|
|
/*++
Copyright (c) 1992 Microsoft Corporation
Module Name:
memory.c
Abstract:
WinDbg Extension Api
Author:
Lou Perazzoli (loup)
Environment:
User Mode.
Revision History:
--*/
#include "precomp.h"
#pragma hdrstop
#define PACKET_MAX_SIZE 4000
#define USAGE_ALLOC_SIZE 256*1024
#ifdef _KB
#undef _KB
#endif
#define _KB (PageSize/1024)
typedef struct _PFN_INFO { ULONG64 Master; ULONG64 OriginalPte; ULONG ValidCount; ULONG StandbyCount; ULONG ModifiedCount; ULONG SharedCount; ULONG LockedCount; ULONG PageTableCount; struct _PFN_INFO *Next;} PFN_INFO, *PPFN_INFO;
typedef struct _KERN_MAP1 { ULONG64 StartVa; ULONG64 EndVa; ULONG ValidCount; ULONG StandbyCount; ULONG ModifiedCount; ULONG SharedCount; ULONG LockedCount; ULONG PageTableCount; WCHAR Name[256];} KERN_MAP1, *PKERN_MAP1;
typedef struct _KERN_MAP { ULONG Count; KERN_MAP1 Item[500];} KERN_MAP, *PKERN_MAP;
typedef struct _MMPFNENTRY { ULONG Modified : 1; ULONG ReadInProgress : 1; ULONG WriteInProgress : 1; ULONG PrototypePte: 1; ULONG PageColor : 3; ULONG ParityError : 1; ULONG PageLocation : 3; ULONG RemovalRequested : 1; ULONG CacheAttribute : 2; ULONG Rom : 1; ULONG LockCharged : 1; ULONG DontUse : 16; //overlays USHORT for reference count field.
} MMPFNENTRY;
typedef struct _MMPFN_READ { MMPFNENTRY u3_e1; ULONG u3_e2_ReferenceCount; ULONG64 u1_Flink, u2_Blink, PteAddress, OriginalPte, PteFrame;} MMPFN_READ, *PMMPFN_READ;
typedef struct _PFN_DUMP_CTXT { BOOL PrintIndex; ULONG64 index; BOOL ZeroAfterPrint; PMMPFN_READ pReadPfn;} PFN_DUMP_CTXT, *PPFN_DUMP_CTXT;
UCHAR *PageLocationList[] = { (PUCHAR)"Zeroed ", (PUCHAR)"Free ", (PUCHAR)"Standby ", (PUCHAR)"Modified", (PUCHAR)"ModNoWrt", (PUCHAR)"Bad ", (PUCHAR)"Active ", (PUCHAR)"Trans "};
UCHAR *PageAttribute[] = { (PUCHAR)"NonCached", (PUCHAR)"Cached ", (PUCHAR)"WriteComb", (PUCHAR)"NotMapped"};
ULONG64 MmSubsectionBase;ULONG64 MaxDirbase;#define MAX_DIRBASEVECTOR 256
ULONG64 DirBases[MAX_DIRBASEVECTOR];UCHAR Names[MAX_DIRBASEVECTOR][64];
VOIDPrintPfn64 ( IN ULONG64 PfnAddress );
VOIDDumpMmThreads ( VOID );
VOID DumpWholePfn( IN ULONG64 Address, IN ULONG Flags );
PUCHARDirbaseToImage( IN ULONG64 DirBase );
NTSTATUSBuildDirbaseList( VOID );
LOGICALBuildKernelMap ( OUT PKERN_MAP KernelMap );
ULONGDbgGetPfnSize( VOID ){ return GetTypeSize("nt!_MMPFN");}
LOGICALPoolGetTag ( IN PVOID PoolAddress, IN PULONG PoolTag );
ULONG64 SystemRangeStart;
DECLARE_API( memusage )
/*++
Routine Description:
Dumps the page frame database table
Arguments:
arg -
Return Value:
None.
--*/
{ ULONG result; ULONG64 PfnDb; ULONG64 HighPageAddr; ULONG64 LowPageAddr; ULONG64 HighPage=0; ULONG64 LowPage=0; ULONG64 PageCount; ULONG64 ReadCount; ULONG WasZeroedPage; ULONG WasFreePage; ULONG Total; ULONG WasStandbyPage; ULONG WasModifiedPage; ULONG WasModifiedNoWritePage; ULONG WasBadPage; ULONG WasActiveAndValidPage; ULONG WasTransitionPage; ULONG WasUnknownPage; ULONG64 NPPoolStart; ULONG64 NPSystemStart; ULONG64 Pfn; ULONG64 PfnStart; PCHAR PfnArray; ULONG PfnSize; ULONG NumberOfPfnToRead; ULONG CompleteSoFar = (ULONG) ~0; ULONG64 CacheSize; UNREFERENCED_PARAMETER (args); UNREFERENCED_PARAMETER (Client);
LowPageAddr = GetNtDebuggerData(MmLowestPhysicalPage); HighPageAddr = GetNtDebuggerData(MmHighestPhysicalPage); PfnDb = GetNtDebuggerData(MmPfnDatabase); NPPoolStart = GetNtDebuggerData(MmNonPagedPoolStart); NPSystemStart = GetNtDebuggerData(MmNonPagedSystemStart); SystemRangeStart = GetNtDebuggerDataValue(MmSystemRangeStart);
PfnSize = GetTypeSize("nt!_MMPFN");
NumberOfPfnToRead = 300;
if ( LowPageAddr && HighPageAddr && PfnDb && NPPoolStart && NPSystemStart ) {
if ( !ReadPointer( LowPageAddr, &LowPage) ) { dprintf("%08p: Unable to get low physical page\n",LowPageAddr); return E_INVALIDARG; }
if ( !ReadPointer( HighPageAddr,&HighPage) ) { dprintf("%08p: Unable to get high physical page\n",HighPageAddr); return E_INVALIDARG; }
if ( !ReadPointer( PfnDb,&PfnStart) ) { dprintf("%08p: Unable to get PFN database address\n",PfnDb); return E_INVALIDARG; }
#ifdef IG_GET_CACHE_SIZE
if (GetDebuggerCacheSize(&CacheSize)) { if (CacheSize < (HighPage - LowPage)*PfnSize) { dprintf("*** WARNING Cache size too low, !memusage might take long time to run\n" " Increase Cache to %#lx kb for better performance.\n", (HighPage - LowPage)*PfnSize / 1024); } }#endif
dprintf(" loading PFN database\n");
PfnArray = VirtualAlloc ( NULL, (ULONG) ((HighPage-LowPage+1) * PfnSize), MEM_RESERVE | MEM_COMMIT, PAGE_READWRITE);
if (!PfnArray) { dprintf("Unable to get allocate memory of %I64ld bytes\n", (HighPage+1) * PfnSize); } else {
for (PageCount = LowPage; PageCount <= HighPage; PageCount += NumberOfPfnToRead) {
//dprintf("getting PFN table block - "
// "address %lx - count %lu - page %lu\n",
// Pfn, ReadCount, PageCount);
if ( CheckControlC() ) { VirtualFree (PfnArray,0,MEM_RELEASE); return E_INVALIDARG; }
ReadCount = HighPage - PageCount > NumberOfPfnToRead ? NumberOfPfnToRead : HighPage - PageCount + 1;
ReadCount *= PfnSize;
Pfn = (PfnStart + PageCount * PfnSize);
if (CompleteSoFar != (ULONG) (((PageCount + LowPage) * 100)/ HighPage)) { CompleteSoFar = (ULONG) (((PageCount + LowPage) * 100)/ HighPage); dprintf("loading (%d%% complete)\r", CompleteSoFar); }
// Let KD cache the data - we won't be reading from the array.
if ( !ReadMemory( Pfn, PfnArray + PageCount * PfnSize, (ULONG) ReadCount, &result) ) { dprintf("Unable to get PFN table block - " "address %p - count %lu - page %lu\n", Pfn, ReadCount, PageCount); VirtualFree (PfnArray,0,MEM_RELEASE); return E_INVALIDARG; } } dprintf("\n");
// Now we have a local copy: let's take a look
WasZeroedPage = 0; WasFreePage = 0; WasStandbyPage = 0; WasModifiedPage = 0; WasModifiedNoWritePage = 0; WasBadPage = 0; WasActiveAndValidPage = 0; WasTransitionPage = 0; WasUnknownPage = 0;
CompleteSoFar = 0; for (PageCount = LowPage; PageCount <= HighPage; PageCount++) { ULONG PageLocation=0; ULONG64 Flink=0, Blink=0;
if ( CheckControlC() ) { VirtualFree (PfnArray,0,MEM_RELEASE); return E_INVALIDARG; }
if (CompleteSoFar < (ULONG) (((PageCount + LowPage) * 100)/ HighPage)) { CompleteSoFar = (ULONG) (((PageCount + LowPage) * 100)/ HighPage); dprintf("Compiling memory usage data (%d%% Complete).\r", CompleteSoFar); }
Pfn = (PfnStart + PageCount * PfnSize);
GetFieldValue(Pfn, "nt!_MMPFN", "u3.e1.PageLocation", PageLocation);
switch (PageLocation) {
case ZeroedPageList: GetFieldValue(Pfn, "nt!_MMPFN", "u1.Flink", Flink); GetFieldValue(Pfn, "nt!_MMPFN", "u2.Blink", Blink); if ((Flink == 0) && (Blink == 0)) { WasActiveAndValidPage++; } else { WasZeroedPage++; } break;
case FreePageList: WasFreePage++; break;
case StandbyPageList: WasStandbyPage++; break;
case ModifiedPageList: WasModifiedPage++; break;
case ModifiedNoWritePageList: WasModifiedNoWritePage++; break;
case BadPageList: WasModifiedNoWritePage++; break;
case ActiveAndValid: WasActiveAndValidPage++; break;
case TransitionPage: WasTransitionPage++; break;
default: WasUnknownPage++; break; } } dprintf("\n");
dprintf( " Zeroed: %6lu (%6lu kb)\n", WasZeroedPage, WasZeroedPage * _KB); dprintf( " Free: %6lu (%6lu kb)\n", WasFreePage, WasFreePage * _KB); dprintf( " Standby: %6lu (%6lu kb)\n", WasStandbyPage, WasStandbyPage * _KB); dprintf( " Modified: %6lu (%6lu kb)\n", WasModifiedPage, WasModifiedPage * _KB); dprintf( " ModifiedNoWrite: %6lu (%6lu kb)\n", WasModifiedNoWritePage,WasModifiedNoWritePage * _KB); dprintf( " Active/Valid: %6lu (%6lu kb)\n", WasActiveAndValidPage, WasActiveAndValidPage * _KB); dprintf( " Transition: %6lu (%6lu kb)\n", WasTransitionPage, WasTransitionPage * _KB); dprintf( " Unknown: %6lu (%6lu kb)\n", WasUnknownPage, WasUnknownPage * _KB);
Total = WasZeroedPage + WasFreePage + WasStandbyPage + WasModifiedPage + WasModifiedNoWritePage + WasActiveAndValidPage + WasTransitionPage + WasUnknownPage + WasUnknownPage; dprintf( " TOTAL: %6lu (%6lu kb)\n", Total, Total * _KB); } MemoryUsage (PfnStart, LowPage, HighPage, 0); VirtualFree (PfnArray,0,MEM_RELEASE); } return S_OK;}
DECLARE_API( lockedpages )
/*++
Routine Description:
Displays the driver-locked pages.
Arguments:
None.
Return Value:
None.
--*/
{ ULONG64 LockHeader; ULONG64 LockTracker; ULONG64 NextEntry; ULONG GlistOff; ULONG64 Count; CHAR Buffer[256]; ULONG64 displacement;
UNREFERENCED_PARAMETER (args); UNREFERENCED_PARAMETER (Client);
LockHeader = GetExpression ("nt!MmLockedPagesHead");
if (GetFieldValue(LockHeader, "nt!_LOCK_HEADER", "Count", Count)) {
dprintf("%08p: Unable to get lock header data.\n", LockHeader); return E_INVALIDARG; }
GetFieldValue(LockHeader,"nt!_LOCK_HEADER","ListHead.Flink", NextEntry); if (NextEntry == 0) { dprintf("Locked pages tracking not enabled\n"); return E_INVALIDARG; }
if (NextEntry == LockHeader) { dprintf("There are no pages currently locked.\n"); return E_INVALIDARG; }
dprintf("%I64d locked pages...\n", Count); dprintf("Tracker MDL PageCount Caller/CallersCaller\n");
GetFieldOffset("LOCK_TRACKER", "GlobalListEntry", &GlistOff); while (NextEntry != LockHeader) {
LockTracker = (NextEntry - GlistOff);
if (GetFieldValue(LockTracker, "nt!LOCK_TRACKER", "GlobalListEntry.Flink", NextEntry)) {
dprintf("%08p: Unable to get lock tracker data.\n", LockTracker); return E_INVALIDARG; }
InitTypeRead(LockTracker, nt!LOCK_TRACKER); dprintf("Tracker %p : MDL @ %p, PageCount = %I64x, Caller = %p %p\n", LockTracker, ReadField(Mdl), ReadField(Count));
Buffer[0] = '!'; GetSymbol (ReadField(CallingAddress), (PCHAR)Buffer, &displacement);
dprintf("%s", Buffer); if (displacement) { dprintf( "+0x%1p", displacement ); } dprintf("/");
Buffer[0] = '!'; GetSymbol (ReadField(CallersCaller), (PCHAR)Buffer, &displacement);
dprintf("%s", Buffer); if (displacement) { dprintf( "+0x%1p", displacement ); }
dprintf("\n");
if (CheckControlC()) { break; } } return S_OK;}
DECLARE_API( pfnperf )
/*++
Routine Description:
Displays the PFN spinlock duration list.
Arguments:
None.
Return Value:
None.
