONG (KdpSearchInProgress, 0);
  517. if (RequestForInterrupt) {
  518. return E_INVALIDARG;
  519. }
  520. else {
  521. dprintf ("Search done.\n");
  522. }
  523. return S_OK;
  524. }
  525. ULONG64
  526. SearchGetSystemMemoryDescriptor (
  527. )
  528. /*++
  529. Routine Description:
  530. Arguments:
  531. None.
  532. Return Value:
  533. A malloc'd PHYSICAL_MEMORY_DESCRIPTOR structure.
  534. Caller is responsible of freeing.
  535. Environment:
  536. Call triggered only from !search Kd extension.
  537. --*/
  538. {
  539. ULONG64 MemoryDescriptorAddress;
  540. ULONG NumberOfRuns;
  541. MemoryDescriptorAddress = READ_PVOID (GetExpression ("nt!MmPhysicalMemoryBlock"));
  542. NumberOfRuns = READ_ULONG (MemoryDescriptorAddress);
  543. if (NumberOfRuns == 0) {
  544. return 0;
  545. }
  546. return MemoryDescriptorAddress;
  547. }
  548. //
  549. // SilviuC: this is copied from \ntos\mm headers.
  550. // We only need it to figure out if a PFN has
  551. // prototype ptes.
  552. //
  553. typedef struct _MMPFNENTRY {
  554. ULONG Modified : 1;
  555. ULONG ReadInProgress : 1;
  556. ULONG WriteInProgress : 1;
  557. ULONG PrototypePte: 1;
  558. ULONG PageColor : 3;
  559. ULONG ParityError : 1;
  560. ULONG PageLocation : 3;
  561. ULONG InPageError : 1;
  562. ULONG VerifierAllocation : 1;
  563. ULONG RemovalRequested : 1;
  564. #if PFN_CONSISTENCY
  565. ULONG PageTablePage : 1;
  566. ULONG Reserved : 1;
  567. #else
  568. ULONG Reserved : 2;
  569. #endif
  570. ULONG DontUse : 16; //overlays USHORT for reference count field.
  571. } MMPFNENTRY;
  572. ULONG64
  573. SearchConvertPageFrameToVa (
  574. ULONG64 PageFrameIndex,
  575. PULONG Flags,
  576. PULONG64 PteAddress
  577. )
  578. /*++
  579. Routine Description:
  580. This routine returnes the virtual address corresponding to a
  581. PFN index if the reverse mapping is easy to figure out. For all
  582. other cases (e.g. prototype PTE) the result is null.
  583. Arguments:
  584. PageFrameIndex - PFN index to convert.
  585. Return Value:
  586. The corresponding virtual address or null in case the PFN index
  587. cannot be easily converted to a virtual address.
  588. Environment:
  589. Call triggered only from Kd extension.
  590. --*/
  591. {
  592. ULONG64 Va;
  593. ULONG64 PfnAddress;
  594. ULONG BytesRead;
  595. MMPFNENTRY u3_e1;
  596. //
  597. // Get address of PFN structure
  598. //
  599. PfnAddress = READ_PVOID (GetExpression("nt!MmPfnDatabase"))
  600. + PageFrameIndex * GetTypeSize("nt!_MMPFN");
  601. BytesRead = 0;
  602. *Flags = 0;
  603. InitTypeRead(PfnAddress, nt!_MMPFN);
  604. //
  605. // (SilviuC): should check if MI_IS_PFN_DELETED(Pfn) is on.
  606. //
  607. //
  608. // Try to figure out Va if possible.
