Source code of Windows XP (NT5)
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
 
 
 
 
 
 

3873 lines
115 KiB

/*++
Copyright (c) 1992 Microsoft Corporation
Module Name:
memory.c
Abstract:
WinDbg Extension Api
Author:
Lou Perazzoli (loup)
Environment:
User Mode.
Revision History:
--*/
#include "precomp.h"
#pragma hdrstop
#define PACKET_MAX_SIZE 4000
#define USAGE_ALLOC_SIZE 256*1024
#ifdef _KB
#undef _KB
#endif
#define _KB (PageSize/1024)
typedef struct _PFN_INFO {
ULONG64 Master;
ULONG64 OriginalPte;
ULONG ValidCount;
ULONG StandbyCount;
ULONG ModifiedCount;
ULONG SharedCount;
ULONG LockedCount;
ULONG PageTableCount;
struct _PFN_INFO *Next;
} PFN_INFO, *PPFN_INFO;
typedef struct _KERN_MAP1 {
ULONG64 StartVa;
ULONG64 EndVa;
ULONG ValidCount;
ULONG StandbyCount;
ULONG ModifiedCount;
ULONG SharedCount;
ULONG LockedCount;
ULONG PageTableCount;
WCHAR Name[256];
} KERN_MAP1, *PKERN_MAP1;
typedef struct _KERN_MAP {
ULONG Count;
KERN_MAP1 Item[500];
} KERN_MAP, *PKERN_MAP;
typedef struct _MMPFNENTRY {
ULONG Modified : 1;
ULONG ReadInProgress : 1;
ULONG WriteInProgress : 1;
ULONG PrototypePte: 1;
ULONG PageColor : 3;
ULONG ParityError : 1;
ULONG PageLocation : 3;
ULONG RemovalRequested : 1;
ULONG CacheAttribute : 2;
ULONG Rom : 1;
ULONG LockCharged : 1;
ULONG DontUse : 16; //overlays USHORT for reference count field.
} MMPFNENTRY;
typedef struct _MMPFN_READ {
MMPFNENTRY u3_e1;
ULONG u3_e2_ReferenceCount;
ULONG64 u1_Flink, u2_Blink, PteAddress, OriginalPte, PteFrame;
} MMPFN_READ, *PMMPFN_READ;
typedef struct _PFN_DUMP_CTXT {
BOOL PrintIndex;
ULONG64 index;
BOOL ZeroAfterPrint;
PMMPFN_READ pReadPfn;
} PFN_DUMP_CTXT, *PPFN_DUMP_CTXT;
UCHAR *PageLocationList[] = {
(PUCHAR)"Zeroed ",
(PUCHAR)"Free ",
(PUCHAR)"Standby ",
(PUCHAR)"Modified",
(PUCHAR)"ModNoWrt",
(PUCHAR)"Bad ",
(PUCHAR)"Active ",
(PUCHAR)"Trans "
};
UCHAR *PageAttribute[] = {
(PUCHAR)"NonCached",
(PUCHAR)"Cached ",
(PUCHAR)"WriteComb",
(PUCHAR)"NotMapped"
};
ULONG64 MmSubsectionBase;
ULONG64 MaxDirbase;
#define MAX_DIRBASEVECTOR 256
ULONG64 DirBases[MAX_DIRBASEVECTOR];
UCHAR Names[MAX_DIRBASEVECTOR][64];
VOID
PrintPfn64 (
IN ULONG64 PfnAddress
);
VOID
DumpMmThreads (
VOID
);
VOID DumpWholePfn(
IN ULONG64 Address,
IN ULONG Flags
);
PUCHAR
DirbaseToImage(
IN ULONG64 DirBase
);
NTSTATUS
BuildDirbaseList( VOID );
LOGICAL
BuildKernelMap (
OUT PKERN_MAP KernelMap
);
ULONG
DbgGetPfnSize(
VOID
)
{
return GetTypeSize("nt!_MMPFN");
}
LOGICAL
PoolGetTag (
IN PVOID PoolAddress,
IN PULONG PoolTag
);
ULONG64 SystemRangeStart;
DECLARE_API( memusage )
/*++
Routine Description:
Dumps the page frame database table
Arguments:
arg -
Return Value:
None.
--*/
{
ULONG result;
ULONG64 PfnDb;
ULONG64 HighPageAddr;
ULONG64 LowPageAddr;
ULONG64 HighPage=0;
ULONG64 LowPage=0;
ULONG64 PageCount;
ULONG64 ReadCount;
ULONG WasZeroedPage;
ULONG WasFreePage;
ULONG Total;
ULONG WasStandbyPage;
ULONG WasModifiedPage;
ULONG WasModifiedNoWritePage;
ULONG WasBadPage;
ULONG WasActiveAndValidPage;
ULONG WasTransitionPage;
ULONG WasUnknownPage;
ULONG64 NPPoolStart;
ULONG64 NPSystemStart;
ULONG64 Pfn;
ULONG64 PfnStart;
PCHAR PfnArray;
ULONG PfnSize;
ULONG NumberOfPfnToRead;
ULONG CompleteSoFar = (ULONG) ~0;
ULONG64 CacheSize;
UNREFERENCED_PARAMETER (args);
UNREFERENCED_PARAMETER (Client);
LowPageAddr = GetNtDebuggerData(MmLowestPhysicalPage);
HighPageAddr = GetNtDebuggerData(MmHighestPhysicalPage);
PfnDb = GetNtDebuggerData(MmPfnDatabase);
NPPoolStart = GetNtDebuggerData(MmNonPagedPoolStart);
NPSystemStart = GetNtDebuggerData(MmNonPagedSystemStart);
SystemRangeStart = GetNtDebuggerDataValue(MmSystemRangeStart);
PfnSize = GetTypeSize("nt!_MMPFN");
NumberOfPfnToRead = 300;
if ( LowPageAddr &&
HighPageAddr &&
PfnDb &&
NPPoolStart &&
NPSystemStart ) {
if ( !ReadPointer( LowPageAddr, &LowPage) ) {
dprintf("%08p: Unable to get low physical page\n",LowPageAddr);
return E_INVALIDARG;
}
if ( !ReadPointer( HighPageAddr,&HighPage) ) {
dprintf("%08p: Unable to get high physical page\n",HighPageAddr);
return E_INVALIDARG;
}
if ( !ReadPointer( PfnDb,&PfnStart) ) {
dprintf("%08p: Unable to get PFN database address\n",PfnDb);
return E_INVALIDARG;
}
#ifdef IG_GET_CACHE_SIZE
if (GetDebuggerCacheSize(&CacheSize)) {
if (CacheSize < (HighPage - LowPage)*PfnSize) {
dprintf("*** WARNING Cache size too low, !memusage might take long time to run\n"
" Increase Cache to %#lx kb for better performance.\n",
(HighPage - LowPage)*PfnSize / 1024);
}
}
#endif
dprintf(" loading PFN database\n");
PfnArray = VirtualAlloc ( NULL,
(ULONG) ((HighPage-LowPage+1) * PfnSize),
MEM_RESERVE | MEM_COMMIT,
PAGE_READWRITE);
if (!PfnArray) {
dprintf("Unable to get allocate memory of %I64ld bytes\n",
(HighPage+1) * PfnSize);
} else {
for (PageCount = LowPage;
PageCount <= HighPage;
PageCount += NumberOfPfnToRead) {
//dprintf("getting PFN table block - "
// "address %lx - count %lu - page %lu\n",
// Pfn, ReadCount, PageCount);
if ( CheckControlC() ) {
VirtualFree (PfnArray,0,MEM_RELEASE);
return E_INVALIDARG;
}
ReadCount = HighPage - PageCount > NumberOfPfnToRead ?
NumberOfPfnToRead :
HighPage - PageCount + 1;
ReadCount *= PfnSize;
Pfn = (PfnStart + PageCount * PfnSize);
if (CompleteSoFar != (ULONG) (((PageCount + LowPage) * 100)/ HighPage)) {
CompleteSoFar = (ULONG) (((PageCount + LowPage) * 100)/ HighPage);
dprintf("loading (%d%% complete)\r", CompleteSoFar);
}
// Let KD cache the data - we won't be reading from the array.
if ( !ReadMemory( Pfn,
PfnArray + PageCount * PfnSize,
(ULONG) ReadCount,
&result) ) {
dprintf("Unable to get PFN table block - "
"address %p - count %lu - page %lu\n",
Pfn, ReadCount, PageCount);
VirtualFree (PfnArray,0,MEM_RELEASE);
return E_INVALIDARG;
}
}
dprintf("\n");
// Now we have a local copy: let's take a look
WasZeroedPage = 0;
WasFreePage = 0;
WasStandbyPage = 0;
WasModifiedPage = 0;
WasModifiedNoWritePage = 0;
WasBadPage = 0;
WasActiveAndValidPage = 0;
WasTransitionPage = 0;
WasUnknownPage = 0;
CompleteSoFar = 0;
for (PageCount = LowPage;
PageCount <= HighPage;
PageCount++) {
ULONG PageLocation=0;
ULONG64 Flink=0, Blink=0;
if ( CheckControlC() ) {
VirtualFree (PfnArray,0,MEM_RELEASE);
return E_INVALIDARG;
}
if (CompleteSoFar < (ULONG) (((PageCount + LowPage) * 100)/ HighPage)) {
CompleteSoFar = (ULONG) (((PageCount + LowPage) * 100)/ HighPage);
dprintf("Compiling memory usage data (%d%% Complete).\r", CompleteSoFar);
}
Pfn = (PfnStart + PageCount * PfnSize);
GetFieldValue(Pfn, "nt!_MMPFN", "u3.e1.PageLocation", PageLocation);
switch (PageLocation) {
case ZeroedPageList:
GetFieldValue(Pfn, "nt!_MMPFN", "u1.Flink", Flink);
GetFieldValue(Pfn, "nt!_MMPFN", "u2.Blink", Blink);
if ((Flink == 0) &&
(Blink == 0)) {
WasActiveAndValidPage++;
} else {
WasZeroedPage++;
}
break;
case FreePageList:
WasFreePage++;
break;
case StandbyPageList:
WasStandbyPage++;
break;
case ModifiedPageList:
WasModifiedPage++;
break;
case ModifiedNoWritePageList:
WasModifiedNoWritePage++;
break;
case BadPageList:
WasModifiedNoWritePage++;
break;
case ActiveAndValid:
WasActiveAndValidPage++;
break;
case TransitionPage:
WasTransitionPage++;
break;
default:
WasUnknownPage++;
break;
}
}
dprintf("\n");
dprintf( " Zeroed: %6lu (%6lu kb)\n",
WasZeroedPage, WasZeroedPage * _KB);
dprintf( " Free: %6lu (%6lu kb)\n",
WasFreePage, WasFreePage * _KB);
dprintf( " Standby: %6lu (%6lu kb)\n",
WasStandbyPage, WasStandbyPage * _KB);
dprintf( " Modified: %6lu (%6lu kb)\n",
WasModifiedPage,
WasModifiedPage * _KB);
dprintf( " ModifiedNoWrite: %6lu (%6lu kb)\n",
WasModifiedNoWritePage,WasModifiedNoWritePage * _KB);
dprintf( " Active/Valid: %6lu (%6lu kb)\n",
WasActiveAndValidPage, WasActiveAndValidPage * _KB);
dprintf( " Transition: %6lu (%6lu kb)\n",
WasTransitionPage, WasTransitionPage * _KB);
dprintf( " Unknown: %6lu (%6lu kb)\n",
WasUnknownPage, WasUnknownPage * _KB);
Total = WasZeroedPage +
WasFreePage +
WasStandbyPage +
WasModifiedPage +
WasModifiedNoWritePage +
WasActiveAndValidPage +
WasTransitionPage +
WasUnknownPage +
WasUnknownPage;
dprintf( " TOTAL: %6lu (%6lu kb)\n",
Total, Total * _KB);
}
MemoryUsage (PfnStart, LowPage, HighPage, 0);
VirtualFree (PfnArray,0,MEM_RELEASE);
}
return S_OK;
}
DECLARE_API( lockedpages )
/*++
Routine Description:
Displays the driver-locked pages.
Arguments:
None.
Return Value:
None.
--*/
{
ULONG64 LockHeader;
ULONG64 LockTracker;
ULONG64 NextEntry;
ULONG GlistOff;
ULONG64 Count;
CHAR Buffer[256];
ULONG64 displacement;
UNREFERENCED_PARAMETER (args);
UNREFERENCED_PARAMETER (Client);
LockHeader = GetExpression ("nt!MmLockedPagesHead");
if (GetFieldValue(LockHeader,
"nt!_LOCK_HEADER",
"Count",
Count)) {
dprintf("%08p: Unable to get lock header data.\n", LockHeader);
return E_INVALIDARG;
}
GetFieldValue(LockHeader,"nt!_LOCK_HEADER","ListHead.Flink", NextEntry);
if (NextEntry == 0) {
dprintf("Locked pages tracking not enabled\n");
return E_INVALIDARG;
}
if (NextEntry == LockHeader) {
dprintf("There are no pages currently locked.\n");
return E_INVALIDARG;
}
dprintf("%I64d locked pages...\n", Count);
dprintf("Tracker MDL PageCount Caller/CallersCaller\n");
GetFieldOffset("LOCK_TRACKER", "GlobalListEntry", &GlistOff);
while (NextEntry != LockHeader) {
LockTracker = (NextEntry - GlistOff);
if (GetFieldValue(LockTracker, "nt!LOCK_TRACKER",
"GlobalListEntry.Flink", NextEntry)) {
dprintf("%08p: Unable to get lock tracker data.\n", LockTracker);
return E_INVALIDARG;
}
InitTypeRead(LockTracker, nt!LOCK_TRACKER);
dprintf("Tracker %p : MDL @ %p, PageCount = %I64x, Caller = %p %p\n",
LockTracker,
ReadField(Mdl),
ReadField(Count));
Buffer[0] = '!';
GetSymbol (ReadField(CallingAddress),
(PCHAR)Buffer,
&displacement);
dprintf("%s", Buffer);
if (displacement) {
dprintf( "+0x%1p", displacement );
}
dprintf("/");
Buffer[0] = '!';
GetSymbol (ReadField(CallersCaller),
(PCHAR)Buffer,
&displacement);
dprintf("%s", Buffer);
if (displacement) {
dprintf( "+0x%1p", displacement );
}
dprintf("\n");
if (CheckControlC()) {
break;
}
}
return S_OK;
}
DECLARE_API( pfnperf )
/*++
Routine Description:
Displays the PFN spinlock duration list.
Arguments:
None.
Return Value:
None.