--*/
{ ULONG64 PfnDuration; ULONG64 PfnEntry; ULONG64 displacement; ULONG64 AcquiredAddress; ULONG64 ReleasedAddress; CHAR SymbolBuffer[80]; PCHAR SymPointer; ULONG EntrySize; ULONG result; ULONG64 ReadCount; ULONG64 i; PCHAR LocalData; PCHAR local; ULONG64 NumberOfPfnEntries;
UNREFERENCED_PARAMETER (args); UNREFERENCED_PARAMETER (Client);
PfnDuration = GetExpression ("nt!MiPfnSorted");
if (PfnDuration == 0) { dprintf("%08p: Unable to get PFN duration data.\n", PfnDuration); return E_INVALIDARG; }
PfnEntry = PfnDuration; EntrySize = GetTypeSize("nt!_MMPFNTIMINGS");
NumberOfPfnEntries = GetUlongValue ("MiMaxPfnTimings");
dprintf("Top %ld PFN lock holders sorted by duration\n", NumberOfPfnEntries);
LocalData = LocalAlloc(LPTR, (ULONG) (NumberOfPfnEntries * EntrySize));
if (!LocalData) { dprintf("unable to get allocate %ld bytes of memory\n", NumberOfPfnEntries * EntrySize); return E_INVALIDARG; }
ReadCount = NumberOfPfnEntries * EntrySize;
if ((!ReadMemory(PfnDuration, LocalData, (ULONG) ReadCount, &result)) || (result < (ULONG) ReadCount)) { dprintf("unable to get PFN duration table - " "address %p - count %I64u\n", LocalData, ReadCount); } else {
dprintf("\nDuration LockAcquirer LockReleaser\n");
local = LocalData;
for (i = 0; i < NumberOfPfnEntries; i += 1) {
ULONG64 HoldTime=0, Address = 0;
GetFieldValue(PfnEntry, "nt!_MMPFNTIMINGS", "HoldTime", HoldTime); GetFieldValue(PfnEntry, "nt!_MMPFNTIMINGS", "AcquiredAddress", AcquiredAddress); GetFieldValue(PfnEntry, "nt!_MMPFNTIMINGS", "ReleasedAddress", ReleasedAddress);
//
// Sign extend if necessary.
//
if (!IsPtr64()) { AcquiredAddress = (ULONG64)(LONG64)(LONG)AcquiredAddress; ReleasedAddress = (ULONG64)(LONG64)(LONG)ReleasedAddress; }
//
// Output a '*' if the lock was contended for, '.' if not.
//
dprintf( "%3d%c %I64ld ", (ULONG)i, HoldTime & 0x1 ? '*' : '.', HoldTime );
SymbolBuffer[0] = '!'; GetSymbol(AcquiredAddress, (PCHAR)SymbolBuffer, &displacement); SymPointer = SymbolBuffer; while (*SymPointer != '!') { SymPointer += 1; } SymPointer += 1; dprintf ("%s", SymPointer); if (displacement) { dprintf( "+0x%x", displacement ); } dprintf( ", ");
SymbolBuffer[0] = '!'; GetSymbol(ReleasedAddress, (PCHAR)SymbolBuffer, &displacement); SymPointer = SymbolBuffer; while (*SymPointer != '!') { SymPointer += 1; } SymPointer += 1; dprintf ("%s", SymPointer); if (displacement) { dprintf( "+0x%x", displacement ); }
dprintf( "\n");
PfnEntry += EntrySize; } }
if (LocalData) { LocalFree((void *)LocalData); }
return S_OK;}
DECLARE_API( pfn )
/*++
Routine Description:
Displays the corresponding PDE and PTE.
Arguments:
arg - Supplies the Page frame number in hex.
Return Value:
None.
--*/
{ ULONG64 Address; ULONG64 PfnDb; ULONG64 Pfn; ULONG64 PfnStart; ULONG Flags; ULONG PfnSize;
PfnSize = GetTypeSize("nt!_MMPFN");
if (!PfnSize) { dprintf("unable to _MMPFN type.\n"); return E_INVALIDARG; }
PfnDb = GetNtDebuggerData( MmPfnDatabase );
if (!PfnDb) { dprintf("unable to get PFN0 database address\n"); return E_INVALIDARG; }
PfnStart = 0; if (!ReadPointer(PfnDb,&PfnStart)) { dprintf("unable to get PFN database address %p\n", PfnDb); return E_INVALIDARG; }
Address = 0; Flags = 0;
if (GetExpressionEx(args, &Address, &args)) { Flags = (ULONG) GetExpression(args); }
if (Flags != 0) { if (!TargetIsDump) { ULONG64 CacheSize; Ioctl(IG_GET_CACHE_SIZE, &CacheSize, sizeof(CacheSize));
if (TargetMachine == IMAGE_FILE_MACHINE_IA64) { if (CacheSize < 0x10000000) { dprintf("CacheSize too low - increasing to 10M\n"); ExecuteCommand(Client, ".cache 10000"); } } else if (CacheSize < 0x1000000) { dprintf("CacheSize too low - increasing to 1M\n"); ExecuteCommand(Client, ".cache 1000"); } } DumpWholePfn ( Address, Flags); return E_INVALIDARG; }
if (Address >= PfnStart) { //
// Ensure any passed in address is offsetted correctly.
//
Address = (Address - PfnStart) / PfnSize; }
Pfn = (PfnStart + Address * PfnSize);
PrintPfn64(Pfn); return S_OK;}
VOIDDumpTerminalServerMemory ( VOID ){ ULONG64 Next; ULONG64 SessionListPointer; ULONG64 SessionData; ULONG SessionId; ULONG SessionWsListLinksOffset; ULONG64 NonPagedPoolBytes; ULONG64 PagedPoolBytes; ULONG64 CommittedPages; ULONG Failures; ULONG TotalFailures; ULONG64 SessionPoolSize; ULONG64 SessionViewSize;
dprintf("\n\tTerminal Server Memory Usage By Session:\n\n");
// Get the offset of ActiveProcessLinks in _EPROCESS
if (GetFieldOffset("nt!_MM_SESSION_SPACE", "WsListEntry", &SessionWsListLinksOffset)) { return; }
SessionListPointer = GetExpression ("nt!MiSessionWsList");
if (!SessionListPointer) { dprintf("Unable to get value of SessionListPointer\n"); return; }
if (GetFieldValue( SessionListPointer, "nt!_LIST_ENTRY", "Flink", Next )) { dprintf("Unable to read _LIST_ENTRY @ %p\n", SessionListPointer); return; }
SessionPoolSize = GetUlongValue ("MmSessionPoolSize"); SessionViewSize = GetUlongValue ("MmSessionViewSize");
dprintf("\tSession Paged Pool Maximum is %ldK\n", SessionPoolSize / 1024); dprintf("\tSession View Space Maximum is %ldK\n", SessionViewSize / 1024);
while(Next != SessionListPointer) {
SessionData = Next - SessionWsListLinksOffset;
if (GetFieldValue( SessionData, "nt!_MM_SESSION_SPACE", "SessionId", SessionId )) { dprintf("Unable to read _MM_SESSION_SPACE at %p\n",SessionData); return; }
TotalFailures = 0;
dprintf("\n\tSession ID %x @ %p:\n",SessionId, SessionData);
GetFieldValue( SessionData, "nt!_MM_SESSION_SPACE", "NonPagedPoolBytes", NonPagedPoolBytes );
GetFieldValue( SessionData, "nt!_MM_SESSION_SPACE", "PagedPoolBytes", PagedPoolBytes );
GetFieldValue( SessionData, "nt!_MM_SESSION_SPACE", "CommittedPages", CommittedPages );
GetFieldValue( SessionData, "nt!_MM_SESSION_SPACE", "SessionPoolAllocationFailures[0]", Failures); TotalFailures += Failures;
GetFieldValue( SessionData, "nt!_MM_SESSION_SPACE", "SessionPoolAllocationFailures[1]", Failures); TotalFailures += Failures;
GetFieldValue( SessionData, "nt!_MM_SESSION_SPACE", "SessionPoolAllocationFailures[2]", Failures); TotalFailures += Failures;
GetFieldValue( SessionData, "nt!_MM_SESSION_SPACE", "SessionPoolAllocationFailures[3]", Failures); TotalFailures += Failures;
dprintf("\tNonpaged Pool Usage: %8I64ldK\n",NonPagedPoolBytes / 1024); dprintf("\tPaged Pool Usage: %8I64ldK\n",PagedPoolBytes / 1024);
if (TotalFailures != 0) { dprintf("\n\t*** %ld Pool Allocation Failures ***\n\n",TotalFailures); }
dprintf("\tCommit Usage: %8I64ldK\n",CommittedPages * _KB);
GetFieldValue(SessionData, "nt!_MM_SESSION_SPACE", "WsListEntry.Flink", Next);
if (CheckControlC()) { return; } }
return;}
#if (_MSC_VER < 1200) && defined(_M_IX86)
#pragma optimize("g", off)
#endif
DECLARE_API( vm )
/*++
Routine Description:
Displays physical memory usage by driver.
Arguments:
arg - Flags : 0 (default) == systemwide vm & per-process output. 1 == just systemwide vm counts, no per-process output. 2 == systemwide vm, per-process & Mm thread output. 3 == systemwide vm & Mm thread display, no per-process output.
Return Value:
None.
--*/
{ ULONG Flags; ULONG Index; ULONG64 MemorySize; ULONG64 CommitLimit; ULONG64 CommitTotal; ULONG64 SharedCommit; ULONG64 SpecialPoolPages; ULONG64 ProcessCommit; ULONG64 PagedPoolCommit; ULONG64 DriverCommit; ULONG64 ZeroPages; ULONG64 FreePages; ULONG64 StandbyPages; ULONG64 ModifiedPages; ULONG64 ModifiedNoWrite; ULONG64 NumberOfPagedPools; ULONG64 NumberOfPagingFiles; ULONG64 AvailablePages; ULONG64 LockPagesCount; ULONG64 SpecialPagesNonPaged; ULONG64 SpecialPagesNonPagedMaximum; ULONG64 FreePtesPointer; ULONG64 FreeNonPagedPtes; ULONG64 ResidentAvailablePages; ULONG64 PoolLoc; ULONG64 PoolLocBase; ULONG result; ULONG TotalPages; ULONG ExtendedCommit; ULONG64 TotalProcessCommit; PPROCESS_COMMIT_USAGE ProcessCommitUsage; ULONG i; ULONG NumberOfProcesses; ULONG64 PagedPoolBytesMax; ULONG64 PagedPoolBytes; ULONG64 NonPagedPoolBytesMax; ULONG64 NonPagedPoolBytes; ULONG64 PageFileBase; ULONG64 PageFilePointer; ULONG PageFileFullExtendPages; ULONG PageFileFullExtendCount; PUCHAR tempbuffer; UNICODE_STRING unicodeString; ULONG64 PagedPoolInfoPointer; ULONG64 FreeSystemPtes; UCHAR PagedPoolType[] = "nt!_MM_PAGED_POOL_INFO"; ULONG64 AllocatedPagedPool=0; ULONG Desc_TotalPages=0, TotalBigPages=0, Desc_size; ULONG PtrSize = DBG_PTR_SIZE; ULONG NumberOfNonPagedPools; ULONG64 ExpNumberOfNonPagedPools;
Flags = 0; Flags = (ULONG) GetExpression(args);
dprintf("\n*** Virtual Memory Usage ***\n"); MemorySize = GetNtDebuggerDataValue(MmNumberOfPhysicalPages); dprintf ("\tPhysical Memory: %8I64ld (%8I64ld Kb)\n",MemorySize,_KB*MemorySize); NumberOfPagingFiles = GetNtDebuggerDataValue(MmNumberOfPagingFiles); PageFilePointer = GetExpression ("nt!MmPagingFile"); if (NumberOfPagingFiles == 0) { dprintf("\n************ NO PAGING FILE *********************\n\n"); } else { for (i = 0; i < NumberOfPagingFiles; i++) { ULONG64 PageFileName_Buffer=0;
if (!ReadPointer(PageFilePointer, &PageFileBase)) {
dprintf("%08p: Unable to get page file\n",PageFilePointer); break; }
if (GetFieldValue(PageFileBase, "nt!_MMPAGING_FILE", "PageFileName.Buffer", PageFileName_Buffer)) {
dprintf("%08p: Unable to get page file\n",PageFilePointer); break; }
InitTypeRead(PageFileBase, nt!_MMPAGING_FILE);
if (PageFileName_Buffer == 0) { dprintf("\tNo Name for Paging File\n\n"); } else {
unicodeString.Length = (USHORT) ReadField(PageFileName.Length);
tempbuffer = LocalAlloc(LPTR, unicodeString.Length);
unicodeString.Buffer = (PWSTR)tempbuffer; unicodeString.MaximumLength = unicodeString.Length;
if (!ReadMemory ( PageFileName_Buffer, tempbuffer, unicodeString.Length, &result)) { dprintf("\tPaging File Name paged out\n"); } else { dprintf("\tPage File: %wZ\n", &unicodeString); }
LocalFree(tempbuffer);
}
dprintf("\t Current: %9I64ldKb Free Space: %9I64ldKb\n", ReadField(Size)*_KB, ReadField(FreeSpace)*_KB); dprintf("\t Minimum: %9I64ldKb Maximum: %9I64ldKb\n", ReadField(MinimumSize)*_KB, ReadField(MaximumSize)*_KB); PageFilePointer += PtrSize; } }
PagedPoolInfoPointer = GetExpression ("nt!MmPagedPoolInfo");
if (GetFieldValue(PagedPoolInfoPointer, PagedPoolType, "AllocatedPagedPool", AllocatedPagedPool)) {
dprintf("%08p: Unable to get paged pool info %p\n",PagedPoolInfoPointer); }
PagedPoolBytesMax = GetNtDebuggerDataValue(MmSizeOfPagedPoolInBytes); PagedPoolBytes = AllocatedPagedPool; PagedPoolBytes *= PageSize; NonPagedPoolBytesMax = GetNtDebuggerDataValue(MmMaximumNonPagedPoolInBytes); NonPagedPoolBytes = GetUlongValue ("MmAllocatedNonPagedPool"); NonPagedPoolBytes *= PageSize; CommitLimit = GetNtDebuggerDataValue(MmTotalCommitLimit); CommitTotal = GetNtDebuggerDataValue(MmTotalCommittedPages); SharedCommit = GetNtDebuggerDataValue(MmSharedCommit); DriverCommit = GetNtDebuggerDataValue(MmDriverCommit); ProcessCommit = GetNtDebuggerDataValue(MmProcessCommit); PagedPoolCommit = GetNtDebuggerDataValue(MmPagedPoolCommit); ZeroPages = GetNtDebuggerDataValue(MmZeroedPageListHead); FreePages = GetNtDebuggerDataValue(MmFreePageListHead); StandbyPages = GetNtDebuggerDataValue(MmStandbyPageListHead); ModifiedPages = GetNtDebuggerDataValue(MmModifiedPageListHead); ModifiedNoWrite = GetNtDebuggerDataValue(MmModifiedNoWritePageListHead); AvailablePages = GetNtDebuggerDataValue(MmAvailablePages); ResidentAvailablePages = GetNtDebuggerDataValue(MmResidentAvailablePages);
if (BuildNo < 2257) { ExtendedCommit = GetUlongValue("MmExtendedCommit"); PageFileFullExtendPages = GetUlongValue("MmPageFileFullExtendPages"); PageFileFullExtendCount = GetUlongValue("MmPageFileFullExtendCount"); } FreeSystemPtes = GetUlongValue("MmTotalFreeSystemPtes"); LockPagesCount = GetUlongValue("MmSystemLockPagesCount"); SpecialPagesNonPaged = GetUlongValue("MiSpecialPagesNonPaged"); SpecialPagesNonPagedMaximum = GetUlongValue("MiSpecialPagesNonPagedMaximum");
FreePtesPointer = GetExpression ("nt!MmTotalFreeSystemPtes");
FreePtesPointer += sizeof(ULONG); FreeNonPagedPtes = 0; if (!ReadMemory (FreePtesPointer, &FreeNonPagedPtes, sizeof(ULONG), &result)) { dprintf("\tError reading free nonpaged PTEs %p\n", FreePtesPointer); }
SpecialPoolPages = GetUlongValue("nt!MmSpecialPagesInUse");
dprintf("\tAvailable Pages: %8I64ld (%8I64ld Kb)\n",AvailablePages, AvailablePages*_KB); dprintf("\tResAvail Pages: %8I64ld (%8I64ld Kb)\n",ResidentAvailablePages, ResidentAvailablePages*_KB);
if ((LONG64) (ResidentAvailablePages - LockPagesCount) < 100) {
dprintf("\n\t********** Running out of physical memory **********\n\n"); } dprintf("\tLocked IO Pages: %8I64ld (%8I64ld Kb)\n",LockPagesCount,_KB*LockPagesCount); dprintf("\tFree System PTEs: %8I64ld (%8I64ld Kb)\n",FreeSystemPtes,_KB*FreeSystemPtes); dprintf("\tFree NP PTEs: %8I64ld (%8I64ld Kb)\n",FreeNonPagedPtes,_KB*FreeNonPagedPtes); dprintf("\tFree Special NP: %8I64ld (%8I64ld Kb)\n", (SpecialPagesNonPagedMaximum - SpecialPagesNonPaged), _KB*(SpecialPagesNonPagedMaximum - SpecialPagesNonPaged));
dprintf("\tModified Pages: %8I64ld (%8I64ld Kb)\n",ModifiedPages,ModifiedPages*_KB); if ((AvailablePages < 50) && (ModifiedPages > 200)) { dprintf("\t********** High Number Of Modified Pages ********\n"); }
if (ModifiedNoWrite > ((MemorySize / 100) * 3)) { dprintf("\t********** High Number Of Modified No Write Pages ********\n"); dprintf("\tModified No Write Pages: %I64ld (%8I64ld Kb)\n", ModifiedNoWrite,_KB*ModifiedNoWrite); }
//
// Dump all the nonpaged pools.