  609. //
  610. *PteAddress = ((ULONG64)ReadField (PteAddress));
  611. GetFieldValue(PfnAddress, "nt!_MMPFN", "u3.e1", u3_e1);
  612. if (u3_e1.PrototypePte) {
  613. *Flags |= SEARCH_VA_PROTOTYPE_ADDRESS;
  614. return 0;
  615. }
  616. Va = DbgGetVirtualAddressMappedByPte (*PteAddress);
  617. *Flags |= SEARCH_VA_NORMAL_ADDRESS;
  618. return Va;
  619. }
  620. //
  621. // Read/write functions
  622. //
  623. ULONG
  624. READ_ULONG (
  625. ULONG64 Address
  626. )
  627. {
  628. ULONG Value = 0;
  629. ULONG BytesRead;
  630. if (! ReadMemory (Address, &Value, sizeof Value, &BytesRead)) {
  631. dprintf ("Search: READ_ULONG error \n");
  632. }
  633. return Value;
  634. }
  635. VOID
  636. WRITE_ULONG (
  637. ULONG64 Address,
  638. ULONG Value
  639. )
  640. {
  641. ULONG BytesWritten;
  642. if (! WriteMemory (Address, &Value, sizeof Value, &BytesWritten)) {
  643. dprintf ("Search: WRITE_ULONG error \n");
  644. }
  645. }
  646. ULONG64
  647. READ_PVOID (
  648. ULONG64 Address
  649. )
  650. {
  651. ULONG64 Value64 = 0;
  652. if (!ReadPointer(Address, &Value64)) {
  653. dprintf ("Search: READ_PVOID error \n");
  654. }
  655. return Value64;
  656. }
  657. ULONG
  658. READ_PHYSICAL_ULONG (
  659. ULONG64 Address
  660. )
  661. {
  662. ULONG Value = 0;
  663. ULONG Bytes = 0;
  664. ReadPhysical (Address, &Value, sizeof Value, &Bytes);
  665. if (Bytes != sizeof Value) {
  666. dprintf ("Search: READ_PHYSICAL_ULONG error \n");
  667. }
  668. return Value;
  669. }
  670. ULONG64
  671. READ_PHYSICAL_ULONG64 (
  672. ULONG64 Address
  673. )
  674. {
  675. ULONG64 Value = 0;
  676. ULONG Bytes = 0;
  677. ReadPhysical (Address, &Value, sizeof Value, &Bytes);
  678. if (Bytes != sizeof Value) {
  679. dprintf ("Search: READ_PHYSICAL_ULONG64 error \n");
  680. }
  681. return Value;
  682. }
  683. /////////////////////////////////////////////////////////////////////
  684. ////////////////////////////////////////////////////////// !searchpte
  685. /////////////////////////////////////////////////////////////////////
  686. DECLARE_API( searchpte )
  687. {
  688. const ULONG SEARCH_SYMBOL_CHECK = 0xABCDDCBA;
  689. ULONG64 ParamAddress;
  690. ULONG64 ParamDelta;
  691. ULONG64 ParamStart;
  692. ULONG64 ParamEnd;
  693. ULONG64 KdpSearchPageHits;
  694. ULONG64 KdpSearchPageHitOffsets;
  695. ULONG64 KdpSearchPageHitIndex;
  696. ULONG64 KdpSearchInProgress;
  697. ULONG64 KdpSearchStartPageFrame;
  698. ULONG64 KdpSearchEndPageFrame;
  699. ULONG64 KdpSearchAddressRangeStart;
  700. ULONG64 KdpSearchAddressRangeEnd;
  701. ULONG64 KdpSearchPfnValueAddress;
  702. ULONG64 KdpSearchCheckPoint;
  703. ULONG64 MmLowestPhysicalPage;
  704. ULONG64 MmHighestPhysicalPage;
  705. ULONG64 PageFrame;
  706. ULONG64 StartPage;
  707. ULONG64 EndPage;
  708. ULONG64 RunStartPage;
  709. ULONG64 RunEndPage;
  710. ULONG RunIndex;
  711. BOOLEAN RequestForInterrupt = FALSE;
  712. ULONG Hits;
  713. ULONG LastHits;
  714. ULONG Index;
  715. ULONG64 PfnHit;
  716. ULONG64 VaHit;
  717. ULONG VaFlags;
  718. ULONG PfnOffset;
  719. ULONG PfnValue;
  720. ULONG64 AddressStart;
  721. ULONG64 AddressEnd;
  722. ULONG DefaultRange = 128;
  723. ULONG64 MemoryDescriptor;
  724. ULONG64 PageCount, BasePage, NumberOfPages;
  725. ULONG NumberOfRuns;
  726. ULONG SizeOfPfnNumber = 0;
  727. ULONG64 PteAddress;
  728. BOOLEAN On64Bits;
  729. ULONG64 PfnSearchValue;
  730. ULONG NumberOfHits = 0;
  731. PULONG64 PfnHitsBuffer = NULL;
  732. ULONG PfnHitsBufferIndex = 0;
  733. ULONG PfnHitsBufferSize = 1024;
  734. ULONG PfnIndex;
  735. HRESULT Result;
  736. switch (TargetMachine) {
  737. case IMAGE_FILE_MACHINE_IA64:
  738. case IMAGE_FILE_MACHINE_AMD64:
  739. On64Bits = TRUE;
  740. break;
  741. default:
  742. On64Bits = FALSE;
  743. break;
  744. }
  745. SizeOfPfnNumber = GetTypeSize("nt!PFN_NUMBER");
  746. if (SizeOfPfnNumber == 0) {
  747. dprintf ("Search: cannot get size of PFN_NUMBER \n");
  748. Result = E_INVALIDARG;
  749. goto Exit;
  750. }
  751. ParamAddress = 0;
  752. //
  753. // Help requested ?