--*/
{
ULONG64 PfnDuration;
ULONG64 PfnEntry;
ULONG64 displacement;
ULONG64 AcquiredAddress;
ULONG64 ReleasedAddress;
CHAR SymbolBuffer[80];
PCHAR SymPointer;
ULONG EntrySize;
ULONG result;
ULONG64 ReadCount;
ULONG64 i;
PCHAR LocalData;
PCHAR local;
ULONG64 NumberOfPfnEntries;
UNREFERENCED_PARAMETER (args);
UNREFERENCED_PARAMETER (Client);
PfnDuration = GetExpression ("nt!MiPfnSorted");
if (PfnDuration == 0) {
dprintf("%08p: Unable to get PFN duration data.\n", PfnDuration);
return E_INVALIDARG;
}
PfnEntry = PfnDuration;
EntrySize = GetTypeSize("nt!_MMPFNTIMINGS");
NumberOfPfnEntries = GetUlongValue ("MiMaxPfnTimings");
dprintf("Top %ld PFN lock holders sorted by duration\n", NumberOfPfnEntries);
LocalData = LocalAlloc(LPTR, (ULONG) (NumberOfPfnEntries * EntrySize));
if (!LocalData) {
dprintf("unable to get allocate %ld bytes of memory\n",
NumberOfPfnEntries * EntrySize);
return E_INVALIDARG;
}
ReadCount = NumberOfPfnEntries * EntrySize;
if ((!ReadMemory(PfnDuration,
LocalData,
(ULONG) ReadCount,
&result)) || (result < (ULONG) ReadCount)) {
dprintf("unable to get PFN duration table - "
"address %p - count %I64u\n",
LocalData, ReadCount);
}
else {
dprintf("\nDuration LockAcquirer LockReleaser\n");
local = LocalData;
for (i = 0; i < NumberOfPfnEntries; i += 1) {
ULONG64 HoldTime=0, Address = 0;
GetFieldValue(PfnEntry, "nt!_MMPFNTIMINGS", "HoldTime", HoldTime);
GetFieldValue(PfnEntry, "nt!_MMPFNTIMINGS", "AcquiredAddress", AcquiredAddress);
GetFieldValue(PfnEntry, "nt!_MMPFNTIMINGS", "ReleasedAddress", ReleasedAddress);
//
// Sign extend if necessary.
//
if (!IsPtr64()) {
AcquiredAddress = (ULONG64)(LONG64)(LONG)AcquiredAddress;
ReleasedAddress = (ULONG64)(LONG64)(LONG)ReleasedAddress;
}
//
// Output a '*' if the lock was contended for, '.' if not.
//
dprintf( "%3d%c %I64ld ", (ULONG)i, HoldTime & 0x1 ? '*' : '.', HoldTime );
SymbolBuffer[0] = '!';
GetSymbol(AcquiredAddress, (PCHAR)SymbolBuffer, &displacement);
SymPointer = SymbolBuffer;
while (*SymPointer != '!') {
SymPointer += 1;
}
SymPointer += 1;
dprintf ("%s", SymPointer);
if (displacement) {
dprintf( "+0x%x", displacement );
}
dprintf( ", ");
SymbolBuffer[0] = '!';
GetSymbol(ReleasedAddress, (PCHAR)SymbolBuffer, &displacement);
SymPointer = SymbolBuffer;
while (*SymPointer != '!') {
SymPointer += 1;
}
SymPointer += 1;
dprintf ("%s", SymPointer);
if (displacement) {
dprintf( "+0x%x", displacement );
}
dprintf( "\n");
PfnEntry += EntrySize;
}
}
if (LocalData) {
LocalFree((void *)LocalData);
}
return S_OK;
}
DECLARE_API( pfn )
/*++
Routine Description:
Displays the corresponding PDE and PTE.
Arguments:
arg - Supplies the Page frame number in hex.
Return Value:
None.
--*/
{
ULONG64 Address;
ULONG64 PfnDb;
ULONG64 Pfn;
ULONG64 PfnStart;
ULONG Flags;
ULONG PfnSize;
PfnSize = GetTypeSize("nt!_MMPFN");
if (!PfnSize) {
dprintf("unable to _MMPFN type.\n");
return E_INVALIDARG;
}
PfnDb = GetNtDebuggerData( MmPfnDatabase );
if (!PfnDb) {
dprintf("unable to get PFN0 database address\n");
return E_INVALIDARG;
}
PfnStart = 0;
if (!ReadPointer(PfnDb,&PfnStart)) {
dprintf("unable to get PFN database address %p\n", PfnDb);
return E_INVALIDARG;
}
Address = 0;
Flags = 0;
if (GetExpressionEx(args, &Address, &args)) {
Flags = (ULONG) GetExpression(args);
}
if (Flags != 0) {
if (!TargetIsDump) {
ULONG64 CacheSize;
Ioctl(IG_GET_CACHE_SIZE, &CacheSize, sizeof(CacheSize));
if (TargetMachine == IMAGE_FILE_MACHINE_IA64) {
if (CacheSize < 0x10000000) {
dprintf("CacheSize too low - increasing to 10M\n");
ExecuteCommand(Client, ".cache 10000");
}
} else if (CacheSize < 0x1000000) {
dprintf("CacheSize too low - increasing to 1M\n");
ExecuteCommand(Client, ".cache 1000");
}
}
DumpWholePfn ( Address, Flags);
return E_INVALIDARG;
}
if (Address >= PfnStart) {
//
// Ensure any passed in address is offsetted correctly.
//
Address = (Address - PfnStart) / PfnSize;
}
Pfn = (PfnStart + Address * PfnSize);
PrintPfn64(Pfn);
return S_OK;
}
VOID
DumpTerminalServerMemory (
VOID
)
{
ULONG64 Next;
ULONG64 SessionListPointer;
ULONG64 SessionData;
ULONG SessionId;
ULONG SessionWsListLinksOffset;
ULONG64 NonPagedPoolBytes;
ULONG64 PagedPoolBytes;
ULONG64 CommittedPages;
ULONG Failures;
ULONG TotalFailures;
ULONG64 SessionPoolSize;
ULONG64 SessionViewSize;
dprintf("\n\tTerminal Server Memory Usage By Session:\n\n");
// Get the offset of ActiveProcessLinks in _EPROCESS
if (GetFieldOffset("nt!_MM_SESSION_SPACE", "WsListEntry", &SessionWsListLinksOffset)) {
return;
}
SessionListPointer = GetExpression ("nt!MiSessionWsList");
if (!SessionListPointer) {
dprintf("Unable to get value of SessionListPointer\n");
return;
}
if (GetFieldValue( SessionListPointer, "nt!_LIST_ENTRY", "Flink", Next )) {
dprintf("Unable to read _LIST_ENTRY @ %p\n", SessionListPointer);
return;
}
SessionPoolSize = GetUlongValue ("MmSessionPoolSize");
SessionViewSize = GetUlongValue ("MmSessionViewSize");
dprintf("\tSession Paged Pool Maximum is %ldK\n", SessionPoolSize / 1024);
dprintf("\tSession View Space Maximum is %ldK\n", SessionViewSize / 1024);
while(Next != SessionListPointer) {
SessionData = Next - SessionWsListLinksOffset;
if (GetFieldValue( SessionData, "nt!_MM_SESSION_SPACE", "SessionId", SessionId )) {
dprintf("Unable to read _MM_SESSION_SPACE at %p\n",SessionData);
return;
}
TotalFailures = 0;
dprintf("\n\tSession ID %x @ %p:\n",SessionId, SessionData);
GetFieldValue( SessionData, "nt!_MM_SESSION_SPACE", "NonPagedPoolBytes",
NonPagedPoolBytes );
GetFieldValue( SessionData, "nt!_MM_SESSION_SPACE", "PagedPoolBytes",
PagedPoolBytes );
GetFieldValue( SessionData, "nt!_MM_SESSION_SPACE", "CommittedPages",
CommittedPages );
GetFieldValue( SessionData, "nt!_MM_SESSION_SPACE", "SessionPoolAllocationFailures[0]",
Failures);
TotalFailures += Failures;
GetFieldValue( SessionData, "nt!_MM_SESSION_SPACE", "SessionPoolAllocationFailures[1]",
Failures);
TotalFailures += Failures;
GetFieldValue( SessionData, "nt!_MM_SESSION_SPACE", "SessionPoolAllocationFailures[2]",
Failures);
TotalFailures += Failures;
GetFieldValue( SessionData, "nt!_MM_SESSION_SPACE", "SessionPoolAllocationFailures[3]",
Failures);
TotalFailures += Failures;
dprintf("\tNonpaged Pool Usage: %8I64ldK\n",NonPagedPoolBytes / 1024);
dprintf("\tPaged Pool Usage: %8I64ldK\n",PagedPoolBytes / 1024);
if (TotalFailures != 0) {
dprintf("\n\t*** %ld Pool Allocation Failures ***\n\n",TotalFailures);
}
dprintf("\tCommit Usage: %8I64ldK\n",CommittedPages * _KB);
GetFieldValue(SessionData, "nt!_MM_SESSION_SPACE", "WsListEntry.Flink", Next);
if (CheckControlC()) {
return;
}
}
return;
}
#if (_MSC_VER < 1200) && defined(_M_IX86)
#pragma optimize("g", off)
#endif
DECLARE_API( vm )
/*++
Routine Description:
Displays physical memory usage by driver.
Arguments:
arg - Flags : 0 (default) == systemwide vm & per-process output.
1 == just systemwide vm counts, no per-process output.
2 == systemwide vm, per-process & Mm thread output.
3 == systemwide vm & Mm thread display, no per-process output.
Return Value:
None.
--*/
{
ULONG Flags;
ULONG Index;
ULONG64 MemorySize;
ULONG64 CommitLimit;
ULONG64 CommitTotal;
ULONG64 SharedCommit;
ULONG64 SpecialPoolPages;
ULONG64 ProcessCommit;
ULONG64 PagedPoolCommit;
ULONG64 DriverCommit;
ULONG64 ZeroPages;
ULONG64 FreePages;
ULONG64 StandbyPages;
ULONG64 ModifiedPages;
ULONG64 ModifiedNoWrite;
ULONG64 NumberOfPagedPools;
ULONG64 NumberOfPagingFiles;
ULONG64 AvailablePages;
ULONG64 LockPagesCount;
ULONG64 SpecialPagesNonPaged;
ULONG64 SpecialPagesNonPagedMaximum;
ULONG64 FreePtesPointer;
ULONG64 FreeNonPagedPtes;
ULONG64 ResidentAvailablePages;
ULONG64 PoolLoc;
ULONG64 PoolLocBase;
ULONG result;
ULONG TotalPages;
ULONG ExtendedCommit;
ULONG64 TotalProcessCommit;
PPROCESS_COMMIT_USAGE ProcessCommitUsage;
ULONG i;
ULONG NumberOfProcesses;
ULONG64 PagedPoolBytesMax;
ULONG64 PagedPoolBytes;
ULONG64 NonPagedPoolBytesMax;
ULONG64 NonPagedPoolBytes;
ULONG64 PageFileBase;
ULONG64 PageFilePointer;
ULONG PageFileFullExtendPages;
ULONG PageFileFullExtendCount;
PUCHAR tempbuffer;
UNICODE_STRING unicodeString;
ULONG64 PagedPoolInfoPointer;
ULONG64 FreeSystemPtes;
UCHAR PagedPoolType[] = "nt!_MM_PAGED_POOL_INFO";
ULONG64 AllocatedPagedPool=0;
ULONG Desc_TotalPages=0, TotalBigPages=0, Desc_size;
ULONG PtrSize = DBG_PTR_SIZE;
ULONG NumberOfNonPagedPools;
ULONG64 ExpNumberOfNonPagedPools;
Flags = 0;
Flags = (ULONG) GetExpression(args);
dprintf("\n*** Virtual Memory Usage ***\n");
MemorySize = GetNtDebuggerDataValue(MmNumberOfPhysicalPages);
dprintf ("\tPhysical Memory: %8I64ld (%8I64ld Kb)\n",MemorySize,_KB*MemorySize);
NumberOfPagingFiles = GetNtDebuggerDataValue(MmNumberOfPagingFiles);
PageFilePointer = GetExpression ("nt!MmPagingFile");
if (NumberOfPagingFiles == 0) {
dprintf("\n************ NO PAGING FILE *********************\n\n");
} else {
for (i = 0; i < NumberOfPagingFiles; i++) {
ULONG64 PageFileName_Buffer=0;
if (!ReadPointer(PageFilePointer, &PageFileBase)) {
dprintf("%08p: Unable to get page file\n",PageFilePointer);
break;
}
if (GetFieldValue(PageFileBase,
"nt!_MMPAGING_FILE",
"PageFileName.Buffer",
PageFileName_Buffer)) {
dprintf("%08p: Unable to get page file\n",PageFilePointer);
break;
}
InitTypeRead(PageFileBase, nt!_MMPAGING_FILE);
if (PageFileName_Buffer == 0) {
dprintf("\tNo Name for Paging File\n\n");
} else {
unicodeString.Length = (USHORT) ReadField(PageFileName.Length);
tempbuffer = LocalAlloc(LPTR, unicodeString.Length);
unicodeString.Buffer = (PWSTR)tempbuffer;
unicodeString.MaximumLength = unicodeString.Length;
if (!ReadMemory ( PageFileName_Buffer,
tempbuffer,
unicodeString.Length,
&result)) {
dprintf("\tPaging File Name paged out\n");
} else {
dprintf("\tPage File: %wZ\n", &unicodeString);
}
LocalFree(tempbuffer);
}
dprintf("\t Current: %9I64ldKb Free Space: %9I64ldKb\n",
ReadField(Size)*_KB,
ReadField(FreeSpace)*_KB);
dprintf("\t Minimum: %9I64ldKb Maximum: %9I64ldKb\n",
ReadField(MinimumSize)*_KB,
ReadField(MaximumSize)*_KB);
PageFilePointer += PtrSize;
}
}
PagedPoolInfoPointer = GetExpression ("nt!MmPagedPoolInfo");
if (GetFieldValue(PagedPoolInfoPointer,
PagedPoolType,
"AllocatedPagedPool",
AllocatedPagedPool)) {
dprintf("%08p: Unable to get paged pool info %p\n",PagedPoolInfoPointer);
}
PagedPoolBytesMax = GetNtDebuggerDataValue(MmSizeOfPagedPoolInBytes);
PagedPoolBytes = AllocatedPagedPool;
PagedPoolBytes *= PageSize;
NonPagedPoolBytesMax = GetNtDebuggerDataValue(MmMaximumNonPagedPoolInBytes);
NonPagedPoolBytes = GetUlongValue ("MmAllocatedNonPagedPool");
NonPagedPoolBytes *= PageSize;
CommitLimit = GetNtDebuggerDataValue(MmTotalCommitLimit);
CommitTotal = GetNtDebuggerDataValue(MmTotalCommittedPages);
SharedCommit = GetNtDebuggerDataValue(MmSharedCommit);
DriverCommit = GetNtDebuggerDataValue(MmDriverCommit);
ProcessCommit = GetNtDebuggerDataValue(MmProcessCommit);
PagedPoolCommit = GetNtDebuggerDataValue(MmPagedPoolCommit);
ZeroPages = GetNtDebuggerDataValue(MmZeroedPageListHead);
FreePages = GetNtDebuggerDataValue(MmFreePageListHead);
StandbyPages = GetNtDebuggerDataValue(MmStandbyPageListHead);
ModifiedPages = GetNtDebuggerDataValue(MmModifiedPageListHead);
ModifiedNoWrite = GetNtDebuggerDataValue(MmModifiedNoWritePageListHead);
AvailablePages = GetNtDebuggerDataValue(MmAvailablePages);
ResidentAvailablePages = GetNtDebuggerDataValue(MmResidentAvailablePages);
if (BuildNo < 2257) {
ExtendedCommit = GetUlongValue("MmExtendedCommit");
PageFileFullExtendPages = GetUlongValue("MmPageFileFullExtendPages");
PageFileFullExtendCount = GetUlongValue("MmPageFileFullExtendCount");
}
FreeSystemPtes = GetUlongValue("MmTotalFreeSystemPtes");
LockPagesCount = GetUlongValue("MmSystemLockPagesCount");
SpecialPagesNonPaged = GetUlongValue("MiSpecialPagesNonPaged");
SpecialPagesNonPagedMaximum = GetUlongValue("MiSpecialPagesNonPagedMaximum");
FreePtesPointer = GetExpression ("nt!MmTotalFreeSystemPtes");
FreePtesPointer += sizeof(ULONG);
FreeNonPagedPtes = 0;
if (!ReadMemory (FreePtesPointer, &FreeNonPagedPtes, sizeof(ULONG), &result)) {
dprintf("\tError reading free nonpaged PTEs %p\n", FreePtesPointer);
}
SpecialPoolPages = GetUlongValue("nt!MmSpecialPagesInUse");
dprintf("\tAvailable Pages: %8I64ld (%8I64ld Kb)\n",AvailablePages, AvailablePages*_KB);
dprintf("\tResAvail Pages: %8I64ld (%8I64ld Kb)\n",ResidentAvailablePages, ResidentAvailablePages*_KB);
if ((LONG64) (ResidentAvailablePages - LockPagesCount) < 100) {
dprintf("\n\t********** Running out of physical memory **********\n\n");
}
dprintf("\tLocked IO Pages: %8I64ld (%8I64ld Kb)\n",LockPagesCount,_KB*LockPagesCount);
dprintf("\tFree System PTEs: %8I64ld (%8I64ld Kb)\n",FreeSystemPtes,_KB*FreeSystemPtes);
dprintf("\tFree NP PTEs: %8I64ld (%8I64ld Kb)\n",FreeNonPagedPtes,_KB*FreeNonPagedPtes);
dprintf("\tFree Special NP: %8I64ld (%8I64ld Kb)\n",
(SpecialPagesNonPagedMaximum - SpecialPagesNonPaged),
_KB*(SpecialPagesNonPagedMaximum - SpecialPagesNonPaged));
dprintf("\tModified Pages: %8I64ld (%8I64ld Kb)\n",ModifiedPages,ModifiedPages*_KB);
if ((AvailablePages < 50) && (ModifiedPages > 200)) {
dprintf("\t********** High Number Of Modified Pages ********\n");
}
if (ModifiedNoWrite > ((MemorySize / 100) * 3)) {
dprintf("\t********** High Number Of Modified No Write Pages ********\n");
dprintf("\tModified No Write Pages: %I64ld (%8I64ld Kb)\n",
ModifiedNoWrite,_KB*ModifiedNoWrite);
}
//
// Dump all the nonpaged pools.