//
PoolLoc = GetNtDebuggerData(NonPagedPoolDescriptor ); Desc_TotalPages = 0; TotalBigPages=0; if ( !PoolLoc || GetFieldValue(PoolLoc, "nt!_POOL_DESCRIPTOR", "TotalPages", Desc_TotalPages)) {
dprintf("%08p: Unable to get pool descriptor\n",PoolLoc); return E_INVALIDARG; }
Desc_size = GetTypeSize("nt!_POOL_DESCRIPTOR");
if (ExpNumberOfNonPagedPools = GetExpression("nt!ExpNumberOfNonPagedPools")) { NumberOfNonPagedPools = GetUlongFromAddress (ExpNumberOfNonPagedPools); } else { NumberOfNonPagedPools = 0; }
if (NumberOfNonPagedPools > 1) {
TotalPages = 0;
PoolLocBase = GetExpression ("nt!ExpNonPagedPoolDescriptor");
if (PoolLocBase != 0) {
for (Index = 0; Index < NumberOfNonPagedPools; Index += 1) {
if (!ReadPointer(PoolLocBase, &PoolLoc)) {
dprintf("%08p: Unable to get nonpaged pool info\n",PoolLocBase); break; }
if (GetFieldValue(PoolLoc, "nt!_POOL_DESCRIPTOR", "TotalPages", Desc_TotalPages)) {
dprintf("%08p: Unable to get pool descriptor\n",PoolLoc); return E_INVALIDARG; } GetFieldValue(PoolLoc,"_POOL_DESCRIPTOR","TotalBigPages",TotalBigPages);
dprintf("\tNonPagedPool %1ld Used: %5ld (%8ld Kb)\n", Index, Desc_TotalPages + TotalBigPages, _KB*(Desc_TotalPages + TotalBigPages));
TotalPages += Desc_TotalPages + TotalBigPages; PoolLocBase += PtrSize; } } }
GetFieldValue(PoolLoc,"nt!_POOL_DESCRIPTOR","TotalBigPages",TotalBigPages);
if (NumberOfNonPagedPools > 1) { dprintf("\tNonPagedPool Usage: %5ld (%8ld Kb)\n", TotalPages,_KB*TotalPages); } else { dprintf("\tNonPagedPool Usage: %5ld (%8ld Kb)\n", Desc_TotalPages + TotalBigPages, _KB*(Desc_TotalPages + TotalBigPages)); }
dprintf("\tNonPagedPool Max: %5I64ld (%8I64ld Kb)\n", NonPagedPoolBytesMax/PageSize,_KB*(NonPagedPoolBytesMax/PageSize));
if ((Desc_TotalPages + TotalBigPages) > 4 * ((NonPagedPoolBytesMax / PageSize) / 5)) { dprintf("\t********** Excessive NonPaged Pool Usage *****\n"); }
//
// Dump all the paged pools.
//
NumberOfPagedPools = GetNtDebuggerDataValue(ExpNumberOfPagedPools);
TotalPages = 0;
PoolLocBase = GetExpression ("nt!ExpPagedPoolDescriptor");
if ((PoolLocBase != 0) && (NumberOfPagedPools != 0)) {
for (Index = 0; (Index < (NumberOfPagedPools + 1)) ; Index += 1) {
if (Index && (BuildNo <= 2464)) { PoolLoc += Desc_size; } else { if (!ReadPointer(PoolLocBase, &PoolLoc)) {
dprintf("%08p: Unable to get paged pool info\n",PoolLocBase); break; }
} if (GetFieldValue(PoolLoc, "nt!_POOL_DESCRIPTOR", "TotalPages", Desc_TotalPages)) {
dprintf("%08p: Unable to get pool descriptor, PagedPool usage may be wrong\n",PoolLoc); break; } GetFieldValue(PoolLoc,"nt!_POOL_DESCRIPTOR","TotalBigPages",TotalBigPages);
dprintf("\tPagedPool %1ld Usage: %5ld (%8ld Kb)\n", Index, Desc_TotalPages + TotalBigPages, _KB*(Desc_TotalPages + TotalBigPages)); TotalPages += Desc_TotalPages + TotalBigPages; PoolLocBase += PtrSize; } }
if (PagedPoolBytes > 95 * (PagedPoolBytesMax/ 100)) { dprintf("\t********** Excessive Paged Pool Usage *****\n"); }
dprintf("\tPagedPool Usage: %5ld (%8ld Kb)\n", TotalPages,_KB*TotalPages); dprintf("\tPagedPool Maximum: %5I64ld (%8I64ld Kb)\n", PagedPoolBytesMax/PageSize,_KB*(PagedPoolBytesMax/PageSize)); dprintf("\tShared Commit: %8I64ld (%8I64ld Kb)\n",SharedCommit,_KB*SharedCommit ); dprintf("\tSpecial Pool: %8I64ld (%8I64ld Kb)\n",SpecialPoolPages,_KB*SpecialPoolPages ); dprintf("\tShared Process: %8I64ld (%8I64ld Kb)\n",ProcessCommit,_KB*ProcessCommit );
dprintf("\tPagedPool Commit: %8I64ld (%8I64ld Kb)\n",PagedPoolCommit,_KB*PagedPoolCommit); dprintf("\tDriver Commit: %8I64ld (%8I64ld Kb)\n",DriverCommit, _KB*DriverCommit ); dprintf("\tCommitted pages: %8I64ld (%8I64ld Kb)\n",CommitTotal, _KB*CommitTotal ); dprintf("\tCommit limit: %8I64ld (%8I64ld Kb)\n",CommitLimit, _KB*CommitLimit ); if ((CommitTotal + 100) > CommitLimit) { dprintf("\n\t********** Number of committed pages is near limit ********\n"); } if (BuildNo < 2257) { if (ExtendedCommit != 0) { dprintf("\n\t********** Commit has been extended with VM popup ********\n"); dprintf("\tExtended by: %8ld (%8ld Kb)\n", ExtendedCommit,_KB*ExtendedCommit); }
if (PageFileFullExtendCount) { if (PageFileFullExtendCount == 1) { dprintf("\n\t****** ALL PAGING FILE BECAME FULL ONCE - COMMITMENT ADJUSTED ****\n", PageFileFullExtendCount); } else { dprintf("\n\t****** ALL PAGING FILE BECAME FULL (%u times) - COMMITMENT ADJUSTED ****\n", PageFileFullExtendCount); } dprintf("\tCurrent adjust: %8ld (%8ld Kb)\n", PageFileFullExtendPages, _KB*PageFileFullExtendPages); } } dprintf("\n");
if ((Flags & 0x1) == 0) {
ProcessCommitUsage = GetProcessCommit( &TotalProcessCommit, &NumberOfProcesses ); if (ProcessCommitUsage == NULL) { dprintf("\nProcessCommitUsage could not be calculated\n"); } else { if (TotalProcessCommit != 0) { dprintf("\tTotal Private: %8I64ld (%8I64ld Kb)\n", TotalProcessCommit,_KB*TotalProcessCommit); }
for (i=0; i<NumberOfProcesses; i++) { dprintf( " %04I64lx %-15s %6I64d (%8I64ld Kb)\n", ProcessCommitUsage[i].ClientId, ProcessCommitUsage[i].ImageFileName, ProcessCommitUsage[i].CommitCharge, _KB*(ProcessCommitUsage[i].CommitCharge) ); } HeapFree(GetProcessHeap(), 0, ProcessCommitUsage); } }
if (Flags & 0x2) { if (Client && (ExtQuery(Client) == S_OK)) {
dprintf("\n\tMemory Management Thread Stacks:\n"); DumpMmThreads ();
ExtRelease(); } }
if (Flags & 0x4) { if (Client && (ExtQuery(Client) == S_OK)) {
DumpTerminalServerMemory ();
ExtRelease(); } }
return S_OK;}
#if (_MSC_VER < 1200) && defined(_M_IX86)
#pragma optimize("", on)
#endif
VOIDDumpWholePfn( IN ULONG64 Address, IN ULONG Flags )
/*++
Routine Description:
Dumps the PFN database
Arguments:
Address - address to dump at Flags -
Return Value:
None.
--*/
{ ULONG result; ULONG64 HighPage; ULONG64 LowPage; ULONG64 PageCount; ULONG64 ReadCount; ULONG64 i; ULONG64 Pfn; ULONG64 PfnStart; PUCHAR PfnArray; PUCHAR PfnArrayPointer; ULONG64 VirtualAddress; ULONG MatchLocation; BOOLEAN foundlink; BOOLEAN RandomAccessRequired; ULONG PfnSize; ULONG NumberOfPfnToRead; ULONG sz; MMPFNENTRY u3_e1; CHAR InPageError;
LowPage = GetNtDebuggerDataValue(MmLowestPhysicalPage); HighPage = GetNtDebuggerDataValue(MmHighestPhysicalPage); PfnStart = GetNtDebuggerDataPtrValue(MmPfnDatabase);
PfnSize = GetTypeSize("nt!_MMPFN");
//
// Read sufficient pages such that htere isn't lot of wait
// before first page dump.
//
NumberOfPfnToRead = 2000;
PfnArray = NULL;
if (Flags == 7) { RandomAccessRequired = TRUE; } else { RandomAccessRequired = FALSE; }
if (RandomAccessRequired == FALSE) { dprintf("\n Page Flink Blk/Shr Ref V PTE Address SavedPTE Frame State\n"); }
//
// If asked to dump the whole database or we're going to need the ability
// to look up random frames, then read in the whole database now.
