mirror of https://github.com/tongzx/nt5src
You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
3873 lines
115 KiB
3873 lines
115 KiB
/*++
|
|
|
|
Copyright (c) 1992 Microsoft Corporation
|
|
|
|
Module Name:
|
|
|
|
memory.c
|
|
|
|
Abstract:
|
|
|
|
WinDbg Extension Api
|
|
|
|
Author:
|
|
|
|
Lou Perazzoli (loup)
|
|
|
|
Environment:
|
|
|
|
User Mode.
|
|
|
|
Revision History:
|
|
|
|
--*/
|
|
|
|
#include "precomp.h"
|
|
#pragma hdrstop
|
|
|
|
#define PACKET_MAX_SIZE 4000
|
|
|
|
#define USAGE_ALLOC_SIZE 256*1024
|
|
|
|
#ifdef _KB
|
|
#undef _KB
|
|
#endif
|
|
#define _KB (PageSize/1024)
|
|
|
|
|
|
typedef struct _PFN_INFO {
|
|
ULONG64 Master;
|
|
ULONG64 OriginalPte;
|
|
ULONG ValidCount;
|
|
ULONG StandbyCount;
|
|
ULONG ModifiedCount;
|
|
ULONG SharedCount;
|
|
ULONG LockedCount;
|
|
ULONG PageTableCount;
|
|
struct _PFN_INFO *Next;
|
|
} PFN_INFO, *PPFN_INFO;
|
|
|
|
typedef struct _KERN_MAP1 {
|
|
ULONG64 StartVa;
|
|
ULONG64 EndVa;
|
|
ULONG ValidCount;
|
|
ULONG StandbyCount;
|
|
ULONG ModifiedCount;
|
|
ULONG SharedCount;
|
|
ULONG LockedCount;
|
|
ULONG PageTableCount;
|
|
WCHAR Name[256];
|
|
} KERN_MAP1, *PKERN_MAP1;
|
|
|
|
typedef struct _KERN_MAP {
|
|
ULONG Count;
|
|
KERN_MAP1 Item[500];
|
|
} KERN_MAP, *PKERN_MAP;
|
|
|
|
typedef struct _MMPFNENTRY {
|
|
ULONG Modified : 1;
|
|
ULONG ReadInProgress : 1;
|
|
ULONG WriteInProgress : 1;
|
|
ULONG PrototypePte: 1;
|
|
ULONG PageColor : 3;
|
|
ULONG ParityError : 1;
|
|
ULONG PageLocation : 3;
|
|
ULONG RemovalRequested : 1;
|
|
ULONG CacheAttribute : 2;
|
|
ULONG Rom : 1;
|
|
ULONG LockCharged : 1;
|
|
ULONG DontUse : 16; //overlays USHORT for reference count field.
|
|
} MMPFNENTRY;
|
|
|
|
typedef struct _MMPFN_READ {
|
|
MMPFNENTRY u3_e1;
|
|
ULONG u3_e2_ReferenceCount;
|
|
ULONG64 u1_Flink, u2_Blink, PteAddress, OriginalPte, PteFrame;
|
|
} MMPFN_READ, *PMMPFN_READ;
|
|
|
|
typedef struct _PFN_DUMP_CTXT {
|
|
BOOL PrintIndex;
|
|
ULONG64 index;
|
|
BOOL ZeroAfterPrint;
|
|
PMMPFN_READ pReadPfn;
|
|
} PFN_DUMP_CTXT, *PPFN_DUMP_CTXT;
|
|
|
|
UCHAR *PageLocationList[] = {
|
|
(PUCHAR)"Zeroed ",
|
|
(PUCHAR)"Free ",
|
|
(PUCHAR)"Standby ",
|
|
(PUCHAR)"Modified",
|
|
(PUCHAR)"ModNoWrt",
|
|
(PUCHAR)"Bad ",
|
|
(PUCHAR)"Active ",
|
|
(PUCHAR)"Trans "
|
|
};
|
|
|
|
UCHAR *PageAttribute[] = {
|
|
(PUCHAR)"NonCached",
|
|
(PUCHAR)"Cached ",
|
|
(PUCHAR)"WriteComb",
|
|
(PUCHAR)"NotMapped"
|
|
};
|
|
|
|
|
|
ULONG64 MmSubsectionBase;
|
|
ULONG64 MaxDirbase;
|
|
#define MAX_DIRBASEVECTOR 256
|
|
ULONG64 DirBases[MAX_DIRBASEVECTOR];
|
|
UCHAR Names[MAX_DIRBASEVECTOR][64];
|
|
|
|
VOID
|
|
PrintPfn64 (
|
|
IN ULONG64 PfnAddress
|
|
);
|
|
|
|
VOID
|
|
DumpMmThreads (
|
|
VOID
|
|
);
|
|
|
|
VOID DumpWholePfn(
|
|
IN ULONG64 Address,
|
|
IN ULONG Flags
|
|
);
|
|
|
|
PUCHAR
|
|
DirbaseToImage(
|
|
IN ULONG64 DirBase
|
|
);
|
|
|
|
NTSTATUS
|
|
BuildDirbaseList( VOID );
|
|
|
|
LOGICAL
|
|
BuildKernelMap (
|
|
OUT PKERN_MAP KernelMap
|
|
);
|
|
|
|
ULONG
|
|
DbgGetPfnSize(
|
|
VOID
|
|
)
|
|
{
|
|
return GetTypeSize("nt!_MMPFN");
|
|
}
|
|
|
|
LOGICAL
|
|
PoolGetTag (
|
|
IN PVOID PoolAddress,
|
|
IN PULONG PoolTag
|
|
);
|
|
|
|
ULONG64 SystemRangeStart;
|
|
|
|
DECLARE_API( memusage )
|
|
|
|
/*++
|
|
|
|
Routine Description:
|
|
|
|
Dumps the page frame database table
|
|
|
|
Arguments:
|
|
|
|
arg -
|
|
|
|
Return Value:
|
|
|
|
None.
|
|
|
|
--*/
|
|
|
|
{
|
|
ULONG result;
|
|
ULONG64 PfnDb;
|
|
ULONG64 HighPageAddr;
|
|
ULONG64 LowPageAddr;
|
|
ULONG64 HighPage=0;
|
|
ULONG64 LowPage=0;
|
|
ULONG64 PageCount;
|
|
ULONG64 ReadCount;
|
|
ULONG WasZeroedPage;
|
|
ULONG WasFreePage;
|
|
ULONG Total;
|
|
ULONG WasStandbyPage;
|
|
ULONG WasModifiedPage;
|
|
ULONG WasModifiedNoWritePage;
|
|
ULONG WasBadPage;
|
|
ULONG WasActiveAndValidPage;
|
|
ULONG WasTransitionPage;
|
|
ULONG WasUnknownPage;
|
|
ULONG64 NPPoolStart;
|
|
ULONG64 NPSystemStart;
|
|
ULONG64 Pfn;
|
|
ULONG64 PfnStart;
|
|
PCHAR PfnArray;
|
|
ULONG PfnSize;
|
|
ULONG NumberOfPfnToRead;
|
|
ULONG CompleteSoFar = (ULONG) ~0;
|
|
ULONG64 CacheSize;
|
|
UNREFERENCED_PARAMETER (args);
|
|
UNREFERENCED_PARAMETER (Client);
|
|
|
|
LowPageAddr = GetNtDebuggerData(MmLowestPhysicalPage);
|
|
HighPageAddr = GetNtDebuggerData(MmHighestPhysicalPage);
|
|
PfnDb = GetNtDebuggerData(MmPfnDatabase);
|
|
NPPoolStart = GetNtDebuggerData(MmNonPagedPoolStart);
|
|
NPSystemStart = GetNtDebuggerData(MmNonPagedSystemStart);
|
|
SystemRangeStart = GetNtDebuggerDataValue(MmSystemRangeStart);
|
|
|
|
PfnSize = GetTypeSize("nt!_MMPFN");
|
|
|
|
NumberOfPfnToRead = 300;
|
|
|
|
if ( LowPageAddr &&
|
|
HighPageAddr &&
|
|
PfnDb &&
|
|
NPPoolStart &&
|
|
NPSystemStart ) {
|
|
|
|
if ( !ReadPointer( LowPageAddr, &LowPage) ) {
|
|
dprintf("%08p: Unable to get low physical page\n",LowPageAddr);
|
|
return E_INVALIDARG;
|
|
}
|
|
|
|
if ( !ReadPointer( HighPageAddr,&HighPage) ) {
|
|
dprintf("%08p: Unable to get high physical page\n",HighPageAddr);
|
|
return E_INVALIDARG;
|
|
}
|
|
|
|
if ( !ReadPointer( PfnDb,&PfnStart) ) {
|
|
dprintf("%08p: Unable to get PFN database address\n",PfnDb);
|
|
return E_INVALIDARG;
|
|
}
|
|
|
|
#ifdef IG_GET_CACHE_SIZE
|
|
if (GetDebuggerCacheSize(&CacheSize)) {
|
|
if (CacheSize < (HighPage - LowPage)*PfnSize) {
|
|
dprintf("*** WARNING Cache size too low, !memusage might take long time to run\n"
|
|
" Increase Cache to %#lx kb for better performance.\n",
|
|
(HighPage - LowPage)*PfnSize / 1024);
|
|
}
|
|
}
|
|
#endif
|
|
dprintf(" loading PFN database\n");
|
|
|
|
PfnArray = VirtualAlloc ( NULL,
|
|
(ULONG) ((HighPage-LowPage+1) * PfnSize),
|
|
MEM_RESERVE | MEM_COMMIT,
|
|
PAGE_READWRITE);
|
|
|
|
if (!PfnArray) {
|
|
dprintf("Unable to get allocate memory of %I64ld bytes\n",
|
|
(HighPage+1) * PfnSize);
|
|
} else {
|
|
|
|
for (PageCount = LowPage;
|
|
PageCount <= HighPage;
|
|
PageCount += NumberOfPfnToRead) {
|
|
|
|
//dprintf("getting PFN table block - "
|
|
// "address %lx - count %lu - page %lu\n",
|
|
// Pfn, ReadCount, PageCount);
|
|
|
|
if ( CheckControlC() ) {
|
|
VirtualFree (PfnArray,0,MEM_RELEASE);
|
|
return E_INVALIDARG;
|
|
}
|
|
|
|
ReadCount = HighPage - PageCount > NumberOfPfnToRead ?
|
|
NumberOfPfnToRead :
|
|
HighPage - PageCount + 1;
|
|
|
|
ReadCount *= PfnSize;
|
|
|
|
Pfn = (PfnStart + PageCount * PfnSize);
|
|
|
|
if (CompleteSoFar != (ULONG) (((PageCount + LowPage) * 100)/ HighPage)) {
|
|
CompleteSoFar = (ULONG) (((PageCount + LowPage) * 100)/ HighPage);
|
|
dprintf("loading (%d%% complete)\r", CompleteSoFar);
|
|
}
|
|
|
|
// Let KD cache the data - we won't be reading from the array.
|
|
if ( !ReadMemory( Pfn,
|
|
PfnArray + PageCount * PfnSize,
|
|
(ULONG) ReadCount,
|
|
&result) ) {
|
|
dprintf("Unable to get PFN table block - "
|
|
"address %p - count %lu - page %lu\n",
|
|
Pfn, ReadCount, PageCount);
|
|
VirtualFree (PfnArray,0,MEM_RELEASE);
|
|
return E_INVALIDARG;
|
|
}
|
|
}
|
|
dprintf("\n");
|
|
|
|
// Now we have a local copy: let's take a look
|
|
|
|
WasZeroedPage = 0;
|
|
WasFreePage = 0;
|
|
WasStandbyPage = 0;
|
|
WasModifiedPage = 0;
|
|
WasModifiedNoWritePage = 0;
|
|
WasBadPage = 0;
|
|
WasActiveAndValidPage = 0;
|
|
WasTransitionPage = 0;
|
|
WasUnknownPage = 0;
|
|
|
|
CompleteSoFar = 0;
|
|
for (PageCount = LowPage;
|
|
PageCount <= HighPage;
|
|
PageCount++) {
|
|
ULONG PageLocation=0;
|
|
ULONG64 Flink=0, Blink=0;
|
|
|
|
if ( CheckControlC() ) {
|
|
VirtualFree (PfnArray,0,MEM_RELEASE);
|
|
return E_INVALIDARG;
|
|
}
|
|
|
|
if (CompleteSoFar < (ULONG) (((PageCount + LowPage) * 100)/ HighPage)) {
|
|
CompleteSoFar = (ULONG) (((PageCount + LowPage) * 100)/ HighPage);
|
|
dprintf("Compiling memory usage data (%d%% Complete).\r", CompleteSoFar);
|
|
}
|
|
|
|
|
|
Pfn = (PfnStart + PageCount * PfnSize);
|
|
|
|
GetFieldValue(Pfn, "nt!_MMPFN", "u3.e1.PageLocation", PageLocation);
|
|
|
|
switch (PageLocation) {
|
|
|
|
case ZeroedPageList:
|
|
GetFieldValue(Pfn, "nt!_MMPFN", "u1.Flink", Flink);
|
|
GetFieldValue(Pfn, "nt!_MMPFN", "u2.Blink", Blink);
|
|
if ((Flink == 0) &&
|
|
(Blink == 0)) {
|
|
WasActiveAndValidPage++;
|
|
} else {
|
|
WasZeroedPage++;
|
|
}
|
|
break;
|
|
|
|
case FreePageList:
|
|
WasFreePage++;
|
|
break;
|
|
|
|
case StandbyPageList:
|
|
WasStandbyPage++;
|
|
break;
|
|
|
|
case ModifiedPageList:
|
|
WasModifiedPage++;
|
|
break;
|
|
|
|
case ModifiedNoWritePageList:
|
|
WasModifiedNoWritePage++;
|
|
break;
|
|
|
|
case BadPageList:
|
|
WasModifiedNoWritePage++;
|
|
break;
|
|
|
|
case ActiveAndValid:
|
|
WasActiveAndValidPage++;
|
|
break;
|
|
|
|
case TransitionPage:
|
|
WasTransitionPage++;
|
|
break;
|
|
|
|
default:
|
|
WasUnknownPage++;
|
|
break;
|
|
}
|
|
}
|
|
dprintf("\n");
|
|
|
|
dprintf( " Zeroed: %6lu (%6lu kb)\n",
|
|
WasZeroedPage, WasZeroedPage * _KB);
|
|
dprintf( " Free: %6lu (%6lu kb)\n",
|
|
WasFreePage, WasFreePage * _KB);
|
|
dprintf( " Standby: %6lu (%6lu kb)\n",
|
|
WasStandbyPage, WasStandbyPage * _KB);
|
|
dprintf( " Modified: %6lu (%6lu kb)\n",
|
|
WasModifiedPage,
|
|
WasModifiedPage * _KB);
|
|
dprintf( " ModifiedNoWrite: %6lu (%6lu kb)\n",
|
|
WasModifiedNoWritePage,WasModifiedNoWritePage * _KB);
|
|
dprintf( " Active/Valid: %6lu (%6lu kb)\n",
|
|
WasActiveAndValidPage, WasActiveAndValidPage * _KB);
|
|
dprintf( " Transition: %6lu (%6lu kb)\n",
|
|
WasTransitionPage, WasTransitionPage * _KB);
|
|
dprintf( " Unknown: %6lu (%6lu kb)\n",
|
|
WasUnknownPage, WasUnknownPage * _KB);
|
|
|
|
Total = WasZeroedPage +
|
|
WasFreePage +
|
|
WasStandbyPage +
|
|
WasModifiedPage +
|
|
WasModifiedNoWritePage +
|
|
WasActiveAndValidPage +
|
|
WasTransitionPage +
|
|
WasUnknownPage +
|
|
WasUnknownPage;
|
|
dprintf( " TOTAL: %6lu (%6lu kb)\n",
|
|
Total, Total * _KB);
|
|
}
|
|
MemoryUsage (PfnStart, LowPage, HighPage, 0);
|
|
VirtualFree (PfnArray,0,MEM_RELEASE);
|
|
}
|
|
return S_OK;
|
|
}
|
|
|
|
|
|
DECLARE_API( lockedpages )
|
|
|
|
/*++
|
|
|
|
Routine Description:
|
|
|
|
Displays the driver-locked pages.
|
|
|
|
Arguments:
|
|
|
|
None.
|
|
|
|
Return Value:
|
|
|
|
None.
|
|
|
|
--*/
|
|
|
|
{
|
|
ULONG64 LockHeader;
|
|
ULONG64 LockTracker;
|
|
ULONG64 NextEntry;
|
|
ULONG GlistOff;
|
|
ULONG64 Count;
|
|
CHAR Buffer[256];
|
|
ULONG64 displacement;
|
|
|
|
UNREFERENCED_PARAMETER (args);
|
|
UNREFERENCED_PARAMETER (Client);
|
|
|
|
LockHeader = GetExpression ("nt!MmLockedPagesHead");
|
|
|
|
if (GetFieldValue(LockHeader,
|
|
"nt!_LOCK_HEADER",
|
|
"Count",
|
|
Count)) {
|
|
|
|
dprintf("%08p: Unable to get lock header data.\n", LockHeader);
|
|
return E_INVALIDARG;
|
|
}
|
|
|
|
GetFieldValue(LockHeader,"nt!_LOCK_HEADER","ListHead.Flink", NextEntry);
|
|
if (NextEntry == 0) {
|
|
dprintf("Locked pages tracking not enabled\n");
|
|
return E_INVALIDARG;
|
|
}
|
|
|
|
if (NextEntry == LockHeader) {
|
|
dprintf("There are no pages currently locked.\n");
|
|
return E_INVALIDARG;
|
|
}
|
|
|
|
dprintf("%I64d locked pages...\n", Count);
|
|
dprintf("Tracker MDL PageCount Caller/CallersCaller\n");
|
|
|
|
|
|
GetFieldOffset("LOCK_TRACKER", "GlobalListEntry", &GlistOff);
|
|
while (NextEntry != LockHeader) {
|
|
|
|
LockTracker = (NextEntry - GlistOff);
|
|
|
|
if (GetFieldValue(LockTracker, "nt!LOCK_TRACKER",
|
|
"GlobalListEntry.Flink", NextEntry)) {
|
|
|
|
dprintf("%08p: Unable to get lock tracker data.\n", LockTracker);
|
|
return E_INVALIDARG;
|
|
}
|
|
|
|
InitTypeRead(LockTracker, nt!LOCK_TRACKER);
|
|
dprintf("Tracker %p : MDL @ %p, PageCount = %I64x, Caller = %p %p\n",
|
|
LockTracker,
|
|
ReadField(Mdl),
|
|
ReadField(Count));
|
|
|
|
Buffer[0] = '!';
|
|
GetSymbol (ReadField(CallingAddress),
|
|
(PCHAR)Buffer,
|
|
&displacement);
|
|
|
|
dprintf("%s", Buffer);
|
|
if (displacement) {
|
|
dprintf( "+0x%1p", displacement );
|
|
}
|
|
dprintf("/");
|
|
|
|
Buffer[0] = '!';
|
|
GetSymbol (ReadField(CallersCaller),
|
|
(PCHAR)Buffer,
|
|
&displacement);
|
|
|
|
dprintf("%s", Buffer);
|
|
if (displacement) {
|
|
dprintf( "+0x%1p", displacement );
|
|
}
|
|
|
|
dprintf("\n");
|
|
|
|
if (CheckControlC()) {
|
|
break;
|
|
}
|
|
}
|
|
return S_OK;
|
|
}
|
|
|
|
DECLARE_API( pfnperf )
|
|
|
|
/*++
|
|
|
|
Routine Description:
|
|
|
|
Displays the PFN spinlock duration list.
|
|
|
|
Arguments:
|
|
|
|
None.
|
|
|
|
Return Value:
|
|
|
|
None.