//
PoolLoc = GetNtDebuggerData(NonPagedPoolDescriptor );
Desc_TotalPages = 0; TotalBigPages=0;
if ( !PoolLoc ||
GetFieldValue(PoolLoc,
"nt!_POOL_DESCRIPTOR",
"TotalPages",
Desc_TotalPages)) {
dprintf("%08p: Unable to get pool descriptor\n",PoolLoc);
return E_INVALIDARG;
}
Desc_size = GetTypeSize("nt!_POOL_DESCRIPTOR");
if (ExpNumberOfNonPagedPools = GetExpression("nt!ExpNumberOfNonPagedPools")) {
NumberOfNonPagedPools = GetUlongFromAddress (ExpNumberOfNonPagedPools);
} else {
NumberOfNonPagedPools = 0;
}
if (NumberOfNonPagedPools > 1) {
TotalPages = 0;
PoolLocBase = GetExpression ("nt!ExpNonPagedPoolDescriptor");
if (PoolLocBase != 0) {
for (Index = 0; Index < NumberOfNonPagedPools; Index += 1) {
if (!ReadPointer(PoolLocBase, &PoolLoc)) {
dprintf("%08p: Unable to get nonpaged pool info\n",PoolLocBase);
break;
}
if (GetFieldValue(PoolLoc,
"nt!_POOL_DESCRIPTOR",
"TotalPages",
Desc_TotalPages)) {
dprintf("%08p: Unable to get pool descriptor\n",PoolLoc);
return E_INVALIDARG;
}
GetFieldValue(PoolLoc,"_POOL_DESCRIPTOR","TotalBigPages",TotalBigPages);
dprintf("\tNonPagedPool %1ld Used: %5ld (%8ld Kb)\n",
Index,
Desc_TotalPages + TotalBigPages,
_KB*(Desc_TotalPages + TotalBigPages));
TotalPages += Desc_TotalPages + TotalBigPages;
PoolLocBase += PtrSize;
}
}
}
GetFieldValue(PoolLoc,"nt!_POOL_DESCRIPTOR","TotalBigPages",TotalBigPages);
if (NumberOfNonPagedPools > 1) {
dprintf("\tNonPagedPool Usage: %5ld (%8ld Kb)\n", TotalPages,_KB*TotalPages);
}
else {
dprintf("\tNonPagedPool Usage: %5ld (%8ld Kb)\n", Desc_TotalPages + TotalBigPages,
_KB*(Desc_TotalPages + TotalBigPages));
}
dprintf("\tNonPagedPool Max: %5I64ld (%8I64ld Kb)\n", NonPagedPoolBytesMax/PageSize,_KB*(NonPagedPoolBytesMax/PageSize));
if ((Desc_TotalPages + TotalBigPages) > 4 * ((NonPagedPoolBytesMax / PageSize) / 5)) {
dprintf("\t********** Excessive NonPaged Pool Usage *****\n");
}
//
// Dump all the paged pools.
//
NumberOfPagedPools = GetNtDebuggerDataValue(ExpNumberOfPagedPools);
TotalPages = 0;
PoolLocBase = GetExpression ("nt!ExpPagedPoolDescriptor");
if ((PoolLocBase != 0) && (NumberOfPagedPools != 0)) {
for (Index = 0; (Index < (NumberOfPagedPools + 1)) ; Index += 1) {
if (Index && (BuildNo <= 2464)) {
PoolLoc += Desc_size;
} else {
if (!ReadPointer(PoolLocBase, &PoolLoc)) {
dprintf("%08p: Unable to get paged pool info\n",PoolLocBase);
break;
}
}
if (GetFieldValue(PoolLoc,
"nt!_POOL_DESCRIPTOR",
"TotalPages",
Desc_TotalPages)) {
dprintf("%08p: Unable to get pool descriptor, PagedPool usage may be wrong\n",PoolLoc);
break;
}
GetFieldValue(PoolLoc,"nt!_POOL_DESCRIPTOR","TotalBigPages",TotalBigPages);
dprintf("\tPagedPool %1ld Usage: %5ld (%8ld Kb)\n",
Index,
Desc_TotalPages + TotalBigPages,
_KB*(Desc_TotalPages + TotalBigPages));
TotalPages += Desc_TotalPages + TotalBigPages;
PoolLocBase += PtrSize;
}
}
if (PagedPoolBytes > 95 * (PagedPoolBytesMax/ 100)) {
dprintf("\t********** Excessive Paged Pool Usage *****\n");
}
dprintf("\tPagedPool Usage: %5ld (%8ld Kb)\n", TotalPages,_KB*TotalPages);
dprintf("\tPagedPool Maximum: %5I64ld (%8I64ld Kb)\n", PagedPoolBytesMax/PageSize,_KB*(PagedPoolBytesMax/PageSize));
dprintf("\tShared Commit: %8I64ld (%8I64ld Kb)\n",SharedCommit,_KB*SharedCommit );
dprintf("\tSpecial Pool: %8I64ld (%8I64ld Kb)\n",SpecialPoolPages,_KB*SpecialPoolPages );
dprintf("\tShared Process: %8I64ld (%8I64ld Kb)\n",ProcessCommit,_KB*ProcessCommit );
dprintf("\tPagedPool Commit: %8I64ld (%8I64ld Kb)\n",PagedPoolCommit,_KB*PagedPoolCommit);
dprintf("\tDriver Commit: %8I64ld (%8I64ld Kb)\n",DriverCommit, _KB*DriverCommit );
dprintf("\tCommitted pages: %8I64ld (%8I64ld Kb)\n",CommitTotal, _KB*CommitTotal );
dprintf("\tCommit limit: %8I64ld (%8I64ld Kb)\n",CommitLimit, _KB*CommitLimit );
if ((CommitTotal + 100) > CommitLimit) {
dprintf("\n\t********** Number of committed pages is near limit ********\n");
}
if (BuildNo < 2257) {
if (ExtendedCommit != 0) {
dprintf("\n\t********** Commit has been extended with VM popup ********\n");
dprintf("\tExtended by: %8ld (%8ld Kb)\n", ExtendedCommit,_KB*ExtendedCommit);
}
if (PageFileFullExtendCount) {
if (PageFileFullExtendCount == 1) {
dprintf("\n\t****** ALL PAGING FILE BECAME FULL ONCE - COMMITMENT ADJUSTED ****\n", PageFileFullExtendCount);
}
else {
dprintf("\n\t****** ALL PAGING FILE BECAME FULL (%u times) - COMMITMENT ADJUSTED ****\n", PageFileFullExtendCount);
}
dprintf("\tCurrent adjust: %8ld (%8ld Kb)\n",
PageFileFullExtendPages,
_KB*PageFileFullExtendPages);
}
}
dprintf("\n");
if ((Flags & 0x1) == 0) {
ProcessCommitUsage = GetProcessCommit( &TotalProcessCommit, &NumberOfProcesses );
if (ProcessCommitUsage == NULL)
{
dprintf("\nProcessCommitUsage could not be calculated\n");
}
else
{
if (TotalProcessCommit != 0) {
dprintf("\tTotal Private: %8I64ld (%8I64ld Kb)\n",
TotalProcessCommit,_KB*TotalProcessCommit);
}
for (i=0; i<NumberOfProcesses; i++) {
dprintf( " %04I64lx %-15s %6I64d (%8I64ld Kb)\n",
ProcessCommitUsage[i].ClientId,
ProcessCommitUsage[i].ImageFileName,
ProcessCommitUsage[i].CommitCharge,
_KB*(ProcessCommitUsage[i].CommitCharge)
);
}
HeapFree(GetProcessHeap(), 0, ProcessCommitUsage);
}
}
if (Flags & 0x2) {
if (Client &&
(ExtQuery(Client) == S_OK)) {
dprintf("\n\tMemory Management Thread Stacks:\n");
DumpMmThreads ();
ExtRelease();
}
}
if (Flags & 0x4) {
if (Client &&
(ExtQuery(Client) == S_OK)) {
DumpTerminalServerMemory ();
ExtRelease();
}
}
return S_OK;
}
#if (_MSC_VER < 1200) && defined(_M_IX86)
#pragma optimize("", on)
#endif
VOID
DumpWholePfn(
IN ULONG64 Address,
IN ULONG Flags
)
/*++
Routine Description:
Dumps the PFN database
Arguments:
Address - address to dump at
Flags -
Return Value:
None.
--*/
{
ULONG result;
ULONG64 HighPage;
ULONG64 LowPage;
ULONG64 PageCount;
ULONG64 ReadCount;
ULONG64 i;
ULONG64 Pfn;
ULONG64 PfnStart;
PUCHAR PfnArray;
PUCHAR PfnArrayPointer;
ULONG64 VirtualAddress;
ULONG MatchLocation;
BOOLEAN foundlink;
BOOLEAN RandomAccessRequired;
ULONG PfnSize;
ULONG NumberOfPfnToRead;
ULONG sz;
MMPFNENTRY u3_e1;
CHAR InPageError;
LowPage = GetNtDebuggerDataValue(MmLowestPhysicalPage);
HighPage = GetNtDebuggerDataValue(MmHighestPhysicalPage);
PfnStart = GetNtDebuggerDataPtrValue(MmPfnDatabase);
PfnSize = GetTypeSize("nt!_MMPFN");
//
// Read sufficient pages such that htere isn't lot of wait
// before first page dump.
//
NumberOfPfnToRead = 2000;
PfnArray = NULL;
if (Flags == 7) {
RandomAccessRequired = TRUE;
}
else {
RandomAccessRequired = FALSE;
}
if (RandomAccessRequired == FALSE) {
dprintf("\n Page Flink Blk/Shr Ref V PTE Address SavedPTE Frame State\n");
}
//
// If asked to dump the whole database or we're going to need the ability
// to look up random frames, then read in the whole database now.
//
if (Address == 0 || RandomAccessRequired == TRUE) {
PfnArray = LocalAlloc(LPTR, (ULONG) (HighPage+1) * PfnSize);
if (!PfnArray) {
dprintf("unable to get allocate %ld bytes of memory\n",
(HighPage+1) * PfnSize);
return;
}
for (PageCount = LowPage;
PageCount <= HighPage;
PageCount += NumberOfPfnToRead) {
if (CheckControlC()) {
goto alldone;
}
ReadCount = HighPage - PageCount > NumberOfPfnToRead ?