//
if (Address == 0 || RandomAccessRequired == TRUE) {
PfnArray = LocalAlloc(LPTR, (ULONG) (HighPage+1) * PfnSize); if (!PfnArray) { dprintf("unable to get allocate %ld bytes of memory\n", (HighPage+1) * PfnSize); return; }
for (PageCount = LowPage; PageCount <= HighPage; PageCount += NumberOfPfnToRead) {
if (CheckControlC()) { goto alldone; }
ReadCount = HighPage - PageCount > NumberOfPfnToRead ? NumberOfPfnToRead : HighPage - PageCount + 1;
ReadCount *= PfnSize;
Pfn = (PfnStart + PageCount * PfnSize);
PfnArrayPointer = (PUCHAR)(PfnArray + (ULONG) PageCount * PfnSize);
//
// KD caches the Pfns
//
if ((!ReadMemory(Pfn, PfnArrayPointer, (ULONG) ReadCount, &result)) || (result < (ULONG) ReadCount)) { dprintf("unable to get PFN table block - " "address %p - count %I64u - page %I64lu\n", Pfn, ReadCount, PageCount); goto alldone; } for (i = PageCount; (i < PageCount + NumberOfPfnToRead) && (i < HighPage); i += 1, Pfn = (Pfn + PfnSize)) { ULONG u3_e2_ReferenceCount=0; ULONG64 u1_Flink=0, u2_Blink=0, PteAddress=0, OriginalPte=0, PteFrame=0;
if (RandomAccessRequired == TRUE) { if ((i % 256 ) == 0) { dprintf("."); // every 256 pages, print a dot
} } else { GetFieldValue(Pfn, "nt!_MMPFN", "u1.Flink", u1_Flink); GetFieldValue(Pfn, "nt!_MMPFN", "u2.Blink", u2_Blink); GetFieldValue(Pfn, "nt!_MMPFN", "PteAddress",PteAddress); GetFieldValue(Pfn, "nt!_MMPFN", "OriginalPte",OriginalPte); GetFieldValue(Pfn, "nt!_MMPFN", "u3.e2.ReferenceCount", u3_e2_ReferenceCount); GetFieldValue(Pfn, "nt!_MMPFN", "u3.e1", u3_e1);
if (GetFieldValue(Pfn, "nt!_MMPFN", "u4.PteFrame", PteFrame) == FIELDS_DID_NOT_MATCH) { GetFieldValue(Pfn, "nt!_MMPFN", "u3.e1.InPageError", InPageError); GetFieldValue(Pfn, "nt!_MMPFN", "PteFrame", PteFrame); } else { GetFieldValue(Pfn, "nt!_MMPFN", "u4.InPageError", InPageError); }
if (u3_e1.PrototypePte == 0) { VirtualAddress = DbgGetVirtualAddressMappedByPte(PteAddress); } else { VirtualAddress = 0; }
dprintf("%5I64lx %8p %8p%6x %8p %8p ", i, u1_Flink, u2_Blink, u3_e2_ReferenceCount, PteAddress, VirtualAddress);
dprintf("%8p ", OriginalPte);
dprintf("%6I64lx ", PteFrame);
dprintf("%s %c%c%c%c%c%c\n", PageLocationList[u3_e1.PageLocation], u3_e1.Modified ? 'M':' ', u3_e1.PrototypePte ? 'P':' ', u3_e1.ReadInProgress ? 'R':' ', u3_e1.WriteInProgress ? 'W':' ', InPageError ? 'E':' ', u3_e1.ParityError ? 'X':' ' ); }
if (CheckControlC()) { goto alldone; } } }
if (RandomAccessRequired == TRUE) { dprintf("\n"); } else { goto alldone; } }
dprintf("\n Page Flink Blk/Shr Ref V PTE Address SavedPTE Frame State\n");
Pfn = (PfnStart + Address * PfnSize);
if (GetFieldValue(Pfn, "nt!_MMPFN", "u3.e1", u3_e1)) { dprintf("unable to get PFN element\n"); goto alldone; } MatchLocation = u3_e1.PageLocation;
do { ULONG u3_e2_ReferenceCount=0; ULONG64 u1_Flink=0, u2_Blink=0, PteAddress=0, OriginalPte=0, PteFrame=0;
if (CheckControlC()) { goto alldone; }
Pfn = (PfnStart + Address * PfnSize);
sz = sizeof (u3_e1); GetFieldValue(Pfn, "nt!_MMPFN", "u3.e1", u3_e1);
if (u3_e1.PrototypePte == 0) { VirtualAddress = DbgGetVirtualAddressMappedByPte ( PteAddress); } else { VirtualAddress = 0; } if (u3_e1.PageLocation == MatchLocation) { GetFieldValue(Pfn, "nt!_MMPFN", "u1.Flink", u1_Flink); GetFieldValue(Pfn, "nt!_MMPFN", "u2.Blink", u2_Blink); GetFieldValue(Pfn, "nt!_MMPFN", "PteAddress", PteAddress); GetFieldValue(Pfn, "nt!_MMPFN", "OriginalPte",OriginalPte); GetFieldValue(Pfn, "nt!_MMPFN", "u3.e2.ReferenceCount", u3_e2_ReferenceCount); if(GetFieldValue(Pfn, "nt!_MMPFN", "u4.PteFrame", PteFrame) == FIELDS_DID_NOT_MATCH) { GetFieldValue(Pfn, "nt!_MMPFN", "u3.e1.InPageError", InPageError); GetFieldValue(Pfn, "nt!_MMPFN", "PteFrame", PteFrame); } else { GetFieldValue(Pfn, "nt!_MMPFN", "u4.InPageError", InPageError); }
dprintf("%5I64lx %8p %8p%6x %8p %8p ", Address, u1_Flink, u2_Blink, u3_e2_ReferenceCount, PteAddress, VirtualAddress);
dprintf("%8p ", OriginalPte);
dprintf("%6I64lx ", PteFrame);
dprintf("%s %c%c%c%c%c%c\n", PageLocationList[u3_e1.PageLocation], u3_e1.Modified ? 'M':' ', u3_e1.PrototypePte ? 'P':' ', u3_e1.ReadInProgress ? 'R':' ', u3_e1.WriteInProgress ? 'W':' ', InPageError ? 'E':' ', u3_e1.ParityError ? 'X':' ' );
}
if (MatchLocation > 5) { Address += 1; } else { ULONG64 OriginalPte_u_Long=0; sz = sizeof (OriginalPte_u_Long); if (Flags == 7) { ULONG64 P; //
// Search the whole database for an OriginalPte field that
// points to this PFN - we must do this because this chain
// is singly (not doubly) linked.
//
foundlink = FALSE; P = PfnStart; for (i = 0; i <= HighPage; i += 1, P += PfnSize) { GetFieldValue(P, "nt!_MMPFN", "OriginalPte.u.Long", OriginalPte_u_Long); if (OriginalPte_u_Long == Address) { Address = i; foundlink = TRUE; break; } } if (foundlink == FALSE) { dprintf("No OriginalPte chain found for %lx\n", Address); break; } } else if (Flags == 5) { GetFieldValue(Pfn, "nt!_MMPFN", "OriginalPte.u.Long", OriginalPte_u_Long); Address = OriginalPte_u_Long; } else if (Flags == 3) { Address = u2_Blink; } else { Address = u1_Flink; } }
if (CheckControlC()) { goto alldone; } } while (Address < HighPage);
alldone:
if (PfnArray) { LocalFree((void *)PfnArray); }}
VOIDPrintPfn64 ( IN ULONG64 PfnAddress ){ MMPFNENTRY u3_e1; ULONG64 PfnDb, PfnStart; ULONG PfnSize; ULONG CacheAttribute; CHAR InPageError, VerifierAllocation;
if ((PfnSize = GetTypeSize("nt!_MMPFN")) == 0) { dprintf("Type _MMPFN not found.\n"); return; }
PfnDb = GetNtDebuggerData(MmPfnDatabase); if (!ReadPointer(PfnDb, &PfnStart)) { dprintf("%08P: Unable to get PFN database start\n",PfnDb); return; }
if (!IsPtr64()) { PfnAddress = (ULONG64) (LONG64) (LONG) PfnAddress; }
dprintf(" PFN %08P at address %08P\n", (PfnAddress - PfnStart) / PfnSize, PfnAddress);
InitTypeRead(PfnAddress, nt!_MMPFN);
dprintf(" flink %08P", ReadField(u1.Flink)); dprintf(" blink / share count %08P", ReadField(u2.Blink)); dprintf(" pteaddress %08P\n", ReadField(PteAddress));
GetFieldValue(PfnAddress, "nt!_MMPFN", "u3.e1", u3_e1);
switch (TargetMachine) { case IMAGE_FILE_MACHINE_IA64: case IMAGE_FILE_MACHINE_AMD64: dprintf(" reference count %04hX used entry count %04hX %s color %01hX\n", (ULONG) ReadField(u3.e2.ReferenceCount), (ULONG) ReadField(UsedPageTableEntries), PageAttribute[u3_e1.CacheAttribute], u3_e1.PageColor); break; default: dprintf(" reference count %04hX %s color %01hX\n", (ULONG) ReadField(u3.e2.ReferenceCount), PageAttribute[u3_e1.CacheAttribute], u3_e1.PageColor); break; }
dprintf(" restore pte %08I64X ", ReadField(OriginalPte));
if (BuildNo < 2440) { dprintf("containing page %06P ", ReadField(PteFrame)); InPageError = (CHAR) ReadField(u3.e1.InPageError); VerifierAllocation = (CHAR) ReadField(u3.e1.VerifierAllocation); } else { dprintf("containing page %06P ", ReadField(u4.PteFrame)); InPageError = (CHAR) ReadField(u4.InPageError); VerifierAllocation = (CHAR) ReadField(u4.VerifierAllocation); }
dprintf("%s %c%c%c%c%c%c\n", PageLocationList[u3_e1.PageLocation], u3_e1.Modified ? 'M':' ', u3_e1.PrototypePte ? 'P':' ', u3_e1.ReadInProgress ? 'R':' ', u3_e1.WriteInProgress ? 'W':' ', InPageError ? 'E':' ', u3_e1.ParityError ? 'X':' ', u3_e1.RemovalRequested ? 'Y':' ', VerifierAllocation ? 'V':' ' );
dprintf(" %s %s %s %s %s %s\n", u3_e1.Modified ? "Modified":" ", u3_e1.PrototypePte ? "Shared":" ", u3_e1.ReadInProgress ? "ReadInProgress":" ", u3_e1.WriteInProgress ? "WriteInProgress":" ", InPageError ? "InPageError":" ", u3_e1.ParityError ? "ParityError":" ", u3_e1.RemovalRequested ? "RemovalRequested":" ", VerifierAllocation ? "VerifierAllocation":" ");
return;}
VOIDMemoryUsage ( IN ULONG64 PfnStart, IN ULONG64 LowPage, IN ULONG64 HighPage, IN ULONG IgnoreInvalidFrames )
/*++
Routine Description:
This routine (debugging only) dumps the current memory usage by walking the PFN database.
Arguments:
None.
Return Value:
None.
--*/
{ ULONG PfnSize; ULONG64 LastPfn; ULONG64 Pfn1; ULONG64 Pfn2; ULONG64 Subsection1; UNICODE_STRING NameString; PPFN_INFO Info; PPFN_INFO Info1; PPFN_INFO InfoStart; PPFN_INFO InfoEnd; ULONG InfoSize; PFN_INFO ProcessPfns; PFN_INFO PagedPoolBlock; PPFN_INFO LastProcessInfo = &ProcessPfns; ULONG64 Master; ULONG64 ControlArea1; BOOLEAN Found; ULONG result; ULONG i; ULONG64 PagedPoolStart; ULONG64 VirtualAddress; ULONG64 MmNonPagedPoolEnd; ULONG64 PteFrame; ULONG OriginalPteOffset; ULONG PercentComplete=0; PKERN_MAP pKernelMap;
// Get the offset of OriginalPte in MMPFN
if (GetFieldOffset("nt!_MMPFN", "OriginalPte", &OriginalPteOffset)) { dprintf("Cannot find _MMPFN type"); return ; }
ProcessPfns.Next = NULL; MmNonPagedPoolEnd = GetNtDebuggerDataPtrValue(MmNonPagedPoolEnd);
NameString.MaximumLength = sizeof(WCHAR) * 1000; NameString.Buffer = calloc(1, NameString.MaximumLength);
if (!NameString.Buffer) { return; }
PagedPoolStart = GetNtDebuggerDataPtrValue(MmPagedPoolStart); pKernelMap = calloc(1, sizeof(*pKernelMap)); if (!pKernelMap) { free(NameString.Buffer); return; }
dprintf (" Building kernel map\n");
if (BuildKernelMap (pKernelMap) == FALSE) { free(pKernelMap); free(NameString.Buffer); return; }
dprintf (" Finished building kernel map\n");
RtlZeroMemory (&PagedPoolBlock, sizeof (PFN_INFO));
PfnSize = GetTypeSize("nt!_MMPFN");
LastPfn = (PfnStart + HighPage * PfnSize);
if (MmSubsectionBase == 0) { MmSubsectionBase = GetNtDebuggerDataValue(MmSubsectionBase); }
//
// Allocate a chunk of memory to hold PFN information. This is resized
// if it is later determined that the current size is not large enough.
//
InfoSize = USAGE_ALLOC_SIZE;
restart:
InfoStart = VirtualAlloc (NULL, InfoSize, MEM_COMMIT, PAGE_READWRITE);
if (InfoStart == NULL) { dprintf ("heap allocation for %d bytes failed\n", InfoSize); free(pKernelMap); free(NameString.Buffer); return; }
InfoEnd = InfoStart;
Pfn1 = (PfnStart + LowPage * PfnSize);
while (Pfn1 < LastPfn) { ULONG PageLocation=0, PrototypePte=0, ReferenceCount=0; ULONG Comp; ULONG64 ShareCount=0, PteFrame1=0, PteAddress;
Comp = ((ULONG) (Pfn1 - (PfnStart + LowPage * PfnSize)))*100 / ((ULONG) (LastPfn -(PfnStart + LowPage * PfnSize))); if (Comp > PercentComplete) { PercentComplete = Comp; dprintf("Scanning PFN database - (%02d%% complete) \r", PercentComplete); }
if (CheckControlC()) { VirtualFree (InfoStart,0,MEM_RELEASE); free(pKernelMap); free(NameString.Buffer); return; }
GetFieldValue(Pfn1, "nt!_MMPFN", "u3.e1.PageLocation", PageLocation);
if ((PageLocation != FreePageList) && (PageLocation != ZeroedPageList) && (PageLocation != BadPageList)) {
GetFieldValue(Pfn1, "nt!_MMPFN", "u3.e1.PrototypePte", PrototypePte); GetFieldValue(Pfn1, "nt!_MMPFN", "u3.e2.ReferenceCount", ReferenceCount); GetFieldValue(Pfn1, "nt!_MMPFN", "u2.ShareCount", ShareCount); GetFieldValue(Pfn1, "nt!_MMPFN", "PteAddress", PteAddress);
if (GetFieldValue(Pfn1, "nt!_MMPFN", "u4.PteFrame", PteFrame1) == FIELDS_DID_NOT_MATCH) { GetFieldValue(Pfn1, "nt!_MMPFN", "PteFrame", PteFrame1); }
Subsection1 = 0; if (PrototypePte) { Subsection1 = DbgGetSubsectionAddress (Pfn1 + OriginalPteOffset); }
if ((Subsection1) && (Subsection1 < 0xffffffffffbff000UI64)) { Master = Subsection1; } else {
PteFrame = PteFrame1; if (IgnoreInvalidFrames) { Master = PteFrame; } else {// dprintf("Pteaddr %p, PagedPoolStart %I64x ", PteAddress, PagedPoolStart);
if (PteAddress > PagedPoolStart) { Master = PteFrame; } else { Master=0;
Pfn2 = PfnStart + PteFrame*PfnSize;
if (GetFieldValue(Pfn2, "nt!_MMPFN", "PteFrame", Master) == FIELDS_DID_NOT_MATCH) { GetFieldValue(Pfn2, "nt!_MMPFN", "u4.PteFrame", Master); }// Master = MI_PFN_PTE FRAME(Pfn2);
if ((Master == 0) || (Master > HighPage)) { dprintf("Invalid PTE frame\n");// PrintPfn((PVOID)(((PCHAR)Pfn1-(PCHAR)PfnStart)/PfnSize),Pfn1);
PrintPfn64(Pfn1); PrintPfn64(Pfn2); dprintf(" subsection address: %p\n",Subsection1); goto NextPfn; } } } }
//
// Tally any pages which are not protos and have a valid PTE
// address field.
//
if ((PteAddress < PagedPoolStart) && (PteAddress >= DbgGetPteAddress(SystemRangeStart) )) {
for (i=0; i<pKernelMap->Count; i++) {
VirtualAddress = DbgGetVirtualAddressMappedByPte (PteAddress); if ((VirtualAddress >= pKernelMap->Item[i].StartVa) && (VirtualAddress < pKernelMap->Item[i].EndVa)) {
if ((PageLocation == ModifiedPageList) || (PageLocation == ModifiedNoWritePageList)) { pKernelMap->Item[i].ModifiedCount += _KB; if (ReferenceCount > 0) { pKernelMap->Item[i].LockedCount += _KB; } } else if ((PageLocation == StandbyPageList) || (PageLocation == TransitionPage)) {
pKernelMap->Item[i].StandbyCount += _KB; if (ReferenceCount > 0) { pKernelMap->Item[i].LockedCount += _KB; } } else { pKernelMap->Item[i].ValidCount += _KB; if (ShareCount > 1) { pKernelMap->Item[i].SharedCount += _KB; if (ReferenceCount > 1) { pKernelMap->Item[i].LockedCount += _KB; } } } goto NextPfn; } } }
if (PteAddress >= 0xFFFFFFFFF0000000UI64) {
//
// This is paged pool, put it in the paged pool cell.