  754. //
  755. if (strstr (args, "?") != 0) {
  756. dprintf ("!searchpte FRAME(in hex) \n");
  757. dprintf (" \n");
  758. return S_OK;
  759. }
  760. //
  761. // Get command line arguments.
  762. //
  763. sscanf (args, "%I64X", &ParamAddress);
  764. //
  765. // Verify that we have the right symbols.
  766. //
  767. KdpSearchCheckPoint = GetExpression ("nt!KdpSearchCheckPoint");
  768. if (KdpSearchCheckPoint == 0
  769. || READ_ULONG (KdpSearchCheckPoint) != SEARCH_SYMBOL_CHECK) {
  770. dprintf ("Search error: Incorrect symbols for kernel\n");
  771. Result = E_INVALIDARG;
  772. goto Exit;
  773. }
  774. //
  775. // Get all symbol values so that we can manipulate only addresses
  776. // from now on.
  777. //
  778. KdpSearchPageHits = GetExpression ("nt!KdpSearchPageHits");
  779. KdpSearchPageHitOffsets = GetExpression ("nt!KdpSearchPageHitOffsets");
  780. KdpSearchPageHitIndex = GetExpression ("nt!KdpSearchPageHitIndex");
  781. KdpSearchInProgress = GetExpression ("nt!KdpSearchInProgress");
  782. KdpSearchStartPageFrame = GetExpression ("nt!KdpSearchStartPageFrame");
  783. KdpSearchEndPageFrame = GetExpression ("nt!KdpSearchEndPageFrame");
  784. KdpSearchAddressRangeStart = GetExpression ("nt!KdpSearchAddressRangeStart");
  785. KdpSearchAddressRangeEnd = GetExpression ("nt!KdpSearchAddressRangeEnd");
  786. KdpSearchPfnValueAddress = GetExpression ("nt!KdpSearchPfnValue");
  787. //
  788. // Perform some sanity checks on the values.
  789. //
  790. if (READ_ULONG (KdpSearchInProgress) != 0) {
  791. dprintf ("Search error: Inconsistent value for nt!KdpSearchInProgress \n");
  792. Result = E_INVALIDARG;
  793. goto Exit;
  794. }
  795. //
  796. // Reset the search engine
  797. //
  798. WRITE_ULONG (KdpSearchPageHitIndex, 0);
  799. WRITE_ULONG (KdpSearchInProgress, 1);
  800. PfnSearchValue = ParamAddress;
  801. {
  802. ULONG BytesWritten = 0;
  803. WriteMemory (KdpSearchPfnValueAddress,
  804. &PfnSearchValue,
  805. SizeOfPfnNumber,
  806. &BytesWritten);
  807. if (BytesWritten != SizeOfPfnNumber) {
  808. dprintf ("Search error: failed to write nt!KdpSearchPfnValue \n");
  809. Result = E_INVALIDARG;
  810. goto Exit;
  811. }
  812. }
  813. dprintf ("Searching for PTEs containing PFN value %I64X ...\n", PfnSearchValue);
  814. //
  815. // Read physical memory limits.
  816. //
  817. MmLowestPhysicalPage = GetExpression ("nt!MmLowestPhysicalPage");
  818. MmHighestPhysicalPage = GetExpression ("nt!MmHighestPhysicalPage");
  819. //
  820. // Figure out proper search parameters.
  821. //
  822. StartPage = READ_PVOID (MmLowestPhysicalPage);
  823. ParamStart = StartPage;
  824. EndPage = READ_PVOID (MmHighestPhysicalPage);
  825. ParamEnd = EndPage;
  826. //
  827. // Set the range of addresses that we want searched.
  828. //
  829. AddressStart = PfnSearchValue;
  830. AddressEnd = PfnSearchValue;
  831. WritePointer (KdpSearchAddressRangeStart, PfnSearchValue);
  832. WritePointer (KdpSearchAddressRangeEnd, PfnSearchValue);
  833. if (SizeOfPfnNumber == 8) {
  834. dprintf ("Searching PFNs in range %016I64X - %016I64X \n\n",
  835. StartPage, EndPage);
  836. dprintf ("%-16s %-8s %-16s %-16s %-16s \n", "Pfn","Offset", "Hit", "Va", "Pte");
  837. dprintf ("- - - - - - - - - - - - - - - - - - - - - - ");
  838. dprintf ("- - - - - - - - - - - - - - - - - - - - - - - - - - -\n");
  839. }
  840. else {
  841. dprintf ("Searching PFNs in range %08I64X - %08I64X \n\n",
  842. StartPage, EndPage);
  843. dprintf ("%-8s %-8s %-8s %-8s %-8s \n", "Pfn","Offset", "Hit", "Va", "Pte");
  844. dprintf ("- - - - - - - - - - - - - - - - - - - - - - - - - - -\n");
  845. }
  846. //
  847. // Get system memory description to figure out what ranges
  848. // should we skip. This is important for sparse PFN database
  849. // and for pages managed by drivers.