NumberOfPfnToRead :
HighPage - PageCount + 1;
ReadCount *= PfnSize;
Pfn = (PfnStart + PageCount * PfnSize);
PfnArrayPointer = (PUCHAR)(PfnArray + (ULONG) PageCount * PfnSize);
//
// KD caches the Pfns
//
if ((!ReadMemory(Pfn,
PfnArrayPointer,
(ULONG) ReadCount,
&result)) || (result < (ULONG) ReadCount)) {
dprintf("unable to get PFN table block - "
"address %p - count %I64u - page %I64lu\n",
Pfn, ReadCount, PageCount);
goto alldone;
}
for (i = PageCount;
(i < PageCount + NumberOfPfnToRead) && (i < HighPage);
i += 1, Pfn = (Pfn + PfnSize)) {
ULONG u3_e2_ReferenceCount=0;
ULONG64 u1_Flink=0, u2_Blink=0, PteAddress=0, OriginalPte=0, PteFrame=0;
if (RandomAccessRequired == TRUE) {
if ((i % 256 ) == 0) {
dprintf("."); // every 256 pages, print a dot
}
}
else {
GetFieldValue(Pfn, "nt!_MMPFN", "u1.Flink", u1_Flink);
GetFieldValue(Pfn, "nt!_MMPFN", "u2.Blink", u2_Blink);
GetFieldValue(Pfn, "nt!_MMPFN", "PteAddress",PteAddress);
GetFieldValue(Pfn, "nt!_MMPFN", "OriginalPte",OriginalPte);
GetFieldValue(Pfn, "nt!_MMPFN", "u3.e2.ReferenceCount", u3_e2_ReferenceCount);
GetFieldValue(Pfn, "nt!_MMPFN", "u3.e1", u3_e1);
if (GetFieldValue(Pfn, "nt!_MMPFN", "u4.PteFrame", PteFrame) == FIELDS_DID_NOT_MATCH) {
GetFieldValue(Pfn, "nt!_MMPFN", "u3.e1.InPageError", InPageError);
GetFieldValue(Pfn, "nt!_MMPFN", "PteFrame", PteFrame);
} else {
GetFieldValue(Pfn, "nt!_MMPFN", "u4.InPageError", InPageError);
}
if (u3_e1.PrototypePte == 0) {
VirtualAddress = DbgGetVirtualAddressMappedByPte(PteAddress);
} else {
VirtualAddress = 0;
}
dprintf("%5I64lx %8p %8p%6x %8p %8p ",
i,
u1_Flink,
u2_Blink,
u3_e2_ReferenceCount,
PteAddress,
VirtualAddress);
dprintf("%8p ", OriginalPte);
dprintf("%6I64lx ", PteFrame);
dprintf("%s %c%c%c%c%c%c\n",
PageLocationList[u3_e1.PageLocation],
u3_e1.Modified ? 'M':' ',
u3_e1.PrototypePte ? 'P':' ',
u3_e1.ReadInProgress ? 'R':' ',
u3_e1.WriteInProgress ? 'W':' ',
InPageError ? 'E':' ',
u3_e1.ParityError ? 'X':' '
);
}
if (CheckControlC()) {
goto alldone;
}
}
}
if (RandomAccessRequired == TRUE) {
dprintf("\n");
}
else {
goto alldone;
}
}
dprintf("\n Page Flink Blk/Shr Ref V PTE Address SavedPTE Frame State\n");
Pfn = (PfnStart + Address * PfnSize);
if (GetFieldValue(Pfn, "nt!_MMPFN", "u3.e1", u3_e1)) {
dprintf("unable to get PFN element\n");
goto alldone;
}
MatchLocation = u3_e1.PageLocation;
do {
ULONG u3_e2_ReferenceCount=0;
ULONG64 u1_Flink=0, u2_Blink=0, PteAddress=0, OriginalPte=0, PteFrame=0;
if (CheckControlC()) {
goto alldone;
}
Pfn = (PfnStart + Address * PfnSize);
sz = sizeof (u3_e1);
GetFieldValue(Pfn, "nt!_MMPFN", "u3.e1", u3_e1);
if (u3_e1.PrototypePte == 0) {
VirtualAddress = DbgGetVirtualAddressMappedByPte ( PteAddress);
} else {
VirtualAddress = 0;
}
if (u3_e1.PageLocation == MatchLocation) {
GetFieldValue(Pfn, "nt!_MMPFN", "u1.Flink", u1_Flink);
GetFieldValue(Pfn, "nt!_MMPFN", "u2.Blink", u2_Blink);
GetFieldValue(Pfn, "nt!_MMPFN", "PteAddress", PteAddress);
GetFieldValue(Pfn, "nt!_MMPFN", "OriginalPte",OriginalPte);
GetFieldValue(Pfn, "nt!_MMPFN", "u3.e2.ReferenceCount", u3_e2_ReferenceCount);
if(GetFieldValue(Pfn, "nt!_MMPFN", "u4.PteFrame", PteFrame) == FIELDS_DID_NOT_MATCH) {
GetFieldValue(Pfn, "nt!_MMPFN", "u3.e1.InPageError", InPageError);
GetFieldValue(Pfn, "nt!_MMPFN", "PteFrame", PteFrame);
} else {
GetFieldValue(Pfn, "nt!_MMPFN", "u4.InPageError", InPageError);
}
dprintf("%5I64lx %8p %8p%6x %8p %8p ",
Address,
u1_Flink,
u2_Blink,
u3_e2_ReferenceCount,
PteAddress,
VirtualAddress);
dprintf("%8p ", OriginalPte);
dprintf("%6I64lx ", PteFrame);
dprintf("%s %c%c%c%c%c%c\n",
PageLocationList[u3_e1.PageLocation],
u3_e1.Modified ? 'M':' ',
u3_e1.PrototypePte ? 'P':' ',
u3_e1.ReadInProgress ? 'R':' ',
u3_e1.WriteInProgress ? 'W':' ',
InPageError ? 'E':' ',
u3_e1.ParityError ? 'X':' '
);
}
if (MatchLocation > 5) {
Address += 1;
} else {
ULONG64 OriginalPte_u_Long=0;
sz = sizeof (OriginalPte_u_Long);
if (Flags == 7) {
ULONG64 P;
//
// Search the whole database for an OriginalPte field that
// points to this PFN - we must do this because this chain
// is singly (not doubly) linked.
//
foundlink = FALSE;
P = PfnStart;
for (i = 0; i <= HighPage; i += 1, P += PfnSize) {
GetFieldValue(P, "nt!_MMPFN", "OriginalPte.u.Long", OriginalPte_u_Long);
if (OriginalPte_u_Long == Address) {
Address = i;
foundlink = TRUE;
break;
}
}
if (foundlink == FALSE) {
dprintf("No OriginalPte chain found for %lx\n", Address);
break;
}
} else if (Flags == 5) {
GetFieldValue(Pfn, "nt!_MMPFN", "OriginalPte.u.Long", OriginalPte_u_Long);
Address = OriginalPte_u_Long;
} else if (Flags == 3) {
Address = u2_Blink;
} else {
Address = u1_Flink;
}
}
if (CheckControlC()) {
goto alldone;
}
} while (Address < HighPage);
alldone:
if (PfnArray) {
LocalFree((void *)PfnArray);
}
}
VOID
PrintPfn64 (
IN ULONG64 PfnAddress
)
{
MMPFNENTRY u3_e1;
ULONG64 PfnDb, PfnStart;
ULONG PfnSize;
ULONG CacheAttribute;
CHAR InPageError, VerifierAllocation;
if ((PfnSize = GetTypeSize("nt!_MMPFN")) == 0) {
dprintf("Type _MMPFN not found.\n");
return;
}
PfnDb = GetNtDebuggerData(MmPfnDatabase);
if (!ReadPointer(PfnDb, &PfnStart)) {
dprintf("%08P: Unable to get PFN database start\n",PfnDb);
return;
}
if (!IsPtr64()) {
PfnAddress = (ULONG64) (LONG64) (LONG) PfnAddress;
}
dprintf(" PFN %08P at address %08P\n",
(PfnAddress - PfnStart) / PfnSize,
PfnAddress);
InitTypeRead(PfnAddress, nt!_MMPFN);
dprintf(" flink %08P", ReadField(u1.Flink));
dprintf(" blink / share count %08P", ReadField(u2.Blink));
dprintf(" pteaddress %08P\n", ReadField(PteAddress));
GetFieldValue(PfnAddress, "nt!_MMPFN", "u3.e1", u3_e1);
switch (TargetMachine) {
case IMAGE_FILE_MACHINE_IA64:
case IMAGE_FILE_MACHINE_AMD64:
dprintf(" reference count %04hX used entry count %04hX %s color %01hX\n",
(ULONG) ReadField(u3.e2.ReferenceCount),
(ULONG) ReadField(UsedPageTableEntries),
PageAttribute[u3_e1.CacheAttribute],
u3_e1.PageColor);
break;
default:
dprintf(" reference count %04hX %s color %01hX\n",
(ULONG) ReadField(u3.e2.ReferenceCount),
PageAttribute[u3_e1.CacheAttribute],
u3_e1.PageColor);
break;
}
dprintf(" restore pte %08I64X ", ReadField(OriginalPte));
if (BuildNo < 2440) {
dprintf("containing page %06P ", ReadField(PteFrame));
InPageError = (CHAR) ReadField(u3.e1.InPageError);
VerifierAllocation = (CHAR) ReadField(u3.e1.VerifierAllocation);
} else {
dprintf("containing page %06P ", ReadField(u4.PteFrame));
InPageError = (CHAR) ReadField(u4.InPageError);
VerifierAllocation = (CHAR) ReadField(u4.VerifierAllocation);
}
dprintf("%s %c%c%c%c%c%c\n",
PageLocationList[u3_e1.PageLocation],
u3_e1.Modified ? 'M':' ',
u3_e1.PrototypePte ? 'P':' ',
u3_e1.ReadInProgress ? 'R':' ',
u3_e1.WriteInProgress ? 'W':' ',
InPageError ? 'E':' ',
u3_e1.ParityError ? 'X':' ',
u3_e1.RemovalRequested ? 'Y':' ',
VerifierAllocation ? 'V':' '
);
dprintf(" %s %s %s %s %s %s\n",
u3_e1.Modified ? "Modified":" ",
u3_e1.PrototypePte ? "Shared":" ",
u3_e1.ReadInProgress ? "ReadInProgress":" ",
u3_e1.WriteInProgress ? "WriteInProgress":" ",
InPageError ? "InPageError":" ",
u3_e1.ParityError ? "ParityError":" ",
u3_e1.RemovalRequested ? "RemovalRequested":" ",
VerifierAllocation ? "VerifierAllocation":" ");
return;
}
VOID
MemoryUsage (
IN ULONG64 PfnStart,
IN ULONG64 LowPage,
IN ULONG64 HighPage,
IN ULONG IgnoreInvalidFrames
)
/*++
Routine Description:
This routine (debugging only) dumps the current memory usage by
walking the PFN database.
Arguments:
None.
Return Value:
None.
--*/
{
ULONG PfnSize;
ULONG64 LastPfn;
ULONG64 Pfn1;
ULONG64 Pfn2;
ULONG64 Subsection1;
UNICODE_STRING NameString;
PPFN_INFO Info;
PPFN_INFO Info1;
PPFN_INFO InfoStart;
PPFN_INFO InfoEnd;
ULONG InfoSize;
PFN_INFO ProcessPfns;
PFN_INFO PagedPoolBlock;
PPFN_INFO LastProcessInfo = &ProcessPfns;
ULONG64 Master;
ULONG64 ControlArea1;
BOOLEAN Found;
ULONG result;
ULONG i;
ULONG64 PagedPoolStart;
ULONG64 VirtualAddress;
ULONG64 MmNonPagedPoolEnd;
ULONG64 PteFrame;
ULONG OriginalPteOffset;
ULONG PercentComplete=0;
PKERN_MAP pKernelMap;
// Get the offset of OriginalPte in MMPFN
if (GetFieldOffset("nt!_MMPFN", "OriginalPte", &OriginalPteOffset)) {
dprintf("Cannot find _MMPFN type");
return ;
}
ProcessPfns.Next = NULL;
MmNonPagedPoolEnd = GetNtDebuggerDataPtrValue(MmNonPagedPoolEnd);
NameString.MaximumLength = sizeof(WCHAR) * 1000;
NameString.Buffer = calloc(1, NameString.MaximumLength);
if (!NameString.Buffer) {
return;
}
PagedPoolStart = GetNtDebuggerDataPtrValue(MmPagedPoolStart);
pKernelMap = calloc(1, sizeof(*pKernelMap));
if (!pKernelMap) {
free(NameString.Buffer);
return;
}
dprintf (" Building kernel map\n");
if (BuildKernelMap (pKernelMap) == FALSE) {
free(pKernelMap);
free(NameString.Buffer);
return;
}
dprintf (" Finished building kernel map\n");
RtlZeroMemory (&PagedPoolBlock, sizeof (PFN_INFO));
PfnSize = GetTypeSize("nt!_MMPFN");
LastPfn = (PfnStart + HighPage * PfnSize);
if (MmSubsectionBase == 0) {
MmSubsectionBase = GetNtDebuggerDataValue(MmSubsectionBase);
}
//
// Allocate a chunk of memory to hold PFN information. This is resized
// if it is later determined that the current size is not large enough.
//
InfoSize = USAGE_ALLOC_SIZE;
restart:
InfoStart = VirtualAlloc (NULL,
InfoSize,
MEM_COMMIT,
PAGE_READWRITE);
if (InfoStart == NULL) {
dprintf ("heap allocation for %d bytes failed\n", InfoSize);
free(pKernelMap);
free(NameString.Buffer);
return;
}
InfoEnd = InfoStart;
Pfn1 = (PfnStart + LowPage * PfnSize);
while (Pfn1 < LastPfn) {
ULONG PageLocation=0, PrototypePte=0, ReferenceCount=0;
ULONG Comp;
ULONG64 ShareCount=0, PteFrame1=0, PteAddress;
Comp = ((ULONG) (Pfn1 - (PfnStart + LowPage * PfnSize)))*100 /
((ULONG) (LastPfn -(PfnStart + LowPage * PfnSize)));
if (Comp > PercentComplete) {
PercentComplete = Comp;
dprintf("Scanning PFN database - (%02d%% complete) \r", PercentComplete);
}
if (CheckControlC()) {
VirtualFree (InfoStart,0,MEM_RELEASE);
free(pKernelMap);
free(NameString.Buffer);
return;
}
GetFieldValue(Pfn1, "nt!_MMPFN", "u3.e1.PageLocation", PageLocation);
if ((PageLocation != FreePageList) &&
(PageLocation != ZeroedPageList) &&
(PageLocation != BadPageList)) {
GetFieldValue(Pfn1, "nt!_MMPFN", "u3.e1.PrototypePte", PrototypePte);
GetFieldValue(Pfn1, "nt!_MMPFN", "u3.e2.ReferenceCount", ReferenceCount);
GetFieldValue(Pfn1, "nt!_MMPFN", "u2.ShareCount", ShareCount);
GetFieldValue(Pfn1, "nt!_MMPFN", "PteAddress", PteAddress);
if (GetFieldValue(Pfn1, "nt!_MMPFN", "u4.PteFrame", PteFrame1) == FIELDS_DID_NOT_MATCH) {
GetFieldValue(Pfn1, "nt!_MMPFN", "PteFrame", PteFrame1);
}
Subsection1 = 0;
if (PrototypePte) {
Subsection1 = DbgGetSubsectionAddress (Pfn1 + OriginalPteOffset);
}
if ((Subsection1) && (Subsection1 < 0xffffffffffbff000UI64)) {
Master = Subsection1;
} else {
PteFrame = PteFrame1;
if (IgnoreInvalidFrames) {
Master = PteFrame;
} else {
// dprintf("Pteaddr %p, PagedPoolStart %I64x ", PteAddress, PagedPoolStart);
if (PteAddress > PagedPoolStart) {
Master = PteFrame;
} else {
Master=0;
Pfn2 = PfnStart + PteFrame*PfnSize;
if (GetFieldValue(Pfn2, "nt!_MMPFN", "PteFrame", Master) == FIELDS_DID_NOT_MATCH) {
GetFieldValue(Pfn2, "nt!_MMPFN", "u4.PteFrame", Master);
}
// Master = MI_PFN_PTE FRAME(Pfn2);
if ((Master == 0) || (Master > HighPage)) {
dprintf("Invalid PTE frame\n");
// PrintPfn((PVOID)(((PCHAR)Pfn1-(PCHAR)PfnStart)/PfnSize),Pfn1);
PrintPfn64(Pfn1);
PrintPfn64(Pfn2);
dprintf(" subsection address: %p\n",Subsection1);
goto NextPfn;
}
}
}
}
//
// Tally any pages which are not protos and have a valid PTE
// address field.
//
if ((PteAddress < PagedPoolStart) && (PteAddress >= DbgGetPteAddress(SystemRangeStart) )) {
for (i=0; i<pKernelMap->Count; i++) {
VirtualAddress = DbgGetVirtualAddressMappedByPte (PteAddress);
if ((VirtualAddress >= pKernelMap->Item[i].StartVa) &&
(VirtualAddress < pKernelMap->Item[i].EndVa)) {
if ((PageLocation == ModifiedPageList) ||
(PageLocation == ModifiedNoWritePageList)) {
pKernelMap->Item[i].ModifiedCount += _KB;
if (ReferenceCount > 0) {
pKernelMap->Item[i].LockedCount += _KB;
}
} else if ((PageLocation == StandbyPageList) ||
(PageLocation == TransitionPage)) {
pKernelMap->Item[i].StandbyCount += _KB;
if (ReferenceCount > 0) {
pKernelMap->Item[i].LockedCount += _KB;
}
} else {
pKernelMap->Item[i].ValidCount += _KB;
if (ShareCount > 1) {
pKernelMap->Item[i].SharedCount += _KB;
if (ReferenceCount > 1) {
pKernelMap->Item[i].LockedCount += _KB;
}
}
}
goto NextPfn;
}
}
}
if (PteAddress >= 0xFFFFFFFFF0000000UI64) {
//
// This is paged pool, put it in the paged pool cell.