//
Info = &PagedPoolBlock; Found = TRUE;
} else {
//
// See if there is already a master info block.
//
Info = InfoStart; Found = FALSE; while (Info < InfoEnd) { if (Info->Master == Master) { Found = TRUE; break; } Info += 1; } } if (!Found) {
Info = InfoEnd; InfoEnd += 1; if ((PUCHAR)Info >= ((PUCHAR)InfoStart + InfoSize) - sizeof(PFN_INFO)) { //
// Don't bother copying the old array - free it instead to
// improve our chances of getting a bigger contiguous chunk.
//
VirtualFree (InfoStart,0,MEM_RELEASE);
InfoSize += USAGE_ALLOC_SIZE;
goto restart; } RtlZeroMemory (Info, sizeof (PFN_INFO));
Info->Master = Master; GetFieldValue(Pfn1, "nt!_MMPFN", "OriginalPte.u.Long", Info->OriginalPte); }
// dprintf("Pfn1 %p, PageLoc %x, Master %I64x\n", Pfn1, PageLocation, Master);
if ((PageLocation == ModifiedPageList) || (PageLocation == ModifiedNoWritePageList)) { Info->ModifiedCount += _KB; if (ReferenceCount > 0) { Info->LockedCount += _KB; } } else if ((PageLocation == StandbyPageList) || (PageLocation == TransitionPage)) {
Info->StandbyCount += _KB; if (ReferenceCount > 0) { Info->LockedCount += _KB; } } else {
Info->ValidCount += _KB; if (ShareCount > 1) { Info->SharedCount += _KB; if (ReferenceCount > 1) { Info->LockedCount += _KB; } } } if ((PteAddress >= DbgGetPdeAddress (0x0)) && (PteAddress <= DbgGetPdeAddress (0xFFFFFFFFFFFFFFFF))) { Info->PageTableCount += _KB; } }NextPfn: Pfn1 = (Pfn1 + PfnSize); }
//
// dump the results.
//
#if 0
dprintf("Physical Page Summary:\n"); dprintf(" - number of physical pages: %ld\n", MmNumberOfPhysicalPages); dprintf(" - Zeroed Pages %ld\n", MmZeroedPageListHead.Total); dprintf(" - Free Pages %ld\n", MmFreePageListHead.Total); dprintf(" - Standby Pages %ld\n", MmStandbyPageListHead.Total); dprintf(" - Modfified Pages %ld\n", MmModifiedPageListHead.Total); dprintf(" - Modfified NoWrite Pages %ld\n", MmModifiedNoWritePageListHead.Total); dprintf(" - Bad Pages %ld\n", MmBadPageListHead.Total);#endif //0
dprintf("\n\n Usage Summary (in Kb):\n");
Info = InfoStart; while (Info < InfoEnd) { if (CheckControlC()) { VirtualFree (InfoStart,0,MEM_RELEASE); free(pKernelMap); free(NameString.Buffer); return; }
if (Info->Master > 0x200000) {
//
// Get the control area from the subsection.
//
if (GetFieldValue(Info->Master, "nt!_SUBSECTION", "ControlArea", ControlArea1)) { dprintf("unable to get subsection va %p %lx\n",Info->Master,Info->OriginalPte); }
// ControlArea1 = Subsection.ControlArea;
Info->Master = ControlArea1;
//
// Loop through the array so far for matching control areas
//
Info1 = InfoStart; while (Info1 < Info) { if (Info1->Master == ControlArea1) { //
// Found a match, collapse these values.
//
Info1->ValidCount += Info->ValidCount; Info1->StandbyCount += Info->StandbyCount; Info1->ModifiedCount += Info->ModifiedCount; Info1->SharedCount += Info->SharedCount; Info1->LockedCount += Info->LockedCount; Info1->PageTableCount += Info->PageTableCount; Info->Master = 0; break; } Info1++; } } else { LastProcessInfo->Next = Info; LastProcessInfo = Info; } Info++; }
Info = InfoStart; dprintf("Control Valid Standby Dirty Shared Locked PageTables name\n"); while (Info < InfoEnd) { ULONG64 FilePointer;
if (CheckControlC()) { VirtualFree (InfoStart,0,MEM_RELEASE); free(pKernelMap); free(NameString.Buffer); return; }
if (Info->Master > 0x200000) {
//
// Get the control area.
//
if (GetFieldValue(Info->Master, "nt!_CONTROL_AREA", "FilePointer", FilePointer)) {
dprintf("%8p %5ld %5ld %5ld %5ld %5ld %5ld Bad Control Area\n", Info->Master, Info->ValidCount, Info->StandbyCount, Info->ModifiedCount, Info->SharedCount, Info->LockedCount, Info->PageTableCount );
} else if (FilePointer == 0) {
dprintf("%8p %5ld %5ld %5ld %5ld %5ld %5ld Page File Section\n", Info->Master, Info->ValidCount, Info->StandbyCount, Info->ModifiedCount, Info->SharedCount, Info->LockedCount, Info->PageTableCount );
} else { ULONG64 NameBuffer;
//
// Get the file pointer.
//
if (GetFieldValue(FilePointer, "nt!_FILE_OBJECT", "FileName.Length", NameString.Length)) { dprintf("unable to get subsection %p\n",FilePointer); }
if (NameString.Length != 0) {
//
// Get the name string.
//
if (NameString.Length > NameString.MaximumLength) { NameString.Length = NameString.MaximumLength-1; }
GetFieldValue(FilePointer, "nt!_FILE_OBJECT", "FileName.Buffer", NameBuffer);
if ((!ReadMemory(NameBuffer, NameString.Buffer, NameString.Length, &result)) || (result < NameString.Length)) { dprintf("%8p %5ld %5ld %5ld %5ld %5ld %5ld Name Not Available\n", Info->Master, Info->ValidCount, Info->StandbyCount, Info->ModifiedCount, Info->SharedCount, Info->LockedCount, Info->PageTableCount ); } else {
{
WCHAR FileName[MAX_PATH]; WCHAR FullFileName[MAX_PATH]; WCHAR *FilePart;
ZeroMemory(FileName,sizeof(FileName)); if (NameString.Length > sizeof(FileName)) { wcscpy(FileName, L"File name length too big - possibly corrupted"); } else { CopyMemory(FileName,NameString.Buffer,NameString.Length); } GetFullPathNameW( FileName, MAX_PATH, FullFileName, &FilePart );
dprintf("%8p %5ld %5ld %5ld %5ld %5ld %5ld mapped_file( %ws )\n", Info->Master, Info->ValidCount, Info->StandbyCount, Info->ModifiedCount, Info->SharedCount, Info->LockedCount, Info->PageTableCount, FilePart); } } } else { dprintf("%8p %5ld %5ld %5ld %5ld %5ld %5ld No Name for File\n", Info->Master, Info->ValidCount, Info->StandbyCount, Info->ModifiedCount, Info->SharedCount, Info->LockedCount, Info->PageTableCount ); } }
} Info += 1; }
Info = &PagedPoolBlock; if ((Info->ValidCount != 0) || (Info->StandbyCount != 0) || (Info->ModifiedCount != 0)) {
dprintf("00000000 %4ld %5ld %5ld %5ld %5ld %5ld PagedPool\n", Info->ValidCount, Info->StandbyCount, Info->ModifiedCount, Info->SharedCount, Info->LockedCount, Info->PageTableCount ); }
//
// dump the process information.
//
BuildDirbaseList(); Info = ProcessPfns.Next; while (Info != NULL) { if (Info->Master != 0) { PUCHAR ImageName;
ImageName = DirbaseToImage(Info->Master);
if ( ImageName ) { dprintf("-------- %4ld %5ld %5ld ----- ----- %5ld process ( %s )\n", Info->ValidCount, Info->StandbyCount, Info->ModifiedCount, Info->PageTableCount, ImageName ); } else { dprintf("-------- %4ld %5ld %5ld ----- ----- %5ld pagefile section (%lx)\n", Info->ValidCount, Info->StandbyCount, Info->ModifiedCount, Info->PageTableCount, Info->Master ); }
} Info = Info->Next; }
if (!IgnoreInvalidFrames) { for (i=0;i<pKernelMap->Count ;i++) { dprintf("-------- %4ld %5ld %5ld ----- %5ld ----- driver ( %ws )\n", pKernelMap->Item[i].ValidCount, pKernelMap->Item[i].StandbyCount, pKernelMap->Item[i].ModifiedCount, pKernelMap->Item[i].LockedCount, pKernelMap->Item[i].Name ); } }
VirtualFree (InfoStart,0,MEM_RELEASE); free(pKernelMap); free(NameString.Buffer);
return;}
NTSTATUSBuildDirbaseList ( VOID ){ ULONG64 Next; ULONG64 ProcessHead; ULONG64 Process; NTSTATUS status=0; ULONG ActiveProcessLinksOffset, DirectoryTableBaseOffset; FIELD_INFO offField[] = { {"ActiveProcessLinks", NULL, 0, DBG_DUMP_FIELD_RETURN_ADDRESS, 0, NULL}, {"Pcb.DirectoryTableBase", NULL, 0, DBG_DUMP_FIELD_RETURN_ADDRESS, 0, NULL} }; SYM_DUMP_PARAM TypeSym ={ sizeof (SYM_DUMP_PARAM), "_EPROCESS", DBG_DUMP_NO_PRINT, 0, NULL, NULL, NULL, 2, &offField[0] };
// Get the offset of ActiveProcessLinks in EPROCESS
if (Ioctl(IG_DUMP_SYMBOL_INFO, &TypeSym, TypeSym.size)) { return FALSE; }
ActiveProcessLinksOffset = (ULONG) offField[0].address; DirectoryTableBaseOffset = (ULONG) offField[1].address; MaxDirbase = 0;
ProcessHead = GetNtDebuggerData(PsActiveProcessHead ); if (!ProcessHead) { return STATUS_OBJECT_NAME_NOT_FOUND; }
if (GetFieldValue(ProcessHead, "nt!_LIST_ENTRY", "Flink", Next)) { return STATUS_OBJECT_NAME_NOT_FOUND; }
//Next = List.Flink;
if (Next == 0) { dprintf("PsActiveProcessHead is NULL!\n"); return STATUS_INVALID_PARAMETER; }
while(Next != ProcessHead) { ULONG64 PageFrameNumber=0;
Process = Next - ActiveProcessLinksOffset;
if (GetFieldValue(Process, "nt!_EPROCESS", "ImageFileName", Names[MaxDirbase])) { dprintf("Unable to read _EPROCESS at %p\n",Process); MaxDirbase = 0; return status; }
if ( (Names[ MaxDirbase ])[0] == '\0' ) { strcpy((PCHAR)&Names[MaxDirbase][0],(PCHAR)"SystemProcess"); }
GetFieldValue(Process,"_EPROCESS","ImageFileName",Names[MaxDirbase]);
GetFieldValue(Process + DirectoryTableBaseOffset, "nt!HARDWARE_PTE", "PageFrameNumber", PageFrameNumber);
DirBases[MaxDirbase++] = PageFrameNumber;
GetFieldValue(Process, "_EPROCESS", "ActiveProcessLinks.Flink", Next);
if (CheckControlC()) { MaxDirbase = 0; return STATUS_INVALID_PARAMETER; } } return STATUS_INVALID_PARAMETER;}
PUCHARDirbaseToImage( IN ULONG64 DirBase ){ ULONG i;
for(i=0;i<MaxDirbase;i++) { if ( DirBases[i] == DirBase ) { return &Names[i][0]; } } return NULL;}�LOGICALBuildKernelMap ( OUT PKERN_MAP KernelMap )
{ ULONG64 Next; ULONG64 ListHead; NTSTATUS Status = 0; ULONG Result; ULONG64 DataTable; ULONG i = 0; ULONG64 Flink; ULONG InLoadOrderLinksOffset; FIELD_INFO offField = {"InLoadOrderLinks", NULL, 0, DBG_DUMP_FIELD_RETURN_ADDRESS, 0, NULL}; SYM_DUMP_PARAM TypeSym ={ sizeof (SYM_DUMP_PARAM), "nt!_LDR_DATA_TABLE_ENTRY", DBG_DUMP_NO_PRINT, 0, NULL, NULL, NULL, 1, &offField };
// Get the offset of InLoadOrderLinks in LDR_DATA_TABLE_ENTRY
if (Ioctl(IG_DUMP_SYMBOL_INFO, &TypeSym, TypeSym.size)) { return FALSE; }
InLoadOrderLinksOffset = (ULONG) offField.address;
ListHead = GetNtDebuggerData(PsLoadedModuleList );
if (!ListHead) { dprintf("Couldn't get offset of PsLoadedModuleListHead\n"); return FALSE; }
if (GetFieldValue(ListHead, "nt!_LIST_ENTRY", "Flink", Flink)) { dprintf("Unable to get value of PsLoadedModuleListHead\n"); return FALSE; }
Next = Flink; if (Next == 0) { dprintf("PsLoadedModuleList is NULL!\n"); return FALSE; }
while (Next != ListHead) { ULONG64 BaseDllNameBuffer, DllBase; ULONG BaseDllNameLength=0, SizeOfImage;
if (CheckControlC()) { return FALSE; } DataTable = (Next - InLoadOrderLinksOffset);
if (GetFieldValue(DataTable, "nt!_LDR_DATA_TABLE_ENTRY", "BaseDllName.Buffer", BaseDllNameBuffer)) { dprintf("Unable to read LDR_DATA_TABLE_ENTRY at %08p\n", DataTable); return FALSE; } GetFieldValue(DataTable, "nt!_LDR_DATA_TABLE_ENTRY","BaseDllName.Length",BaseDllNameLength); GetFieldValue(DataTable, "nt!_LDR_DATA_TABLE_ENTRY","DllBase",DllBase); GetFieldValue(DataTable, "nt!_LDR_DATA_TABLE_ENTRY","SizeOfImage",SizeOfImage);
//
// Get the base DLL name.