|
|
|
|
--*/
|
|
|
|
{
|
|
ULONG64 PfnDuration;
|
|
ULONG64 PfnEntry;
|
|
ULONG64 displacement;
|
|
ULONG64 AcquiredAddress;
|
|
ULONG64 ReleasedAddress;
|
|
CHAR SymbolBuffer[80];
|
|
PCHAR SymPointer;
|
|
ULONG EntrySize;
|
|
ULONG result;
|
|
ULONG64 ReadCount;
|
|
ULONG64 i;
|
|
PCHAR LocalData;
|
|
PCHAR local;
|
|
ULONG64 NumberOfPfnEntries;
|
|
|
|
UNREFERENCED_PARAMETER (args);
|
|
UNREFERENCED_PARAMETER (Client);
|
|
|
|
PfnDuration = GetExpression ("nt!MiPfnSorted");
|
|
|
|
if (PfnDuration == 0) {
|
|
dprintf("%08p: Unable to get PFN duration data.\n", PfnDuration);
|
|
return E_INVALIDARG;
|
|
}
|
|
|
|
PfnEntry = PfnDuration;
|
|
EntrySize = GetTypeSize("nt!_MMPFNTIMINGS");
|
|
|
|
NumberOfPfnEntries = GetUlongValue ("MiMaxPfnTimings");
|
|
|
|
dprintf("Top %ld PFN lock holders sorted by duration\n", NumberOfPfnEntries);
|
|
|
|
LocalData = LocalAlloc(LPTR, (ULONG) (NumberOfPfnEntries * EntrySize));
|
|
|
|
if (!LocalData) {
|
|
dprintf("unable to get allocate %ld bytes of memory\n",
|
|
NumberOfPfnEntries * EntrySize);
|
|
return E_INVALIDARG;
|
|
}
|
|
|
|
ReadCount = NumberOfPfnEntries * EntrySize;
|
|
|
|
if ((!ReadMemory(PfnDuration,
|
|
LocalData,
|
|
(ULONG) ReadCount,
|
|
&result)) || (result < (ULONG) ReadCount)) {
|
|
dprintf("unable to get PFN duration table - "
|
|
"address %p - count %I64u\n",
|
|
LocalData, ReadCount);
|
|
}
|
|
else {
|
|
|
|
dprintf("\nDuration LockAcquirer LockReleaser\n");
|
|
|
|
local = LocalData;
|
|
|
|
for (i = 0; i < NumberOfPfnEntries; i += 1) {
|
|
|
|
ULONG64 HoldTime=0, Address = 0;
|
|
|
|
GetFieldValue(PfnEntry, "nt!_MMPFNTIMINGS", "HoldTime", HoldTime);
|
|
GetFieldValue(PfnEntry, "nt!_MMPFNTIMINGS", "AcquiredAddress", AcquiredAddress);
|
|
GetFieldValue(PfnEntry, "nt!_MMPFNTIMINGS", "ReleasedAddress", ReleasedAddress);
|
|
|
|
//
|
|
// Sign extend if necessary.
|
|
//
|
|
|
|
if (!IsPtr64()) {
|
|
AcquiredAddress = (ULONG64)(LONG64)(LONG)AcquiredAddress;
|
|
ReleasedAddress = (ULONG64)(LONG64)(LONG)ReleasedAddress;
|
|
}
|
|
|
|
//
|
|
// Output a '*' if the lock was contended for, '.' if not.
|
|
//
|
|
|
|
dprintf( "%3d%c %I64ld ", (ULONG)i, HoldTime & 0x1 ? '*' : '.', HoldTime );
|
|
|
|
SymbolBuffer[0] = '!';
|
|
GetSymbol(AcquiredAddress, (PCHAR)SymbolBuffer, &displacement);
|
|
SymPointer = SymbolBuffer;
|
|
while (*SymPointer != '!') {
|
|
SymPointer += 1;
|
|
}
|
|
SymPointer += 1;
|
|
dprintf ("%s", SymPointer);
|
|
if (displacement) {
|
|
dprintf( "+0x%x", displacement );
|
|
}
|
|
dprintf( ", ");
|
|
|
|
SymbolBuffer[0] = '!';
|
|
GetSymbol(ReleasedAddress, (PCHAR)SymbolBuffer, &displacement);
|
|
SymPointer = SymbolBuffer;
|
|
while (*SymPointer != '!') {
|
|
SymPointer += 1;
|
|
}
|
|
SymPointer += 1;
|
|
dprintf ("%s", SymPointer);
|
|
if (displacement) {
|
|
dprintf( "+0x%x", displacement );
|
|
}
|
|
|
|
dprintf( "\n");
|
|
|
|
PfnEntry += EntrySize;
|
|
}
|
|
}
|
|
|
|
if (LocalData) {
|
|
LocalFree((void *)LocalData);
|
|
}
|
|
|
|
return S_OK;
|
|
}
|
|
|
|
|
|
DECLARE_API( pfn )
|
|
|
|
/*++
|
|
|
|
Routine Description:
|
|
|
|
Displays the corresponding PDE and PTE.
|
|
|
|
Arguments:
|
|
|
|
arg - Supplies the Page frame number in hex.
|
|
|
|
Return Value:
|
|
|
|
None.
|
|
|
|
--*/
|
|
|
|
{
|
|
ULONG64 Address;
|
|
ULONG64 PfnDb;
|
|
ULONG64 Pfn;
|
|
ULONG64 PfnStart;
|
|
ULONG Flags;
|
|
ULONG PfnSize;
|
|
|
|
PfnSize = GetTypeSize("nt!_MMPFN");
|
|
|
|
if (!PfnSize) {
|
|
dprintf("unable to _MMPFN type.\n");
|
|
return E_INVALIDARG;
|
|
}
|
|
|
|
PfnDb = GetNtDebuggerData( MmPfnDatabase );
|
|
|
|
if (!PfnDb) {
|
|
dprintf("unable to get PFN0 database address\n");
|
|
return E_INVALIDARG;
|
|
}
|
|
|
|
PfnStart = 0;
|
|
if (!ReadPointer(PfnDb,&PfnStart)) {
|
|
dprintf("unable to get PFN database address %p\n", PfnDb);
|
|
return E_INVALIDARG;
|
|
}
|
|
|
|
Address = 0;
|
|
Flags = 0;
|
|
|
|
|
|
if (GetExpressionEx(args, &Address, &args)) {
|
|
Flags = (ULONG) GetExpression(args);
|
|
}
|
|
|
|
if (Flags != 0) {
|
|
|
|
if (!TargetIsDump) {
|
|
ULONG64 CacheSize;
|
|
|
|
Ioctl(IG_GET_CACHE_SIZE, &CacheSize, sizeof(CacheSize));
|
|
|
|
if (TargetMachine == IMAGE_FILE_MACHINE_IA64) {
|
|
if (CacheSize < 0x10000000) {
|
|
dprintf("CacheSize too low - increasing to 10M\n");
|
|
ExecuteCommand(Client, ".cache 10000");
|
|
}
|
|
} else if (CacheSize < 0x1000000) {
|
|
dprintf("CacheSize too low - increasing to 1M\n");
|
|
ExecuteCommand(Client, ".cache 1000");
|
|
}
|
|
}
|
|
DumpWholePfn ( Address, Flags);
|
|
return E_INVALIDARG;
|
|
}
|
|
|
|
if (Address >= PfnStart) {
|
|
//
|
|
// Ensure any passed in address is offsetted correctly.
|
|
//
|
|
Address = (Address - PfnStart) / PfnSize;
|
|
}
|
|
|
|
Pfn = (PfnStart + Address * PfnSize);
|
|
|
|
PrintPfn64(Pfn);
|
|
return S_OK;
|
|
}
|
|
|
|
|
|
VOID
|
|
DumpTerminalServerMemory (
|
|
VOID
|
|
)
|
|
{
|
|
ULONG64 Next;
|
|
ULONG64 SessionListPointer;
|
|
ULONG64 SessionData;
|
|
ULONG SessionId;
|
|
ULONG SessionWsListLinksOffset;
|
|
ULONG64 NonPagedPoolBytes;
|
|
ULONG64 PagedPoolBytes;
|
|
ULONG64 CommittedPages;
|
|
ULONG Failures;
|
|
ULONG TotalFailures;
|
|
ULONG64 SessionPoolSize;
|
|
ULONG64 SessionViewSize;
|
|
|
|
dprintf("\n\tTerminal Server Memory Usage By Session:\n\n");
|
|
|
|
// Get the offset of ActiveProcessLinks in _EPROCESS
|
|
if (GetFieldOffset("nt!_MM_SESSION_SPACE", "WsListEntry", &SessionWsListLinksOffset)) {
|
|
return;
|
|
}
|
|
|
|
SessionListPointer = GetExpression ("nt!MiSessionWsList");
|
|
|
|
if (!SessionListPointer) {
|
|
dprintf("Unable to get value of SessionListPointer\n");
|
|
return;
|
|
}
|
|
|
|
if (GetFieldValue( SessionListPointer, "nt!_LIST_ENTRY", "Flink", Next )) {
|
|
dprintf("Unable to read _LIST_ENTRY @ %p\n", SessionListPointer);
|
|
return;
|
|
}
|
|
|
|
SessionPoolSize = GetUlongValue ("MmSessionPoolSize");
|
|
SessionViewSize = GetUlongValue ("MmSessionViewSize");
|
|
|
|
dprintf("\tSession Paged Pool Maximum is %ldK\n", SessionPoolSize / 1024);
|
|
dprintf("\tSession View Space Maximum is %ldK\n", SessionViewSize / 1024);
|
|
|
|
while(Next != SessionListPointer) {
|
|
|
|
SessionData = Next - SessionWsListLinksOffset;
|
|
|
|
if (GetFieldValue( SessionData, "nt!_MM_SESSION_SPACE", "SessionId", SessionId )) {
|
|
dprintf("Unable to read _MM_SESSION_SPACE at %p\n",SessionData);
|
|
return;
|
|
}
|
|
|
|
TotalFailures = 0;
|
|
|
|
dprintf("\n\tSession ID %x @ %p:\n",SessionId, SessionData);
|
|
|
|
GetFieldValue( SessionData, "nt!_MM_SESSION_SPACE", "NonPagedPoolBytes",
|
|
NonPagedPoolBytes );
|
|
|
|
GetFieldValue( SessionData, "nt!_MM_SESSION_SPACE", "PagedPoolBytes",
|
|
PagedPoolBytes );
|
|
|
|
GetFieldValue( SessionData, "nt!_MM_SESSION_SPACE", "CommittedPages",
|
|
CommittedPages );
|
|
|
|
GetFieldValue( SessionData, "nt!_MM_SESSION_SPACE", "SessionPoolAllocationFailures[0]",
|
|
Failures);
|
|
TotalFailures += Failures;
|
|
|
|
GetFieldValue( SessionData, "nt!_MM_SESSION_SPACE", "SessionPoolAllocationFailures[1]",
|
|
Failures);
|
|
TotalFailures += Failures;
|
|
|
|
GetFieldValue( SessionData, "nt!_MM_SESSION_SPACE", "SessionPoolAllocationFailures[2]",
|
|
Failures);
|
|
TotalFailures += Failures;
|
|
|
|
GetFieldValue( SessionData, "nt!_MM_SESSION_SPACE", "SessionPoolAllocationFailures[3]",
|
|
Failures);
|
|
TotalFailures += Failures;
|
|
|
|
dprintf("\tNonpaged Pool Usage: %8I64ldK\n",NonPagedPoolBytes / 1024);
|
|
dprintf("\tPaged Pool Usage: %8I64ldK\n",PagedPoolBytes / 1024);
|
|
|
|
if (TotalFailures != 0) {
|
|
dprintf("\n\t*** %ld Pool Allocation Failures ***\n\n",TotalFailures);
|
|
}
|
|
|
|
dprintf("\tCommit Usage: %8I64ldK\n",CommittedPages * _KB);
|
|
|
|
GetFieldValue(SessionData, "nt!_MM_SESSION_SPACE", "WsListEntry.Flink", Next);
|
|
|
|
if (CheckControlC()) {
|
|
return;
|
|
}
|
|
}
|
|
|
|
return;
|
|
}
|
|
|
|
#if (_MSC_VER < 1200) && defined(_M_IX86)
|
|
#pragma optimize("g", off)
|
|
#endif
|
|
DECLARE_API( vm )
|
|
|
|
/*++
|
|
|
|
Routine Description:
|
|
|
|
Displays physical memory usage by driver.
|
|
|
|
Arguments:
|
|
|
|
arg - Flags : 0 (default) == systemwide vm & per-process output.
|
|
1 == just systemwide vm counts, no per-process output.
|
|
2 == systemwide vm, per-process & Mm thread output.
|
|
3 == systemwide vm & Mm thread display, no per-process output.
|
|
|
|
Return Value:
|
|
|
|
None.
|
|
|
|
--*/
|
|
|
|
{
|
|
ULONG Flags;
|
|
ULONG Index;
|
|
ULONG64 MemorySize;
|
|
ULONG64 CommitLimit;
|
|
ULONG64 CommitTotal;
|
|
ULONG64 SharedCommit;
|
|
ULONG64 SpecialPoolPages;
|
|
ULONG64 ProcessCommit;
|
|
ULONG64 PagedPoolCommit;
|
|
ULONG64 DriverCommit;
|
|
ULONG64 ZeroPages;
|
|
ULONG64 FreePages;
|
|
ULONG64 StandbyPages;
|
|
ULONG64 ModifiedPages;
|
|
ULONG64 ModifiedNoWrite;
|
|
ULONG64 NumberOfPagedPools;
|
|
ULONG64 NumberOfPagingFiles;
|
|
ULONG64 AvailablePages;
|
|
ULONG64 LockPagesCount;
|
|
ULONG64 SpecialPagesNonPaged;
|
|
ULONG64 SpecialPagesNonPagedMaximum;
|
|
ULONG64 FreePtesPointer;
|
|
ULONG64 FreeNonPagedPtes;
|
|
ULONG64 ResidentAvailablePages;
|
|
ULONG64 PoolLoc;
|
|
ULONG64 PoolLocBase;
|
|
ULONG result;
|
|
ULONG TotalPages;
|
|
ULONG ExtendedCommit;
|
|
ULONG64 TotalProcessCommit;
|
|
PPROCESS_COMMIT_USAGE ProcessCommitUsage;
|
|
ULONG i;
|
|
ULONG NumberOfProcesses;
|
|
ULONG64 PagedPoolBytesMax;
|
|
ULONG64 PagedPoolBytes;
|
|
ULONG64 NonPagedPoolBytesMax;
|
|
ULONG64 NonPagedPoolBytes;
|
|
ULONG64 PageFileBase;
|
|
ULONG64 PageFilePointer;
|
|
ULONG PageFileFullExtendPages;
|
|
ULONG PageFileFullExtendCount;
|
|
PUCHAR tempbuffer;
|
|
UNICODE_STRING unicodeString;
|
|
ULONG64 PagedPoolInfoPointer;
|
|
ULONG64 FreeSystemPtes;
|
|
UCHAR PagedPoolType[] = "nt!_MM_PAGED_POOL_INFO";
|
|
ULONG64 AllocatedPagedPool=0;
|
|
ULONG Desc_TotalPages=0, TotalBigPages=0, Desc_size;
|
|
ULONG PtrSize = DBG_PTR_SIZE;
|
|
ULONG NumberOfNonPagedPools;
|
|
ULONG64 ExpNumberOfNonPagedPools;
|
|
|
|
Flags = 0;
|
|
Flags = (ULONG) GetExpression(args);
|
|
|
|
dprintf("\n*** Virtual Memory Usage ***\n");
|
|
MemorySize = GetNtDebuggerDataValue(MmNumberOfPhysicalPages);
|
|
dprintf ("\tPhysical Memory: %8I64ld (%8I64ld Kb)\n",MemorySize,_KB*MemorySize);
|
|
NumberOfPagingFiles = GetNtDebuggerDataValue(MmNumberOfPagingFiles);
|
|
PageFilePointer = GetExpression ("nt!MmPagingFile");
|
|
if (NumberOfPagingFiles == 0) {
|
|
dprintf("\n************ NO PAGING FILE *********************\n\n");
|
|
} else {
|
|
for (i = 0; i < NumberOfPagingFiles; i++) {
|
|
ULONG64 PageFileName_Buffer=0;
|
|
|
|
if (!ReadPointer(PageFilePointer, &PageFileBase)) {
|
|
|
|
dprintf("%08p: Unable to get page file\n",PageFilePointer);
|
|
break;
|
|
}
|
|
|
|
if (GetFieldValue(PageFileBase,
|
|
"nt!_MMPAGING_FILE",
|
|
"PageFileName.Buffer",
|
|
PageFileName_Buffer)) {
|
|
|
|
dprintf("%08p: Unable to get page file\n",PageFilePointer);
|
|
break;
|
|
}
|
|
|
|
InitTypeRead(PageFileBase, nt!_MMPAGING_FILE);
|
|
|
|
if (PageFileName_Buffer == 0) {
|
|
dprintf("\tNo Name for Paging File\n\n");
|
|
} else {
|
|
|
|
unicodeString.Length = (USHORT) ReadField(PageFileName.Length);
|
|
|
|
tempbuffer = LocalAlloc(LPTR, unicodeString.Length);
|
|
|
|
unicodeString.Buffer = (PWSTR)tempbuffer;
|
|
unicodeString.MaximumLength = unicodeString.Length;
|
|
|
|
if (!ReadMemory ( PageFileName_Buffer,
|
|
tempbuffer,
|
|
unicodeString.Length,
|
|
&result)) {
|
|
dprintf("\tPaging File Name paged out\n");
|
|
} else {
|
|
dprintf("\tPage File: %wZ\n", &unicodeString);
|
|
}
|
|
|
|
LocalFree(tempbuffer);
|
|
|
|
}
|
|
|
|
dprintf("\t Current: %9I64ldKb Free Space: %9I64ldKb\n",
|
|
ReadField(Size)*_KB,
|
|
ReadField(FreeSpace)*_KB);
|
|
dprintf("\t Minimum: %9I64ldKb Maximum: %9I64ldKb\n",
|
|
ReadField(MinimumSize)*_KB,
|
|
ReadField(MaximumSize)*_KB);
|
|
PageFilePointer += PtrSize;
|
|
}
|
|
}
|
|
|
|
PagedPoolInfoPointer = GetExpression ("nt!MmPagedPoolInfo");
|
|
|
|
if (GetFieldValue(PagedPoolInfoPointer,
|
|
PagedPoolType,
|
|
"AllocatedPagedPool",
|
|
AllocatedPagedPool)) {
|
|
|
|
dprintf("%08p: Unable to get paged pool info %p\n",PagedPoolInfoPointer);
|
|
}
|
|
|
|
PagedPoolBytesMax = GetNtDebuggerDataValue(MmSizeOfPagedPoolInBytes);
|
|
PagedPoolBytes = AllocatedPagedPool;
|
|
PagedPoolBytes *= PageSize;
|
|
NonPagedPoolBytesMax = GetNtDebuggerDataValue(MmMaximumNonPagedPoolInBytes);
|
|
NonPagedPoolBytes = GetUlongValue ("MmAllocatedNonPagedPool");
|
|
NonPagedPoolBytes *= PageSize;
|
|
CommitLimit = GetNtDebuggerDataValue(MmTotalCommitLimit);
|
|
CommitTotal = GetNtDebuggerDataValue(MmTotalCommittedPages);
|
|
SharedCommit = GetNtDebuggerDataValue(MmSharedCommit);
|
|
DriverCommit = GetNtDebuggerDataValue(MmDriverCommit);
|
|
ProcessCommit = GetNtDebuggerDataValue(MmProcessCommit);
|
|
PagedPoolCommit = GetNtDebuggerDataValue(MmPagedPoolCommit);
|
|
ZeroPages = GetNtDebuggerDataValue(MmZeroedPageListHead);
|
|
FreePages = GetNtDebuggerDataValue(MmFreePageListHead);
|
|
StandbyPages = GetNtDebuggerDataValue(MmStandbyPageListHead);
|
|
ModifiedPages = GetNtDebuggerDataValue(MmModifiedPageListHead);
|
|
ModifiedNoWrite = GetNtDebuggerDataValue(MmModifiedNoWritePageListHead);
|
|
AvailablePages = GetNtDebuggerDataValue(MmAvailablePages);
|
|
ResidentAvailablePages = GetNtDebuggerDataValue(MmResidentAvailablePages);
|
|
|
|
if (BuildNo < 2257) {
|
|
ExtendedCommit = GetUlongValue("MmExtendedCommit");
|
|
PageFileFullExtendPages = GetUlongValue("MmPageFileFullExtendPages");
|
|
PageFileFullExtendCount = GetUlongValue("MmPageFileFullExtendCount");
|
|
}
|
|
FreeSystemPtes = GetUlongValue("MmTotalFreeSystemPtes");
|
|
LockPagesCount = GetUlongValue("MmSystemLockPagesCount");
|
|
SpecialPagesNonPaged = GetUlongValue("MiSpecialPagesNonPaged");
|
|
SpecialPagesNonPagedMaximum = GetUlongValue("MiSpecialPagesNonPagedMaximum");
|
|
|
|
FreePtesPointer = GetExpression ("nt!MmTotalFreeSystemPtes");
|
|
|
|
FreePtesPointer += sizeof(ULONG);
|
|
FreeNonPagedPtes = 0;
|
|
if (!ReadMemory (FreePtesPointer, &FreeNonPagedPtes, sizeof(ULONG), &result)) {
|
|
dprintf("\tError reading free nonpaged PTEs %p\n", FreePtesPointer);
|
|
}
|
|
|
|
SpecialPoolPages = GetUlongValue("nt!MmSpecialPagesInUse");
|
|
|
|
dprintf("\tAvailable Pages: %8I64ld (%8I64ld Kb)\n",AvailablePages, AvailablePages*_KB);
|
|
dprintf("\tResAvail Pages: %8I64ld (%8I64ld Kb)\n",ResidentAvailablePages, ResidentAvailablePages*_KB);
|
|
|
|
if ((LONG64) (ResidentAvailablePages - LockPagesCount) < 100) {
|
|
|
|
dprintf("\n\t********** Running out of physical memory **********\n\n");
|
|
}
|
|
dprintf("\tLocked IO Pages: %8I64ld (%8I64ld Kb)\n",LockPagesCount,_KB*LockPagesCount);
|
|
dprintf("\tFree System PTEs: %8I64ld (%8I64ld Kb)\n",FreeSystemPtes,_KB*FreeSystemPtes);
|
|
dprintf("\tFree NP PTEs: %8I64ld (%8I64ld Kb)\n",FreeNonPagedPtes,_KB*FreeNonPagedPtes);
|
|
dprintf("\tFree Special NP: %8I64ld (%8I64ld Kb)\n",
|
|
(SpecialPagesNonPagedMaximum - SpecialPagesNonPaged),
|
|
_KB*(SpecialPagesNonPagedMaximum - SpecialPagesNonPaged));
|
|
|
|
dprintf("\tModified Pages: %8I64ld (%8I64ld Kb)\n",ModifiedPages,ModifiedPages*_KB);
|
|
if ((AvailablePages < 50) && (ModifiedPages > 200)) {
|
|
dprintf("\t********** High Number Of Modified Pages ********\n");
|
|
}
|
|
|
|
if (ModifiedNoWrite > ((MemorySize / 100) * 3)) {
|
|
dprintf("\t********** High Number Of Modified No Write Pages ********\n");
|
|
dprintf("\tModified No Write Pages: %I64ld (%8I64ld Kb)\n",
|
|
ModifiedNoWrite,_KB*ModifiedNoWrite);
|
|
}
|
|
|
|
//
|
|
// Dump all the nonpaged pools.