//
Info = &PagedPoolBlock;
Found = TRUE;
} else {
//
// See if there is already a master info block.
//
Info = InfoStart;
Found = FALSE;
while (Info < InfoEnd) {
if (Info->Master == Master) {
Found = TRUE;
break;
}
Info += 1;
}
}
if (!Found) {
Info = InfoEnd;
InfoEnd += 1;
if ((PUCHAR)Info >= ((PUCHAR)InfoStart + InfoSize) - sizeof(PFN_INFO)) {
//
// Don't bother copying the old array - free it instead to
// improve our chances of getting a bigger contiguous chunk.
//
VirtualFree (InfoStart,0,MEM_RELEASE);
InfoSize += USAGE_ALLOC_SIZE;
goto restart;
}
RtlZeroMemory (Info, sizeof (PFN_INFO));
Info->Master = Master;
GetFieldValue(Pfn1, "nt!_MMPFN", "OriginalPte.u.Long", Info->OriginalPte);
}
// dprintf("Pfn1 %p, PageLoc %x, Master %I64x\n", Pfn1, PageLocation, Master);
if ((PageLocation == ModifiedPageList) ||
(PageLocation == ModifiedNoWritePageList)) {
Info->ModifiedCount += _KB;
if (ReferenceCount > 0) {
Info->LockedCount += _KB;
}
} else if ((PageLocation == StandbyPageList) ||
(PageLocation == TransitionPage)) {
Info->StandbyCount += _KB;
if (ReferenceCount > 0) {
Info->LockedCount += _KB;
}
} else {
Info->ValidCount += _KB;
if (ShareCount > 1) {
Info->SharedCount += _KB;
if (ReferenceCount > 1) {
Info->LockedCount += _KB;
}
}
}
if ((PteAddress >= DbgGetPdeAddress (0x0)) &&
(PteAddress <= DbgGetPdeAddress (0xFFFFFFFFFFFFFFFF))) {
Info->PageTableCount += _KB;
}
}
NextPfn:
Pfn1 = (Pfn1 + PfnSize);
}
//
// dump the results.
//
#if 0
dprintf("Physical Page Summary:\n");
dprintf(" - number of physical pages: %ld\n",
MmNumberOfPhysicalPages);
dprintf(" - Zeroed Pages %ld\n", MmZeroedPageListHead.Total);
dprintf(" - Free Pages %ld\n", MmFreePageListHead.Total);
dprintf(" - Standby Pages %ld\n", MmStandbyPageListHead.Total);
dprintf(" - Modfified Pages %ld\n", MmModifiedPageListHead.Total);
dprintf(" - Modfified NoWrite Pages %ld\n", MmModifiedNoWritePageListHead.Total);
dprintf(" - Bad Pages %ld\n", MmBadPageListHead.Total);
#endif //0
dprintf("\n\n Usage Summary (in Kb):\n");
Info = InfoStart;
while (Info < InfoEnd) {
if (CheckControlC()) {
VirtualFree (InfoStart,0,MEM_RELEASE);
free(pKernelMap);
free(NameString.Buffer);
return;
}
if (Info->Master > 0x200000) {
//
// Get the control area from the subsection.
//
if (GetFieldValue(Info->Master,
"nt!_SUBSECTION",
"ControlArea",
ControlArea1)) {
dprintf("unable to get subsection va %p %lx\n",Info->Master,Info->OriginalPte);
}
// ControlArea1 = Subsection.ControlArea;
Info->Master = ControlArea1;
//
// Loop through the array so far for matching control areas
//
Info1 = InfoStart;
while (Info1 < Info) {
if (Info1->Master == ControlArea1) {
//
// Found a match, collapse these values.
//
Info1->ValidCount += Info->ValidCount;
Info1->StandbyCount += Info->StandbyCount;
Info1->ModifiedCount += Info->ModifiedCount;
Info1->SharedCount += Info->SharedCount;
Info1->LockedCount += Info->LockedCount;
Info1->PageTableCount += Info->PageTableCount;
Info->Master = 0;
break;
}
Info1++;
}
} else {
LastProcessInfo->Next = Info;
LastProcessInfo = Info;
}
Info++;
}
Info = InfoStart;
dprintf("Control Valid Standby Dirty Shared Locked PageTables name\n");
while (Info < InfoEnd) {
ULONG64 FilePointer;
if (CheckControlC()) {
VirtualFree (InfoStart,0,MEM_RELEASE);
free(pKernelMap);
free(NameString.Buffer);
return;
}
if (Info->Master > 0x200000) {
//
// Get the control area.
//
if (GetFieldValue(Info->Master,
"nt!_CONTROL_AREA",
"FilePointer",
FilePointer)) {
dprintf("%8p %5ld %5ld %5ld %5ld %5ld %5ld Bad Control Area\n",
Info->Master,
Info->ValidCount,
Info->StandbyCount,
Info->ModifiedCount,
Info->SharedCount,
Info->LockedCount,
Info->PageTableCount
);
} else if (FilePointer == 0) {
dprintf("%8p %5ld %5ld %5ld %5ld %5ld %5ld Page File Section\n",
Info->Master,
Info->ValidCount,
Info->StandbyCount,
Info->ModifiedCount,
Info->SharedCount,
Info->LockedCount,
Info->PageTableCount
);
} else {
ULONG64 NameBuffer;
//
// Get the file pointer.
//
if (GetFieldValue(FilePointer,
"nt!_FILE_OBJECT",
"FileName.Length",
NameString.Length)) {
dprintf("unable to get subsection %p\n",FilePointer);
}
if (NameString.Length != 0) {
//
// Get the name string.
//
if (NameString.Length > NameString.MaximumLength) {
NameString.Length = NameString.MaximumLength-1;
}
GetFieldValue(FilePointer,
"nt!_FILE_OBJECT",
"FileName.Buffer",
NameBuffer);
if ((!ReadMemory(NameBuffer,
NameString.Buffer,
NameString.Length,
&result)) || (result < NameString.Length)) {
dprintf("%8p %5ld %5ld %5ld %5ld %5ld %5ld Name Not Available\n",
Info->Master,
Info->ValidCount,
Info->StandbyCount,
Info->ModifiedCount,
Info->SharedCount,
Info->LockedCount,
Info->PageTableCount
);
} else {
{
WCHAR FileName[MAX_PATH];
WCHAR FullFileName[MAX_PATH];
WCHAR *FilePart;
ZeroMemory(FileName,sizeof(FileName));
if (NameString.Length > sizeof(FileName)) {
wcscpy(FileName, L"File name length too big - possibly corrupted");
} else {
CopyMemory(FileName,NameString.Buffer,NameString.Length);
}
GetFullPathNameW(
FileName,
MAX_PATH,
FullFileName,
&FilePart
);
dprintf("%8p %5ld %5ld %5ld %5ld %5ld %5ld mapped_file( %ws )\n",
Info->Master,
Info->ValidCount,
Info->StandbyCount,
Info->ModifiedCount,
Info->SharedCount,
Info->LockedCount,
Info->PageTableCount,
FilePart);
}
}
} else {
dprintf("%8p %5ld %5ld %5ld %5ld %5ld %5ld No Name for File\n",
Info->Master,
Info->ValidCount,
Info->StandbyCount,
Info->ModifiedCount,
Info->SharedCount,
Info->LockedCount,
Info->PageTableCount
);
}
}
}
Info += 1;
}
Info = &PagedPoolBlock;
if ((Info->ValidCount != 0) ||
(Info->StandbyCount != 0) ||
(Info->ModifiedCount != 0)) {
dprintf("00000000 %4ld %5ld %5ld %5ld %5ld %5ld PagedPool\n",
Info->ValidCount,
Info->StandbyCount,
Info->ModifiedCount,
Info->SharedCount,
Info->LockedCount,
Info->PageTableCount
);
}
//
// dump the process information.
//
BuildDirbaseList();
Info = ProcessPfns.Next;
while (Info != NULL) {
if (Info->Master != 0) {
PUCHAR ImageName;
ImageName = DirbaseToImage(Info->Master);
if ( ImageName ) {
dprintf("-------- %4ld %5ld %5ld ----- ----- %5ld process ( %s )\n",
Info->ValidCount,
Info->StandbyCount,
Info->ModifiedCount,
Info->PageTableCount,
ImageName
);
}
else {
dprintf("-------- %4ld %5ld %5ld ----- ----- %5ld pagefile section (%lx)\n",
Info->ValidCount,
Info->StandbyCount,
Info->ModifiedCount,
Info->PageTableCount,
Info->Master
);
}
}
Info = Info->Next;
}
if (!IgnoreInvalidFrames) {
for (i=0;i<pKernelMap->Count ;i++) {
dprintf("-------- %4ld %5ld %5ld ----- %5ld ----- driver ( %ws )\n",
pKernelMap->Item[i].ValidCount,
pKernelMap->Item[i].StandbyCount,
pKernelMap->Item[i].ModifiedCount,
pKernelMap->Item[i].LockedCount,
pKernelMap->Item[i].Name
);
}
}
VirtualFree (InfoStart,0,MEM_RELEASE);
free(pKernelMap);
free(NameString.Buffer);
return;
}
NTSTATUS
BuildDirbaseList (
VOID
)
{
ULONG64 Next;
ULONG64 ProcessHead;
ULONG64 Process;
NTSTATUS status=0;
ULONG ActiveProcessLinksOffset, DirectoryTableBaseOffset;
FIELD_INFO offField[] = {
{"ActiveProcessLinks", NULL, 0, DBG_DUMP_FIELD_RETURN_ADDRESS, 0, NULL},
{"Pcb.DirectoryTableBase", NULL, 0, DBG_DUMP_FIELD_RETURN_ADDRESS, 0, NULL}
};
SYM_DUMP_PARAM TypeSym ={
sizeof (SYM_DUMP_PARAM), "_EPROCESS", DBG_DUMP_NO_PRINT, 0,
NULL, NULL, NULL, 2, &offField[0]
};
// Get the offset of ActiveProcessLinks in EPROCESS
if (Ioctl(IG_DUMP_SYMBOL_INFO, &TypeSym, TypeSym.size)) {
return FALSE;
}
ActiveProcessLinksOffset = (ULONG) offField[0].address;
DirectoryTableBaseOffset = (ULONG) offField[1].address;
MaxDirbase = 0;
ProcessHead = GetNtDebuggerData(PsActiveProcessHead );
if (!ProcessHead) {
return STATUS_OBJECT_NAME_NOT_FOUND;
}
if (GetFieldValue(ProcessHead, "nt!_LIST_ENTRY", "Flink", Next)) {
return STATUS_OBJECT_NAME_NOT_FOUND;
}
//Next = List.Flink;
if (Next == 0) {
dprintf("PsActiveProcessHead is NULL!\n");
return STATUS_INVALID_PARAMETER;
}
while(Next != ProcessHead) {
ULONG64 PageFrameNumber=0;
Process = Next - ActiveProcessLinksOffset;
if (GetFieldValue(Process,
"nt!_EPROCESS",
"ImageFileName",
Names[MaxDirbase])) {
dprintf("Unable to read _EPROCESS at %p\n",Process);
MaxDirbase = 0;
return status;
}
if ( (Names[ MaxDirbase ])[0] == '\0' ) {
strcpy((PCHAR)&Names[MaxDirbase][0],(PCHAR)"SystemProcess");
}
GetFieldValue(Process,"_EPROCESS","ImageFileName",Names[MaxDirbase]);
GetFieldValue(Process + DirectoryTableBaseOffset, "nt!HARDWARE_PTE", "PageFrameNumber", PageFrameNumber);
DirBases[MaxDirbase++] = PageFrameNumber;
GetFieldValue(Process, "_EPROCESS", "ActiveProcessLinks.Flink", Next);
if (CheckControlC()) {
MaxDirbase = 0;
return STATUS_INVALID_PARAMETER;
}
}
return STATUS_INVALID_PARAMETER;
}
PUCHAR
DirbaseToImage(
IN ULONG64 DirBase
)
{
ULONG i;
for(i=0;i<MaxDirbase;i++) {
if ( DirBases[i] == DirBase ) {
return &Names[i][0];
}
}
return NULL;
}
LOGICAL
BuildKernelMap (
OUT PKERN_MAP KernelMap
)
{
ULONG64 Next;
ULONG64 ListHead;
NTSTATUS Status = 0;
ULONG Result;
ULONG64 DataTable;
ULONG i = 0;
ULONG64 Flink;
ULONG InLoadOrderLinksOffset;
FIELD_INFO offField = {"InLoadOrderLinks", NULL, 0, DBG_DUMP_FIELD_RETURN_ADDRESS, 0, NULL};
SYM_DUMP_PARAM TypeSym ={
sizeof (SYM_DUMP_PARAM), "nt!_LDR_DATA_TABLE_ENTRY", DBG_DUMP_NO_PRINT, 0,
NULL, NULL, NULL, 1, &offField
};
// Get the offset of InLoadOrderLinks in LDR_DATA_TABLE_ENTRY
if (Ioctl(IG_DUMP_SYMBOL_INFO, &TypeSym, TypeSym.size)) {
return FALSE;
}
InLoadOrderLinksOffset = (ULONG) offField.address;
ListHead = GetNtDebuggerData(PsLoadedModuleList );
if (!ListHead) {
dprintf("Couldn't get offset of PsLoadedModuleListHead\n");
return FALSE;
}
if (GetFieldValue(ListHead, "nt!_LIST_ENTRY", "Flink", Flink)) {
dprintf("Unable to get value of PsLoadedModuleListHead\n");
return FALSE;
}
Next = Flink;
if (Next == 0) {
dprintf("PsLoadedModuleList is NULL!\n");
return FALSE;
}
while (Next != ListHead) {
ULONG64 BaseDllNameBuffer, DllBase;
ULONG BaseDllNameLength=0, SizeOfImage;
if (CheckControlC()) {
return FALSE;
}
DataTable = (Next - InLoadOrderLinksOffset);
if (GetFieldValue(DataTable,
"nt!_LDR_DATA_TABLE_ENTRY",
"BaseDllName.Buffer",
BaseDllNameBuffer)) {
dprintf("Unable to read LDR_DATA_TABLE_ENTRY at %08p\n",
DataTable);
return FALSE;
}
GetFieldValue(DataTable, "nt!_LDR_DATA_TABLE_ENTRY","BaseDllName.Length",BaseDllNameLength);
GetFieldValue(DataTable, "nt!_LDR_DATA_TABLE_ENTRY","DllBase",DllBase);
GetFieldValue(DataTable, "nt!_LDR_DATA_TABLE_ENTRY","SizeOfImage",SizeOfImage);
//
// Get the base DLL name.