  850. //
  851. MemoryDescriptor = SearchGetSystemMemoryDescriptor ();
  852. if (MemoryDescriptor == 0) {
  853. dprintf ("Search error: cannot allocate system memory descriptor \n");
  854. Result = E_INVALIDARG;
  855. goto Exit;
  856. }
  857. //
  858. // Search all physical memory in the specified range.
  859. //
  860. WRITE_ULONG (KdpSearchPageHitIndex, 0);
  861. //
  862. // Allocate hits buffer.
  863. //
  864. PfnHitsBuffer = (PULONG64) malloc (PfnHitsBufferSize * sizeof(ULONG64));
  865. if (PfnHitsBuffer == NULL) {
  866. dprintf ("Search error: cannot allocate hits buffer. \n");
  867. Result = E_INVALIDARG;
  868. goto Exit;
  869. }
  870. //
  871. // Find out what pages are physically available create
  872. // page search ranges based on that.
  873. //
  874. // SilviuC: I should use ReadField to read all these structures
  875. // so that I do not have to take into account padding myself.
  876. //
  877. NumberOfRuns = READ_ULONG (MemoryDescriptor);
  878. NumberOfPages = READ_PVOID (MemoryDescriptor + SizeOfPfnNumber);
  879. for (PageFrame = StartPage; PageFrame < EndPage; PageFrame += DefaultRange) {
  880. for (RunIndex = 0; RunIndex < NumberOfRuns; RunIndex += 1) {
  881. //
  882. // BaseAddress and PageCount for current memory run.
  883. //
  884. ULONG64 RunAddress;
  885. RunAddress = MemoryDescriptor + 2 * SizeOfPfnNumber
  886. + RunIndex * GetTypeSize("nt!_PHYSICAL_MEMORY_RUN");
  887. BasePage = READ_PVOID (RunAddress);
  888. PageCount = READ_PVOID (RunAddress + SizeOfPfnNumber);
  889. //
  890. // Figure out real start and end page.
  891. //
  892. RunStartPage = PageFrame;
  893. RunEndPage = PageFrame + DefaultRange;
  894. if (RunEndPage < BasePage) {
  895. continue;
  896. }
  897. if (RunStartPage >= BasePage + PageCount) {
  898. continue;
  899. }
  900. if (RunStartPage < BasePage) {
  901. RunStartPage = BasePage;
  902. }
  903. if (RunEndPage > BasePage + PageCount) {
  904. RunEndPage = BasePage + PageCount;
  905. }
  906. WritePointer (KdpSearchStartPageFrame, RunStartPage);
  907. WritePointer (KdpSearchEndPageFrame, RunEndPage);
  908. //
  909. // Reset search index
  910. //
  911. WRITE_ULONG (KdpSearchPageHitIndex, 0);
  912. //
  913. // Invalidate kd cache
  914. //
  915. WRITE_ULONG (KdpSearchPageHits, 0);
  916. WRITE_ULONG (KdpSearchPageHitOffsets, 0);
  917. //
  918. // This is the trigger for memory search. We piggy back on the same
  919. // code as for !chklowmem and the logic in kernel detects what
  920. // we really want to do.
  921. //
  922. Ioctl (IG_LOWMEM_CHECK, NULL, 0);
  923. //
  924. // Display results
  925. //
  926. Hits = READ_ULONG (KdpSearchPageHitIndex);
  927. for (Index = 0; Index < Hits; Index++) {
  928. NumberOfHits += 1;
  929. dprintf (".");
  930. //
  931. // Add to hits buffer
  932. //
  933. PfnHit = READ_PVOID (KdpSearchPageHits + Index * SizeOfPfnNumber);
  934. PfnHitsBuffer [PfnHitsBufferIndex] = PfnHit;
  935. PfnHitsBufferIndex += 1;
  936. if (PfnHitsBufferIndex >= PfnHitsBufferSize) {
  937. PVOID NewBuffer;
  938. PfnHitsBufferSize *= 2;
  939. NewBuffer = realloc (PfnHitsBuffer,
  940. PfnHitsBufferSize * sizeof(ULONG64));
  941. if (NewBuffer == NULL) {
  942. dprintf ("Search error: cannot reallocate hits buffer with size %u. \n",
  943. PfnHitsBufferSize);
  944. Result = E_INVALIDARG;
  945. goto Exit;
  946. }
  947. PfnHitsBuffer = NewBuffer;
  948. }
  949. }
  950. //
  951. // check for ctrl-c
  952. //
  953. if (CheckControlC()) {
  954. RequestForInterrupt = TRUE;
  955. break;
  956. }
  957. }
  958. if (RequestForInterrupt) {
  959. break;
  960. }
  961. }
  962. //
  963. // Now find all hits in all pages.