|
|
//
|
|
|
|
PoolLoc = GetNtDebuggerData(NonPagedPoolDescriptor );
|
|
Desc_TotalPages = 0; TotalBigPages=0;
|
|
if ( !PoolLoc ||
|
|
GetFieldValue(PoolLoc,
|
|
"nt!_POOL_DESCRIPTOR",
|
|
"TotalPages",
|
|
Desc_TotalPages)) {
|
|
|
|
dprintf("%08p: Unable to get pool descriptor\n",PoolLoc);
|
|
return E_INVALIDARG;
|
|
}
|
|
|
|
Desc_size = GetTypeSize("nt!_POOL_DESCRIPTOR");
|
|
|
|
if (ExpNumberOfNonPagedPools = GetExpression("nt!ExpNumberOfNonPagedPools")) {
|
|
NumberOfNonPagedPools = GetUlongFromAddress (ExpNumberOfNonPagedPools);
|
|
} else {
|
|
NumberOfNonPagedPools = 0;
|
|
}
|
|
|
|
if (NumberOfNonPagedPools > 1) {
|
|
|
|
TotalPages = 0;
|
|
|
|
PoolLocBase = GetExpression ("nt!ExpNonPagedPoolDescriptor");
|
|
|
|
if (PoolLocBase != 0) {
|
|
|
|
for (Index = 0; Index < NumberOfNonPagedPools; Index += 1) {
|
|
|
|
if (!ReadPointer(PoolLocBase, &PoolLoc)) {
|
|
|
|
dprintf("%08p: Unable to get nonpaged pool info\n",PoolLocBase);
|
|
break;
|
|
}
|
|
|
|
if (GetFieldValue(PoolLoc,
|
|
"nt!_POOL_DESCRIPTOR",
|
|
"TotalPages",
|
|
Desc_TotalPages)) {
|
|
|
|
dprintf("%08p: Unable to get pool descriptor\n",PoolLoc);
|
|
return E_INVALIDARG;
|
|
}
|
|
GetFieldValue(PoolLoc,"_POOL_DESCRIPTOR","TotalBigPages",TotalBigPages);
|
|
|
|
dprintf("\tNonPagedPool %1ld Used: %5ld (%8ld Kb)\n",
|
|
Index,
|
|
Desc_TotalPages + TotalBigPages,
|
|
_KB*(Desc_TotalPages + TotalBigPages));
|
|
|
|
TotalPages += Desc_TotalPages + TotalBigPages;
|
|
PoolLocBase += PtrSize;
|
|
}
|
|
}
|
|
}
|
|
|
|
GetFieldValue(PoolLoc,"nt!_POOL_DESCRIPTOR","TotalBigPages",TotalBigPages);
|
|
|
|
if (NumberOfNonPagedPools > 1) {
|
|
dprintf("\tNonPagedPool Usage: %5ld (%8ld Kb)\n", TotalPages,_KB*TotalPages);
|
|
}
|
|
else {
|
|
dprintf("\tNonPagedPool Usage: %5ld (%8ld Kb)\n", Desc_TotalPages + TotalBigPages,
|
|
_KB*(Desc_TotalPages + TotalBigPages));
|
|
}
|
|
|
|
dprintf("\tNonPagedPool Max: %5I64ld (%8I64ld Kb)\n", NonPagedPoolBytesMax/PageSize,_KB*(NonPagedPoolBytesMax/PageSize));
|
|
|
|
if ((Desc_TotalPages + TotalBigPages) > 4 * ((NonPagedPoolBytesMax / PageSize) / 5)) {
|
|
dprintf("\t********** Excessive NonPaged Pool Usage *****\n");
|
|
}
|
|
|
|
//
|
|
// Dump all the paged pools.
|
|
//
|
|
|
|
NumberOfPagedPools = GetNtDebuggerDataValue(ExpNumberOfPagedPools);
|
|
|
|
TotalPages = 0;
|
|
|
|
PoolLocBase = GetExpression ("nt!ExpPagedPoolDescriptor");
|
|
|
|
if ((PoolLocBase != 0) && (NumberOfPagedPools != 0)) {
|
|
|
|
for (Index = 0; (Index < (NumberOfPagedPools + 1)) ; Index += 1) {
|
|
|
|
if (Index && (BuildNo <= 2464)) {
|
|
PoolLoc += Desc_size;
|
|
} else {
|
|
if (!ReadPointer(PoolLocBase, &PoolLoc)) {
|
|
|
|
dprintf("%08p: Unable to get paged pool info\n",PoolLocBase);
|
|
break;
|
|
}
|
|
|
|
}
|
|
|
|
if (GetFieldValue(PoolLoc,
|
|
"nt!_POOL_DESCRIPTOR",
|
|
"TotalPages",
|
|
Desc_TotalPages)) {
|
|
|
|
dprintf("%08p: Unable to get pool descriptor, PagedPool usage may be wrong\n",PoolLoc);
|
|
break;
|
|
}
|
|
GetFieldValue(PoolLoc,"nt!_POOL_DESCRIPTOR","TotalBigPages",TotalBigPages);
|
|
|
|
dprintf("\tPagedPool %1ld Usage: %5ld (%8ld Kb)\n",
|
|
Index,
|
|
Desc_TotalPages + TotalBigPages,
|
|
_KB*(Desc_TotalPages + TotalBigPages));
|
|
|
|
TotalPages += Desc_TotalPages + TotalBigPages;
|
|
PoolLocBase += PtrSize;
|
|
|
|
}
|
|
}
|
|
|
|
if (PagedPoolBytes > 95 * (PagedPoolBytesMax/ 100)) {
|
|
dprintf("\t********** Excessive Paged Pool Usage *****\n");
|
|
}
|
|
|
|
dprintf("\tPagedPool Usage: %5ld (%8ld Kb)\n", TotalPages,_KB*TotalPages);
|
|
dprintf("\tPagedPool Maximum: %5I64ld (%8I64ld Kb)\n", PagedPoolBytesMax/PageSize,_KB*(PagedPoolBytesMax/PageSize));
|
|
dprintf("\tShared Commit: %8I64ld (%8I64ld Kb)\n",SharedCommit,_KB*SharedCommit );
|
|
dprintf("\tSpecial Pool: %8I64ld (%8I64ld Kb)\n",SpecialPoolPages,_KB*SpecialPoolPages );
|
|
dprintf("\tShared Process: %8I64ld (%8I64ld Kb)\n",ProcessCommit,_KB*ProcessCommit );
|
|
|
|
dprintf("\tPagedPool Commit: %8I64ld (%8I64ld Kb)\n",PagedPoolCommit,_KB*PagedPoolCommit);
|
|
dprintf("\tDriver Commit: %8I64ld (%8I64ld Kb)\n",DriverCommit, _KB*DriverCommit );
|
|
dprintf("\tCommitted pages: %8I64ld (%8I64ld Kb)\n",CommitTotal, _KB*CommitTotal );
|
|
dprintf("\tCommit limit: %8I64ld (%8I64ld Kb)\n",CommitLimit, _KB*CommitLimit );
|
|
if ((CommitTotal + 100) > CommitLimit) {
|
|
dprintf("\n\t********** Number of committed pages is near limit ********\n");
|
|
}
|
|
if (BuildNo < 2257) {
|
|
if (ExtendedCommit != 0) {
|
|
dprintf("\n\t********** Commit has been extended with VM popup ********\n");
|
|
dprintf("\tExtended by: %8ld (%8ld Kb)\n", ExtendedCommit,_KB*ExtendedCommit);
|
|
}
|
|
|
|
if (PageFileFullExtendCount) {
|
|
if (PageFileFullExtendCount == 1) {
|
|
dprintf("\n\t****** ALL PAGING FILE BECAME FULL ONCE - COMMITMENT ADJUSTED ****\n", PageFileFullExtendCount);
|
|
}
|
|
else {
|
|
dprintf("\n\t****** ALL PAGING FILE BECAME FULL (%u times) - COMMITMENT ADJUSTED ****\n", PageFileFullExtendCount);
|
|
}
|
|
dprintf("\tCurrent adjust: %8ld (%8ld Kb)\n",
|
|
PageFileFullExtendPages,
|
|
_KB*PageFileFullExtendPages);
|
|
}
|
|
}
|
|
dprintf("\n");
|
|
|
|
if ((Flags & 0x1) == 0) {
|
|
|
|
ProcessCommitUsage = GetProcessCommit( &TotalProcessCommit, &NumberOfProcesses );
|
|
if (ProcessCommitUsage == NULL)
|
|
{
|
|
dprintf("\nProcessCommitUsage could not be calculated\n");
|
|
}
|
|
else
|
|
{
|
|
if (TotalProcessCommit != 0) {
|
|
dprintf("\tTotal Private: %8I64ld (%8I64ld Kb)\n",
|
|
TotalProcessCommit,_KB*TotalProcessCommit);
|
|
}
|
|
|
|
for (i=0; i<NumberOfProcesses; i++) {
|
|
dprintf( " %04I64lx %-15s %6I64d (%8I64ld Kb)\n",
|
|
ProcessCommitUsage[i].ClientId,
|
|
ProcessCommitUsage[i].ImageFileName,
|
|
ProcessCommitUsage[i].CommitCharge,
|
|
_KB*(ProcessCommitUsage[i].CommitCharge)
|
|
);
|
|
}
|
|
HeapFree(GetProcessHeap(), 0, ProcessCommitUsage);
|
|
}
|
|
}
|
|
|
|
if (Flags & 0x2) {
|
|
if (Client &&
|
|
(ExtQuery(Client) == S_OK)) {
|
|
|
|
dprintf("\n\tMemory Management Thread Stacks:\n");
|
|
DumpMmThreads ();
|
|
|
|
ExtRelease();
|
|
}
|
|
}
|
|
|
|
if (Flags & 0x4) {
|
|
if (Client &&
|
|
(ExtQuery(Client) == S_OK)) {
|
|
|
|
DumpTerminalServerMemory ();
|
|
|
|
ExtRelease();
|
|
}
|
|
}
|
|
|
|
return S_OK;
|
|
}
|
|
|
|
#if (_MSC_VER < 1200) && defined(_M_IX86)
|
|
#pragma optimize("", on)
|
|
#endif
|
|
|
|
VOID
|
|
DumpWholePfn(
|
|
IN ULONG64 Address,
|
|
IN ULONG Flags
|
|
)
|
|
|
|
/*++
|
|
|
|
Routine Description:
|
|
|
|
Dumps the PFN database
|
|
|
|
Arguments:
|
|
|
|
Address - address to dump at
|
|
Flags -
|
|
|
|
Return Value:
|
|
|
|
None.
|
|
|
|
--*/
|
|
|
|
{
|
|
ULONG result;
|
|
ULONG64 HighPage;
|
|
ULONG64 LowPage;
|
|
ULONG64 PageCount;
|
|
ULONG64 ReadCount;
|
|
ULONG64 i;
|
|
ULONG64 Pfn;
|
|
ULONG64 PfnStart;
|
|
PUCHAR PfnArray;
|
|
PUCHAR PfnArrayPointer;
|
|
ULONG64 VirtualAddress;
|
|
ULONG MatchLocation;
|
|
BOOLEAN foundlink;
|
|
BOOLEAN RandomAccessRequired;
|
|
ULONG PfnSize;
|
|
ULONG NumberOfPfnToRead;
|
|
ULONG sz;
|
|
MMPFNENTRY u3_e1;
|
|
CHAR InPageError;
|
|
|
|
LowPage = GetNtDebuggerDataValue(MmLowestPhysicalPage);
|
|
HighPage = GetNtDebuggerDataValue(MmHighestPhysicalPage);
|
|
PfnStart = GetNtDebuggerDataPtrValue(MmPfnDatabase);
|
|
|
|
PfnSize = GetTypeSize("nt!_MMPFN");
|
|
|
|
//
|
|
// Read sufficient pages such that htere isn't lot of wait
|
|
// before first page dump.
|
|
//
|
|
|
|
NumberOfPfnToRead = 2000;
|
|
|
|
PfnArray = NULL;
|
|
|
|
if (Flags == 7) {
|
|
RandomAccessRequired = TRUE;
|
|
}
|
|
else {
|
|
RandomAccessRequired = FALSE;
|
|
}
|
|
|
|
if (RandomAccessRequired == FALSE) {
|
|
dprintf("\n Page Flink Blk/Shr Ref V PTE Address SavedPTE Frame State\n");
|
|
}
|
|
|
|
//
|
|
// If asked to dump the whole database or we're going to need the ability
|
|
// to look up random frames, then read in the whole database now.
|
|
//
|
|
|
|
if (Address == 0 || RandomAccessRequired == TRUE) {
|
|
|
|
PfnArray = LocalAlloc(LPTR, (ULONG) (HighPage+1) * PfnSize);
|
|
if (!PfnArray) {
|
|
dprintf("unable to get allocate %ld bytes of memory\n",
|
|
(HighPage+1) * PfnSize);
|
|
return;
|
|
}
|
|
|
|
for (PageCount = LowPage;
|
|
PageCount <= HighPage;
|
|
PageCount += NumberOfPfnToRead) {
|
|
|
|
if (CheckControlC()) {
|
|
goto alldone;
|
|
}
|
|
|
|
ReadCount = HighPage - PageCount > NumberOfPfnToRead ?