//
if ((!ReadMemory(BaseDllNameBuffer,
&KernelMap->Item[i].Name[0],
BaseDllNameLength,
&Result)) || (Result < BaseDllNameLength)) {
dprintf("Unable to read name string at %08p - status %08lx\n",
DataTable,
Status);
return FALSE;
}
KernelMap->Item[i].Name[BaseDllNameLength/2] = L'\0';
KernelMap->Item[i].StartVa = DllBase;
KernelMap->Item[i].EndVa = KernelMap->Item[i].StartVa +
(ULONG)SizeOfImage;
i += 1;
GetFieldValue(DataTable, "nt!_LDR_DATA_TABLE_ENTRY","InLoadOrderLinks.Flink", Next);
}
KernelMap->Item[i].StartVa = GetNtDebuggerDataPtrValue(MmPagedPoolStart);
KernelMap->Item[i].EndVa = GetNtDebuggerDataPtrValue(MmPagedPoolEnd);
wcscpy (&KernelMap->Item[i].Name[0], (PUSHORT) &L"Paged Pool");
i+= 1;
#if 0
KernelMap->Item[i].StartVa = DbgGetPteAddress (0xffffffff80000000UI64);
KernelMap->Item[i].EndVa = DbgGetPteAddress (0xffffffffffffffffUI64);
wcscpy (&KernelMap->Item[i].Name[0], (PUSHORT) &L"System Page Tables");
i+= 1;
KernelMap->Item[i].StartVa = DbgGetPdeAddress (0x80000000);
KernelMap->Item[i].EndVa = DbgGetPdeAddress (0xffffffff);
wcscpy (&KernelMap->Item[i].Name[0], (PUSHORT) &L"System Page Tables");
i+= 1;
#endif 0
// LWFIX: Both PTEs and nonpaged pool can be in multiple virtually discontiguous
// areas. Fix this.
KernelMap->Item[i].StartVa = DbgGetVirtualAddressMappedByPte (
GetNtDebuggerDataValue(MmSystemPtesStart));
KernelMap->Item[i].EndVa = DbgGetVirtualAddressMappedByPte (
GetNtDebuggerDataValue(MmSystemPtesEnd)) + 1;
wcscpy (&KernelMap->Item[i].Name[0], (PUSHORT) &L"Kernel Stacks");
i+= 1;
KernelMap->Item[i].StartVa = GetNtDebuggerDataValue(MmNonPagedPoolStart);
KernelMap->Item[i].EndVa = GetNtDebuggerDataValue(MmNonPagedPoolEnd);
wcscpy (&KernelMap->Item[i].Name[0], (PUSHORT) &L"NonPaged Pool");
i+= 1;
KernelMap->Count = i;
return TRUE;
}
ULONG64 SpecialPoolStart;
ULONG64 SpecialPoolEnd;
#define VI_POOL_FREELIST_END ((ULONG64)-1)
LOGICAL
VerifierDumpPool (
IN ULONG64 Verifier
)
{
ULONG64 HashTableAddress;
ULONG PoolTag;
ULONG i;
ULONG64 HashEntry;
ULONG64 PoolHashSize;
ULONG SizeofEntry;
LONG64 FreeListNext;
//
// Display the current and peak pool usage by allocation & bytes.
//
#define PP(x) isprint(((x)&0xff))?((x)&0xff):('.')
InitTypeRead(Verifier, nt!_MI_VERIFIER_DRIVER_ENTRY);
dprintf("\n");
dprintf("Current Pool Allocations %08I64lx %08I64lx\n",
ReadField(CurrentPagedPoolAllocations),
ReadField(CurrentNonPagedPoolAllocations));
dprintf("Current Pool Bytes %08I64lx %08I64lx\n",
ReadField(PagedBytes),
ReadField(NonPagedBytes));
dprintf("Peak Pool Allocations %08I64lx %08I64lx\n",
ReadField(PeakPagedPoolAllocations),
ReadField(PeakNonPagedPoolAllocations));
dprintf("Peak Pool Bytes %08I64lx %08I64lx\n",
ReadField(PeakPagedBytes),
ReadField(PeakNonPagedBytes));
//
// If no current allocations then the dump is over.
//
if ((ReadField(CurrentPagedPoolAllocations) == 0) &&
(ReadField(CurrentNonPagedPoolAllocations) == 0)) {
dprintf("\n");
return FALSE;
}
dprintf("\n");
PoolHashSize = ReadField(PoolHashSize);
HashTableAddress = ReadField(PoolHash);
dprintf("PoolAddress SizeInBytes Tag CallersAddress\n");
i = 0;
HashEntry = HashTableAddress;
SizeofEntry = GetTypeSize("nt!_VI_POOL_ENTRY");
for (i = 0; i < PoolHashSize; i += 1, HashEntry += SizeofEntry) {
if (GetFieldValue(HashEntry, "nt!_VI_POOL_ENTRY", "FreeListNext", FreeListNext)) {
dprintf("%08p: Unable to get verifier hash page\n", HashEntry);
return FALSE;
}
//
// Sign extend if necessary.
//
if (!IsPtr64()) {
FreeListNext = (ULONG64)(LONG64)(LONG)FreeListNext;
}
//
// Skip freelist entries.
//
if ((FreeListNext == VI_POOL_FREELIST_END) ||
((FreeListNext & MINLONG64_PTR) == 0)) {
continue;
}
InitTypeRead(HashEntry, nt!_VI_POOL_ENTRY);
PoolTag = (ULONG) ReadField(InUse.Tag);
dprintf("%p 0x%08p %c%c%c%c ",
ReadField(InUse.VirtualAddress),
ReadField(InUse.NumberOfBytes),
(PP(PoolTag) & ~0x80),
PP(PoolTag >> 8),
PP(PoolTag >> 16),
PP(PoolTag >> 24)
);
dprintf("%p\n", ReadField(InUse.CallingAddress));
if (CheckControlC()) {
return TRUE;
}
}
#undef PP
dprintf("\n");
return FALSE;
}
#if 0
typedef struct _COMMIT_INFO {
LPSTR Name;
ULONG Index;
} COMMIT_INFO, *PCOMMIT_INFO;
COMMIT_INFO CommitInfo[] = {
"MM_DBG_COMMIT_NONPAGED_POOL_EXPANSION", 0,
"MM_DBG_COMMIT_PAGED_POOL_PAGETABLE", 1,
"MM_DBG_COMMIT_PAGED_POOL_PAGES", 2,
"MM_DBG_COMMIT_SESSION_POOL_PAGE_TABLES", 3,
"MM_DBG_COMMIT_ALLOCVM1", 4,
"MM_DBG_COMMIT_ALLOCVM_SEGMENT", 5,
"MM_DBG_COMMIT_IMAGE", 6,
"MM_DBG_COMMIT_PAGEFILE_BACKED_SHMEM", 7,
"MM_DBG_COMMIT_INDEPENDENT_PAGES", 8,
"MM_DBG_COMMIT_CONTIGUOUS_PAGES", 9,
"MM_DBG_COMMIT_MDL_PAGES", 0xA,
"MM_DBG_COMMIT_NONCACHED_PAGES", 0xB,
"MM_DBG_COMMIT_MAPVIEW_DATA", 0xC,
"MM_DBG_COMMIT_FILL_SYSTEM_DIRECTORY", 0xD,
"MM_DBG_COMMIT_EXTRA_SYSTEM_PTES", 0xE,
"MM_DBG_COMMIT_DRIVER_PAGING_AT_INIT", 0xF,
"MM_DBG_COMMIT_PAGEFILE_FULL", 0x10,
"MM_DBG_COMMIT_PROCESS_CREATE", 0x11,
"MM_DBG_COMMIT_KERNEL_STACK_CREATE", 0x12,
"MM_DBG_COMMIT_SET_PROTECTION", 0x13,
"MM_DBG_COMMIT_SESSION_CREATE", 0x14,
"MM_DBG_COMMIT_SESSION_IMAGE_PAGES", 0x15,
"MM_DBG_COMMIT_SESSION_PAGETABLE_PAGES", 0x16,
"MM_DBG_COMMIT_SESSION_SHARED_IMAGE", 0x17,
"MM_DBG_COMMIT_DRIVER_PAGES", 0x18,
"MM_DBG_COMMIT_INSERT_VAD", 0x19,
"MM_DBG_COMMIT_SESSION_WS_INIT", 0x1A,
"MM_DBG_COMMIT_SESSION_ADDITIONAL_WS_PAGES", 0x1B,
"MM_DBG_COMMIT_SESSION_ADDITIONAL_WS_HASHPAGES", 0x1C,
"MM_DBG_COMMIT_SPECIAL_POOL_PAGES", 0x1D,
"MM_DBG_COMMIT_SMALL", 0x1F,
"MM_DBG_COMMIT_EXTRA_WS_PAGES", 0x20,
"MM_DBG_COMMIT_EXTRA_INITIAL_SESSION_WS_PAGES", 0x21,
"MM_DBG_COMMIT_ALLOCVM_PROCESS", 0x22,
"MM_DBG_COMMIT_INSERT_VAD_PT", 0x23,
"MM_DBG_COMMIT_ALLOCVM_PROCESS2", 0x24,
"MM_DBG_COMMIT_CHARGE_NORMAL", 0x25,
"MM_DBG_COMMIT_CHARGE_CAUSE_POPUP", 0x26,
"MM_DBG_COMMIT_CHARGE_CANT_EXPAND", 0x27,
"MM_DBG_COMMIT_RETURN_NONPAGED_POOL_EXPANSION", 0x40,
"MM_DBG_COMMIT_RETURN_PAGED_POOL_PAGES", 0x41,
"MM_DBG_COMMIT_RETURN_SESSION_DATAPAGE", 0x42,
"MM_DBG_COMMIT_RETURN_ALLOCVM_SEGMENT", 0x43,
"MM_DBG_COMMIT_RETURN_ALLOCVM2", 0x44,
"MM_DBG_COMMIT_RETURN_IMAGE_NO_LARGE_CA", 0x46,
"MM_DBG_COMMIT_RETURN_PTE_RANGE", 0x47,
"MM_DBG_COMMIT_RETURN_NTFREEVM1", 0x48,
"MM_DBG_COMMIT_RETURN_NTFREEVM2", 0x49,
"MM_DBG_COMMIT_RETURN_INDEPENDENT_PAGES", 0x4A,
"MM_DBG_COMMIT_RETURN_AWE_EXCESS", 0x4B,
"MM_DBG_COMMIT_RETURN_MDL_PAGES", 0x4C,
"MM_DBG_COMMIT_RETURN_NONCACHED_PAGES", 0x4D,
"MM_DBG_COMMIT_RETURN_SESSION_CREATE_FAILURE", 0x4E,
"MM_DBG_COMMIT_RETURN_PAGETABLES", 0x4F,
"MM_DBG_COMMIT_RETURN_PROTECTION", 0x50,
"MM_DBG_COMMIT_RETURN_SEGMENT_DELETE1", 0x51,
"MM_DBG_COMMIT_RETURN_SEGMENT_DELETE2", 0x52,
"MM_DBG_COMMIT_RETURN_PAGEFILE_FULL", 0x53,
"MM_DBG_COMMIT_RETURN_SESSION_DEREFERENCE", 0x54,
"MM_DBG_COMMIT_RETURN_VAD", 0x55,
"MM_DBG_COMMIT_RETURN_PROCESS_CREATE_FAILURE1", 0x56,
"MM_DBG_COMMIT_RETURN_PROCESS_DELETE", 0x57,
"MM_DBG_COMMIT_RETURN_PROCESS_CLEAN_PAGETABLES", 0x58,
"MM_DBG_COMMIT_RETURN_KERNEL_STACK_DELETE", 0x59,
"MM_DBG_COMMIT_RETURN_SESSION_DRIVER_LOAD_FAILURE1",0x5A,
"MM_DBG_COMMIT_RETURN_DRIVER_INIT_CODE", 0x5B,
"MM_DBG_COMMIT_RETURN_DRIVER_UNLOAD", 0x5C,
"MM_DBG_COMMIT_RETURN_DRIVER_UNLOAD1", 0x5D,
"MM_DBG_COMMIT_RETURN_NORMAL", 0x5E,
"MM_DBG_COMMIT_RETURN_PF_FULL_EXTEND", 0x5F,
"MM_DBG_COMMIT_RETURN_EXTENDED", 0x60,
"MM_DBG_COMMIT_RETURN_SEGMENT_DELETE3", 0x61,
};
VOID
DumpCommitTracker ()
{
ULONG64 MmTrackCommit;
ULONG64 PfnEntry;
ULONG64 displacement;
ULONG64 AcquiredAddress;
ULONG64 ReleasedAddress;
CHAR SymbolBuffer[80];
PCHAR SymPointer;
ULONG EntrySize;
ULONG result;
ULONG64 ReadCount;
ULONG64 i;
ULONG64 j;
PSIZE_T LocalData;
PCHAR local;
ULONG64 NumberOfCommitEntries;
MmTrackCommit = GetExpression ("nt!MmTrackCommit");
if (MmTrackCommit == 0) {
dprintf("%08p: Unable to get commit track data.\n", MmTrackCommit);
return;
}
PfnEntry = MmTrackCommit;
#if 0
NumberOfCommitEntries = GetUlongValue ("MiMaxPfnTimings");
EntrySize = GetTypeSize("SIZE_T");
#else
NumberOfCommitEntries = 128;
EntrySize = 4;
#endif
ReadCount = NumberOfCommitEntries * EntrySize;
dprintf("Scanning %I64u %I64u commit points\n", NumberOfCommitEntries, ReadCount);
LocalData = LocalAlloc(LPTR, (ULONG) (NumberOfCommitEntries * EntrySize));
if (!LocalData) {
dprintf("unable to get allocate %ld bytes of memory\n",
(ULONG)(NumberOfCommitEntries * EntrySize));
return;
}
if ((!ReadMemory(MmTrackCommit,
LocalData,
(ULONG) ReadCount,
&result)) || (result < (ULONG) ReadCount)) {
dprintf("unable to get track commit table - "
"address %p - count %I64u\n",
LocalData, ReadCount);
}
else {
dprintf("\n%-50s %s\n", "Instance", "HexCount");
for (i = 0; i < NumberOfCommitEntries; i += 1) {
if (LocalData[i] != 0) {
for (j = 0; j < sizeof(CommitInfo) / sizeof (COMMIT_INFO); j += 1) {
if (CommitInfo[j].Index == i) {
dprintf ("%-50s %8x\n", CommitInfo[j].Name, LocalData[i]);
break;
}
}
}
}
}
if (LocalData) {
LocalFree((void *)LocalData);
}
return;
}
#endif
VOID
DumpFaultInjectionTraceLog (
PCSTR Args
);
VOID
DumpTrackIrqlLog (
PCSTR args
);
DECLARE_API( verifier )
/*++
Routine Description:
Displays the current Driver Verifier data.
Arguments:
arg - Supplies 7 for full listing
Return Value:
None.
--*/
{
ULONG result;
ULONG Flags;
ULONG VerifierFlags;
ULONG64 VerifierDataPointer;
ULONG64 SuspectPointer;
ULONG64 NextEntry;
ULONG64 VerifierDriverEntry;
PUCHAR tempbuffer;
UNICODE_STRING unicodeString;
LOGICAL Interrupted;
CHAR Buf[256];
PCHAR ImageFileName;
ANSI_STRING AnsiString;
UNICODE_STRING InputDriverName;
NTSTATUS st;
ULONG Level;
PCHAR state;
ULONG64 tmp;
UNREFERENCED_PARAMETER (Client);
//
// Display option usage.