  964. //
  965. dprintf ("\n");
  966. dprintf ("Found %u pages with hits. \n", PfnHitsBufferIndex);
  967. dprintf ("Searching now for all hits in relevant pages ... \n");
  968. NumberOfHits = 0;
  969. for (PfnIndex = 0;
  970. !RequestForInterrupt && PfnIndex < PfnHitsBufferIndex;
  971. PfnIndex += 1) {
  972. WRITE_ULONG (KdpSearchPageHitIndex, 0);
  973. WRITE_ULONG (KdpSearchInProgress, 1);
  974. WritePointer (KdpSearchAddressRangeStart, PfnSearchValue);
  975. WritePointer (KdpSearchAddressRangeEnd, PfnSearchValue);
  976. WritePointer (KdpSearchStartPageFrame, PfnHitsBuffer[PfnIndex]);
  977. WritePointer (KdpSearchEndPageFrame, PfnHitsBuffer[PfnIndex]);
  978. WRITE_ULONG (KdpSearchPageHits, 0);
  979. WRITE_ULONG (KdpSearchPageHitOffsets, 0);
  980. Ioctl (IG_LOWMEM_CHECK, NULL, 0);
  981. Hits = READ_ULONG (KdpSearchPageHitIndex);
  982. for (Index = 0; Index < Hits; Index++) {
  983. NumberOfHits += 1;
  984. PfnHit = READ_PVOID (KdpSearchPageHits + Index * SizeOfPfnNumber);
  985. PfnOffset = READ_ULONG (KdpSearchPageHitOffsets + Index * sizeof (ULONG));
  986. VaHit = SearchConvertPageFrameToVa (PfnHit, &VaFlags, &PteAddress);
  987. PfnOffset &= (ULONG)0xFFFF;
  988. if (SizeOfPfnNumber == 8) {
  989. dprintf ("%016I64X %08X %016I64X %016I64X %016I64X \n",
  990. PfnHit,
  991. PfnOffset,
  992. READ_PHYSICAL_ULONG64 (PfnHit * PageSize + PfnOffset),
  993. (VaHit == 0 ? 0 : VaHit + PfnOffset),
  994. PteAddress);
  995. }
  996. else {
  997. VaHit &= (ULONG64)0xFFFFFFFF;
  998. PteAddress &= (ULONG64)0xFFFFFFFF;
  999. dprintf ("%08I64X %08X %08X %08I64X %08I64X \n",
  1000. PfnHit,
  1001. PfnOffset,
  1002. READ_PHYSICAL_ULONG (PfnHit * PageSize + PfnOffset),
  1003. (VaHit == 0 ? 0 : VaHit + PfnOffset),
  1004. PteAddress);
  1005. }
  1006. if (CheckControlC()) {
  1007. RequestForInterrupt = TRUE;
  1008. break;
  1009. }
  1010. }
  1011. }
  1012. dprintf ("\n");
  1013. Result = S_OK;
  1014. //
  1015. // Exit point
  1016. //
  1017. Exit:
  1018. WRITE_ULONG (KdpSearchInProgress, 0);
  1019. PfnSearchValue = 0;
  1020. {
  1021. ULONG BytesWritten = 0;
  1022. WriteMemory (KdpSearchPfnValueAddress,
  1023. &PfnSearchValue,
  1024. SizeOfPfnNumber,
  1025. &BytesWritten);
  1026. if (BytesWritten != SizeOfPfnNumber) {
  1027. dprintf ("Search error: failed to reset nt!KdpSearchPfnValue \n");
  1028. }
  1029. }
  1030. if (PfnHitsBuffer) {
  1031. free (PfnHitsBuffer);
  1032. }
  1033. if (! RequestForInterrupt) {
  1034. dprintf ("Search done (%u hits in %u pages).\n",
  1035. NumberOfHits,
  1036. PfnHitsBufferIndex);
  1037. }
  1038. else {
  1039. dprintf ("Search interrupted. \n");
  1040. }
  1041. return Result;
  1042. }