|
|
NumberOfPfnToRead :
|
|
HighPage - PageCount + 1;
|
|
|
|
ReadCount *= PfnSize;
|
|
|
|
Pfn = (PfnStart + PageCount * PfnSize);
|
|
|
|
PfnArrayPointer = (PUCHAR)(PfnArray + (ULONG) PageCount * PfnSize);
|
|
|
|
//
|
|
// KD caches the Pfns
|
|
//
|
|
if ((!ReadMemory(Pfn,
|
|
PfnArrayPointer,
|
|
(ULONG) ReadCount,
|
|
&result)) || (result < (ULONG) ReadCount)) {
|
|
dprintf("unable to get PFN table block - "
|
|
"address %p - count %I64u - page %I64lu\n",
|
|
Pfn, ReadCount, PageCount);
|
|
goto alldone;
|
|
}
|
|
for (i = PageCount;
|
|
(i < PageCount + NumberOfPfnToRead) && (i < HighPage);
|
|
i += 1, Pfn = (Pfn + PfnSize)) {
|
|
ULONG u3_e2_ReferenceCount=0;
|
|
ULONG64 u1_Flink=0, u2_Blink=0, PteAddress=0, OriginalPte=0, PteFrame=0;
|
|
|
|
if (RandomAccessRequired == TRUE) {
|
|
if ((i % 256 ) == 0) {
|
|
dprintf("."); // every 256 pages, print a dot
|
|
}
|
|
}
|
|
else {
|
|
GetFieldValue(Pfn, "nt!_MMPFN", "u1.Flink", u1_Flink);
|
|
GetFieldValue(Pfn, "nt!_MMPFN", "u2.Blink", u2_Blink);
|
|
GetFieldValue(Pfn, "nt!_MMPFN", "PteAddress",PteAddress);
|
|
GetFieldValue(Pfn, "nt!_MMPFN", "OriginalPte",OriginalPte);
|
|
GetFieldValue(Pfn, "nt!_MMPFN", "u3.e2.ReferenceCount", u3_e2_ReferenceCount);
|
|
GetFieldValue(Pfn, "nt!_MMPFN", "u3.e1", u3_e1);
|
|
|
|
if (GetFieldValue(Pfn, "nt!_MMPFN", "u4.PteFrame", PteFrame) == FIELDS_DID_NOT_MATCH) {
|
|
GetFieldValue(Pfn, "nt!_MMPFN", "u3.e1.InPageError", InPageError);
|
|
GetFieldValue(Pfn, "nt!_MMPFN", "PteFrame", PteFrame);
|
|
} else {
|
|
GetFieldValue(Pfn, "nt!_MMPFN", "u4.InPageError", InPageError);
|
|
}
|
|
|
|
if (u3_e1.PrototypePte == 0) {
|
|
VirtualAddress = DbgGetVirtualAddressMappedByPte(PteAddress);
|
|
} else {
|
|
VirtualAddress = 0;
|
|
}
|
|
|
|
dprintf("%5I64lx %8p %8p%6x %8p %8p ",
|
|
i,
|
|
u1_Flink,
|
|
u2_Blink,
|
|
u3_e2_ReferenceCount,
|
|
PteAddress,
|
|
VirtualAddress);
|
|
|
|
dprintf("%8p ", OriginalPte);
|
|
|
|
dprintf("%6I64lx ", PteFrame);
|
|
|
|
dprintf("%s %c%c%c%c%c%c\n",
|
|
PageLocationList[u3_e1.PageLocation],
|
|
u3_e1.Modified ? 'M':' ',
|
|
u3_e1.PrototypePte ? 'P':' ',
|
|
u3_e1.ReadInProgress ? 'R':' ',
|
|
u3_e1.WriteInProgress ? 'W':' ',
|
|
InPageError ? 'E':' ',
|
|
u3_e1.ParityError ? 'X':' '
|
|
);
|
|
}
|
|
|
|
if (CheckControlC()) {
|
|
goto alldone;
|
|
}
|
|
}
|
|
}
|
|
|
|
if (RandomAccessRequired == TRUE) {
|
|
dprintf("\n");
|
|
}
|
|
else {
|
|
goto alldone;
|
|
}
|
|
}
|
|
|
|
dprintf("\n Page Flink Blk/Shr Ref V PTE Address SavedPTE Frame State\n");
|
|
|
|
Pfn = (PfnStart + Address * PfnSize);
|
|
|
|
if (GetFieldValue(Pfn, "nt!_MMPFN", "u3.e1", u3_e1)) {
|
|
dprintf("unable to get PFN element\n");
|
|
goto alldone;
|
|
}
|
|
MatchLocation = u3_e1.PageLocation;
|
|
|
|
do {
|
|
ULONG u3_e2_ReferenceCount=0;
|
|
ULONG64 u1_Flink=0, u2_Blink=0, PteAddress=0, OriginalPte=0, PteFrame=0;
|
|
|
|
if (CheckControlC()) {
|
|
goto alldone;
|
|
}
|
|
|
|
Pfn = (PfnStart + Address * PfnSize);
|
|
|
|
sz = sizeof (u3_e1);
|
|
GetFieldValue(Pfn, "nt!_MMPFN", "u3.e1", u3_e1);
|
|
|
|
if (u3_e1.PrototypePte == 0) {
|
|
VirtualAddress = DbgGetVirtualAddressMappedByPte ( PteAddress);
|
|
} else {
|
|
VirtualAddress = 0;
|
|
}
|
|
if (u3_e1.PageLocation == MatchLocation) {
|
|
GetFieldValue(Pfn, "nt!_MMPFN", "u1.Flink", u1_Flink);
|
|
GetFieldValue(Pfn, "nt!_MMPFN", "u2.Blink", u2_Blink);
|
|
GetFieldValue(Pfn, "nt!_MMPFN", "PteAddress", PteAddress);
|
|
GetFieldValue(Pfn, "nt!_MMPFN", "OriginalPte",OriginalPte);
|
|
GetFieldValue(Pfn, "nt!_MMPFN", "u3.e2.ReferenceCount", u3_e2_ReferenceCount);
|
|
if(GetFieldValue(Pfn, "nt!_MMPFN", "u4.PteFrame", PteFrame) == FIELDS_DID_NOT_MATCH) {
|
|
GetFieldValue(Pfn, "nt!_MMPFN", "u3.e1.InPageError", InPageError);
|
|
GetFieldValue(Pfn, "nt!_MMPFN", "PteFrame", PteFrame);
|
|
} else {
|
|
GetFieldValue(Pfn, "nt!_MMPFN", "u4.InPageError", InPageError);
|
|
}
|
|
|
|
|
|
dprintf("%5I64lx %8p %8p%6x %8p %8p ",
|
|
Address,
|
|
u1_Flink,
|
|
u2_Blink,
|
|
u3_e2_ReferenceCount,
|
|
PteAddress,
|
|
VirtualAddress);
|
|
|
|
dprintf("%8p ", OriginalPte);
|
|
|
|
dprintf("%6I64lx ", PteFrame);
|
|
|
|
dprintf("%s %c%c%c%c%c%c\n",
|
|
PageLocationList[u3_e1.PageLocation],
|
|
u3_e1.Modified ? 'M':' ',
|
|
u3_e1.PrototypePte ? 'P':' ',
|
|
u3_e1.ReadInProgress ? 'R':' ',
|
|
u3_e1.WriteInProgress ? 'W':' ',
|
|
InPageError ? 'E':' ',
|
|
u3_e1.ParityError ? 'X':' '
|
|
);
|
|
|
|
}
|
|
|
|
if (MatchLocation > 5) {
|
|
Address += 1;
|
|
} else {
|
|
ULONG64 OriginalPte_u_Long=0;
|
|
sz = sizeof (OriginalPte_u_Long);
|
|
if (Flags == 7) {
|
|
ULONG64 P;
|
|
//
|
|
// Search the whole database for an OriginalPte field that
|
|
// points to this PFN - we must do this because this chain
|
|
// is singly (not doubly) linked.
|
|
//
|
|
foundlink = FALSE;
|
|
P = PfnStart;
|
|
for (i = 0; i <= HighPage; i += 1, P += PfnSize) {
|
|
GetFieldValue(P, "nt!_MMPFN", "OriginalPte.u.Long", OriginalPte_u_Long);
|
|
if (OriginalPte_u_Long == Address) {
|
|
Address = i;
|
|
foundlink = TRUE;
|
|
break;
|
|
}
|
|
}
|
|
if (foundlink == FALSE) {
|
|
dprintf("No OriginalPte chain found for %lx\n", Address);
|
|
break;
|
|
}
|
|
} else if (Flags == 5) {
|
|
GetFieldValue(Pfn, "nt!_MMPFN", "OriginalPte.u.Long", OriginalPte_u_Long);
|
|
Address = OriginalPte_u_Long;
|
|
} else if (Flags == 3) {
|
|
Address = u2_Blink;
|
|
} else {
|
|
Address = u1_Flink;
|
|
}
|
|
}
|
|
|
|
if (CheckControlC()) {
|
|
goto alldone;
|
|
}
|
|
} while (Address < HighPage);
|
|
|
|
alldone:
|
|
|
|
if (PfnArray) {
|
|
LocalFree((void *)PfnArray);
|
|
}
|
|
}
|
|
|
|
VOID
|
|
PrintPfn64 (
|
|
IN ULONG64 PfnAddress
|
|
)
|
|
{
|
|
MMPFNENTRY u3_e1;
|
|
ULONG64 PfnDb, PfnStart;
|
|
ULONG PfnSize;
|
|
ULONG CacheAttribute;
|
|
CHAR InPageError, VerifierAllocation;
|
|
|
|
if ((PfnSize = GetTypeSize("nt!_MMPFN")) == 0) {
|
|
dprintf("Type _MMPFN not found.\n");
|
|
return;
|
|
}
|
|
|
|
|
|
PfnDb = GetNtDebuggerData(MmPfnDatabase);
|
|
if (!ReadPointer(PfnDb, &PfnStart)) {
|
|
dprintf("%08P: Unable to get PFN database start\n",PfnDb);
|
|
return;
|
|
}
|
|
|
|
if (!IsPtr64()) {
|
|
PfnAddress = (ULONG64) (LONG64) (LONG) PfnAddress;
|
|
}
|
|
|
|
dprintf(" PFN %08P at address %08P\n",
|
|
(PfnAddress - PfnStart) / PfnSize,
|
|
PfnAddress);
|
|
|
|
InitTypeRead(PfnAddress, nt!_MMPFN);
|
|
|
|
dprintf(" flink %08P", ReadField(u1.Flink));
|
|
dprintf(" blink / share count %08P", ReadField(u2.Blink));
|
|
dprintf(" pteaddress %08P\n", ReadField(PteAddress));
|
|
|
|
GetFieldValue(PfnAddress, "nt!_MMPFN", "u3.e1", u3_e1);
|
|
|
|
switch (TargetMachine) {
|
|
case IMAGE_FILE_MACHINE_IA64:
|
|
case IMAGE_FILE_MACHINE_AMD64:
|
|
dprintf(" reference count %04hX used entry count %04hX %s color %01hX\n",
|
|
(ULONG) ReadField(u3.e2.ReferenceCount),
|
|
(ULONG) ReadField(UsedPageTableEntries),
|
|
PageAttribute[u3_e1.CacheAttribute],
|
|
u3_e1.PageColor);
|
|
break;
|
|
default:
|
|
dprintf(" reference count %04hX %s color %01hX\n",
|
|
(ULONG) ReadField(u3.e2.ReferenceCount),
|
|
PageAttribute[u3_e1.CacheAttribute],
|
|
u3_e1.PageColor);
|
|
break;
|
|
}
|
|
|
|
dprintf(" restore pte %08I64X ", ReadField(OriginalPte));
|
|
|
|
if (BuildNo < 2440) {
|
|
dprintf("containing page %06P ", ReadField(PteFrame));
|
|
InPageError = (CHAR) ReadField(u3.e1.InPageError);
|
|
VerifierAllocation = (CHAR) ReadField(u3.e1.VerifierAllocation);
|
|
} else {
|
|
dprintf("containing page %06P ", ReadField(u4.PteFrame));
|
|
InPageError = (CHAR) ReadField(u4.InPageError);
|
|
VerifierAllocation = (CHAR) ReadField(u4.VerifierAllocation);
|
|
}
|
|
|
|
dprintf("%s %c%c%c%c%c%c\n",
|
|
PageLocationList[u3_e1.PageLocation],
|
|
u3_e1.Modified ? 'M':' ',
|
|
u3_e1.PrototypePte ? 'P':' ',
|
|
u3_e1.ReadInProgress ? 'R':' ',
|
|
u3_e1.WriteInProgress ? 'W':' ',
|
|
InPageError ? 'E':' ',
|
|
u3_e1.ParityError ? 'X':' ',
|
|
u3_e1.RemovalRequested ? 'Y':' ',
|
|
VerifierAllocation ? 'V':' '
|
|
);
|
|
|
|
dprintf(" %s %s %s %s %s %s\n",
|
|
u3_e1.Modified ? "Modified":" ",
|
|
u3_e1.PrototypePte ? "Shared":" ",
|
|
u3_e1.ReadInProgress ? "ReadInProgress":" ",
|
|
u3_e1.WriteInProgress ? "WriteInProgress":" ",
|
|
InPageError ? "InPageError":" ",
|
|
u3_e1.ParityError ? "ParityError":" ",
|
|
u3_e1.RemovalRequested ? "RemovalRequested":" ",
|
|
VerifierAllocation ? "VerifierAllocation":" ");
|
|
|
|
return;
|
|
}
|
|
|
|
|
|
|
|
VOID
|
|
MemoryUsage (
|
|
IN ULONG64 PfnStart,
|
|
IN ULONG64 LowPage,
|
|
IN ULONG64 HighPage,
|
|
IN ULONG IgnoreInvalidFrames
|
|
)
|
|
|
|
/*++
|
|
|
|
Routine Description:
|
|
|
|
This routine (debugging only) dumps the current memory usage by
|
|
walking the PFN database.
|
|
|
|
Arguments:
|
|
|
|
None.
|
|
|
|
Return Value:
|
|
|
|
None.
|
|
|
|
--*/
|
|
|
|
{
|
|
ULONG PfnSize;
|
|
ULONG64 LastPfn;
|
|
ULONG64 Pfn1;
|
|
ULONG64 Pfn2;
|
|
ULONG64 Subsection1;
|
|
UNICODE_STRING NameString;
|
|
PPFN_INFO Info;
|
|
PPFN_INFO Info1;
|
|
PPFN_INFO InfoStart;
|
|
PPFN_INFO InfoEnd;
|
|
ULONG InfoSize;
|
|
PFN_INFO ProcessPfns;
|
|
PFN_INFO PagedPoolBlock;
|
|
PPFN_INFO LastProcessInfo = &ProcessPfns;
|
|
ULONG64 Master;
|
|
ULONG64 ControlArea1;
|
|
BOOLEAN Found;
|
|
ULONG result;
|
|
ULONG i;
|
|
ULONG64 PagedPoolStart;
|
|
ULONG64 VirtualAddress;
|
|
ULONG64 MmNonPagedPoolEnd;
|
|
ULONG64 PteFrame;
|
|
ULONG OriginalPteOffset;
|
|
ULONG PercentComplete=0;
|
|
PKERN_MAP pKernelMap;
|
|
|
|
// Get the offset of OriginalPte in MMPFN
|
|
if (GetFieldOffset("nt!_MMPFN", "OriginalPte", &OriginalPteOffset)) {
|
|
dprintf("Cannot find _MMPFN type");
|
|
return ;
|
|
}
|
|
|
|
ProcessPfns.Next = NULL;
|
|
MmNonPagedPoolEnd = GetNtDebuggerDataPtrValue(MmNonPagedPoolEnd);
|
|
|
|
NameString.MaximumLength = sizeof(WCHAR) * 1000;
|
|
NameString.Buffer = calloc(1, NameString.MaximumLength);
|
|
|
|
if (!NameString.Buffer) {
|
|
return;
|
|
}
|
|
|
|
PagedPoolStart = GetNtDebuggerDataPtrValue(MmPagedPoolStart);
|
|
pKernelMap = calloc(1, sizeof(*pKernelMap));
|
|
if (!pKernelMap) {
|
|
free(NameString.Buffer);
|
|
return;
|
|
}
|
|
|
|
dprintf (" Building kernel map\n");
|
|
|
|
if (BuildKernelMap (pKernelMap) == FALSE) {
|
|
free(pKernelMap);
|
|
free(NameString.Buffer);
|
|
return;
|
|
}
|
|
|
|
dprintf (" Finished building kernel map\n");
|
|
|
|
RtlZeroMemory (&PagedPoolBlock, sizeof (PFN_INFO));
|
|
|
|
PfnSize = GetTypeSize("nt!_MMPFN");
|
|
|
|
LastPfn = (PfnStart + HighPage * PfnSize);
|
|
|
|
if (MmSubsectionBase == 0) {
|
|
MmSubsectionBase = GetNtDebuggerDataValue(MmSubsectionBase);
|
|
}
|
|
|
|
//
|
|
// Allocate a chunk of memory to hold PFN information. This is resized
|
|
// if it is later determined that the current size is not large enough.
|
|
//
|
|
|
|
InfoSize = USAGE_ALLOC_SIZE;
|
|
|
|
restart:
|
|
|
|
InfoStart = VirtualAlloc (NULL,
|
|
InfoSize,
|
|
MEM_COMMIT,
|
|
PAGE_READWRITE);
|
|
|
|
if (InfoStart == NULL) {
|
|
dprintf ("heap allocation for %d bytes failed\n", InfoSize);
|
|
free(pKernelMap);
|
|
free(NameString.Buffer);
|
|
return;
|
|
}
|
|
|
|
InfoEnd = InfoStart;
|
|
|
|
Pfn1 = (PfnStart + LowPage * PfnSize);
|
|
|
|
while (Pfn1 < LastPfn) {
|
|
ULONG PageLocation=0, PrototypePte=0, ReferenceCount=0;
|
|
ULONG Comp;
|
|
ULONG64 ShareCount=0, PteFrame1=0, PteAddress;
|
|
|
|
Comp = ((ULONG) (Pfn1 - (PfnStart + LowPage * PfnSize)))*100 /
|
|
((ULONG) (LastPfn -(PfnStart + LowPage * PfnSize)));
|
|
if (Comp > PercentComplete) {
|
|
PercentComplete = Comp;
|
|
dprintf("Scanning PFN database - (%02d%% complete) \r", PercentComplete);
|
|
}
|
|
|
|
if (CheckControlC()) {
|
|
VirtualFree (InfoStart,0,MEM_RELEASE);
|
|
free(pKernelMap);
|
|
free(NameString.Buffer);
|
|
return;
|
|
}
|
|
|
|
GetFieldValue(Pfn1, "nt!_MMPFN", "u3.e1.PageLocation", PageLocation);
|
|
|
|
if ((PageLocation != FreePageList) &&
|
|
(PageLocation != ZeroedPageList) &&
|
|
(PageLocation != BadPageList)) {
|
|
|
|
GetFieldValue(Pfn1, "nt!_MMPFN", "u3.e1.PrototypePte", PrototypePte);
|
|
GetFieldValue(Pfn1, "nt!_MMPFN", "u3.e2.ReferenceCount", ReferenceCount);
|
|
GetFieldValue(Pfn1, "nt!_MMPFN", "u2.ShareCount", ShareCount);
|
|
GetFieldValue(Pfn1, "nt!_MMPFN", "PteAddress", PteAddress);
|
|
|
|
if (GetFieldValue(Pfn1, "nt!_MMPFN", "u4.PteFrame", PteFrame1) == FIELDS_DID_NOT_MATCH) {
|
|
GetFieldValue(Pfn1, "nt!_MMPFN", "PteFrame", PteFrame1);
|
|
}
|
|
|
|
Subsection1 = 0;
|
|
if (PrototypePte) {
|
|
Subsection1 = DbgGetSubsectionAddress (Pfn1 + OriginalPteOffset);
|
|
}
|
|
|
|
if ((Subsection1) && (Subsection1 < 0xffffffffffbff000UI64)) {
|
|
Master = Subsection1;
|
|
} else {
|
|
|
|
PteFrame = PteFrame1;
|
|
if (IgnoreInvalidFrames) {
|
|
Master = PteFrame;
|
|
} else {
|
|
// dprintf("Pteaddr %p, PagedPoolStart %I64x ", PteAddress, PagedPoolStart);
|
|
|
|
if (PteAddress > PagedPoolStart) {
|
|
Master = PteFrame;
|
|
} else {
|
|
Master=0;
|
|
|
|
Pfn2 = PfnStart + PteFrame*PfnSize;
|
|
|
|
if (GetFieldValue(Pfn2, "nt!_MMPFN", "PteFrame", Master) == FIELDS_DID_NOT_MATCH) {
|
|
GetFieldValue(Pfn2, "nt!_MMPFN", "u4.PteFrame", Master);
|
|
}
|
|
// Master = MI_PFN_PTE FRAME(Pfn2);
|
|
|
|
if ((Master == 0) || (Master > HighPage)) {
|
|
dprintf("Invalid PTE frame\n");
|
|
// PrintPfn((PVOID)(((PCHAR)Pfn1-(PCHAR)PfnStart)/PfnSize),Pfn1);
|
|
PrintPfn64(Pfn1);
|
|
PrintPfn64(Pfn2);
|
|
dprintf(" subsection address: %p\n",Subsection1);
|
|
goto NextPfn;
|
|
}
|
|
}
|
|
}
|
|
}
|
|
|
|
//
|
|
// Tally any pages which are not protos and have a valid PTE
|
|
// address field.
|
|
//
|
|
|
|
if ((PteAddress < PagedPoolStart) && (PteAddress >= DbgGetPteAddress(SystemRangeStart) )) {
|
|
|
|
for (i=0; i<pKernelMap->Count; i++) {
|
|
|
|
VirtualAddress = DbgGetVirtualAddressMappedByPte (PteAddress);
|
|
if ((VirtualAddress >= pKernelMap->Item[i].StartVa) &&
|
|
(VirtualAddress < pKernelMap->Item[i].EndVa)) {
|
|
|
|
if ((PageLocation == ModifiedPageList) ||
|
|
(PageLocation == ModifiedNoWritePageList)) {
|
|
pKernelMap->Item[i].ModifiedCount += _KB;
|
|
if (ReferenceCount > 0) {
|
|
pKernelMap->Item[i].LockedCount += _KB;
|
|
}
|
|
} else if ((PageLocation == StandbyPageList) ||
|
|
(PageLocation == TransitionPage)) {
|
|
|
|
pKernelMap->Item[i].StandbyCount += _KB;
|
|
if (ReferenceCount > 0) {
|
|
pKernelMap->Item[i].LockedCount += _KB;
|
|
}
|
|
} else {
|
|
pKernelMap->Item[i].ValidCount += _KB;
|
|
if (ShareCount > 1) {
|
|
pKernelMap->Item[i].SharedCount += _KB;
|
|
if (ReferenceCount > 1) {
|
|
pKernelMap->Item[i].LockedCount += _KB;
|
|
}
|
|
}
|
|
}
|
|
goto NextPfn;
|
|
}
|
|
}
|
|
}
|
|
|
|
if (PteAddress >= 0xFFFFFFFFF0000000UI64) {
|
|
|
|
//
|
|
// This is paged pool, put it in the paged pool cell.