//
if ((!ReadMemory(BaseDllNameBuffer, &KernelMap->Item[i].Name[0], BaseDllNameLength, &Result)) || (Result < BaseDllNameLength)) { dprintf("Unable to read name string at %08p - status %08lx\n", DataTable, Status); return FALSE; }
KernelMap->Item[i].Name[BaseDllNameLength/2] = L'\0'; KernelMap->Item[i].StartVa = DllBase; KernelMap->Item[i].EndVa = KernelMap->Item[i].StartVa + (ULONG)SizeOfImage; i += 1;
GetFieldValue(DataTable, "nt!_LDR_DATA_TABLE_ENTRY","InLoadOrderLinks.Flink", Next); }
KernelMap->Item[i].StartVa = GetNtDebuggerDataPtrValue(MmPagedPoolStart); KernelMap->Item[i].EndVa = GetNtDebuggerDataPtrValue(MmPagedPoolEnd); wcscpy (&KernelMap->Item[i].Name[0], (PUSHORT) &L"Paged Pool"); i+= 1;
#if 0
KernelMap->Item[i].StartVa = DbgGetPteAddress (0xffffffff80000000UI64); KernelMap->Item[i].EndVa = DbgGetPteAddress (0xffffffffffffffffUI64); wcscpy (&KernelMap->Item[i].Name[0], (PUSHORT) &L"System Page Tables"); i+= 1;
KernelMap->Item[i].StartVa = DbgGetPdeAddress (0x80000000); KernelMap->Item[i].EndVa = DbgGetPdeAddress (0xffffffff); wcscpy (&KernelMap->Item[i].Name[0], (PUSHORT) &L"System Page Tables"); i+= 1;#endif 0
// LWFIX: Both PTEs and nonpaged pool can be in multiple virtually discontiguous
// areas. Fix this.
KernelMap->Item[i].StartVa = DbgGetVirtualAddressMappedByPte ( GetNtDebuggerDataValue(MmSystemPtesStart)); KernelMap->Item[i].EndVa = DbgGetVirtualAddressMappedByPte ( GetNtDebuggerDataValue(MmSystemPtesEnd)) + 1; wcscpy (&KernelMap->Item[i].Name[0], (PUSHORT) &L"Kernel Stacks"); i+= 1;
KernelMap->Item[i].StartVa = GetNtDebuggerDataValue(MmNonPagedPoolStart); KernelMap->Item[i].EndVa = GetNtDebuggerDataValue(MmNonPagedPoolEnd); wcscpy (&KernelMap->Item[i].Name[0], (PUSHORT) &L"NonPaged Pool"); i+= 1;
KernelMap->Count = i;
return TRUE;}
ULONG64 SpecialPoolStart;ULONG64 SpecialPoolEnd;#define VI_POOL_FREELIST_END ((ULONG64)-1)
LOGICALVerifierDumpPool ( IN ULONG64 Verifier ){ ULONG64 HashTableAddress; ULONG PoolTag; ULONG i; ULONG64 HashEntry; ULONG64 PoolHashSize; ULONG SizeofEntry; LONG64 FreeListNext;
//
// Display the current and peak pool usage by allocation & bytes.
//
#define PP(x) isprint(((x)&0xff))?((x)&0xff):('.')
InitTypeRead(Verifier, nt!_MI_VERIFIER_DRIVER_ENTRY);
dprintf("\n");
dprintf("Current Pool Allocations %08I64lx %08I64lx\n", ReadField(CurrentPagedPoolAllocations), ReadField(CurrentNonPagedPoolAllocations));
dprintf("Current Pool Bytes %08I64lx %08I64lx\n", ReadField(PagedBytes), ReadField(NonPagedBytes));
dprintf("Peak Pool Allocations %08I64lx %08I64lx\n", ReadField(PeakPagedPoolAllocations), ReadField(PeakNonPagedPoolAllocations));
dprintf("Peak Pool Bytes %08I64lx %08I64lx\n", ReadField(PeakPagedBytes), ReadField(PeakNonPagedBytes));
//
// If no current allocations then the dump is over.
//
if ((ReadField(CurrentPagedPoolAllocations) == 0) && (ReadField(CurrentNonPagedPoolAllocations) == 0)) { dprintf("\n"); return FALSE; }
dprintf("\n");
PoolHashSize = ReadField(PoolHashSize); HashTableAddress = ReadField(PoolHash);
dprintf("PoolAddress SizeInBytes Tag CallersAddress\n");
i = 0; HashEntry = HashTableAddress; SizeofEntry = GetTypeSize("nt!_VI_POOL_ENTRY");
for (i = 0; i < PoolHashSize; i += 1, HashEntry += SizeofEntry) {
if (GetFieldValue(HashEntry, "nt!_VI_POOL_ENTRY", "FreeListNext", FreeListNext)) { dprintf("%08p: Unable to get verifier hash page\n", HashEntry); return FALSE; }
//
// Sign extend if necessary.
//
if (!IsPtr64()) { FreeListNext = (ULONG64)(LONG64)(LONG)FreeListNext; }
//
// Skip freelist entries.
//
if ((FreeListNext == VI_POOL_FREELIST_END) || ((FreeListNext & MINLONG64_PTR) == 0)) { continue; }
InitTypeRead(HashEntry, nt!_VI_POOL_ENTRY);
PoolTag = (ULONG) ReadField(InUse.Tag);
dprintf("%p 0x%08p %c%c%c%c ", ReadField(InUse.VirtualAddress), ReadField(InUse.NumberOfBytes), (PP(PoolTag) & ~0x80), PP(PoolTag >> 8), PP(PoolTag >> 16), PP(PoolTag >> 24) );
dprintf("%p\n", ReadField(InUse.CallingAddress));
if (CheckControlC()) { return TRUE; } }
#undef PP
dprintf("\n");
return FALSE;}
#if 0
typedef struct _COMMIT_INFO { LPSTR Name; ULONG Index;} COMMIT_INFO, *PCOMMIT_INFO;
COMMIT_INFO CommitInfo[] = {"MM_DBG_COMMIT_NONPAGED_POOL_EXPANSION", 0,"MM_DBG_COMMIT_PAGED_POOL_PAGETABLE", 1,"MM_DBG_COMMIT_PAGED_POOL_PAGES", 2,"MM_DBG_COMMIT_SESSION_POOL_PAGE_TABLES", 3,"MM_DBG_COMMIT_ALLOCVM1", 4,"MM_DBG_COMMIT_ALLOCVM_SEGMENT", 5,"MM_DBG_COMMIT_IMAGE", 6,"MM_DBG_COMMIT_PAGEFILE_BACKED_SHMEM", 7,"MM_DBG_COMMIT_INDEPENDENT_PAGES", 8,"MM_DBG_COMMIT_CONTIGUOUS_PAGES", 9,"MM_DBG_COMMIT_MDL_PAGES", 0xA,"MM_DBG_COMMIT_NONCACHED_PAGES", 0xB,"MM_DBG_COMMIT_MAPVIEW_DATA", 0xC,"MM_DBG_COMMIT_FILL_SYSTEM_DIRECTORY", 0xD,"MM_DBG_COMMIT_EXTRA_SYSTEM_PTES", 0xE,"MM_DBG_COMMIT_DRIVER_PAGING_AT_INIT", 0xF,"MM_DBG_COMMIT_PAGEFILE_FULL", 0x10,"MM_DBG_COMMIT_PROCESS_CREATE", 0x11,"MM_DBG_COMMIT_KERNEL_STACK_CREATE", 0x12,"MM_DBG_COMMIT_SET_PROTECTION", 0x13,"MM_DBG_COMMIT_SESSION_CREATE", 0x14,"MM_DBG_COMMIT_SESSION_IMAGE_PAGES", 0x15,"MM_DBG_COMMIT_SESSION_PAGETABLE_PAGES", 0x16,"MM_DBG_COMMIT_SESSION_SHARED_IMAGE", 0x17,"MM_DBG_COMMIT_DRIVER_PAGES", 0x18,"MM_DBG_COMMIT_INSERT_VAD", 0x19,"MM_DBG_COMMIT_SESSION_WS_INIT", 0x1A,"MM_DBG_COMMIT_SESSION_ADDITIONAL_WS_PAGES", 0x1B,"MM_DBG_COMMIT_SESSION_ADDITIONAL_WS_HASHPAGES", 0x1C,"MM_DBG_COMMIT_SPECIAL_POOL_PAGES", 0x1D,
"MM_DBG_COMMIT_SMALL", 0x1F,"MM_DBG_COMMIT_EXTRA_WS_PAGES", 0x20,"MM_DBG_COMMIT_EXTRA_INITIAL_SESSION_WS_PAGES", 0x21,"MM_DBG_COMMIT_ALLOCVM_PROCESS", 0x22,"MM_DBG_COMMIT_INSERT_VAD_PT", 0x23,"MM_DBG_COMMIT_ALLOCVM_PROCESS2", 0x24,"MM_DBG_COMMIT_CHARGE_NORMAL", 0x25,"MM_DBG_COMMIT_CHARGE_CAUSE_POPUP", 0x26,"MM_DBG_COMMIT_CHARGE_CANT_EXPAND", 0x27,
"MM_DBG_COMMIT_RETURN_NONPAGED_POOL_EXPANSION", 0x40,"MM_DBG_COMMIT_RETURN_PAGED_POOL_PAGES", 0x41,"MM_DBG_COMMIT_RETURN_SESSION_DATAPAGE", 0x42,"MM_DBG_COMMIT_RETURN_ALLOCVM_SEGMENT", 0x43,"MM_DBG_COMMIT_RETURN_ALLOCVM2", 0x44,
"MM_DBG_COMMIT_RETURN_IMAGE_NO_LARGE_CA", 0x46,"MM_DBG_COMMIT_RETURN_PTE_RANGE", 0x47,"MM_DBG_COMMIT_RETURN_NTFREEVM1", 0x48,"MM_DBG_COMMIT_RETURN_NTFREEVM2", 0x49,"MM_DBG_COMMIT_RETURN_INDEPENDENT_PAGES", 0x4A,"MM_DBG_COMMIT_RETURN_AWE_EXCESS", 0x4B,"MM_DBG_COMMIT_RETURN_MDL_PAGES", 0x4C,"MM_DBG_COMMIT_RETURN_NONCACHED_PAGES", 0x4D,"MM_DBG_COMMIT_RETURN_SESSION_CREATE_FAILURE", 0x4E,"MM_DBG_COMMIT_RETURN_PAGETABLES", 0x4F,"MM_DBG_COMMIT_RETURN_PROTECTION", 0x50,"MM_DBG_COMMIT_RETURN_SEGMENT_DELETE1", 0x51,"MM_DBG_COMMIT_RETURN_SEGMENT_DELETE2", 0x52,"MM_DBG_COMMIT_RETURN_PAGEFILE_FULL", 0x53,"MM_DBG_COMMIT_RETURN_SESSION_DEREFERENCE", 0x54,"MM_DBG_COMMIT_RETURN_VAD", 0x55,"MM_DBG_COMMIT_RETURN_PROCESS_CREATE_FAILURE1", 0x56,"MM_DBG_COMMIT_RETURN_PROCESS_DELETE", 0x57,"MM_DBG_COMMIT_RETURN_PROCESS_CLEAN_PAGETABLES", 0x58,"MM_DBG_COMMIT_RETURN_KERNEL_STACK_DELETE", 0x59,"MM_DBG_COMMIT_RETURN_SESSION_DRIVER_LOAD_FAILURE1",0x5A,"MM_DBG_COMMIT_RETURN_DRIVER_INIT_CODE", 0x5B,"MM_DBG_COMMIT_RETURN_DRIVER_UNLOAD", 0x5C,"MM_DBG_COMMIT_RETURN_DRIVER_UNLOAD1", 0x5D,"MM_DBG_COMMIT_RETURN_NORMAL", 0x5E,"MM_DBG_COMMIT_RETURN_PF_FULL_EXTEND", 0x5F,"MM_DBG_COMMIT_RETURN_EXTENDED", 0x60,"MM_DBG_COMMIT_RETURN_SEGMENT_DELETE3", 0x61,};
VOIDDumpCommitTracker (){ ULONG64 MmTrackCommit; ULONG64 PfnEntry; ULONG64 displacement; ULONG64 AcquiredAddress; ULONG64 ReleasedAddress; CHAR SymbolBuffer[80]; PCHAR SymPointer; ULONG EntrySize; ULONG result; ULONG64 ReadCount; ULONG64 i; ULONG64 j; PSIZE_T LocalData; PCHAR local; ULONG64 NumberOfCommitEntries;
MmTrackCommit = GetExpression ("nt!MmTrackCommit");
if (MmTrackCommit == 0) { dprintf("%08p: Unable to get commit track data.\n", MmTrackCommit); return; }
PfnEntry = MmTrackCommit;
#if 0
NumberOfCommitEntries = GetUlongValue ("MiMaxPfnTimings"); EntrySize = GetTypeSize("SIZE_T");#else
NumberOfCommitEntries = 128; EntrySize = 4;#endif
ReadCount = NumberOfCommitEntries * EntrySize;
dprintf("Scanning %I64u %I64u commit points\n", NumberOfCommitEntries, ReadCount);
LocalData = LocalAlloc(LPTR, (ULONG) (NumberOfCommitEntries * EntrySize));
if (!LocalData) { dprintf("unable to get allocate %ld bytes of memory\n", (ULONG)(NumberOfCommitEntries * EntrySize)); return; }
if ((!ReadMemory(MmTrackCommit, LocalData, (ULONG) ReadCount, &result)) || (result < (ULONG) ReadCount)) { dprintf("unable to get track commit table - " "address %p - count %I64u\n", LocalData, ReadCount); } else {
dprintf("\n%-50s %s\n", "Instance", "HexCount");
for (i = 0; i < NumberOfCommitEntries; i += 1) {
if (LocalData[i] != 0) { for (j = 0; j < sizeof(CommitInfo) / sizeof (COMMIT_INFO); j += 1) { if (CommitInfo[j].Index == i) { dprintf ("%-50s %8x\n", CommitInfo[j].Name, LocalData[i]); break; } } } } }
if (LocalData) { LocalFree((void *)LocalData); }
return;}
#endif
VOIDDumpFaultInjectionTraceLog ( PCSTR Args );
VOIDDumpTrackIrqlLog ( PCSTR args );
DECLARE_API( verifier )
/*++
Routine Description:
Displays the current Driver Verifier data.
Arguments:
arg - Supplies 7 for full listing
Return Value:
None.
--*/
{ ULONG result; ULONG Flags; ULONG VerifierFlags; ULONG64 VerifierDataPointer; ULONG64 SuspectPointer; ULONG64 NextEntry; ULONG64 VerifierDriverEntry; PUCHAR tempbuffer; UNICODE_STRING unicodeString; LOGICAL Interrupted; CHAR Buf[256]; PCHAR ImageFileName; ANSI_STRING AnsiString; UNICODE_STRING InputDriverName; NTSTATUS st; ULONG Level; PCHAR state; ULONG64 tmp;
UNREFERENCED_PARAMETER (Client);
//
// Display option usage.