//
if (strstr (args, "?") != NULL) {
dprintf ("!verifier \n");
dprintf (" \n");
dprintf (" Dump verifier summary information. \n");
dprintf (" \n");
dprintf ("!verifier [FLAGS [IMAGE]] \n");
dprintf (" \n");
dprintf (" 0x01 : Dump verified drivers pool statistics \n");
dprintf (" \n");
dprintf (" 0x02 : not used \n");
dprintf (" \n");
dprintf (" 0x04 [N] : Dump N traces from fault injection trace log. \n");
dprintf (" \n");
dprintf (" 0x08 [N] : Dump N traces from track IRQL trace log\n");
dprintf (" \n");
dprintf ("To display everything use: \n");
dprintf (" \n");
dprintf (" !verifier 0xf \n");
dprintf (" \n");
return S_OK;
}
//
// Read the Flags parameter.
//
Flags = 0;
Flags = (ULONG) GetExpression (args);
//
// Display fault injection stacks.
//
if ((Flags == 0x04)) {
DumpFaultInjectionTraceLog (args);
return S_OK;
}
//
// Display track irql stacks.
//
if ((Flags == 0x08)) {
DumpTrackIrqlLog (args);
return S_OK;
}
//
// Continue with normal processing: !verifier [FLAGS [NAME]]
//
Flags = 0;
RtlZeroMemory(Buf, 256);
if (GetExpressionEx(args, &tmp, &args)) {
Flags = (ULONG) tmp;
while (args && (*args == ' ')) {
++args;
}
strcpy(Buf, args);
}
if (Buf[0] != '\0') {
ImageFileName = Buf;
RtlInitAnsiString(&AnsiString, ImageFileName);
st = RtlAnsiStringToUnicodeString(&InputDriverName, &AnsiString, TRUE);
if (!NT_SUCCESS(st)) {
dprintf("%08lx: Unable to initialize unicode string\n", st);
return E_INVALIDARG;
}
} else {
ImageFileName = NULL;
}
VerifierDataPointer = GetExpression ("nt!MmVerifierData");
if (GetFieldValue(VerifierDataPointer,
"nt!_MM_DRIVER_VERIFIER_DATA",
"Level",
Level)) {
dprintf("%08p: Unable to get verifier list.\n",VerifierDataPointer);
return E_INVALIDARG;
}
dprintf("\nVerify Level %x ... enabled options are:", Level);
if (Level & DRIVER_VERIFIER_SPECIAL_POOLING) {
dprintf("\n\tspecial pool");
}
if (Level & DRIVER_VERIFIER_FORCE_IRQL_CHECKING) {
dprintf("\n\tspecial irql");
}
if (Level & DRIVER_VERIFIER_INJECT_ALLOCATION_FAILURES) {
dprintf("\n\tinject random low-resource API failures");
}
if (Level & DRIVER_VERIFIER_TRACK_POOL_ALLOCATIONS) {
dprintf("\n\tall pool allocations checked on unload");
}
if (Level & DRIVER_VERIFIER_IO_CHECKING) {
dprintf("\n\tIo subsystem checking enabled");
}
if (Level & DRIVER_VERIFIER_DEADLOCK_DETECTION) {
dprintf("\n\tDeadlock detection enabled");
}
if (Level & DRIVER_VERIFIER_ENHANCED_IO_CHECKING) {
dprintf("\n\tEnhanced Io checking enabled");
}
if (Level & DRIVER_VERIFIER_DMA_VERIFIER) {
dprintf("\n\tDMA checking enabled");
}
if (InitTypeRead(VerifierDataPointer, nt!MM_DRIVER_VERIFIER_DATA)) {
dprintf("Unable to read type nt!MM_DRIVER_VERIFIER_DATA @ %p\n", VerifierDataPointer);
}
dprintf("\n\nSummary of All Verifier Statistics\n\n");
dprintf("RaiseIrqls 0x%x\n", (ULONG) ReadField(RaiseIrqls));
dprintf("AcquireSpinLocks 0x%x\n", (ULONG) ReadField(AcquireSpinLocks));
dprintf("Synch Executions 0x%x\n", (ULONG) ReadField(SynchronizeExecutions));
dprintf("Trims 0x%x\n", (ULONG) ReadField(Trims));
dprintf("\n");
dprintf("Pool Allocations Attempted 0x%x\n", (ULONG) ReadField(AllocationsAttempted));
dprintf("Pool Allocations Succeeded 0x%x\n", (ULONG) ReadField(AllocationsSucceeded));
dprintf("Pool Allocations Succeeded SpecialPool 0x%x\n", (ULONG) ReadField(AllocationsSucceededSpecialPool));
dprintf("Pool Allocations With NO TAG 0x%x\n", (ULONG) ReadField(AllocationsWithNoTag));
dprintf("Pool Allocations Failed 0x%x\n", (ULONG) ReadField(AllocationsFailed));
dprintf("Resource Allocations Failed Deliberately 0x%x\n", (ULONG) ReadField(AllocationsFailedDeliberately) + (ULONG) ReadField(BurstAllocationsFailedDeliberately));
dprintf("\n");
dprintf("Current paged pool allocations 0x%x for %08P bytes\n",
(ULONG) ReadField(CurrentPagedPoolAllocations),
ReadField(PagedBytes));
dprintf("Peak paged pool allocations 0x%x for %08P bytes\n",
(ULONG)ReadField(PeakPagedPoolAllocations),
ReadField(PeakPagedBytes));
dprintf("Current nonpaged pool allocations 0x%x for %08P bytes\n",
(ULONG) ReadField(CurrentNonPagedPoolAllocations),
ReadField(NonPagedBytes));
dprintf("Peak nonpaged pool allocations 0x%x for %08P bytes\n",
(ULONG)ReadField(PeakNonPagedPoolAllocations),
ReadField(PeakNonPagedBytes));
dprintf("\n");
SpecialPoolStart = GetPointerValue("nt!MmSpecialPoolStart");
SpecialPoolEnd = GetPointerValue("nt!MmSpecialPoolEnd");
if (Flags & 0x1) {
ULONG Off;
SuspectPointer = GetExpression ("nt!MiSuspectDriverList");
GetFieldOffset("nt!_MI_VERIFIER_DRIVER_ENTRY", "Links", &Off);
if (!ReadPointer(SuspectPointer,&NextEntry)) {
dprintf("%08p: Unable to get verifier list %p\n",SuspectPointer);
return E_INVALIDARG;
}
dprintf("Driver Verification List\n\n");
dprintf("Entry State NonPagedPool PagedPool Module\n\n");
while (NextEntry != SuspectPointer) {
VerifierDriverEntry = NextEntry - Off;
if (GetFieldValue( VerifierDriverEntry,
"nt!_MI_VERIFIER_DRIVER_ENTRY",
"Flags",
VerifierFlags)) {
dprintf("%08p: Unable to get verifier data\n", VerifierDriverEntry);
return E_INVALIDARG;
}
InitTypeRead(VerifierDriverEntry, nt!_MI_VERIFIER_DRIVER_ENTRY);
if ((VerifierFlags & VI_VERIFYING_DIRECTLY) == 0) {
NextEntry = ReadField(Links.Flink);
continue;
}
unicodeString.Length = (USHORT) ReadField(BaseName.Length);
tempbuffer = LocalAlloc(LPTR, unicodeString.Length);
unicodeString.Buffer = (PWSTR)tempbuffer;
unicodeString.MaximumLength = unicodeString.Length;
if (!ReadMemory (ReadField(BaseName.Buffer),
tempbuffer,
unicodeString.Length,
&result)) {
dprintf("%08p: Unable to get verifier driver name\n", ReadField(BaseName.Buffer));
}
if (ImageFileName != NULL) {
if (RtlEqualUnicodeString(&InputDriverName, &unicodeString, TRUE) == 0) {
NextEntry = ReadField(Links.Flink);
continue;
}
}
if (ReadField(Loads) == 0 && ReadField(Unloads) == 0) {
state = "Hasn't loaded";
}
else if (ReadField(Loads) != ReadField(Unloads)) {
if (ReadField(Unloads) != 0) {
state = "Loaded&Unloaded";
}
else {
state = "Loaded";
}
}
else {
state = "Unloaded";
}
dprintf("%p %-16s %08p %08p %wZ\n",
VerifierDriverEntry,
state,
ReadField(NonPagedBytes),
ReadField(PagedBytes),
&unicodeString);
Interrupted = FALSE;
NextEntry = ReadField(Links.Flink);
if ((Flags & 0x2) &&
(Level & DRIVER_VERIFIER_TRACK_POOL_ALLOCATIONS)) {
Interrupted = VerifierDumpPool (VerifierDriverEntry);
}
LocalFree(tempbuffer);
if ((Interrupted == TRUE) ||
(ImageFileName != NULL) ||
(CheckControlC())) {
break;
}
}
}
if ((Flags & 0x04)) {
dprintf ("----------------------------------------------- \n");
dprintf ("Fault injection trace log \n");
dprintf ("----------------------------------------------- \n");
DumpFaultInjectionTraceLog (NULL);
}
if ((Flags & 0x08)) {
dprintf ("----------------------------------------------- \n");
dprintf ("Track irql trace log \n");
dprintf ("----------------------------------------------- \n");
DumpTrackIrqlLog (NULL);
}
return S_OK;
}
DECLARE_API( fpsearch )
/*++
Routine Description:
Free pool searcher.
Arguments:
arg - Supplies virtual address to match.
Return Value:
None.
--*/
{
ULONG i;
ULONG BufferSize;
ULONG RawCount;
PULONG RawPointer;
ULONG Flags;
ULONG ActualRead;
ULONG64 PageFrameNumber;
ULONG64 PAddress;
ULONG64 Address;
ULONG result;
ULONG64 PfnDb;
ULONG64 Pfn;
ULONG64 PfnStart;
ULONG PfnSize;
ULONG64 ChainedBp;
ULONG64 ValidBp;
ULONG64 LastBp;
ULONG64 ReturnAddress;
PCHAR Buffer;
ULONG64 MmFreePageListHeadAddress;
CHAR SymbolBuffer[80];
ULONG64 displacement;
ULONG64 Total;
ULONG StkOffset;
ULONG PtrSize;
ULONG PoolTag;
ULONG StackBytes;
ULONG64 StackPointer;
ULONG64 ChainedBpVal;
ULONG64 LastBpVal;
ULONG64 Blink;
PtrSize = IsPtr64() ? 8 : 4;
PfnSize = GetTypeSize("nt!_MMPFN");
BufferSize = GetTypeSize("nt!_MI_FREED_SPECIAL_POOL");
if (BufferSize == 0) {
dprintf("Type MI_FREED_SPECIAL_POOL not found.\n");
return E_INVALIDARG;
}
PfnDb = GetNtDebuggerData(MmPfnDatabase );
if (!PfnDb) {
dprintf("unable to get PFN0 database address\n");
return E_INVALIDARG;
}
result = !ReadPointer(PfnDb,&PfnStart);
if (result != 0) {
dprintf("unable to get PFN database address %p %x\n", PfnDb, result);
return E_INVALIDARG;
}
Address = 0;
Flags = 0;
if (!sscanf(args,"%I64lx %lx",&Address, &Flags)) {
Address = 0;
}
// Do not use GetExpression here - the actual address to be searched is phy address
// and it can be >32bit for 32bit targets
// Address = GetExpression (args);
if (Address == 0) {
dprintf("Usage: fpsearch address\n");
return E_INVALIDARG;
}
MmFreePageListHeadAddress = GetExpression ("nt!MmFreePageListHead");
if (GetFieldValue(MmFreePageListHeadAddress,
"nt!_MMPFNLIST",
"Total",
Total)) {
dprintf("%08p: Unable to get MmFreePageLocationList\n",MmFreePageListHeadAddress);
return E_INVALIDARG;
}
if (Total == 0) {
dprintf("No pages on free list to search\n");
return E_INVALIDARG;
}
if (Address != (ULONG64)-1) {
dprintf("Searching the free page list (%I64x entries) for VA %p\n\n",
Total, Address);
Address &= ~(ULONG64)(PageSize - 1);
}
else {
dprintf("Searching the free page list (%x entries) for all freed special pool\n\n",
Total);
}
GetFieldValue (MmFreePageListHeadAddress,
"nt!_MMPFNLIST",
"Blink",
PageFrameNumber);
GetFieldOffset("_MI_FREED_SPECIAL_POOL", "StackData", &StkOffset);
Buffer = LocalAlloc(LPTR, BufferSize);
if (Buffer == NULL) {
dprintf("Could not allocate a buffer for the search\n");
return E_INVALIDARG;
}
while (PageFrameNumber != (ULONG64)-1) {
PAddress = (ULONG64)PageFrameNumber * PageSize;
ReadPhysical (PAddress, Buffer, BufferSize, &ActualRead);
if (ActualRead != BufferSize) {
dprintf("Physical memory read %I64X %x %x failed\n", PAddress, ActualRead, BufferSize);
// break;
}
if (Flags & 0x1) {
//
// Print a preview of the raw buffer.
//
#define PP(x) isprint(((x)&0xff))?((x)&0xff):('.')
RawPointer = (PULONG)Buffer;
RawCount = BufferSize / sizeof (ULONG);
if (RawCount > 32) {
RawCount = 32;
}
RawCount &= ~0x3;
for (i = 0; i < RawCount; i += 4) {
dprintf ("%I64X %08x %08x %08x %08x %c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c\n",
PageFrameNumber * PageSize,
*RawPointer,
*(RawPointer + 1),
*(RawPointer + 2),
*(RawPointer + 3),
PP(*RawPointer),
PP(*RawPointer >> 8),
PP(*RawPointer >> 16),
PP(*RawPointer >> 24),
PP(*(RawPointer + 1)),
PP(*(RawPointer + 1) >> 8),
PP(*(RawPointer + 1) >> 16),
PP(*(RawPointer + 1) >> 24),
PP(*(RawPointer + 2)),
PP(*(RawPointer + 2) >> 8),
PP(*(RawPointer + 2) >> 16),
PP(*(RawPointer + 2) >> 24),
PP(*(RawPointer + 3)),
PP(*(RawPointer + 3) >> 8),
PP(*(RawPointer + 3) >> 16),
PP(*(RawPointer + 3) >> 24));
RawPointer += 4;
}
dprintf ("\n");
}
Pfn = (PfnStart + PageFrameNumber * PfnSize);
if (GetFieldValue(Pfn,"nt!_MMPFN","u2.Blink", Blink)) {
dprintf("%08p: unable to get PFN element %x\n", Pfn, PfnSize);
break;
}
if ((ULONG)Blink == (ULONG)-1) {
Blink = (ULONG64)-1;
}
#define MI_FREED_SPECIAL_POOL_SIGNATURE 0x98764321
InitTypeReadPhysical (PAddress, nt!MI_FREED_SPECIAL_POOL);
if ((ULONG) ReadField(Signature) == MI_FREED_SPECIAL_POOL_SIGNATURE) {
if ((Address == (ULONG64)-1) ||
(((ULONG)(ReadField(VirtualAddress)) & ~(ULONG)(PageSize - 1)) == (ULONG)Address)) {
PoolTag = (ULONG) ReadField(OverlaidPoolHeader.PoolTag);
dprintf("VA PFN Tag Size Pagable Thread Tick\n");
dprintf("%p %6p %c%c%c%c %6x %s %08p %x\n",
ReadField(VirtualAddress),
PageFrameNumber,
#define PP(x) isprint(((x)&0xff))?((x)&0xff):('.')