|
|
//
|
|
|
|
Info = &PagedPoolBlock;
|
|
Found = TRUE;
|
|
|
|
} else {
|
|
|
|
//
|
|
// See if there is already a master info block.
|
|
//
|
|
|
|
Info = InfoStart;
|
|
Found = FALSE;
|
|
while (Info < InfoEnd) {
|
|
if (Info->Master == Master) {
|
|
Found = TRUE;
|
|
break;
|
|
}
|
|
Info += 1;
|
|
}
|
|
}
|
|
if (!Found) {
|
|
|
|
Info = InfoEnd;
|
|
InfoEnd += 1;
|
|
if ((PUCHAR)Info >= ((PUCHAR)InfoStart + InfoSize) - sizeof(PFN_INFO)) {
|
|
//
|
|
// Don't bother copying the old array - free it instead to
|
|
// improve our chances of getting a bigger contiguous chunk.
|
|
//
|
|
|
|
VirtualFree (InfoStart,0,MEM_RELEASE);
|
|
|
|
InfoSize += USAGE_ALLOC_SIZE;
|
|
|
|
goto restart;
|
|
}
|
|
RtlZeroMemory (Info, sizeof (PFN_INFO));
|
|
|
|
Info->Master = Master;
|
|
GetFieldValue(Pfn1, "nt!_MMPFN", "OriginalPte.u.Long", Info->OriginalPte);
|
|
}
|
|
|
|
// dprintf("Pfn1 %p, PageLoc %x, Master %I64x\n", Pfn1, PageLocation, Master);
|
|
|
|
if ((PageLocation == ModifiedPageList) ||
|
|
(PageLocation == ModifiedNoWritePageList)) {
|
|
Info->ModifiedCount += _KB;
|
|
if (ReferenceCount > 0) {
|
|
Info->LockedCount += _KB;
|
|
}
|
|
} else if ((PageLocation == StandbyPageList) ||
|
|
(PageLocation == TransitionPage)) {
|
|
|
|
Info->StandbyCount += _KB;
|
|
if (ReferenceCount > 0) {
|
|
Info->LockedCount += _KB;
|
|
}
|
|
} else {
|
|
|
|
Info->ValidCount += _KB;
|
|
if (ShareCount > 1) {
|
|
Info->SharedCount += _KB;
|
|
if (ReferenceCount > 1) {
|
|
Info->LockedCount += _KB;
|
|
}
|
|
}
|
|
}
|
|
if ((PteAddress >= DbgGetPdeAddress (0x0)) &&
|
|
(PteAddress <= DbgGetPdeAddress (0xFFFFFFFFFFFFFFFF))) {
|
|
Info->PageTableCount += _KB;
|
|
}
|
|
}
|
|
NextPfn:
|
|
Pfn1 = (Pfn1 + PfnSize);
|
|
}
|
|
|
|
//
|
|
// dump the results.
|
|
//
|
|
|
|
#if 0
|
|
dprintf("Physical Page Summary:\n");
|
|
dprintf(" - number of physical pages: %ld\n",
|
|
MmNumberOfPhysicalPages);
|
|
dprintf(" - Zeroed Pages %ld\n", MmZeroedPageListHead.Total);
|
|
dprintf(" - Free Pages %ld\n", MmFreePageListHead.Total);
|
|
dprintf(" - Standby Pages %ld\n", MmStandbyPageListHead.Total);
|
|
dprintf(" - Modfified Pages %ld\n", MmModifiedPageListHead.Total);
|
|
dprintf(" - Modfified NoWrite Pages %ld\n", MmModifiedNoWritePageListHead.Total);
|
|
dprintf(" - Bad Pages %ld\n", MmBadPageListHead.Total);
|
|
#endif //0
|
|
|
|
dprintf("\n\n Usage Summary (in Kb):\n");
|
|
|
|
Info = InfoStart;
|
|
while (Info < InfoEnd) {
|
|
if (CheckControlC()) {
|
|
VirtualFree (InfoStart,0,MEM_RELEASE);
|
|
free(pKernelMap);
|
|
free(NameString.Buffer);
|
|
return;
|
|
}
|
|
|
|
if (Info->Master > 0x200000) {
|
|
|
|
//
|
|
// Get the control area from the subsection.
|
|
//
|
|
|
|
if (GetFieldValue(Info->Master,
|
|
"nt!_SUBSECTION",
|
|
"ControlArea",
|
|
ControlArea1)) {
|
|
dprintf("unable to get subsection va %p %lx\n",Info->Master,Info->OriginalPte);
|
|
}
|
|
|
|
// ControlArea1 = Subsection.ControlArea;
|
|
Info->Master = ControlArea1;
|
|
|
|
//
|
|
// Loop through the array so far for matching control areas
|
|
//
|
|
|
|
Info1 = InfoStart;
|
|
while (Info1 < Info) {
|
|
if (Info1->Master == ControlArea1) {
|
|
//
|
|
// Found a match, collapse these values.
|
|
//
|
|
Info1->ValidCount += Info->ValidCount;
|
|
Info1->StandbyCount += Info->StandbyCount;
|
|
Info1->ModifiedCount += Info->ModifiedCount;
|
|
Info1->SharedCount += Info->SharedCount;
|
|
Info1->LockedCount += Info->LockedCount;
|
|
Info1->PageTableCount += Info->PageTableCount;
|
|
Info->Master = 0;
|
|
break;
|
|
}
|
|
Info1++;
|
|
}
|
|
} else {
|
|
LastProcessInfo->Next = Info;
|
|
LastProcessInfo = Info;
|
|
}
|
|
Info++;
|
|
}
|
|
|
|
Info = InfoStart;
|
|
dprintf("Control Valid Standby Dirty Shared Locked PageTables name\n");
|
|
while (Info < InfoEnd) {
|
|
ULONG64 FilePointer;
|
|
|
|
if (CheckControlC()) {
|
|
VirtualFree (InfoStart,0,MEM_RELEASE);
|
|
free(pKernelMap);
|
|
free(NameString.Buffer);
|
|
return;
|
|
}
|
|
|
|
if (Info->Master > 0x200000) {
|
|
|
|
//
|
|
// Get the control area.
|
|
//
|
|
|
|
if (GetFieldValue(Info->Master,
|
|
"nt!_CONTROL_AREA",
|
|
"FilePointer",
|
|
FilePointer)) {
|
|
|
|
dprintf("%8p %5ld %5ld %5ld %5ld %5ld %5ld Bad Control Area\n",
|
|
Info->Master,
|
|
Info->ValidCount,
|
|
Info->StandbyCount,
|
|
Info->ModifiedCount,
|
|
Info->SharedCount,
|
|
Info->LockedCount,
|
|
Info->PageTableCount
|
|
);
|
|
|
|
} else if (FilePointer == 0) {
|
|
|
|
dprintf("%8p %5ld %5ld %5ld %5ld %5ld %5ld Page File Section\n",
|
|
Info->Master,
|
|
Info->ValidCount,
|
|
Info->StandbyCount,
|
|
Info->ModifiedCount,
|
|
Info->SharedCount,
|
|
Info->LockedCount,
|
|
Info->PageTableCount
|
|
);
|
|
|
|
} else {
|
|
ULONG64 NameBuffer;
|
|
|
|
//
|
|
// Get the file pointer.
|
|
//
|
|
|
|
if (GetFieldValue(FilePointer,
|
|
"nt!_FILE_OBJECT",
|
|
"FileName.Length",
|
|
NameString.Length)) {
|
|
dprintf("unable to get subsection %p\n",FilePointer);
|
|
}
|
|
|
|
if (NameString.Length != 0) {
|
|
|
|
//
|
|
// Get the name string.
|
|
//
|
|
|
|
if (NameString.Length > NameString.MaximumLength) {
|
|
NameString.Length = NameString.MaximumLength-1;
|
|
}
|
|
|
|
GetFieldValue(FilePointer,
|
|
"nt!_FILE_OBJECT",
|
|
"FileName.Buffer",
|
|
NameBuffer);
|
|
|
|
if ((!ReadMemory(NameBuffer,
|
|
NameString.Buffer,
|
|
NameString.Length,
|
|
&result)) || (result < NameString.Length)) {
|
|
dprintf("%8p %5ld %5ld %5ld %5ld %5ld %5ld Name Not Available\n",
|
|
Info->Master,
|
|
Info->ValidCount,
|
|
Info->StandbyCount,
|
|
Info->ModifiedCount,
|
|
Info->SharedCount,
|
|
Info->LockedCount,
|
|
Info->PageTableCount
|
|
);
|
|
} else {
|
|
|
|
{
|
|
|
|
WCHAR FileName[MAX_PATH];
|
|
WCHAR FullFileName[MAX_PATH];
|
|
WCHAR *FilePart;
|
|
|
|
ZeroMemory(FileName,sizeof(FileName));
|
|
if (NameString.Length > sizeof(FileName)) {
|
|
wcscpy(FileName, L"File name length too big - possibly corrupted");
|
|
} else {
|
|
CopyMemory(FileName,NameString.Buffer,NameString.Length);
|
|
}
|
|
GetFullPathNameW(
|
|
FileName,
|
|
MAX_PATH,
|
|
FullFileName,
|
|
&FilePart
|
|
);
|
|
|
|
dprintf("%8p %5ld %5ld %5ld %5ld %5ld %5ld mapped_file( %ws )\n",
|
|
Info->Master,
|
|
Info->ValidCount,
|
|
Info->StandbyCount,
|
|
Info->ModifiedCount,
|
|
Info->SharedCount,
|
|
Info->LockedCount,
|
|
Info->PageTableCount,
|
|
FilePart);
|
|
}
|
|
}
|
|
} else {
|
|
dprintf("%8p %5ld %5ld %5ld %5ld %5ld %5ld No Name for File\n",
|
|
Info->Master,
|
|
Info->ValidCount,
|
|
Info->StandbyCount,
|
|
Info->ModifiedCount,
|
|
Info->SharedCount,
|
|
Info->LockedCount,
|
|
Info->PageTableCount
|
|
);
|
|
}
|
|
}
|
|
|
|
}
|
|
Info += 1;
|
|
}
|
|
|
|
Info = &PagedPoolBlock;
|
|
if ((Info->ValidCount != 0) ||
|
|
(Info->StandbyCount != 0) ||
|
|
(Info->ModifiedCount != 0)) {
|
|
|
|
dprintf("00000000 %4ld %5ld %5ld %5ld %5ld %5ld PagedPool\n",
|
|
Info->ValidCount,
|
|
Info->StandbyCount,
|
|
Info->ModifiedCount,
|
|
Info->SharedCount,
|
|
Info->LockedCount,
|
|
Info->PageTableCount
|
|
);
|
|
}
|
|
|
|
//
|
|
// dump the process information.
|
|
//
|
|
|
|
BuildDirbaseList();
|
|
Info = ProcessPfns.Next;
|
|
while (Info != NULL) {
|
|
if (Info->Master != 0) {
|
|
PUCHAR ImageName;
|
|
|
|
ImageName = DirbaseToImage(Info->Master);
|
|
|
|
if ( ImageName ) {
|
|
dprintf("-------- %4ld %5ld %5ld ----- ----- %5ld process ( %s )\n",
|
|
Info->ValidCount,
|
|
Info->StandbyCount,
|
|
Info->ModifiedCount,
|
|
Info->PageTableCount,
|
|
ImageName
|
|
);
|
|
}
|
|
else {
|
|
dprintf("-------- %4ld %5ld %5ld ----- ----- %5ld pagefile section (%lx)\n",
|
|
Info->ValidCount,
|
|
Info->StandbyCount,
|
|
Info->ModifiedCount,
|
|
Info->PageTableCount,
|
|
Info->Master
|
|
);
|
|
}
|
|
|
|
}
|
|
Info = Info->Next;
|
|
}
|
|
|
|
if (!IgnoreInvalidFrames) {
|
|
for (i=0;i<pKernelMap->Count ;i++) {
|
|
dprintf("-------- %4ld %5ld %5ld ----- %5ld ----- driver ( %ws )\n",
|
|
pKernelMap->Item[i].ValidCount,
|
|
pKernelMap->Item[i].StandbyCount,
|
|
pKernelMap->Item[i].ModifiedCount,
|
|
pKernelMap->Item[i].LockedCount,
|
|
pKernelMap->Item[i].Name
|
|
);
|
|
}
|
|
}
|
|
|
|
VirtualFree (InfoStart,0,MEM_RELEASE);
|
|
free(pKernelMap);
|
|
free(NameString.Buffer);
|
|
|
|
return;
|
|
}
|
|
|
|
NTSTATUS
|
|
BuildDirbaseList (
|
|
VOID
|
|
)
|
|
{
|
|
ULONG64 Next;
|
|
ULONG64 ProcessHead;
|
|
ULONG64 Process;
|
|
NTSTATUS status=0;
|
|
ULONG ActiveProcessLinksOffset, DirectoryTableBaseOffset;
|
|
FIELD_INFO offField[] = {
|
|
{"ActiveProcessLinks", NULL, 0, DBG_DUMP_FIELD_RETURN_ADDRESS, 0, NULL},
|
|
{"Pcb.DirectoryTableBase", NULL, 0, DBG_DUMP_FIELD_RETURN_ADDRESS, 0, NULL}
|
|
};
|
|
SYM_DUMP_PARAM TypeSym ={
|
|
sizeof (SYM_DUMP_PARAM), "_EPROCESS", DBG_DUMP_NO_PRINT, 0,
|
|
NULL, NULL, NULL, 2, &offField[0]
|
|
};
|
|
|
|
// Get the offset of ActiveProcessLinks in EPROCESS
|
|
if (Ioctl(IG_DUMP_SYMBOL_INFO, &TypeSym, TypeSym.size)) {
|
|
return FALSE;
|
|
}
|
|
|
|
ActiveProcessLinksOffset = (ULONG) offField[0].address;
|
|
DirectoryTableBaseOffset = (ULONG) offField[1].address;
|
|
MaxDirbase = 0;
|
|
|
|
ProcessHead = GetNtDebuggerData(PsActiveProcessHead );
|
|
if (!ProcessHead) {
|
|
return STATUS_OBJECT_NAME_NOT_FOUND;
|
|
}
|
|
|
|
if (GetFieldValue(ProcessHead, "nt!_LIST_ENTRY", "Flink", Next)) {
|
|
return STATUS_OBJECT_NAME_NOT_FOUND;
|
|
}
|
|
|
|
//Next = List.Flink;
|
|
if (Next == 0) {
|
|
dprintf("PsActiveProcessHead is NULL!\n");
|
|
return STATUS_INVALID_PARAMETER;
|
|
}
|
|
|
|
while(Next != ProcessHead) {
|
|
ULONG64 PageFrameNumber=0;
|
|
|
|
Process = Next - ActiveProcessLinksOffset;
|
|
|
|
if (GetFieldValue(Process,
|
|
"nt!_EPROCESS",
|
|
"ImageFileName",
|
|
Names[MaxDirbase])) {
|
|
dprintf("Unable to read _EPROCESS at %p\n",Process);
|
|
MaxDirbase = 0;
|
|
return status;
|
|
}
|
|
|
|
if ( (Names[ MaxDirbase ])[0] == '\0' ) {
|
|
strcpy((PCHAR)&Names[MaxDirbase][0],(PCHAR)"SystemProcess");
|
|
}
|
|
|
|
GetFieldValue(Process,"_EPROCESS","ImageFileName",Names[MaxDirbase]);
|
|
|
|
GetFieldValue(Process + DirectoryTableBaseOffset, "nt!HARDWARE_PTE", "PageFrameNumber", PageFrameNumber);
|
|
|
|
DirBases[MaxDirbase++] = PageFrameNumber;
|
|
|
|
GetFieldValue(Process, "_EPROCESS", "ActiveProcessLinks.Flink", Next);
|
|
|
|
if (CheckControlC()) {
|
|
MaxDirbase = 0;
|
|
return STATUS_INVALID_PARAMETER;
|
|
}
|
|
}
|
|
return STATUS_INVALID_PARAMETER;
|
|
}
|
|
|
|
PUCHAR
|
|
DirbaseToImage(
|
|
IN ULONG64 DirBase
|
|
)
|
|
{
|
|
ULONG i;
|
|
|
|
for(i=0;i<MaxDirbase;i++) {
|
|
if ( DirBases[i] == DirBase ) {
|
|
return &Names[i][0];
|
|
}
|
|
}
|
|
return NULL;
|
|
}
|
|
|
|
LOGICAL
|
|
BuildKernelMap (
|
|
OUT PKERN_MAP KernelMap
|
|
)
|
|
|
|
{
|
|
ULONG64 Next;
|
|
ULONG64 ListHead;
|
|
NTSTATUS Status = 0;
|
|
ULONG Result;
|
|
ULONG64 DataTable;
|
|
ULONG i = 0;
|
|
ULONG64 Flink;
|
|
ULONG InLoadOrderLinksOffset;
|
|
FIELD_INFO offField = {"InLoadOrderLinks", NULL, 0, DBG_DUMP_FIELD_RETURN_ADDRESS, 0, NULL};
|
|
SYM_DUMP_PARAM TypeSym ={
|
|
sizeof (SYM_DUMP_PARAM), "nt!_LDR_DATA_TABLE_ENTRY", DBG_DUMP_NO_PRINT, 0,
|
|
NULL, NULL, NULL, 1, &offField
|
|
};
|
|
|
|
// Get the offset of InLoadOrderLinks in LDR_DATA_TABLE_ENTRY
|
|
if (Ioctl(IG_DUMP_SYMBOL_INFO, &TypeSym, TypeSym.size)) {
|
|
return FALSE;
|
|
}
|
|
|
|
InLoadOrderLinksOffset = (ULONG) offField.address;
|
|
|
|
ListHead = GetNtDebuggerData(PsLoadedModuleList );
|
|
|
|
if (!ListHead) {
|
|
dprintf("Couldn't get offset of PsLoadedModuleListHead\n");
|
|
return FALSE;
|
|
}
|
|
|
|
if (GetFieldValue(ListHead, "nt!_LIST_ENTRY", "Flink", Flink)) {
|
|
dprintf("Unable to get value of PsLoadedModuleListHead\n");
|
|
return FALSE;
|
|
}
|
|
|
|
Next = Flink;
|
|
if (Next == 0) {
|
|
dprintf("PsLoadedModuleList is NULL!\n");
|
|
return FALSE;
|
|
}
|
|
|
|
while (Next != ListHead) {
|
|
ULONG64 BaseDllNameBuffer, DllBase;
|
|
ULONG BaseDllNameLength=0, SizeOfImage;
|
|
|
|
if (CheckControlC()) {
|
|
return FALSE;
|
|
}
|
|
DataTable = (Next - InLoadOrderLinksOffset);
|
|
|
|
if (GetFieldValue(DataTable,
|
|
"nt!_LDR_DATA_TABLE_ENTRY",
|
|
"BaseDllName.Buffer",
|
|
BaseDllNameBuffer)) {
|
|
dprintf("Unable to read LDR_DATA_TABLE_ENTRY at %08p\n",
|
|
DataTable);
|
|
return FALSE;
|
|
}
|
|
GetFieldValue(DataTable, "nt!_LDR_DATA_TABLE_ENTRY","BaseDllName.Length",BaseDllNameLength);
|
|
GetFieldValue(DataTable, "nt!_LDR_DATA_TABLE_ENTRY","DllBase",DllBase);
|
|
GetFieldValue(DataTable, "nt!_LDR_DATA_TABLE_ENTRY","SizeOfImage",SizeOfImage);
|
|
|
|
//
|
|
// Get the base DLL name.