//
if (strstr (args, "?") != NULL) {
dprintf ("!verifier \n"); dprintf (" \n"); dprintf (" Dump verifier summary information. \n"); dprintf (" \n"); dprintf ("!verifier [FLAGS [IMAGE]] \n"); dprintf (" \n"); dprintf (" 0x01 : Dump verified drivers pool statistics \n"); dprintf (" \n"); dprintf (" 0x02 : not used \n"); dprintf (" \n"); dprintf (" 0x04 [N] : Dump N traces from fault injection trace log. \n"); dprintf (" \n"); dprintf (" 0x08 [N] : Dump N traces from track IRQL trace log\n"); dprintf (" \n"); dprintf ("To display everything use: \n"); dprintf (" \n"); dprintf (" !verifier 0xf \n"); dprintf (" \n");
return S_OK; }
//
// Read the Flags parameter.
//
Flags = 0; Flags = (ULONG) GetExpression (args);
//
// Display fault injection stacks.
//
if ((Flags == 0x04)) { DumpFaultInjectionTraceLog (args); return S_OK; }
//
// Display track irql stacks.
//
if ((Flags == 0x08)) { DumpTrackIrqlLog (args); return S_OK; }
//
// Continue with normal processing: !verifier [FLAGS [NAME]]
//
Flags = 0; RtlZeroMemory(Buf, 256); if (GetExpressionEx(args, &tmp, &args)) { Flags = (ULONG) tmp; while (args && (*args == ' ')) { ++args; } strcpy(Buf, args); }
if (Buf[0] != '\0') { ImageFileName = Buf; RtlInitAnsiString(&AnsiString, ImageFileName); st = RtlAnsiStringToUnicodeString(&InputDriverName, &AnsiString, TRUE); if (!NT_SUCCESS(st)) { dprintf("%08lx: Unable to initialize unicode string\n", st); return E_INVALIDARG; } } else { ImageFileName = NULL; }
VerifierDataPointer = GetExpression ("nt!MmVerifierData");
if (GetFieldValue(VerifierDataPointer, "nt!_MM_DRIVER_VERIFIER_DATA", "Level", Level)) {
dprintf("%08p: Unable to get verifier list.\n",VerifierDataPointer); return E_INVALIDARG; }
dprintf("\nVerify Level %x ... enabled options are:", Level);
if (Level & DRIVER_VERIFIER_SPECIAL_POOLING) { dprintf("\n\tspecial pool"); } if (Level & DRIVER_VERIFIER_FORCE_IRQL_CHECKING) { dprintf("\n\tspecial irql"); } if (Level & DRIVER_VERIFIER_INJECT_ALLOCATION_FAILURES) { dprintf("\n\tinject random low-resource API failures"); } if (Level & DRIVER_VERIFIER_TRACK_POOL_ALLOCATIONS) { dprintf("\n\tall pool allocations checked on unload"); } if (Level & DRIVER_VERIFIER_IO_CHECKING) { dprintf("\n\tIo subsystem checking enabled"); } if (Level & DRIVER_VERIFIER_DEADLOCK_DETECTION) { dprintf("\n\tDeadlock detection enabled"); } if (Level & DRIVER_VERIFIER_ENHANCED_IO_CHECKING) { dprintf("\n\tEnhanced Io checking enabled"); } if (Level & DRIVER_VERIFIER_DMA_VERIFIER) { dprintf("\n\tDMA checking enabled"); }
if (InitTypeRead(VerifierDataPointer, nt!MM_DRIVER_VERIFIER_DATA)) { dprintf("Unable to read type nt!MM_DRIVER_VERIFIER_DATA @ %p\n", VerifierDataPointer); } dprintf("\n\nSummary of All Verifier Statistics\n\n");
dprintf("RaiseIrqls 0x%x\n", (ULONG) ReadField(RaiseIrqls)); dprintf("AcquireSpinLocks 0x%x\n", (ULONG) ReadField(AcquireSpinLocks)); dprintf("Synch Executions 0x%x\n", (ULONG) ReadField(SynchronizeExecutions)); dprintf("Trims 0x%x\n", (ULONG) ReadField(Trims));
dprintf("\n");
dprintf("Pool Allocations Attempted 0x%x\n", (ULONG) ReadField(AllocationsAttempted)); dprintf("Pool Allocations Succeeded 0x%x\n", (ULONG) ReadField(AllocationsSucceeded)); dprintf("Pool Allocations Succeeded SpecialPool 0x%x\n", (ULONG) ReadField(AllocationsSucceededSpecialPool)); dprintf("Pool Allocations With NO TAG 0x%x\n", (ULONG) ReadField(AllocationsWithNoTag));
dprintf("Pool Allocations Failed 0x%x\n", (ULONG) ReadField(AllocationsFailed)); dprintf("Resource Allocations Failed Deliberately 0x%x\n", (ULONG) ReadField(AllocationsFailedDeliberately) + (ULONG) ReadField(BurstAllocationsFailedDeliberately));
dprintf("\n");
dprintf("Current paged pool allocations 0x%x for %08P bytes\n", (ULONG) ReadField(CurrentPagedPoolAllocations), ReadField(PagedBytes));
dprintf("Peak paged pool allocations 0x%x for %08P bytes\n", (ULONG)ReadField(PeakPagedPoolAllocations), ReadField(PeakPagedBytes));
dprintf("Current nonpaged pool allocations 0x%x for %08P bytes\n", (ULONG) ReadField(CurrentNonPagedPoolAllocations), ReadField(NonPagedBytes));
dprintf("Peak nonpaged pool allocations 0x%x for %08P bytes\n", (ULONG)ReadField(PeakNonPagedPoolAllocations), ReadField(PeakNonPagedBytes));
dprintf("\n");
SpecialPoolStart = GetPointerValue("nt!MmSpecialPoolStart"); SpecialPoolEnd = GetPointerValue("nt!MmSpecialPoolEnd");
if (Flags & 0x1) { ULONG Off;
SuspectPointer = GetExpression ("nt!MiSuspectDriverList");
GetFieldOffset("nt!_MI_VERIFIER_DRIVER_ENTRY", "Links", &Off);
if (!ReadPointer(SuspectPointer,&NextEntry)) {
dprintf("%08p: Unable to get verifier list %p\n",SuspectPointer); return E_INVALIDARG; }
dprintf("Driver Verification List\n\n");
dprintf("Entry State NonPagedPool PagedPool Module\n\n"); while (NextEntry != SuspectPointer) {
VerifierDriverEntry = NextEntry - Off;
if (GetFieldValue( VerifierDriverEntry, "nt!_MI_VERIFIER_DRIVER_ENTRY", "Flags", VerifierFlags)) {
dprintf("%08p: Unable to get verifier data\n", VerifierDriverEntry); return E_INVALIDARG; }
InitTypeRead(VerifierDriverEntry, nt!_MI_VERIFIER_DRIVER_ENTRY); if ((VerifierFlags & VI_VERIFYING_DIRECTLY) == 0) { NextEntry = ReadField(Links.Flink); continue; }
unicodeString.Length = (USHORT) ReadField(BaseName.Length); tempbuffer = LocalAlloc(LPTR, unicodeString.Length);
unicodeString.Buffer = (PWSTR)tempbuffer; unicodeString.MaximumLength = unicodeString.Length;
if (!ReadMemory (ReadField(BaseName.Buffer), tempbuffer, unicodeString.Length, &result)) { dprintf("%08p: Unable to get verifier driver name\n", ReadField(BaseName.Buffer)); }
if (ImageFileName != NULL) { if (RtlEqualUnicodeString(&InputDriverName, &unicodeString, TRUE) == 0) { NextEntry = ReadField(Links.Flink); continue; } }
if (ReadField(Loads) == 0 && ReadField(Unloads) == 0) { state = "Hasn't loaded"; } else if (ReadField(Loads) != ReadField(Unloads)) { if (ReadField(Unloads) != 0) { state = "Loaded&Unloaded"; } else { state = "Loaded"; } } else { state = "Unloaded"; }
dprintf("%p %-16s %08p %08p %wZ\n", VerifierDriverEntry, state, ReadField(NonPagedBytes), ReadField(PagedBytes), &unicodeString);
Interrupted = FALSE; NextEntry = ReadField(Links.Flink);
if ((Flags & 0x2) && (Level & DRIVER_VERIFIER_TRACK_POOL_ALLOCATIONS)) {
Interrupted = VerifierDumpPool (VerifierDriverEntry); }
LocalFree(tempbuffer);
if ((Interrupted == TRUE) || (ImageFileName != NULL) || (CheckControlC())) { break; } } }
if ((Flags & 0x04)) { dprintf ("----------------------------------------------- \n"); dprintf ("Fault injection trace log \n"); dprintf ("----------------------------------------------- \n");
DumpFaultInjectionTraceLog (NULL); }
if ((Flags & 0x08)) { dprintf ("----------------------------------------------- \n"); dprintf ("Track irql trace log \n"); dprintf ("----------------------------------------------- \n");
DumpTrackIrqlLog (NULL); }
return S_OK;}
DECLARE_API( fpsearch )
/*++
Routine Description:
Free pool searcher.
Arguments:
arg - Supplies virtual address to match.
Return Value:
None.
--*/
{ ULONG i; ULONG BufferSize; ULONG RawCount; PULONG RawPointer; ULONG Flags; ULONG ActualRead; ULONG64 PageFrameNumber; ULONG64 PAddress; ULONG64 Address; ULONG result; ULONG64 PfnDb; ULONG64 Pfn; ULONG64 PfnStart; ULONG PfnSize; ULONG64 ChainedBp; ULONG64 ValidBp; ULONG64 LastBp; ULONG64 ReturnAddress; PCHAR Buffer; ULONG64 MmFreePageListHeadAddress; CHAR SymbolBuffer[80]; ULONG64 displacement; ULONG64 Total; ULONG StkOffset; ULONG PtrSize; ULONG PoolTag; ULONG StackBytes; ULONG64 StackPointer; ULONG64 ChainedBpVal; ULONG64 LastBpVal; ULONG64 Blink;
PtrSize = IsPtr64() ? 8 : 4; PfnSize = GetTypeSize("nt!_MMPFN");
BufferSize = GetTypeSize("nt!_MI_FREED_SPECIAL_POOL");
if (BufferSize == 0) { dprintf("Type MI_FREED_SPECIAL_POOL not found.\n"); return E_INVALIDARG; }
PfnDb = GetNtDebuggerData(MmPfnDatabase );
if (!PfnDb) { dprintf("unable to get PFN0 database address\n"); return E_INVALIDARG; }
result = !ReadPointer(PfnDb,&PfnStart); if (result != 0) { dprintf("unable to get PFN database address %p %x\n", PfnDb, result); return E_INVALIDARG; }
Address = 0; Flags = 0;
if (!sscanf(args,"%I64lx %lx",&Address, &Flags)) { Address = 0; } // Do not use GetExpression here - the actual address to be searched is phy address
// and it can be >32bit for 32bit targets
// Address = GetExpression (args);
if (Address == 0) { dprintf("Usage: fpsearch address\n"); return E_INVALIDARG; }
MmFreePageListHeadAddress = GetExpression ("nt!MmFreePageListHead");
if (GetFieldValue(MmFreePageListHeadAddress, "nt!_MMPFNLIST", "Total", Total)) {
dprintf("%08p: Unable to get MmFreePageLocationList\n",MmFreePageListHeadAddress); return E_INVALIDARG; }
if (Total == 0) { dprintf("No pages on free list to search\n"); return E_INVALIDARG; }
if (Address != (ULONG64)-1) {
dprintf("Searching the free page list (%I64x entries) for VA %p\n\n", Total, Address);
Address &= ~(ULONG64)(PageSize - 1); } else { dprintf("Searching the free page list (%x entries) for all freed special pool\n\n", Total); }
GetFieldValue (MmFreePageListHeadAddress, "nt!_MMPFNLIST", "Blink", PageFrameNumber);
GetFieldOffset("_MI_FREED_SPECIAL_POOL", "StackData", &StkOffset);
Buffer = LocalAlloc(LPTR, BufferSize);
if (Buffer == NULL) { dprintf("Could not allocate a buffer for the search\n"); return E_INVALIDARG; }
while (PageFrameNumber != (ULONG64)-1) {
PAddress = (ULONG64)PageFrameNumber * PageSize;
ReadPhysical (PAddress, Buffer, BufferSize, &ActualRead);
if (ActualRead != BufferSize) { dprintf("Physical memory read %I64X %x %x failed\n", PAddress, ActualRead, BufferSize); // break;
}
if (Flags & 0x1) {
//
// Print a preview of the raw buffer.
//
#define PP(x) isprint(((x)&0xff))?((x)&0xff):('.')
RawPointer = (PULONG)Buffer; RawCount = BufferSize / sizeof (ULONG); if (RawCount > 32) { RawCount = 32; }
RawCount &= ~0x3;
for (i = 0; i < RawCount; i += 4) { dprintf ("%I64X %08x %08x %08x %08x %c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c\n", PageFrameNumber * PageSize,
*RawPointer, *(RawPointer + 1), *(RawPointer + 2), *(RawPointer + 3),
PP(*RawPointer), PP(*RawPointer >> 8), PP(*RawPointer >> 16), PP(*RawPointer >> 24),
PP(*(RawPointer + 1)), PP(*(RawPointer + 1) >> 8), PP(*(RawPointer + 1) >> 16), PP(*(RawPointer + 1) >> 24),
PP(*(RawPointer + 2)), PP(*(RawPointer + 2) >> 8), PP(*(RawPointer + 2) >> 16), PP(*(RawPointer + 2) >> 24),
PP(*(RawPointer + 3)), PP(*(RawPointer + 3) >> 8), PP(*(RawPointer + 3) >> 16), PP(*(RawPointer + 3) >> 24));
RawPointer += 4; } dprintf ("\n"); }
Pfn = (PfnStart + PageFrameNumber * PfnSize);
if (GetFieldValue(Pfn,"nt!_MMPFN","u2.Blink", Blink)) { dprintf("%08p: unable to get PFN element %x\n", Pfn, PfnSize); break; }
if ((ULONG)Blink == (ULONG)-1) { Blink = (ULONG64)-1; }
#define MI_FREED_SPECIAL_POOL_SIGNATURE 0x98764321
InitTypeReadPhysical (PAddress, nt!MI_FREED_SPECIAL_POOL);
if ((ULONG) ReadField(Signature) == MI_FREED_SPECIAL_POOL_SIGNATURE) {
if ((Address == (ULONG64)-1) ||
(((ULONG)(ReadField(VirtualAddress)) & ~(ULONG)(PageSize - 1)) == (ULONG)Address)) {
PoolTag = (ULONG) ReadField(OverlaidPoolHeader.PoolTag);
dprintf("VA PFN Tag Size Pagable Thread Tick\n"); dprintf("%p %6p %c%c%c%c %6x %s %08p %x\n", ReadField(VirtualAddress), PageFrameNumber, #define PP(x) isprint(((x)&0xff))?((x)&0xff):('.')