PP(PoolTag),
PP(PoolTag >> 8),
PP(PoolTag >> 16),
PP(PoolTag >> 24),
#undef PP
(ULONG) ReadField(NumberOfBytesRequested),
ReadField(Pagable) ? "Yes" : "No ",
ReadField(Thread),
ReadField(TickCount));
dprintf("\tCALL STACK AT TIME OF DEALLOCATION\n");
//
// Calculate the relative stack and print it here symbolically.
//
StackBytes = (ULONG) ReadField(StackBytes);
StackPointer = ReadField(StackPointer);
ValidBp = (StackPointer & ~(ULONG64)(PageSize - 1));
ChainedBp = (PAddress + StkOffset);
LastBp = (ChainedBp + (ULONG) ReadField(StackBytes));
while (ChainedBp < LastBp) {
//
// Read directly from physical memory.
//
InitTypeReadPhysical(ChainedBp, nt!_LIST_ENTRY);
ChainedBpVal = ReadField(Flink);
InitTypeReadPhysical(LastBp, nt!_LIST_ENTRY);
LastBpVal = ReadField(Flink);
//
// Find a valid frame register chain.
//
if ((((ChainedBpVal) & ~(ULONG64)(PageSize - 1)) == ValidBp) &&
(ChainedBpVal > StackPointer) &&
((ChainedBpVal - (StackPointer)) <= StackBytes)) {
ULONG64 ReturnAddressVal;
//
// Increment to the stacked return address.
//
ReturnAddress = ChainedBp + PtrSize;
InitTypeReadPhysical(ReturnAddress, nt!_LIST_ENTRY);
ReturnAddressVal = ReadField(Flink);
SymbolBuffer[0] = '!';
GetSymbol((ReturnAddressVal), (PUCHAR)SymbolBuffer, &displacement);
dprintf ("\t%s", SymbolBuffer);
if (displacement) {
dprintf( "+0x%x", displacement );
}
dprintf( "\n" );
#ifdef SLOW_BUT_THOROUGH
ChainedBp += PtrSize;
#else
if ((ReturnAddressVal & ~MAXLONG64_PTR) == 0) {
break;
}
//
// Subtract the stackpointer & add stackdata offset.
//
ChainedBp = (ChainedBpVal - StackPointer + StkOffset);
//
// Adjust for relative.
//
ChainedBp = (PAddress + ChainedBp);
#endif
}
else {
ChainedBp += PtrSize;
}
}
dprintf("\n");
if (Address != (ULONG64)-1) {
break;
}
}
}
if (CheckControlC()) {
break;
}
PageFrameNumber = Blink;
}
LocalFree(Buffer);
return S_OK;
}
USHORT
GetPfnRefCount(
IN ULONG64 PageFrameNumber
)
{
ULONG64 PfnDb;
ULONG64 Pfn;
ULONG64 PfnStart;
ULONG PfnSize;
ULONG ReferenceCount;
PfnSize = GetTypeSize("nt!_MMPFN");
PfnDb = GetNtDebuggerData(MmPfnDatabase );
if (!PfnDb) {
dprintf("unable to get PFN0 database address\n");
return 0;
}
if (!ReadPointer(PfnDb,&PfnStart)) {
dprintf("unable to get PFN database address %p\n", PfnDb);
return 0;
}
Pfn = (PfnStart + PageFrameNumber * PfnSize);
if (GetFieldValue(Pfn,"nt!_MMPFN","u3.e2.ReferenceCount", ReferenceCount)) {
dprintf("%08p: unable to get PFN element %x\n", Pfn, PfnSize);
return 0;
}
return (USHORT) ReferenceCount;
}
/////////////////////////////////////////////////////////////////////
////////////////////////////////////// Dump irql tracking log
/////////////////////////////////////////////////////////////////////
VOID
DumpTrackIrqlLog (
PCSTR args
)
{
ULONG64 TrackIrqlQueueAddress;
ULONG64 TrackIrqlIndexAddress;
ULONG64 TrackIrqlQueueLengthAddress;
ULONG64 TrackIrqlQueue;
ULONG TrackIrqlIndex;
ULONG TrackIrqlQueueLength;
ULONG I, Index;
ULONG64 Address;
ULONG TrackIrqlTypeSize;
UCHAR SymbolName[256];
ULONG64 SymbolAddress;
ULONG64 SymbolOffset;
ULONG Result;
ULONG ShowCount;
ULONG Flags;
//
// Read how many traces we want to see.
//
ShowCount = 0;
if (args) {
ULONG64 tmp;
if (GetExpressionEx(args, &tmp, &args)) {
Flags = (ULONG) tmp;
if (!sscanf (args, "%u", &ShowCount)) {
ShowCount = 0;
}
}
if (ShowCount == 0) {
ShowCount = 4;
}
}
else {
ShowCount = 4;
}
//
// Read track irql package data
//
TrackIrqlQueueAddress = GetExpression ("nt!ViTrackIrqlQueue");
TrackIrqlIndexAddress = GetExpression ("nt!ViTrackIrqlIndex");
TrackIrqlQueueLengthAddress = GetExpression ("nt!ViTrackIrqlQueueLength");
if (TrackIrqlQueueAddress == 0
|| TrackIrqlIndexAddress == 0
|| TrackIrqlIndexAddress == 0) {
dprintf ("Incorrect symbols. \n");
return;
}
ReadPointer (TrackIrqlQueueAddress, &TrackIrqlQueue);
if (TrackIrqlQueue == 0) {
dprintf ("Irql tracking is not enabled. You need to enable driver verifier \n");
dprintf ("for at least one driver to activate irql tracking. \n");
return;
}
ReadMemory (TrackIrqlIndexAddress, &TrackIrqlIndex, sizeof(ULONG), &Result);
if (Result != sizeof(ULONG)) {
dprintf ("Trackirql: read error \n");
return;
}
ReadMemory (TrackIrqlQueueLengthAddress, &TrackIrqlQueueLength, sizeof(ULONG), &Result);
if (Result != sizeof(ULONG)) {
dprintf ("Trackirql: read error \n");
return;
}
TrackIrqlTypeSize = GetTypeSize("nt!_VI_TRACK_IRQL");
//
// Dump information
//
dprintf ("\nSize of track irql queue is 0x%X \n", TrackIrqlQueueLength);
for (I = 0, Index = TrackIrqlIndex; I < TrackIrqlQueueLength; I += 1) {
if (I >= ShowCount) {
break;
}
Index -= 1;
Index &= (TrackIrqlQueueLength - 1);
Address = TrackIrqlQueue + Index * TrackIrqlTypeSize;
InitTypeRead (Address, nt!_VI_TRACK_IRQL);
dprintf ("\n");
dprintf ("Thread: %I64X\n", ReadField (Thread));
dprintf ("Old irql: %I64X\n", ReadField (OldIrql));
dprintf ("New irql: %I64X\n", ReadField (NewIrql));
dprintf ("Processor: %I64X\n", ReadField (Processor));
dprintf ("Time stamp: %I64X\n", ReadField (TickCount));
dprintf ("\n");
SymbolAddress = ReadField(StackTrace[0]);
if (SymbolAddress == 0) { continue; }
GetSymbol(SymbolAddress, SymbolName, &SymbolOffset);
dprintf (" %I64X %s+0x%I64x\n", SymbolAddress, SymbolName, SymbolOffset);
SymbolAddress = ReadField(StackTrace[1]);
if (SymbolAddress == 0) { continue; }
GetSymbol(SymbolAddress, SymbolName, &SymbolOffset);
dprintf (" %I64X %s+0x%I64x\n", SymbolAddress, SymbolName, SymbolOffset);
SymbolAddress = ReadField(StackTrace[2]);
if (SymbolAddress == 0) { continue; }
GetSymbol(SymbolAddress, SymbolName, &SymbolOffset);
dprintf (" %I64X %s+0x%I64x\n", SymbolAddress, SymbolName, SymbolOffset);
SymbolAddress = ReadField(StackTrace[3]);
if (SymbolAddress == 0) { continue; }
GetSymbol(SymbolAddress, SymbolName, &SymbolOffset);
dprintf (" %I64X %s+0x%I64x\n", SymbolAddress, SymbolName, SymbolOffset);
SymbolAddress = ReadField(StackTrace[4]);
if (SymbolAddress == 0) { continue; }
GetSymbol(SymbolAddress, SymbolName, &SymbolOffset);
dprintf (" %I64X %s+0x%I64x\n", SymbolAddress, SymbolName, SymbolOffset);
if (CheckControlC()) {
dprintf ("Interrupted \n");
break;
}
}
}
/////////////////////////////////////////////////////////////////////
////////////////////////////////////// Dump fault injection trace log
/////////////////////////////////////////////////////////////////////
ULONG64
ReadPvoid (
ULONG64 Address
)
{
ULONG64 RemoteValue = 0;
ReadPointer( Address, &RemoteValue);
return RemoteValue;
}
ULONG
ReadUlong(
ULONG64 Address
)
{
ULONG RemoteValue = 0;
ReadMemory( Address, &RemoteValue, sizeof( ULONG ), NULL );
return RemoteValue;
}
VOID
DumpFaultInjectionTrace (
ULONG64 Address
)
{
ULONG64 ReturnAddress;
CHAR SymbolName[ 1024 ];
ULONG64 Displacement;
ULONG I;
ULONG PvoidSize;
PvoidSize = IsPtr64() ? 8 : 4;
for (I = 0; I < 8; I += 1) {
ReturnAddress = ReadPvoid (Address + I * PvoidSize);
if (ReturnAddress == 0) {
break;
}
GetSymbol (ReturnAddress, SymbolName, &Displacement);
dprintf (" %p %s+0x%p\n",
ReturnAddress,
SymbolName,
Displacement);
}
}
VOID
DumpFaultInjectionTraceLog (
PCSTR Args
)
{
ULONG TracesToDisplay = 0;
ULONG64 TraceAddress;
ULONG64 Trace;
ULONG64 IndexAddress;
ULONG Index;
ULONG64 LengthAddress;
ULONG Length;
ULONG I;
ULONG PvoidSize;
ULONG64 TraceBlockAddress;
ULONG64 FirstReturnAddress;
ULONG TracesFound = 0;
BOOLEAN Interrupted = FALSE;
ULONG Flags;
if (Args) {
ULONG64 tmp;
if (GetExpressionEx(Args, &tmp, &Args)) {
Flags = (ULONG) tmp;
if (!sscanf (Args, "%u", &TracesToDisplay)) {
TracesToDisplay = 0;
}
}
if (TracesToDisplay == 0) {
TracesToDisplay = 4;
}
}
else {
TracesToDisplay = 4;
}
PvoidSize = IsPtr64() ? 8 : 4;
TraceAddress = (ULONG64) GetExpression ("nt!ViFaultTraces");
IndexAddress = (ULONG64) GetExpression ("nt!ViFaultTracesIndex");
LengthAddress = (ULONG64) GetExpression ("nt!ViFaultTracesLength");
Trace = ReadPvoid (TraceAddress);
if (Trace == 0) {
dprintf ("Driver fault injection is not enabled for this system. \n");
return;
}
Index = ReadUlong (IndexAddress);
Length = ReadUlong (LengthAddress);
for (I = 0; I < Length; I += 1) {
Index -= 1;
Index &= (Length - 1);
TraceBlockAddress = Trace + Index * PvoidSize * 8;
FirstReturnAddress = ReadPvoid (TraceBlockAddress);
if (FirstReturnAddress != 0) {
TracesFound += 1;
dprintf ("\n");
DumpFaultInjectionTrace (TraceBlockAddress);
if (TracesFound >= TracesToDisplay) {
break;
}
}
if (CheckControlC()) {
Interrupted = TRUE;
dprintf ("Interrupted \n");
break;
}
}
if (Interrupted == FALSE && TracesFound == 0) {
dprintf ("No fault injection traces found. \n");
}
}
PUCHAR MemoryDescriptorType[] = {
"ExceptionBlock",
"SystemBlock",
"Free",
"Bad",
"LoadedProgram",
"FirmwareTemporary",
"FirmwarePermanent",
"OsloaderHeap",
"OsloaderStack",
"SystemCode",
"HalCode",
"BootDriver",
"ConsoleInDriver",
"ConsoleOutDriver",
"StartupDpcStack",
"StartupKernelStack",
"StartupPanicStack",
"StartupPcrPage",
"StartupPdrPage",
"RegistryData",
"MemoryData",
"NlsData",
"SpecialMemory",
"BBTMemory",
"LoaderReserve",
"XIPRom",
"HALCachedMemory"
};
#define MAXIMUM_MEMORY_TYPE (sizeof(MemoryDescriptorType)/sizeof(UCHAR))
DECLARE_API( loadermemorylist )
/*++
Routine Description:
Displays the memory allocation list. This is the list
handed to the OS by the OSLOADER that describes physical
memory.
Displays the corresponding PDE and PTE.
Arguments:
list - points to the listheader
Return Value:
None.
--*/
{
ULONG64 ListHeaderAddress;
ULONG64 EntryAddress;
ULONG64 LengthInPages;
ULONG64 TypeOfMemory;
ULONG Count[MAXIMUM_MEMORY_TYPE];
ULONG i;
UNREFERENCED_PARAMETER (Client);
ListHeaderAddress = 0;
ListHeaderAddress = GetExpression(args);
if (ListHeaderAddress == 0) {
dprintf("Usage: !loadermemorylist <address_of_listhead>\n");
return E_INVALIDARG;
}
if (!ReadPointer(ListHeaderAddress, &EntryAddress)) {
dprintf("Unable to read list header at %p\n", ListHeaderAddress);
return E_INVALIDARG;
}
if (EntryAddress == ListHeaderAddress) {
dprintf("List at %p is empty\n", ListHeaderAddress);
return S_OK;
}
dprintf("Base Length Type\n");
RtlZeroMemory(Count, sizeof(Count));
do {
InitTypeRead(EntryAddress, nt!MEMORY_ALLOCATION_DESCRIPTOR);
TypeOfMemory = ReadField(MemoryType);
if (TypeOfMemory < MAXIMUM_MEMORY_TYPE) {
LengthInPages = ReadField(PageCount);
dprintf("%08x %08x %s\n",
(ULONG)ReadField(BasePage),
(ULONG)LengthInPages,
MemoryDescriptorType[TypeOfMemory]);
Count[TypeOfMemory] += (ULONG)LengthInPages;
} else {
dprintf("Unrecognized Descriptor at %p\n", EntryAddress);
}
EntryAddress = ReadField(ListEntry.Flink);
} while (EntryAddress != ListHeaderAddress);
dprintf("\nSummary\nMemory Type Pages\n");
LengthInPages = 0;
for (i = 0; i < MAXIMUM_MEMORY_TYPE; i++) {
if (Count[i]) {
dprintf("%-20s%08x (%8d)\n",
MemoryDescriptorType[i],
Count[i],
Count[i]);
LengthInPages += Count[i];
}
}
dprintf(" ======== ========\n");
dprintf("Total %08x (%8d) = ~%dMB\n",
(ULONG)LengthInPages,
(ULONG)LengthInPages,
(ULONG)LengthInPages / (1024 * 1024 / 4096));
return S_OK;
}