|
|
//
|
|
|
|
if ((!ReadMemory(BaseDllNameBuffer,
|
|
&KernelMap->Item[i].Name[0],
|
|
BaseDllNameLength,
|
|
&Result)) || (Result < BaseDllNameLength)) {
|
|
dprintf("Unable to read name string at %08p - status %08lx\n",
|
|
DataTable,
|
|
Status);
|
|
return FALSE;
|
|
}
|
|
|
|
KernelMap->Item[i].Name[BaseDllNameLength/2] = L'\0';
|
|
KernelMap->Item[i].StartVa = DllBase;
|
|
KernelMap->Item[i].EndVa = KernelMap->Item[i].StartVa +
|
|
(ULONG)SizeOfImage;
|
|
i += 1;
|
|
|
|
GetFieldValue(DataTable, "nt!_LDR_DATA_TABLE_ENTRY","InLoadOrderLinks.Flink", Next);
|
|
}
|
|
|
|
KernelMap->Item[i].StartVa = GetNtDebuggerDataPtrValue(MmPagedPoolStart);
|
|
KernelMap->Item[i].EndVa = GetNtDebuggerDataPtrValue(MmPagedPoolEnd);
|
|
wcscpy (&KernelMap->Item[i].Name[0], (PUSHORT) &L"Paged Pool");
|
|
i+= 1;
|
|
|
|
#if 0
|
|
KernelMap->Item[i].StartVa = DbgGetPteAddress (0xffffffff80000000UI64);
|
|
KernelMap->Item[i].EndVa = DbgGetPteAddress (0xffffffffffffffffUI64);
|
|
wcscpy (&KernelMap->Item[i].Name[0], (PUSHORT) &L"System Page Tables");
|
|
i+= 1;
|
|
|
|
KernelMap->Item[i].StartVa = DbgGetPdeAddress (0x80000000);
|
|
KernelMap->Item[i].EndVa = DbgGetPdeAddress (0xffffffff);
|
|
wcscpy (&KernelMap->Item[i].Name[0], (PUSHORT) &L"System Page Tables");
|
|
i+= 1;
|
|
#endif 0
|
|
|
|
// LWFIX: Both PTEs and nonpaged pool can be in multiple virtually discontiguous
|
|
// areas. Fix this.
|
|
|
|
KernelMap->Item[i].StartVa = DbgGetVirtualAddressMappedByPte (
|
|
GetNtDebuggerDataValue(MmSystemPtesStart));
|
|
KernelMap->Item[i].EndVa = DbgGetVirtualAddressMappedByPte (
|
|
GetNtDebuggerDataValue(MmSystemPtesEnd)) + 1;
|
|
wcscpy (&KernelMap->Item[i].Name[0], (PUSHORT) &L"Kernel Stacks");
|
|
i+= 1;
|
|
|
|
KernelMap->Item[i].StartVa = GetNtDebuggerDataValue(MmNonPagedPoolStart);
|
|
KernelMap->Item[i].EndVa = GetNtDebuggerDataValue(MmNonPagedPoolEnd);
|
|
wcscpy (&KernelMap->Item[i].Name[0], (PUSHORT) &L"NonPaged Pool");
|
|
i+= 1;
|
|
|
|
KernelMap->Count = i;
|
|
|
|
return TRUE;
|
|
}
|
|
|
|
ULONG64 SpecialPoolStart;
|
|
ULONG64 SpecialPoolEnd;
|
|
#define VI_POOL_FREELIST_END ((ULONG64)-1)
|
|
|
|
LOGICAL
|
|
VerifierDumpPool (
|
|
IN ULONG64 Verifier
|
|
)
|
|
{
|
|
ULONG64 HashTableAddress;
|
|
ULONG PoolTag;
|
|
ULONG i;
|
|
ULONG64 HashEntry;
|
|
ULONG64 PoolHashSize;
|
|
ULONG SizeofEntry;
|
|
LONG64 FreeListNext;
|
|
|
|
//
|
|
// Display the current and peak pool usage by allocation & bytes.
|
|
//
|
|
|
|
#define PP(x) isprint(((x)&0xff))?((x)&0xff):('.')
|
|
|
|
InitTypeRead(Verifier, nt!_MI_VERIFIER_DRIVER_ENTRY);
|
|
|
|
dprintf("\n");
|
|
|
|
dprintf("Current Pool Allocations %08I64lx %08I64lx\n",
|
|
ReadField(CurrentPagedPoolAllocations),
|
|
ReadField(CurrentNonPagedPoolAllocations));
|
|
|
|
dprintf("Current Pool Bytes %08I64lx %08I64lx\n",
|
|
ReadField(PagedBytes),
|
|
ReadField(NonPagedBytes));
|
|
|
|
dprintf("Peak Pool Allocations %08I64lx %08I64lx\n",
|
|
ReadField(PeakPagedPoolAllocations),
|
|
ReadField(PeakNonPagedPoolAllocations));
|
|
|
|
dprintf("Peak Pool Bytes %08I64lx %08I64lx\n",
|
|
ReadField(PeakPagedBytes),
|
|
ReadField(PeakNonPagedBytes));
|
|
|
|
//
|
|
// If no current allocations then the dump is over.
|
|
//
|
|
|
|
if ((ReadField(CurrentPagedPoolAllocations) == 0) &&
|
|
(ReadField(CurrentNonPagedPoolAllocations) == 0)) {
|
|
dprintf("\n");
|
|
return FALSE;
|
|
}
|
|
|
|
dprintf("\n");
|
|
|
|
PoolHashSize = ReadField(PoolHashSize);
|
|
HashTableAddress = ReadField(PoolHash);
|
|
|
|
dprintf("PoolAddress SizeInBytes Tag CallersAddress\n");
|
|
|
|
i = 0;
|
|
HashEntry = HashTableAddress;
|
|
SizeofEntry = GetTypeSize("nt!_VI_POOL_ENTRY");
|
|
|
|
for (i = 0; i < PoolHashSize; i += 1, HashEntry += SizeofEntry) {
|
|
|
|
if (GetFieldValue(HashEntry, "nt!_VI_POOL_ENTRY", "FreeListNext", FreeListNext)) {
|
|
dprintf("%08p: Unable to get verifier hash page\n", HashEntry);
|
|
return FALSE;
|
|
}
|
|
|
|
//
|
|
// Sign extend if necessary.
|
|
//
|
|
|
|
if (!IsPtr64()) {
|
|
FreeListNext = (ULONG64)(LONG64)(LONG)FreeListNext;
|
|
}
|
|
|
|
//
|
|
// Skip freelist entries.
|
|
//
|
|
|
|
if ((FreeListNext == VI_POOL_FREELIST_END) ||
|
|
((FreeListNext & MINLONG64_PTR) == 0)) {
|
|
continue;
|
|
}
|
|
|
|
InitTypeRead(HashEntry, nt!_VI_POOL_ENTRY);
|
|
|
|
PoolTag = (ULONG) ReadField(InUse.Tag);
|
|
|
|
dprintf("%p 0x%08p %c%c%c%c ",
|
|
ReadField(InUse.VirtualAddress),
|
|
ReadField(InUse.NumberOfBytes),
|
|
(PP(PoolTag) & ~0x80),
|
|
PP(PoolTag >> 8),
|
|
PP(PoolTag >> 16),
|
|
PP(PoolTag >> 24)
|
|
);
|
|
|
|
dprintf("%p\n", ReadField(InUse.CallingAddress));
|
|
|
|
if (CheckControlC()) {
|
|
return TRUE;
|
|
}
|
|
}
|
|
|
|
#undef PP
|
|
dprintf("\n");
|
|
|
|
return FALSE;
|
|
}
|
|
|
|
#if 0
|
|
|
|
typedef struct _COMMIT_INFO {
|
|
LPSTR Name;
|
|
ULONG Index;
|
|
} COMMIT_INFO, *PCOMMIT_INFO;
|
|
|
|
COMMIT_INFO CommitInfo[] = {
|
|
"MM_DBG_COMMIT_NONPAGED_POOL_EXPANSION", 0,
|
|
"MM_DBG_COMMIT_PAGED_POOL_PAGETABLE", 1,
|
|
"MM_DBG_COMMIT_PAGED_POOL_PAGES", 2,
|
|
"MM_DBG_COMMIT_SESSION_POOL_PAGE_TABLES", 3,
|
|
"MM_DBG_COMMIT_ALLOCVM1", 4,
|
|
"MM_DBG_COMMIT_ALLOCVM_SEGMENT", 5,
|
|
"MM_DBG_COMMIT_IMAGE", 6,
|
|
"MM_DBG_COMMIT_PAGEFILE_BACKED_SHMEM", 7,
|
|
"MM_DBG_COMMIT_INDEPENDENT_PAGES", 8,
|
|
"MM_DBG_COMMIT_CONTIGUOUS_PAGES", 9,
|
|
"MM_DBG_COMMIT_MDL_PAGES", 0xA,
|
|
"MM_DBG_COMMIT_NONCACHED_PAGES", 0xB,
|
|
"MM_DBG_COMMIT_MAPVIEW_DATA", 0xC,
|
|
"MM_DBG_COMMIT_FILL_SYSTEM_DIRECTORY", 0xD,
|
|
"MM_DBG_COMMIT_EXTRA_SYSTEM_PTES", 0xE,
|
|
"MM_DBG_COMMIT_DRIVER_PAGING_AT_INIT", 0xF,
|
|
"MM_DBG_COMMIT_PAGEFILE_FULL", 0x10,
|
|
"MM_DBG_COMMIT_PROCESS_CREATE", 0x11,
|
|
"MM_DBG_COMMIT_KERNEL_STACK_CREATE", 0x12,
|
|
"MM_DBG_COMMIT_SET_PROTECTION", 0x13,
|
|
"MM_DBG_COMMIT_SESSION_CREATE", 0x14,
|
|
"MM_DBG_COMMIT_SESSION_IMAGE_PAGES", 0x15,
|
|
"MM_DBG_COMMIT_SESSION_PAGETABLE_PAGES", 0x16,
|
|
"MM_DBG_COMMIT_SESSION_SHARED_IMAGE", 0x17,
|
|
"MM_DBG_COMMIT_DRIVER_PAGES", 0x18,
|
|
"MM_DBG_COMMIT_INSERT_VAD", 0x19,
|
|
"MM_DBG_COMMIT_SESSION_WS_INIT", 0x1A,
|
|
"MM_DBG_COMMIT_SESSION_ADDITIONAL_WS_PAGES", 0x1B,
|
|
"MM_DBG_COMMIT_SESSION_ADDITIONAL_WS_HASHPAGES", 0x1C,
|
|
"MM_DBG_COMMIT_SPECIAL_POOL_PAGES", 0x1D,
|
|
|
|
"MM_DBG_COMMIT_SMALL", 0x1F,
|
|
"MM_DBG_COMMIT_EXTRA_WS_PAGES", 0x20,
|
|
"MM_DBG_COMMIT_EXTRA_INITIAL_SESSION_WS_PAGES", 0x21,
|
|
"MM_DBG_COMMIT_ALLOCVM_PROCESS", 0x22,
|
|
"MM_DBG_COMMIT_INSERT_VAD_PT", 0x23,
|
|
"MM_DBG_COMMIT_ALLOCVM_PROCESS2", 0x24,
|
|
"MM_DBG_COMMIT_CHARGE_NORMAL", 0x25,
|
|
"MM_DBG_COMMIT_CHARGE_CAUSE_POPUP", 0x26,
|
|
"MM_DBG_COMMIT_CHARGE_CANT_EXPAND", 0x27,
|
|
|
|
"MM_DBG_COMMIT_RETURN_NONPAGED_POOL_EXPANSION", 0x40,
|
|
"MM_DBG_COMMIT_RETURN_PAGED_POOL_PAGES", 0x41,
|
|
"MM_DBG_COMMIT_RETURN_SESSION_DATAPAGE", 0x42,
|
|
"MM_DBG_COMMIT_RETURN_ALLOCVM_SEGMENT", 0x43,
|
|
"MM_DBG_COMMIT_RETURN_ALLOCVM2", 0x44,
|
|
|
|
"MM_DBG_COMMIT_RETURN_IMAGE_NO_LARGE_CA", 0x46,
|
|
"MM_DBG_COMMIT_RETURN_PTE_RANGE", 0x47,
|
|
"MM_DBG_COMMIT_RETURN_NTFREEVM1", 0x48,
|
|
"MM_DBG_COMMIT_RETURN_NTFREEVM2", 0x49,
|
|
"MM_DBG_COMMIT_RETURN_INDEPENDENT_PAGES", 0x4A,
|
|
"MM_DBG_COMMIT_RETURN_AWE_EXCESS", 0x4B,
|
|
"MM_DBG_COMMIT_RETURN_MDL_PAGES", 0x4C,
|
|
"MM_DBG_COMMIT_RETURN_NONCACHED_PAGES", 0x4D,
|
|
"MM_DBG_COMMIT_RETURN_SESSION_CREATE_FAILURE", 0x4E,
|
|
"MM_DBG_COMMIT_RETURN_PAGETABLES", 0x4F,
|
|
"MM_DBG_COMMIT_RETURN_PROTECTION", 0x50,
|
|
"MM_DBG_COMMIT_RETURN_SEGMENT_DELETE1", 0x51,
|
|
"MM_DBG_COMMIT_RETURN_SEGMENT_DELETE2", 0x52,
|
|
"MM_DBG_COMMIT_RETURN_PAGEFILE_FULL", 0x53,
|
|
"MM_DBG_COMMIT_RETURN_SESSION_DEREFERENCE", 0x54,
|
|
"MM_DBG_COMMIT_RETURN_VAD", 0x55,
|
|
"MM_DBG_COMMIT_RETURN_PROCESS_CREATE_FAILURE1", 0x56,
|
|
"MM_DBG_COMMIT_RETURN_PROCESS_DELETE", 0x57,
|
|
"MM_DBG_COMMIT_RETURN_PROCESS_CLEAN_PAGETABLES", 0x58,
|
|
"MM_DBG_COMMIT_RETURN_KERNEL_STACK_DELETE", 0x59,
|
|
"MM_DBG_COMMIT_RETURN_SESSION_DRIVER_LOAD_FAILURE1",0x5A,
|
|
"MM_DBG_COMMIT_RETURN_DRIVER_INIT_CODE", 0x5B,
|
|
"MM_DBG_COMMIT_RETURN_DRIVER_UNLOAD", 0x5C,
|
|
"MM_DBG_COMMIT_RETURN_DRIVER_UNLOAD1", 0x5D,
|
|
"MM_DBG_COMMIT_RETURN_NORMAL", 0x5E,
|
|
"MM_DBG_COMMIT_RETURN_PF_FULL_EXTEND", 0x5F,
|
|
"MM_DBG_COMMIT_RETURN_EXTENDED", 0x60,
|
|
"MM_DBG_COMMIT_RETURN_SEGMENT_DELETE3", 0x61,
|
|
};
|
|
|
|
VOID
|
|
DumpCommitTracker ()
|
|
{
|
|
ULONG64 MmTrackCommit;
|
|
ULONG64 PfnEntry;
|
|
ULONG64 displacement;
|
|
ULONG64 AcquiredAddress;
|
|
ULONG64 ReleasedAddress;
|
|
CHAR SymbolBuffer[80];
|
|
PCHAR SymPointer;
|
|
ULONG EntrySize;
|
|
ULONG result;
|
|
ULONG64 ReadCount;
|
|
ULONG64 i;
|
|
ULONG64 j;
|
|
PSIZE_T LocalData;
|
|
PCHAR local;
|
|
ULONG64 NumberOfCommitEntries;
|
|
|
|
MmTrackCommit = GetExpression ("nt!MmTrackCommit");
|
|
|
|
if (MmTrackCommit == 0) {
|
|
dprintf("%08p: Unable to get commit track data.\n", MmTrackCommit);
|
|
return;
|
|
}
|
|
|
|
PfnEntry = MmTrackCommit;
|
|
|
|
#if 0
|
|
NumberOfCommitEntries = GetUlongValue ("MiMaxPfnTimings");
|
|
EntrySize = GetTypeSize("SIZE_T");
|
|
#else
|
|
NumberOfCommitEntries = 128;
|
|
EntrySize = 4;
|
|
#endif
|
|
|
|
ReadCount = NumberOfCommitEntries * EntrySize;
|
|
|
|
dprintf("Scanning %I64u %I64u commit points\n", NumberOfCommitEntries, ReadCount);
|
|
|
|
LocalData = LocalAlloc(LPTR, (ULONG) (NumberOfCommitEntries * EntrySize));
|
|
|
|
if (!LocalData) {
|
|
dprintf("unable to get allocate %ld bytes of memory\n",
|
|
(ULONG)(NumberOfCommitEntries * EntrySize));
|
|
return;
|
|
}
|
|
|
|
if ((!ReadMemory(MmTrackCommit,
|
|
LocalData,
|
|
(ULONG) ReadCount,
|
|
&result)) || (result < (ULONG) ReadCount)) {
|
|
dprintf("unable to get track commit table - "
|
|
"address %p - count %I64u\n",
|
|
LocalData, ReadCount);
|
|
}
|
|
else {
|
|
|
|
dprintf("\n%-50s %s\n", "Instance", "HexCount");
|
|
|
|
for (i = 0; i < NumberOfCommitEntries; i += 1) {
|
|
|
|
if (LocalData[i] != 0) {
|
|
for (j = 0; j < sizeof(CommitInfo) / sizeof (COMMIT_INFO); j += 1) {
|
|
if (CommitInfo[j].Index == i) {
|
|
dprintf ("%-50s %8x\n", CommitInfo[j].Name, LocalData[i]);
|
|
break;
|
|
}
|
|
}
|
|
}
|
|
}
|
|
}
|
|
|
|
if (LocalData) {
|
|
LocalFree((void *)LocalData);
|
|
}
|
|
|
|
return;
|
|
}
|
|
|
|
#endif
|
|
|
|
VOID
|
|
DumpFaultInjectionTraceLog (
|
|
PCSTR Args
|
|
);
|
|
|
|
VOID
|
|
DumpTrackIrqlLog (
|
|
PCSTR args
|
|
);
|
|
|
|
DECLARE_API( verifier )
|
|
|
|
/*++
|
|
|
|
Routine Description:
|
|
|
|
Displays the current Driver Verifier data.
|
|
|
|
Arguments:
|
|
|
|
arg - Supplies 7 for full listing
|
|
|
|
Return Value:
|
|
|
|
None.
|
|
|
|
--*/
|
|
|
|
{
|
|
ULONG result;
|
|
ULONG Flags;
|
|
ULONG VerifierFlags;
|
|
ULONG64 VerifierDataPointer;
|
|
ULONG64 SuspectPointer;
|
|
ULONG64 NextEntry;
|
|
ULONG64 VerifierDriverEntry;
|
|
PUCHAR tempbuffer;
|
|
UNICODE_STRING unicodeString;
|
|
LOGICAL Interrupted;
|
|
CHAR Buf[256];
|
|
PCHAR ImageFileName;
|
|
ANSI_STRING AnsiString;
|
|
UNICODE_STRING InputDriverName;
|
|
NTSTATUS st;
|
|
ULONG Level;
|
|
PCHAR state;
|
|
ULONG64 tmp;
|
|
|
|
UNREFERENCED_PARAMETER (Client);
|
|
|
|
//
|
|
// Display option usage.
|
|
//
|
|
|
|
if (strstr (args, "?") != NULL) {
|
|
|
|
dprintf ("!verifier \n");
|
|
dprintf (" \n");
|
|
dprintf (" Dump verifier summary information. \n");
|
|
dprintf (" \n");
|
|
dprintf ("!verifier [FLAGS [IMAGE]] \n");
|
|
dprintf (" \n");
|
|
dprintf (" 0x01 : Dump verified drivers pool statistics \n");
|
|
dprintf (" \n");
|
|
dprintf (" 0x02 : not used \n");
|
|
dprintf (" \n");
|
|
dprintf (" 0x04 [N] : Dump N traces from fault injection trace log. \n");
|
|
dprintf (" \n");
|
|
dprintf (" 0x08 [N] : Dump N traces from track IRQL trace log\n");
|
|
dprintf (" \n");
|
|
dprintf ("To display everything use: \n");
|
|
dprintf (" \n");
|
|
dprintf (" !verifier 0xf \n");
|
|
dprintf (" \n");
|
|
|
|
return S_OK;
|
|
}
|
|
|
|
//
|
|
// Read the Flags parameter.