PP(PoolTag), PP(PoolTag >> 8), PP(PoolTag >> 16), PP(PoolTag >> 24), #undef PP
(ULONG) ReadField(NumberOfBytesRequested), ReadField(Pagable) ? "Yes" : "No ", ReadField(Thread), ReadField(TickCount));
dprintf("\tCALL STACK AT TIME OF DEALLOCATION\n");
//
// Calculate the relative stack and print it here symbolically.
//
StackBytes = (ULONG) ReadField(StackBytes);
StackPointer = ReadField(StackPointer);
ValidBp = (StackPointer & ~(ULONG64)(PageSize - 1)); ChainedBp = (PAddress + StkOffset); LastBp = (ChainedBp + (ULONG) ReadField(StackBytes));
while (ChainedBp < LastBp) {
//
// Read directly from physical memory.
//
InitTypeReadPhysical(ChainedBp, nt!_LIST_ENTRY); ChainedBpVal = ReadField(Flink); InitTypeReadPhysical(LastBp, nt!_LIST_ENTRY); LastBpVal = ReadField(Flink);
//
// Find a valid frame register chain.
//
if ((((ChainedBpVal) & ~(ULONG64)(PageSize - 1)) == ValidBp) && (ChainedBpVal > StackPointer) && ((ChainedBpVal - (StackPointer)) <= StackBytes)) { ULONG64 ReturnAddressVal;
//
// Increment to the stacked return address.
//
ReturnAddress = ChainedBp + PtrSize; InitTypeReadPhysical(ReturnAddress, nt!_LIST_ENTRY); ReturnAddressVal = ReadField(Flink);
SymbolBuffer[0] = '!'; GetSymbol((ReturnAddressVal), (PUCHAR)SymbolBuffer, &displacement);
dprintf ("\t%s", SymbolBuffer);
if (displacement) { dprintf( "+0x%x", displacement ); }
dprintf( "\n" );
#ifdef SLOW_BUT_THOROUGH
ChainedBp += PtrSize;#else
if ((ReturnAddressVal & ~MAXLONG64_PTR) == 0) { break; }
//
// Subtract the stackpointer & add stackdata offset.
//
ChainedBp = (ChainedBpVal - StackPointer + StkOffset);
//
// Adjust for relative.
//
ChainedBp = (PAddress + ChainedBp);#endif
} else { ChainedBp += PtrSize; } }
dprintf("\n");
if (Address != (ULONG64)-1) { break; } } }
if (CheckControlC()) { break; }
PageFrameNumber = Blink; }
LocalFree(Buffer);
return S_OK;}
USHORTGetPfnRefCount( IN ULONG64 PageFrameNumber ){ ULONG64 PfnDb; ULONG64 Pfn; ULONG64 PfnStart; ULONG PfnSize; ULONG ReferenceCount;
PfnSize = GetTypeSize("nt!_MMPFN");
PfnDb = GetNtDebuggerData(MmPfnDatabase );
if (!PfnDb) { dprintf("unable to get PFN0 database address\n"); return 0; }
if (!ReadPointer(PfnDb,&PfnStart)) { dprintf("unable to get PFN database address %p\n", PfnDb); return 0; }
Pfn = (PfnStart + PageFrameNumber * PfnSize);
if (GetFieldValue(Pfn,"nt!_MMPFN","u3.e2.ReferenceCount", ReferenceCount)) { dprintf("%08p: unable to get PFN element %x\n", Pfn, PfnSize); return 0; }
return (USHORT) ReferenceCount;}
/////////////////////////////////////////////////////////////////////
////////////////////////////////////// Dump irql tracking log
/////////////////////////////////////////////////////////////////////
VOIDDumpTrackIrqlLog ( PCSTR args ){ ULONG64 TrackIrqlQueueAddress; ULONG64 TrackIrqlIndexAddress; ULONG64 TrackIrqlQueueLengthAddress; ULONG64 TrackIrqlQueue; ULONG TrackIrqlIndex; ULONG TrackIrqlQueueLength; ULONG I, Index; ULONG64 Address; ULONG TrackIrqlTypeSize; UCHAR SymbolName[256]; ULONG64 SymbolAddress; ULONG64 SymbolOffset; ULONG Result; ULONG ShowCount; ULONG Flags;
//
// Read how many traces we want to see.
//
ShowCount = 0;
if (args) { ULONG64 tmp;
if (GetExpressionEx(args, &tmp, &args)) { Flags = (ULONG) tmp; if (!sscanf (args, "%u", &ShowCount)) { ShowCount = 0; } }
if (ShowCount == 0) { ShowCount = 4; } } else { ShowCount = 4; }
//
// Read track irql package data
//
TrackIrqlQueueAddress = GetExpression ("nt!ViTrackIrqlQueue"); TrackIrqlIndexAddress = GetExpression ("nt!ViTrackIrqlIndex"); TrackIrqlQueueLengthAddress = GetExpression ("nt!ViTrackIrqlQueueLength");
if (TrackIrqlQueueAddress == 0 || TrackIrqlIndexAddress == 0 || TrackIrqlIndexAddress == 0) {
dprintf ("Incorrect symbols. \n"); return; }
ReadPointer (TrackIrqlQueueAddress, &TrackIrqlQueue);
if (TrackIrqlQueue == 0) {
dprintf ("Irql tracking is not enabled. You need to enable driver verifier \n"); dprintf ("for at least one driver to activate irql tracking. \n"); return; }
ReadMemory (TrackIrqlIndexAddress, &TrackIrqlIndex, sizeof(ULONG), &Result);
if (Result != sizeof(ULONG)) { dprintf ("Trackirql: read error \n"); return; }
ReadMemory (TrackIrqlQueueLengthAddress, &TrackIrqlQueueLength, sizeof(ULONG), &Result);
if (Result != sizeof(ULONG)) { dprintf ("Trackirql: read error \n"); return; }
TrackIrqlTypeSize = GetTypeSize("nt!_VI_TRACK_IRQL");
//
// Dump information
//
dprintf ("\nSize of track irql queue is 0x%X \n", TrackIrqlQueueLength);
for (I = 0, Index = TrackIrqlIndex; I < TrackIrqlQueueLength; I += 1) {
if (I >= ShowCount) { break; }
Index -= 1; Index &= (TrackIrqlQueueLength - 1);
Address = TrackIrqlQueue + Index * TrackIrqlTypeSize; InitTypeRead (Address, nt!_VI_TRACK_IRQL);
dprintf ("\n"); dprintf ("Thread: %I64X\n", ReadField (Thread)); dprintf ("Old irql: %I64X\n", ReadField (OldIrql)); dprintf ("New irql: %I64X\n", ReadField (NewIrql)); dprintf ("Processor: %I64X\n", ReadField (Processor)); dprintf ("Time stamp: %I64X\n", ReadField (TickCount)); dprintf ("\n");
SymbolAddress = ReadField(StackTrace[0]); if (SymbolAddress == 0) { continue; } GetSymbol(SymbolAddress, SymbolName, &SymbolOffset); dprintf (" %I64X %s+0x%I64x\n", SymbolAddress, SymbolName, SymbolOffset);
SymbolAddress = ReadField(StackTrace[1]); if (SymbolAddress == 0) { continue; } GetSymbol(SymbolAddress, SymbolName, &SymbolOffset); dprintf (" %I64X %s+0x%I64x\n", SymbolAddress, SymbolName, SymbolOffset);
SymbolAddress = ReadField(StackTrace[2]); if (SymbolAddress == 0) { continue; } GetSymbol(SymbolAddress, SymbolName, &SymbolOffset); dprintf (" %I64X %s+0x%I64x\n", SymbolAddress, SymbolName, SymbolOffset);
SymbolAddress = ReadField(StackTrace[3]); if (SymbolAddress == 0) { continue; } GetSymbol(SymbolAddress, SymbolName, &SymbolOffset); dprintf (" %I64X %s+0x%I64x\n", SymbolAddress, SymbolName, SymbolOffset);
SymbolAddress = ReadField(StackTrace[4]); if (SymbolAddress == 0) { continue; } GetSymbol(SymbolAddress, SymbolName, &SymbolOffset); dprintf (" %I64X %s+0x%I64x\n", SymbolAddress, SymbolName, SymbolOffset);
if (CheckControlC()) { dprintf ("Interrupted \n"); break; }
}}
/////////////////////////////////////////////////////////////////////
////////////////////////////////////// Dump fault injection trace log
/////////////////////////////////////////////////////////////////////
ULONG64ReadPvoid ( ULONG64 Address ){ ULONG64 RemoteValue = 0; ReadPointer( Address, &RemoteValue); return RemoteValue;}
ULONGReadUlong( ULONG64 Address ){ ULONG RemoteValue = 0; ReadMemory( Address, &RemoteValue, sizeof( ULONG ), NULL ); return RemoteValue;}
VOIDDumpFaultInjectionTrace ( ULONG64 Address ){ ULONG64 ReturnAddress; CHAR SymbolName[ 1024 ]; ULONG64 Displacement; ULONG I; ULONG PvoidSize;
PvoidSize = IsPtr64() ? 8 : 4;
for (I = 0; I < 8; I += 1) {
ReturnAddress = ReadPvoid (Address + I * PvoidSize);
if (ReturnAddress == 0) { break; }
GetSymbol (ReturnAddress, SymbolName, &Displacement);
dprintf (" %p %s+0x%p\n", ReturnAddress, SymbolName, Displacement); }}
VOIDDumpFaultInjectionTraceLog ( PCSTR Args ){ ULONG TracesToDisplay = 0; ULONG64 TraceAddress; ULONG64 Trace; ULONG64 IndexAddress; ULONG Index; ULONG64 LengthAddress; ULONG Length; ULONG I; ULONG PvoidSize; ULONG64 TraceBlockAddress; ULONG64 FirstReturnAddress; ULONG TracesFound = 0; BOOLEAN Interrupted = FALSE; ULONG Flags;
if (Args) {
ULONG64 tmp;
if (GetExpressionEx(Args, &tmp, &Args)) { Flags = (ULONG) tmp; if (!sscanf (Args, "%u", &TracesToDisplay)) { TracesToDisplay = 0; } }
if (TracesToDisplay == 0) { TracesToDisplay = 4; } } else { TracesToDisplay = 4; }
PvoidSize = IsPtr64() ? 8 : 4;
TraceAddress = (ULONG64) GetExpression ("nt!ViFaultTraces"); IndexAddress = (ULONG64) GetExpression ("nt!ViFaultTracesIndex"); LengthAddress = (ULONG64) GetExpression ("nt!ViFaultTracesLength");
Trace = ReadPvoid (TraceAddress);
if (Trace == 0) { dprintf ("Driver fault injection is not enabled for this system. \n"); return; }
Index = ReadUlong (IndexAddress); Length = ReadUlong (LengthAddress);
for (I = 0; I < Length; I += 1) {
Index -= 1; Index &= (Length - 1);
TraceBlockAddress = Trace + Index * PvoidSize * 8; FirstReturnAddress = ReadPvoid (TraceBlockAddress);
if (FirstReturnAddress != 0) { TracesFound += 1;
dprintf ("\n"); DumpFaultInjectionTrace (TraceBlockAddress);
if (TracesFound >= TracesToDisplay) { break; } }
if (CheckControlC()) { Interrupted = TRUE; dprintf ("Interrupted \n"); break; } }
if (Interrupted == FALSE && TracesFound == 0) {
dprintf ("No fault injection traces found. \n"); }}�PUCHAR MemoryDescriptorType[] = { "ExceptionBlock", "SystemBlock", "Free", "Bad", "LoadedProgram", "FirmwareTemporary", "FirmwarePermanent", "OsloaderHeap", "OsloaderStack", "SystemCode", "HalCode", "BootDriver", "ConsoleInDriver", "ConsoleOutDriver", "StartupDpcStack", "StartupKernelStack", "StartupPanicStack", "StartupPcrPage", "StartupPdrPage", "RegistryData", "MemoryData", "NlsData", "SpecialMemory", "BBTMemory", "LoaderReserve", "XIPRom", "HALCachedMemory" };
#define MAXIMUM_MEMORY_TYPE (sizeof(MemoryDescriptorType)/sizeof(UCHAR))
DECLARE_API( loadermemorylist )
/*++
Routine Description:
Displays the memory allocation list. This is the list handed to the OS by the OSLOADER that describes physical memory. Displays the corresponding PDE and PTE.
Arguments:
list - points to the listheader
Return Value:
None.
--*/
{ ULONG64 ListHeaderAddress; ULONG64 EntryAddress; ULONG64 LengthInPages; ULONG64 TypeOfMemory; ULONG Count[MAXIMUM_MEMORY_TYPE]; ULONG i;
UNREFERENCED_PARAMETER (Client);
ListHeaderAddress = 0;
ListHeaderAddress = GetExpression(args); if (ListHeaderAddress == 0) { dprintf("Usage: !loadermemorylist <address_of_listhead>\n"); return E_INVALIDARG; }
if (!ReadPointer(ListHeaderAddress, &EntryAddress)) { dprintf("Unable to read list header at %p\n", ListHeaderAddress); return E_INVALIDARG; }
if (EntryAddress == ListHeaderAddress) { dprintf("List at %p is empty\n", ListHeaderAddress); return S_OK; }
dprintf("Base Length Type\n");
RtlZeroMemory(Count, sizeof(Count));
do { InitTypeRead(EntryAddress, nt!MEMORY_ALLOCATION_DESCRIPTOR); TypeOfMemory = ReadField(MemoryType); if (TypeOfMemory < MAXIMUM_MEMORY_TYPE) { LengthInPages = ReadField(PageCount); dprintf("%08x %08x %s\n", (ULONG)ReadField(BasePage), (ULONG)LengthInPages, MemoryDescriptorType[TypeOfMemory]); Count[TypeOfMemory] += (ULONG)LengthInPages; } else { dprintf("Unrecognized Descriptor at %p\n", EntryAddress); } EntryAddress = ReadField(ListEntry.Flink); } while (EntryAddress != ListHeaderAddress);
dprintf("\nSummary\nMemory Type Pages\n"); LengthInPages = 0; for (i = 0; i < MAXIMUM_MEMORY_TYPE; i++) { if (Count[i]) { dprintf("%-20s%08x (%8d)\n", MemoryDescriptorType[i], Count[i], Count[i]); LengthInPages += Count[i]; } } dprintf(" ======== ========\n"); dprintf("Total %08x (%8d) = ~%dMB\n", (ULONG)LengthInPages, (ULONG)LengthInPages, (ULONG)LengthInPages / (1024 * 1024 / 4096)); return S_OK;}
|