|
|
//
|
|
|
|
Flags = 0;
|
|
Flags = (ULONG) GetExpression (args);
|
|
|
|
//
|
|
// Display fault injection stacks.
|
|
//
|
|
|
|
if ((Flags == 0x04)) {
|
|
DumpFaultInjectionTraceLog (args);
|
|
return S_OK;
|
|
}
|
|
|
|
//
|
|
// Display track irql stacks.
|
|
//
|
|
|
|
if ((Flags == 0x08)) {
|
|
DumpTrackIrqlLog (args);
|
|
return S_OK;
|
|
}
|
|
|
|
//
|
|
// Continue with normal processing: !verifier [FLAGS [NAME]]
|
|
//
|
|
|
|
Flags = 0;
|
|
RtlZeroMemory(Buf, 256);
|
|
if (GetExpressionEx(args, &tmp, &args)) {
|
|
Flags = (ULONG) tmp;
|
|
while (args && (*args == ' ')) {
|
|
++args;
|
|
}
|
|
strcpy(Buf, args);
|
|
}
|
|
|
|
if (Buf[0] != '\0') {
|
|
ImageFileName = Buf;
|
|
RtlInitAnsiString(&AnsiString, ImageFileName);
|
|
st = RtlAnsiStringToUnicodeString(&InputDriverName, &AnsiString, TRUE);
|
|
if (!NT_SUCCESS(st)) {
|
|
dprintf("%08lx: Unable to initialize unicode string\n", st);
|
|
return E_INVALIDARG;
|
|
}
|
|
} else {
|
|
ImageFileName = NULL;
|
|
}
|
|
|
|
VerifierDataPointer = GetExpression ("nt!MmVerifierData");
|
|
|
|
if (GetFieldValue(VerifierDataPointer,
|
|
"nt!_MM_DRIVER_VERIFIER_DATA",
|
|
"Level",
|
|
Level)) {
|
|
|
|
dprintf("%08p: Unable to get verifier list.\n",VerifierDataPointer);
|
|
return E_INVALIDARG;
|
|
}
|
|
|
|
dprintf("\nVerify Level %x ... enabled options are:", Level);
|
|
|
|
if (Level & DRIVER_VERIFIER_SPECIAL_POOLING) {
|
|
dprintf("\n\tspecial pool");
|
|
}
|
|
if (Level & DRIVER_VERIFIER_FORCE_IRQL_CHECKING) {
|
|
dprintf("\n\tspecial irql");
|
|
}
|
|
if (Level & DRIVER_VERIFIER_INJECT_ALLOCATION_FAILURES) {
|
|
dprintf("\n\tinject random low-resource API failures");
|
|
}
|
|
if (Level & DRIVER_VERIFIER_TRACK_POOL_ALLOCATIONS) {
|
|
dprintf("\n\tall pool allocations checked on unload");
|
|
}
|
|
if (Level & DRIVER_VERIFIER_IO_CHECKING) {
|
|
dprintf("\n\tIo subsystem checking enabled");
|
|
}
|
|
if (Level & DRIVER_VERIFIER_DEADLOCK_DETECTION) {
|
|
dprintf("\n\tDeadlock detection enabled");
|
|
}
|
|
if (Level & DRIVER_VERIFIER_ENHANCED_IO_CHECKING) {
|
|
dprintf("\n\tEnhanced Io checking enabled");
|
|
}
|
|
if (Level & DRIVER_VERIFIER_DMA_VERIFIER) {
|
|
dprintf("\n\tDMA checking enabled");
|
|
}
|
|
|
|
if (InitTypeRead(VerifierDataPointer, nt!MM_DRIVER_VERIFIER_DATA)) {
|
|
dprintf("Unable to read type nt!MM_DRIVER_VERIFIER_DATA @ %p\n", VerifierDataPointer);
|
|
}
|
|
dprintf("\n\nSummary of All Verifier Statistics\n\n");
|
|
|
|
dprintf("RaiseIrqls 0x%x\n", (ULONG) ReadField(RaiseIrqls));
|
|
dprintf("AcquireSpinLocks 0x%x\n", (ULONG) ReadField(AcquireSpinLocks));
|
|
dprintf("Synch Executions 0x%x\n", (ULONG) ReadField(SynchronizeExecutions));
|
|
dprintf("Trims 0x%x\n", (ULONG) ReadField(Trims));
|
|
|
|
dprintf("\n");
|
|
|
|
dprintf("Pool Allocations Attempted 0x%x\n", (ULONG) ReadField(AllocationsAttempted));
|
|
dprintf("Pool Allocations Succeeded 0x%x\n", (ULONG) ReadField(AllocationsSucceeded));
|
|
dprintf("Pool Allocations Succeeded SpecialPool 0x%x\n", (ULONG) ReadField(AllocationsSucceededSpecialPool));
|
|
dprintf("Pool Allocations With NO TAG 0x%x\n", (ULONG) ReadField(AllocationsWithNoTag));
|
|
|
|
dprintf("Pool Allocations Failed 0x%x\n", (ULONG) ReadField(AllocationsFailed));
|
|
dprintf("Resource Allocations Failed Deliberately 0x%x\n", (ULONG) ReadField(AllocationsFailedDeliberately) + (ULONG) ReadField(BurstAllocationsFailedDeliberately));
|
|
|
|
dprintf("\n");
|
|
|
|
dprintf("Current paged pool allocations 0x%x for %08P bytes\n",
|
|
(ULONG) ReadField(CurrentPagedPoolAllocations),
|
|
ReadField(PagedBytes));
|
|
|
|
dprintf("Peak paged pool allocations 0x%x for %08P bytes\n",
|
|
(ULONG)ReadField(PeakPagedPoolAllocations),
|
|
ReadField(PeakPagedBytes));
|
|
|
|
dprintf("Current nonpaged pool allocations 0x%x for %08P bytes\n",
|
|
(ULONG) ReadField(CurrentNonPagedPoolAllocations),
|
|
ReadField(NonPagedBytes));
|
|
|
|
dprintf("Peak nonpaged pool allocations 0x%x for %08P bytes\n",
|
|
(ULONG)ReadField(PeakNonPagedPoolAllocations),
|
|
ReadField(PeakNonPagedBytes));
|
|
|
|
dprintf("\n");
|
|
|
|
SpecialPoolStart = GetPointerValue("nt!MmSpecialPoolStart");
|
|
SpecialPoolEnd = GetPointerValue("nt!MmSpecialPoolEnd");
|
|
|
|
if (Flags & 0x1) {
|
|
ULONG Off;
|
|
|
|
SuspectPointer = GetExpression ("nt!MiSuspectDriverList");
|
|
|
|
GetFieldOffset("nt!_MI_VERIFIER_DRIVER_ENTRY", "Links", &Off);
|
|
|
|
if (!ReadPointer(SuspectPointer,&NextEntry)) {
|
|
|
|
dprintf("%08p: Unable to get verifier list %p\n",SuspectPointer);
|
|
return E_INVALIDARG;
|
|
}
|
|
|
|
dprintf("Driver Verification List\n\n");
|
|
|
|
dprintf("Entry State NonPagedPool PagedPool Module\n\n");
|
|
while (NextEntry != SuspectPointer) {
|
|
|
|
VerifierDriverEntry = NextEntry - Off;
|
|
|
|
if (GetFieldValue( VerifierDriverEntry,
|
|
"nt!_MI_VERIFIER_DRIVER_ENTRY",
|
|
"Flags",
|
|
VerifierFlags)) {
|
|
|
|
dprintf("%08p: Unable to get verifier data\n", VerifierDriverEntry);
|
|
return E_INVALIDARG;
|
|
}
|
|
|
|
InitTypeRead(VerifierDriverEntry, nt!_MI_VERIFIER_DRIVER_ENTRY);
|
|
if ((VerifierFlags & VI_VERIFYING_DIRECTLY) == 0) {
|
|
NextEntry = ReadField(Links.Flink);
|
|
continue;
|
|
}
|
|
|
|
unicodeString.Length = (USHORT) ReadField(BaseName.Length);
|
|
tempbuffer = LocalAlloc(LPTR, unicodeString.Length);
|
|
|
|
unicodeString.Buffer = (PWSTR)tempbuffer;
|
|
unicodeString.MaximumLength = unicodeString.Length;
|
|
|
|
if (!ReadMemory (ReadField(BaseName.Buffer),
|
|
tempbuffer,
|
|
unicodeString.Length,
|
|
&result)) {
|
|
dprintf("%08p: Unable to get verifier driver name\n", ReadField(BaseName.Buffer));
|
|
}
|
|
|
|
if (ImageFileName != NULL) {
|
|
if (RtlEqualUnicodeString(&InputDriverName, &unicodeString, TRUE) == 0) {
|
|
NextEntry = ReadField(Links.Flink);
|
|
continue;
|
|
}
|
|
}
|
|
|
|
if (ReadField(Loads) == 0 && ReadField(Unloads) == 0) {
|
|
state = "Hasn't loaded";
|
|
}
|
|
else if (ReadField(Loads) != ReadField(Unloads)) {
|
|
if (ReadField(Unloads) != 0) {
|
|
state = "Loaded&Unloaded";
|
|
}
|
|
else {
|
|
state = "Loaded";
|
|
}
|
|
}
|
|
else {
|
|
state = "Unloaded";
|
|
}
|
|
|
|
dprintf("%p %-16s %08p %08p %wZ\n",
|
|
VerifierDriverEntry,
|
|
state,
|
|
ReadField(NonPagedBytes),
|
|
ReadField(PagedBytes),
|
|
&unicodeString);
|
|
|
|
Interrupted = FALSE;
|
|
NextEntry = ReadField(Links.Flink);
|
|
|
|
if ((Flags & 0x2) &&
|
|
(Level & DRIVER_VERIFIER_TRACK_POOL_ALLOCATIONS)) {
|
|
|
|
Interrupted = VerifierDumpPool (VerifierDriverEntry);
|
|
}
|
|
|
|
LocalFree(tempbuffer);
|
|
|
|
|
|
if ((Interrupted == TRUE) ||
|
|
(ImageFileName != NULL) ||
|
|
(CheckControlC())) {
|
|
break;
|
|
}
|
|
}
|
|
}
|
|
|
|
if ((Flags & 0x04)) {
|
|
dprintf ("----------------------------------------------- \n");
|
|
dprintf ("Fault injection trace log \n");
|
|
dprintf ("----------------------------------------------- \n");
|
|
|
|
DumpFaultInjectionTraceLog (NULL);
|
|
}
|
|
|
|
if ((Flags & 0x08)) {
|
|
dprintf ("----------------------------------------------- \n");
|
|
dprintf ("Track irql trace log \n");
|
|
dprintf ("----------------------------------------------- \n");
|
|
|
|
DumpTrackIrqlLog (NULL);
|
|
}
|
|
|
|
return S_OK;
|
|
}
|
|
|
|
DECLARE_API( fpsearch )
|
|
|
|
/*++
|
|
|
|
Routine Description:
|
|
|
|
Free pool searcher.
|
|
|
|
Arguments:
|
|
|
|
arg - Supplies virtual address to match.
|
|
|
|
Return Value:
|
|
|
|
None.
|
|
|
|
--*/
|
|
|
|
{
|
|
ULONG i;
|
|
ULONG BufferSize;
|
|
ULONG RawCount;
|
|
PULONG RawPointer;
|
|
ULONG Flags;
|
|
ULONG ActualRead;
|
|
ULONG64 PageFrameNumber;
|
|
ULONG64 PAddress;
|
|
ULONG64 Address;
|
|
ULONG result;
|
|
ULONG64 PfnDb;
|
|
ULONG64 Pfn;
|
|
ULONG64 PfnStart;
|
|
ULONG PfnSize;
|
|
ULONG64 ChainedBp;
|
|
ULONG64 ValidBp;
|
|
ULONG64 LastBp;
|
|
ULONG64 ReturnAddress;
|
|
PCHAR Buffer;
|
|
ULONG64 MmFreePageListHeadAddress;
|
|
CHAR SymbolBuffer[80];
|
|
ULONG64 displacement;
|
|
ULONG64 Total;
|
|
ULONG StkOffset;
|
|
ULONG PtrSize;
|
|
ULONG PoolTag;
|
|
ULONG StackBytes;
|
|
ULONG64 StackPointer;
|
|
ULONG64 ChainedBpVal;
|
|
ULONG64 LastBpVal;
|
|
ULONG64 Blink;
|
|
|
|
PtrSize = IsPtr64() ? 8 : 4;
|
|
PfnSize = GetTypeSize("nt!_MMPFN");
|
|
|
|
BufferSize = GetTypeSize("nt!_MI_FREED_SPECIAL_POOL");
|
|
|
|
if (BufferSize == 0) {
|
|
dprintf("Type MI_FREED_SPECIAL_POOL not found.\n");
|
|
return E_INVALIDARG;
|
|
}
|
|
|
|
PfnDb = GetNtDebuggerData(MmPfnDatabase );
|
|
|
|
if (!PfnDb) {
|
|
dprintf("unable to get PFN0 database address\n");
|
|
return E_INVALIDARG;
|
|
}
|
|
|
|
result = !ReadPointer(PfnDb,&PfnStart);
|
|
if (result != 0) {
|
|
dprintf("unable to get PFN database address %p %x\n", PfnDb, result);
|
|
return E_INVALIDARG;
|
|
}
|
|
|
|
Address = 0;
|
|
Flags = 0;
|
|
|
|
|
|
if (!sscanf(args,"%I64lx %lx",&Address, &Flags)) {
|
|
Address = 0;
|
|
}
|
|
// Do not use GetExpression here - the actual address to be searched is phy address
|
|
// and it can be >32bit for 32bit targets
|
|
// Address = GetExpression (args);
|
|
|
|
if (Address == 0) {
|
|
dprintf("Usage: fpsearch address\n");
|
|
return E_INVALIDARG;
|
|
}
|
|
|
|
MmFreePageListHeadAddress = GetExpression ("nt!MmFreePageListHead");
|
|
|
|
if (GetFieldValue(MmFreePageListHeadAddress,
|
|
"nt!_MMPFNLIST",
|
|
"Total",
|
|
Total)) {
|
|
|
|
dprintf("%08p: Unable to get MmFreePageLocationList\n",MmFreePageListHeadAddress);
|
|
return E_INVALIDARG;
|
|
}
|
|
|
|
|
|
if (Total == 0) {
|
|
dprintf("No pages on free list to search\n");
|
|
return E_INVALIDARG;
|
|
}
|
|
|
|
if (Address != (ULONG64)-1) {
|
|
|
|
dprintf("Searching the free page list (%I64x entries) for VA %p\n\n",
|
|
Total, Address);
|
|
|
|
Address &= ~(ULONG64)(PageSize - 1);
|
|
}
|
|
else {
|
|
dprintf("Searching the free page list (%x entries) for all freed special pool\n\n",
|
|
Total);
|
|
}
|
|
|
|
GetFieldValue (MmFreePageListHeadAddress,
|
|
"nt!_MMPFNLIST",
|
|
"Blink",
|
|
PageFrameNumber);
|
|
|
|
GetFieldOffset("_MI_FREED_SPECIAL_POOL", "StackData", &StkOffset);
|
|
|
|
Buffer = LocalAlloc(LPTR, BufferSize);
|
|
|
|
if (Buffer == NULL) {
|
|
dprintf("Could not allocate a buffer for the search\n");
|
|
return E_INVALIDARG;
|
|
}
|
|
|
|
while (PageFrameNumber != (ULONG64)-1) {
|
|
|
|
PAddress = (ULONG64)PageFrameNumber * PageSize;
|
|
|
|
ReadPhysical (PAddress, Buffer, BufferSize, &ActualRead);
|
|
|
|
if (ActualRead != BufferSize) {
|
|
dprintf("Physical memory read %I64X %x %x failed\n", PAddress, ActualRead, BufferSize);
|
|
// break;
|
|
}
|
|
|
|
if (Flags & 0x1) {
|
|
|
|
//
|
|
// Print a preview of the raw buffer.
|
|
//
|
|
|
|
#define PP(x) isprint(((x)&0xff))?((x)&0xff):('.')
|
|
|
|
RawPointer = (PULONG)Buffer;
|
|
RawCount = BufferSize / sizeof (ULONG);
|
|
if (RawCount > 32) {
|
|
RawCount = 32;
|
|
}
|
|
|
|
RawCount &= ~0x3;
|
|
|
|
for (i = 0; i < RawCount; i += 4) {
|
|
dprintf ("%I64X %08x %08x %08x %08x %c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c\n",
|
|
PageFrameNumber * PageSize,
|
|
|
|
*RawPointer,
|
|
*(RawPointer + 1),
|
|
*(RawPointer + 2),
|
|
*(RawPointer + 3),
|
|
|
|
PP(*RawPointer),
|
|
PP(*RawPointer >> 8),
|
|
PP(*RawPointer >> 16),
|
|
PP(*RawPointer >> 24),
|
|
|
|
PP(*(RawPointer + 1)),
|
|
PP(*(RawPointer + 1) >> 8),
|
|
PP(*(RawPointer + 1) >> 16),
|
|
PP(*(RawPointer + 1) >> 24),
|
|
|
|
PP(*(RawPointer + 2)),
|
|
PP(*(RawPointer + 2) >> 8),
|
|
PP(*(RawPointer + 2) >> 16),
|
|
PP(*(RawPointer + 2) >> 24),
|
|
|
|
PP(*(RawPointer + 3)),
|
|
PP(*(RawPointer + 3) >> 8),
|
|
PP(*(RawPointer + 3) >> 16),
|
|
PP(*(RawPointer + 3) >> 24));
|
|
|
|
RawPointer += 4;
|
|
}
|
|
dprintf ("\n");
|
|
}
|
|
|
|
Pfn = (PfnStart + PageFrameNumber * PfnSize);
|
|
|
|
if (GetFieldValue(Pfn,"nt!_MMPFN","u2.Blink", Blink)) {
|
|
dprintf("%08p: unable to get PFN element %x\n", Pfn, PfnSize);
|
|
break;
|
|
}
|
|
|
|
if ((ULONG)Blink == (ULONG)-1) {
|
|
Blink = (ULONG64)-1;
|
|
}
|
|
|
|
#define MI_FREED_SPECIAL_POOL_SIGNATURE 0x98764321
|
|
|
|
InitTypeReadPhysical (PAddress, nt!MI_FREED_SPECIAL_POOL);
|
|
|
|
if ((ULONG) ReadField(Signature) == MI_FREED_SPECIAL_POOL_SIGNATURE) {
|
|
|
|
if ((Address == (ULONG64)-1) ||
|
|
|
|
(((ULONG)(ReadField(VirtualAddress)) & ~(ULONG)(PageSize - 1)) == (ULONG)Address)) {
|
|
|
|
|
|
PoolTag = (ULONG) ReadField(OverlaidPoolHeader.PoolTag);
|
|
|
|
dprintf("VA PFN Tag Size Pagable Thread Tick\n");
|
|
dprintf("%p %6p %c%c%c%c %6x %s %08p %x\n",
|
|
ReadField(VirtualAddress),
|
|
PageFrameNumber,
|
|
#define PP(x) isprint(((x)&0xff))?((x)&0xff):('.')
|
|
PP(PoolTag),
|
|
PP(PoolTag >> 8),
|
|
PP(PoolTag >> 16),
|
|
PP(PoolTag >> 24),
|
|
#undef PP
|
|
(ULONG) ReadField(NumberOfBytesRequested),
|
|
ReadField(Pagable) ? "Yes" : "No ",
|
|
ReadField(Thread),
|
|
ReadField(TickCount));
|
|
|
|
dprintf("\tCALL STACK AT TIME OF DEALLOCATION\n");
|
|
|
|
//
|
|
// Calculate the relative stack and print it here symbolically.
|
|
//
|
|
|
|
StackBytes = (ULONG) ReadField(StackBytes);
|
|
|
|
StackPointer = ReadField(StackPointer);
|
|
|
|
ValidBp = (StackPointer & ~(ULONG64)(PageSize - 1));
|
|
ChainedBp = (PAddress + StkOffset);
|
|
LastBp = (ChainedBp + (ULONG) ReadField(StackBytes));
|
|
|
|
while (ChainedBp < LastBp) {
|
|
|
|
//
|
|
// Read directly from physical memory.
|
|
//
|
|
|
|
InitTypeReadPhysical(ChainedBp, nt!_LIST_ENTRY);
|
|
ChainedBpVal = ReadField(Flink);
|
|
InitTypeReadPhysical(LastBp, nt!_LIST_ENTRY);
|
|
LastBpVal = ReadField(Flink);
|
|
|
|
//
|
|
// Find a valid frame register chain.
|
|
//
|
|
|
|
if ((((ChainedBpVal) & ~(ULONG64)(PageSize - 1)) == ValidBp) &&
|
|
(ChainedBpVal > StackPointer) &&
|
|
((ChainedBpVal - (StackPointer)) <= StackBytes)) {
|
|
ULONG64 ReturnAddressVal;
|
|
|
|
//
|
|
// Increment to the stacked return address.
|
|
//
|
|
|
|
ReturnAddress = ChainedBp + PtrSize;
|
|
InitTypeReadPhysical(ReturnAddress, nt!_LIST_ENTRY);
|
|
ReturnAddressVal = ReadField(Flink);
|
|
|
|
SymbolBuffer[0] = '!';
|
|
GetSymbol((ReturnAddressVal), (PUCHAR)SymbolBuffer, &displacement);
|
|
|
|
dprintf ("\t%s", SymbolBuffer);
|
|
|
|
if (displacement) {
|
|
dprintf( "+0x%x", displacement );
|
|
}
|
|
|
|
dprintf( "\n" );
|
|
|
|
#ifdef SLOW_BUT_THOROUGH
|
|
ChainedBp += PtrSize;
|
|
#else
|
|
if ((ReturnAddressVal & ~MAXLONG64_PTR) == 0) {
|
|
break;
|
|
}
|
|
|
|
//
|
|
// Subtract the stackpointer & add stackdata offset.
|
|
//
|
|
|
|
ChainedBp = (ChainedBpVal - StackPointer + StkOffset);
|
|
|
|
//
|
|
// Adjust for relative.
|
|
//
|
|
|
|
ChainedBp = (PAddress + ChainedBp);
|
|
#endif
|
|
}
|
|
else {
|
|
ChainedBp += PtrSize;
|
|
}
|
|
}
|
|
|
|
dprintf("\n");
|
|
|
|
if (Address != (ULONG64)-1) {
|
|
break;
|
|
}
|
|
}
|
|
}
|
|
|
|
if (CheckControlC()) {
|
|
break;
|
|
}
|
|
|
|
PageFrameNumber = Blink;
|
|
}
|
|
|
|
LocalFree(Buffer);
|
|
|
|
return S_OK;
|
|
}
|
|
|
|
|
|
USHORT
|
|
GetPfnRefCount(
|
|
IN ULONG64 PageFrameNumber
|
|
)
|
|
{
|
|
ULONG64 PfnDb;
|
|
ULONG64 Pfn;
|
|
ULONG64 PfnStart;
|
|
ULONG PfnSize;
|
|
ULONG ReferenceCount;
|
|
|
|
PfnSize = GetTypeSize("nt!_MMPFN");
|
|
|
|
PfnDb = GetNtDebuggerData(MmPfnDatabase );
|
|
|
|
if (!PfnDb) {
|
|
dprintf("unable to get PFN0 database address\n");
|
|
return 0;
|
|
}
|
|
|
|
if (!ReadPointer(PfnDb,&PfnStart)) {
|
|
dprintf("unable to get PFN database address %p\n", PfnDb);
|
|
return 0;
|
|
}
|
|
|
|
Pfn = (PfnStart + PageFrameNumber * PfnSize);
|
|
|
|
if (GetFieldValue(Pfn,"nt!_MMPFN","u3.e2.ReferenceCount", ReferenceCount)) {
|
|
dprintf("%08p: unable to get PFN element %x\n", Pfn, PfnSize);
|
|
return 0;
|
|
}
|
|
|
|
return (USHORT) ReferenceCount;
|
|
}
|
|
|
|
|
|
/////////////////////////////////////////////////////////////////////
|
|
////////////////////////////////////// Dump irql tracking log
|
|
/////////////////////////////////////////////////////////////////////
|
|
|
|
VOID
|
|
DumpTrackIrqlLog (
|
|
PCSTR args
|
|
)
|
|
{
|
|
ULONG64 TrackIrqlQueueAddress;
|
|
ULONG64 TrackIrqlIndexAddress;
|
|
ULONG64 TrackIrqlQueueLengthAddress;
|
|
ULONG64 TrackIrqlQueue;
|
|
ULONG TrackIrqlIndex;
|
|
ULONG TrackIrqlQueueLength;
|
|
ULONG I, Index;
|
|
ULONG64 Address;
|
|
ULONG TrackIrqlTypeSize;
|
|
UCHAR SymbolName[256];
|
|
ULONG64 SymbolAddress;
|
|
ULONG64 SymbolOffset;
|
|
ULONG Result;
|
|
ULONG ShowCount;
|
|
ULONG Flags;
|
|
|
|
//
|
|
// Read how many traces we want to see.
|
|
//
|
|
|
|
ShowCount = 0;
|
|
|
|
if (args) {
|
|
ULONG64 tmp;
|
|
|
|
if (GetExpressionEx(args, &tmp, &args)) {
|
|
Flags = (ULONG) tmp;
|
|
if (!sscanf (args, "%u", &ShowCount)) {
|
|
ShowCount = 0;
|
|
}
|
|
}
|
|
|
|
if (ShowCount == 0) {
|
|
ShowCount = 4;
|
|
}
|
|
}
|
|
else {
|
|
ShowCount = 4;
|
|
}
|
|
|
|
//
|
|
// Read track irql package data
|
|
//
|
|
|
|
TrackIrqlQueueAddress = GetExpression ("nt!ViTrackIrqlQueue");
|
|
TrackIrqlIndexAddress = GetExpression ("nt!ViTrackIrqlIndex");
|
|
TrackIrqlQueueLengthAddress = GetExpression ("nt!ViTrackIrqlQueueLength");
|
|
|
|
if (TrackIrqlQueueAddress == 0
|
|
|| TrackIrqlIndexAddress == 0
|
|
|| TrackIrqlIndexAddress == 0) {
|
|
|
|
dprintf ("Incorrect symbols. \n");
|
|
return;
|
|
}
|
|
|
|
ReadPointer (TrackIrqlQueueAddress, &TrackIrqlQueue);
|
|
|
|
if (TrackIrqlQueue == 0) {
|
|
|
|
dprintf ("Irql tracking is not enabled. You need to enable driver verifier \n");
|
|
dprintf ("for at least one driver to activate irql tracking. \n");
|
|
return;
|
|
}
|
|
|
|
ReadMemory (TrackIrqlIndexAddress, &TrackIrqlIndex, sizeof(ULONG), &Result);
|
|
|
|
if (Result != sizeof(ULONG)) {
|
|
dprintf ("Trackirql: read error \n");
|
|
return;
|
|
}
|
|
|
|
ReadMemory (TrackIrqlQueueLengthAddress, &TrackIrqlQueueLength, sizeof(ULONG), &Result);
|
|
|
|
if (Result != sizeof(ULONG)) {
|
|
dprintf ("Trackirql: read error \n");
|
|
return;
|
|
}
|
|
|
|
TrackIrqlTypeSize = GetTypeSize("nt!_VI_TRACK_IRQL");
|
|
|
|
//
|
|
// Dump information
|
|
//
|
|
|
|
dprintf ("\nSize of track irql queue is 0x%X \n", TrackIrqlQueueLength);
|
|
|
|
for (I = 0, Index = TrackIrqlIndex; I < TrackIrqlQueueLength; I += 1) {
|
|
|
|
if (I >= ShowCount) {
|
|
break;
|
|
}
|
|
|
|
Index -= 1;
|
|
Index &= (TrackIrqlQueueLength - 1);
|
|
|
|
Address = TrackIrqlQueue + Index * TrackIrqlTypeSize;
|
|
InitTypeRead (Address, nt!_VI_TRACK_IRQL);
|
|
|
|
dprintf ("\n");
|
|
dprintf ("Thread: %I64X\n", ReadField (Thread));
|
|
dprintf ("Old irql: %I64X\n", ReadField (OldIrql));
|
|
dprintf ("New irql: %I64X\n", ReadField (NewIrql));
|
|
dprintf ("Processor: %I64X\n", ReadField (Processor));
|
|
dprintf ("Time stamp: %I64X\n", ReadField (TickCount));
|
|
dprintf ("\n");
|
|
|
|
SymbolAddress = ReadField(StackTrace[0]);
|
|
if (SymbolAddress == 0) { continue; }
|
|
GetSymbol(SymbolAddress, SymbolName, &SymbolOffset);
|
|
dprintf (" %I64X %s+0x%I64x\n", SymbolAddress, SymbolName, SymbolOffset);
|
|
|
|
SymbolAddress = ReadField(StackTrace[1]);
|
|
if (SymbolAddress == 0) { continue; }
|
|
GetSymbol(SymbolAddress, SymbolName, &SymbolOffset);
|
|
dprintf (" %I64X %s+0x%I64x\n", SymbolAddress, SymbolName, SymbolOffset);
|
|
|
|
SymbolAddress = ReadField(StackTrace[2]);
|
|
if (SymbolAddress == 0) { continue; }
|
|
GetSymbol(SymbolAddress, SymbolName, &SymbolOffset);
|
|
dprintf (" %I64X %s+0x%I64x\n", SymbolAddress, SymbolName, SymbolOffset);
|
|
|
|
SymbolAddress = ReadField(StackTrace[3]);
|
|
if (SymbolAddress == 0) { continue; }
|
|
GetSymbol(SymbolAddress, SymbolName, &SymbolOffset);
|
|
dprintf (" %I64X %s+0x%I64x\n", SymbolAddress, SymbolName, SymbolOffset);
|
|
|
|
SymbolAddress = ReadField(StackTrace[4]);
|
|
if (SymbolAddress == 0) { continue; }
|
|
GetSymbol(SymbolAddress, SymbolName, &SymbolOffset);
|
|
dprintf (" %I64X %s+0x%I64x\n", SymbolAddress, SymbolName, SymbolOffset);
|
|
|
|
if (CheckControlC()) {
|
|
dprintf ("Interrupted \n");
|
|
break;
|
|
}
|
|
|
|
}
|
|
}
|
|
|
|
|
|
/////////////////////////////////////////////////////////////////////
|
|
////////////////////////////////////// Dump fault injection trace log
|
|
/////////////////////////////////////////////////////////////////////
|
|
|
|
ULONG64
|
|
ReadPvoid (
|
|
ULONG64 Address
|
|
)
|
|
{
|
|
ULONG64 RemoteValue = 0;
|
|
ReadPointer( Address, &RemoteValue);
|
|
return RemoteValue;
|
|
}
|
|
|
|
ULONG
|
|
ReadUlong(
|
|
ULONG64 Address
|
|
)
|
|
{
|
|
ULONG RemoteValue = 0;
|
|
ReadMemory( Address, &RemoteValue, sizeof( ULONG ), NULL );
|
|
return RemoteValue;
|
|
}
|
|
|
|
VOID
|
|
DumpFaultInjectionTrace (
|
|
ULONG64 Address
|
|
)
|
|
{
|
|
ULONG64 ReturnAddress;
|
|
CHAR SymbolName[ 1024 ];
|
|
ULONG64 Displacement;
|
|
ULONG I;
|
|
ULONG PvoidSize;
|
|
|
|
PvoidSize = IsPtr64() ? 8 : 4;
|
|
|
|
|
|
for (I = 0; I < 8; I += 1) {
|
|
|
|
ReturnAddress = ReadPvoid (Address + I * PvoidSize);
|
|
|
|
if (ReturnAddress == 0) {
|
|
break;
|
|
}
|
|
|
|
GetSymbol (ReturnAddress, SymbolName, &Displacement);
|
|
|
|
dprintf (" %p %s+0x%p\n",
|
|
ReturnAddress,
|
|
SymbolName,
|
|
Displacement);
|
|
}
|
|
}
|
|
|
|
VOID
|
|
DumpFaultInjectionTraceLog (
|
|
PCSTR Args
|
|
)
|
|
{
|
|
ULONG TracesToDisplay = 0;
|
|
ULONG64 TraceAddress;
|
|
ULONG64 Trace;
|
|
ULONG64 IndexAddress;
|
|
ULONG Index;
|
|
ULONG64 LengthAddress;
|
|
ULONG Length;
|
|
ULONG I;
|
|
ULONG PvoidSize;
|
|
ULONG64 TraceBlockAddress;
|
|
ULONG64 FirstReturnAddress;
|
|
ULONG TracesFound = 0;
|
|
BOOLEAN Interrupted = FALSE;
|
|
ULONG Flags;
|
|
|
|
if (Args) {
|
|
|
|
ULONG64 tmp;
|
|
|
|
if (GetExpressionEx(Args, &tmp, &Args)) {
|
|
Flags = (ULONG) tmp;
|
|
if (!sscanf (Args, "%u", &TracesToDisplay)) {
|
|
TracesToDisplay = 0;
|
|
}
|
|
}
|
|
|
|
|
|
if (TracesToDisplay == 0) {
|
|
TracesToDisplay = 4;
|
|
}
|
|
}
|
|
else {
|
|
TracesToDisplay = 4;
|
|
}
|
|
|
|
PvoidSize = IsPtr64() ? 8 : 4;
|
|
|
|
TraceAddress = (ULONG64) GetExpression ("nt!ViFaultTraces");
|
|
IndexAddress = (ULONG64) GetExpression ("nt!ViFaultTracesIndex");
|
|
LengthAddress = (ULONG64) GetExpression ("nt!ViFaultTracesLength");
|
|
|
|
Trace = ReadPvoid (TraceAddress);
|
|
|
|
if (Trace == 0) {
|
|
dprintf ("Driver fault injection is not enabled for this system. \n");
|
|
return;
|
|
}
|
|
|
|
Index = ReadUlong (IndexAddress);
|
|
Length = ReadUlong (LengthAddress);
|
|
|
|
for (I = 0; I < Length; I += 1) {
|
|
|
|
Index -= 1;
|
|
Index &= (Length - 1);
|
|
|
|
TraceBlockAddress = Trace + Index * PvoidSize * 8;
|
|
FirstReturnAddress = ReadPvoid (TraceBlockAddress);
|
|
|
|
if (FirstReturnAddress != 0) {
|
|
TracesFound += 1;
|
|
|
|
dprintf ("\n");
|
|
DumpFaultInjectionTrace (TraceBlockAddress);
|
|
|
|
if (TracesFound >= TracesToDisplay) {
|
|
break;
|
|
}
|
|
}
|
|
|
|
if (CheckControlC()) {
|
|
Interrupted = TRUE;
|
|
dprintf ("Interrupted \n");
|
|
break;
|
|
}
|
|
}
|
|
|
|
if (Interrupted == FALSE && TracesFound == 0) {
|
|
|
|
dprintf ("No fault injection traces found. \n");
|
|
}
|
|
}
|
|
|
|
PUCHAR MemoryDescriptorType[] = {
|
|
"ExceptionBlock",
|
|
"SystemBlock",
|
|
"Free",
|
|
"Bad",
|
|
"LoadedProgram",
|
|
"FirmwareTemporary",
|
|
"FirmwarePermanent",
|
|
"OsloaderHeap",
|
|
"OsloaderStack",
|
|
"SystemCode",
|
|
"HalCode",
|
|
"BootDriver",
|
|
"ConsoleInDriver",
|
|
"ConsoleOutDriver",
|
|
"StartupDpcStack",
|
|
"StartupKernelStack",
|
|
"StartupPanicStack",
|
|
"StartupPcrPage",
|
|
"StartupPdrPage",
|
|
"RegistryData",
|
|
"MemoryData",
|
|
"NlsData",
|
|
"SpecialMemory",
|
|
"BBTMemory",
|
|
"LoaderReserve",
|
|
"XIPRom",
|
|
"HALCachedMemory"
|
|
};
|
|
|
|
#define MAXIMUM_MEMORY_TYPE (sizeof(MemoryDescriptorType)/sizeof(UCHAR))
|
|
|
|
DECLARE_API( loadermemorylist )
|
|
|
|
/*++
|
|
|
|
Routine Description:
|
|
|
|
Displays the memory allocation list. This is the list
|
|
handed to the OS by the OSLOADER that describes physical
|
|
memory.
|
|
Displays the corresponding PDE and PTE.
|
|
|
|
Arguments:
|
|
|
|
list - points to the listheader
|
|
|
|
Return Value:
|
|
|
|
None.
|
|
|
|
--*/
|
|
|
|
{
|
|
ULONG64 ListHeaderAddress;
|
|
ULONG64 EntryAddress;
|
|
ULONG64 LengthInPages;
|
|
ULONG64 TypeOfMemory;
|
|
ULONG Count[MAXIMUM_MEMORY_TYPE];
|
|
ULONG i;
|
|
|
|
UNREFERENCED_PARAMETER (Client);
|
|
|
|
ListHeaderAddress = 0;
|
|
|
|
ListHeaderAddress = GetExpression(args);
|
|
if (ListHeaderAddress == 0) {
|
|
dprintf("Usage: !loadermemorylist <address_of_listhead>\n");
|
|
return E_INVALIDARG;
|
|
}
|
|
|
|
if (!ReadPointer(ListHeaderAddress, &EntryAddress)) {
|
|
dprintf("Unable to read list header at %p\n", ListHeaderAddress);
|
|
return E_INVALIDARG;
|
|
}
|
|
|
|
if (EntryAddress == ListHeaderAddress) {
|
|
dprintf("List at %p is empty\n", ListHeaderAddress);
|
|
return S_OK;
|
|
}
|
|
|
|
dprintf("Base Length Type\n");
|
|
|
|
RtlZeroMemory(Count, sizeof(Count));
|
|
|
|
do {
|
|
InitTypeRead(EntryAddress, nt!MEMORY_ALLOCATION_DESCRIPTOR);
|
|
TypeOfMemory = ReadField(MemoryType);
|
|
if (TypeOfMemory < MAXIMUM_MEMORY_TYPE) {
|
|
LengthInPages = ReadField(PageCount);
|
|
dprintf("%08x %08x %s\n",
|
|
(ULONG)ReadField(BasePage),
|
|
(ULONG)LengthInPages,
|
|
MemoryDescriptorType[TypeOfMemory]);
|
|
Count[TypeOfMemory] += (ULONG)LengthInPages;
|
|
} else {
|
|
dprintf("Unrecognized Descriptor at %p\n", EntryAddress);
|
|
}
|
|
EntryAddress = ReadField(ListEntry.Flink);
|
|
} while (EntryAddress != ListHeaderAddress);
|
|
|
|
dprintf("\nSummary\nMemory Type Pages\n");
|
|
LengthInPages = 0;
|
|
for (i = 0; i < MAXIMUM_MEMORY_TYPE; i++) {
|
|
if (Count[i]) {
|
|
dprintf("%-20s%08x (%8d)\n",
|
|
MemoryDescriptorType[i],
|
|
Count[i],
|
|
Count[i]);
|
|
LengthInPages += Count[i];
|
|
}
|
|
}
|
|
dprintf(" ======== ========\n");
|
|
dprintf("Total %08x (%8d) = ~%dMB\n",
|
|
(ULONG)LengthInPages,
|
|
(ULONG)LengthInPages,
|
|
(ULONG)LengthInPages / (1024 * 1024 / 4096));
|
|
return S_OK;
|
|
}
|