; no pae
; PHYSICAL_ADDRESS MmGetPhysicalAddress(PVOID BaseAddress), non-PAE build (WinDbg disassembly).
; stdcall: result returned in edx:eax, ret 4 pops the argument.
; Walks the self-mapped page tables: 4-byte PDEs at C0300000h, 4-byte PTEs at C0000000h.
nt!MmGetPhysicalAddress:
8083a918 55 push ebp
8083a919 8bec mov ebp,esp
8083a91b 8b4d08 mov ecx,dword ptr [ebp+8] ;BaseAddress (kept in ecx for the page offset)
8083a91e 8bc1 mov eax,ecx
8083a920 c1e814 shr eax,14h ;(va >> 22) * 4 = byte offset of the PDE
8083a923 25fc0f0000 and eax,0FFCh
8083a928 56 push esi
8083a929 8db0000030c0 lea esi,[eax-3FD00000h] ;eax-3FD00000h = eax+C0300000 -> address of the PDE
8083a92f 8b16 mov edx,dword ptr [esi] ;pde
8083a931 8bc2 mov eax,edx ;pde
8083a933 66258100 and ax,81h ;keep Valid (bit 0) and PS (bit 7)
8083a937 3c81 cmp al,81h ;both set -> valid 4M large page
8083a939 7504 jne nt!MmGetPhysicalAddress+0x27 (8083a93f)
8083a93b 8bc1 mov eax,ecx ;eax = BaseAddress
8083a93d eb0d jmp nt!MmGetPhysicalAddress+0x34 (8083a94c)
;-----------------------------------------------------------------------
8083a93f 8b16 mov edx,dword ptr [esi] ;reload pde
8083a941 f6c201 test dl,1 ;PointerPte->u.Hard.Valid == 0
8083a944 7428 je nt!MmGetPhysicalAddress+0x56 (8083a96e) ;no Valid
8083a946 84d2 test dl,dl ;SF = bit 7 = PS
8083a948 8bc1 mov eax,ecx ;BaseAddress
8083a94a 790f jns nt!MmGetPhysicalAddress+0x43 (8083a95b) ;Jump short if not sign (SF=0): PS clear -> 4k page
; large page (4M): pfn = ((va >> 12) & 3FFh) + (pde >> 12)
8083a94c c1e80c shr eax,0Ch ;12
8083a94f 25ff030000 and eax,3FFh ;4k page index within the 4M page
8083a954 c1ea0c shr edx,0Ch
8083a957 03c2 add eax,edx ;eax = page frame number
8083a959 eb1c jmp nt!MmGetPhysicalAddress+0x5f (8083a977)
;-----------------------------------------------------------------------
;4k page
8083a95b c1e80a shr eax,0Ah ;(va >> 12) * 4 = byte offset of the PTE
8083a95e 25fcff3f00 and eax,3FFFFCh
8083a963 2d00000040 sub eax,40000000h ;eax-40000000h = eax+C0000000 -> address of the PTE
8083a968 8b00 mov eax,dword ptr [eax] ;pte
8083a96a a801 test al,1 ;PTE Valid
8083a96c 7506 jne nt!MmGetPhysicalAddress+0x5c (8083a974)
8083a96e 33c0 xor eax,eax ;not valid: return 0 in edx:eax
8083a970 33d2 xor edx,edx
8083a972 eb14 jmp nt!MmGetPhysicalAddress+0x70 (8083a988)
8083a974 c1e80c shr eax,0Ch ;eax = page frame number
; common tail: edx:eax = (pfn << 12) + (va & 0FFFh)
8083a977 33d2 xor edx,edx
8083a979 0fa4c20c shld edx,eax,0Ch ;high dword of pfn << 12
8083a97d c1e00c shl eax,0Ch
8083a980 81e1ff0f0000 and ecx,0FFFh ;byte offset within the page
8083a986 03c1 add eax,ecx
8083a988 5e pop esi
8083a989 5d pop ebp
8083a98a c20400 ret 4
fasm:
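proc _MmGetPhysicalAddress_nopae BaseAddress
; PHYSICAL_ADDRESS MmGetPhysicalAddress(PVOID BaseAddress), non-PAE x86.
; Out:   edx:eax = 64-bit physical address, 0 when the PDE/PTE is not valid.
;        The original nt code zeroes edx on every return path; this version
;        does the same so callers reading the high dword never see a stale PDE.
; Reads: self-mapped 4-byte PDEs at C0300000h, 4-byte PTEs at C0000000h.
; Clobb: eax, ecx, edx (stdcall volatile).
mov eax,[BaseAddress] ;BaseAddress
mov ecx,eax
shr ecx,14h ;(va >> 22) * 4 = byte offset of the PDE
and ecx,0FFCh
mov edx,[ecx+0C0300000h] ;pde
; -----------------------------------------------
test dl,1 ;PointerPte->u.Hard.Valid == 0
je .noValid ;no Valid
test dl,dl ;bit 7 = PS (4M large page)
js .largepage ;Jump short if sign (SF=1)
; -----------------------------------------------
;4k page
mov ecx,eax ;BaseAddress, kept for the page offset
shr eax,10 ;(va >> 12) * 4 = byte offset of the PTE
and eax,3FFFFCh
mov eax,[eax+0C0000000h] ;pte
test al,1 ;PTE Valid
jz .noValid
and eax,0fffff000h ;4k frame base
and ecx,0FFFh ;byte offset within the page
or eax,ecx
xor edx,edx ;high dword of the result; edx still held the PDE
ret
.largepage:
and eax,3fffffh ;byte offset within the 4M page
and edx,0ffc00000h ;4M frame base from the PDE
or eax,edx
xor edx,edx ;high dword of the result; edx still held the PDE
ret
.noValid:
xor eax,eax
xor edx,edx
ret
endp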
开启了pae的情况 (with PAE enabled):
;pae
; PHYSICAL_ADDRESS MmGetPhysicalAddress(PVOID BaseAddress), PAE build (WinDbg disassembly).
; stdcall: result returned in edx:eax, ret 4 pops the argument.
; Walks the self-mapped page tables: 8-byte PDEs at C0600000h, 8-byte PTEs at C0000000h.
nt!MmGetPhysicalAddress:
80506374 8bff mov edi,edi ;2-byte no-op (hotpatch slot)
80506376 55 push ebp
80506377 8bec mov ebp,esp
80506379 53 push ebx
8050637a 56 push esi
8050637b 57 push edi
8050637c 8b7d08 mov edi,dword ptr [ebp+8] ;BaseAddress (kept in edi for the page offset)
8050637f 8bcf mov ecx,edi
80506381 c1e912 shr ecx,12h ;(va >> 21) * 8 = byte offset of the PDE
80506384 81e1f83f0000 and ecx,3FF8h
8050638a 8b81000060c0 mov eax,dword ptr [ecx-3FA00000h] ;ecx+C0600000 : pde low dword
80506390 8b89040060c0 mov ecx,dword ptr [ecx-3F9FFFFCh] ;ecx+C0600004 : pde high dword
80506396 be81000000 mov esi,81h ;Valid (bit 0) | PS (bit 7)
8050639b 8bd0 mov edx,eax
8050639d 23d6 and edx,esi ;81h
8050639f 33db xor ebx,ebx
805063a1 3bd6 cmp edx,esi ;81h
805063a3 751f jne nt!MmGetPhysicalAddress+0x50 (805063c4) ;not a valid 2M large page
805063a5 85db test ebx,ebx ;ebx was just zeroed: this branch is never taken
805063a7 751b jne nt!MmGetPhysicalAddress+0x50 (805063c4)
; large page (2M): pfn = ((ecx:eax >> 12) & 3FFFFFFh) + ((va >> 12) & 1FFh)
805063a9 0facc80c shrd eax,ecx,0Ch ;eax = low dword of (pde >> 12)
805063ad c1e90c shr ecx,0Ch ;result unused, ecx is overwritten next
805063b0 8bcf mov ecx,edi
805063b2 c1e90c shr ecx,0Ch
805063b5 25ffffff03 and eax,3FFFFFFh ;26-bit page frame number
805063ba 81e1ff010000 and ecx,1FFh ;4k page index within the 2M page
805063c0 03c1 add eax,ecx
805063c2 eb3f jmp nt!MmGetPhysicalAddress+0x8f (80506403)
;------------------------------------
805063c4 83e001 and eax,1 ;PDE Valid
805063c7 33c9 xor ecx,ecx
805063c9 0bc1 or eax,ecx ;ecx is 0, leaves eax unchanged
805063cb 7424 je nt!MmGetPhysicalAddress+0x7d (805063f1) ;no Valid
805063cd 8bcf mov ecx,edi
805063cf c1e909 shr ecx,9 ;(va >> 12) * 8 = byte offset of the PTE
805063d2 81e1f8ff7f00 and ecx,7FFFF8h
805063d8 8b91040000c0 mov edx,dword ptr [ecx-3FFFFFFCh] ;ecx+C0000004 : pte high dword
805063de 81e900000040 sub ecx,40000000h ;ecx+C0000000
805063e4 8b01 mov eax,dword ptr [ecx] ;pte low dword
805063e6 8bc8 mov ecx,eax
805063e8 83e101 and ecx,1 ;PTE Valid
805063eb 33f6 xor esi,esi
805063ed 0bce or ecx,esi ;esi is 0, leaves ecx unchanged
805063ef 7506 jne nt!MmGetPhysicalAddress+0x83 (805063f7)
;------------------------------------
; no valid
805063f1 33c0 xor eax,eax ;return 0 in edx:eax
805063f3 33d2 xor edx,edx
805063f5 eb1f jmp nt!MmGetPhysicalAddress+0xa2 (80506416)
;------------------------------------
805063f7 0facd00c shrd eax,edx,0Ch ;eax = low dword of (pte >> 12)
805063fb c1ea0c shr edx,0Ch
805063fe 25ffffff03 and eax,3FFFFFFh ;26-bit page frame number
; common tail: edx:eax = (pfn << 12) + (va & 0FFFh)
80506403 33c9 xor ecx,ecx
80506405 0fa4c10c shld ecx,eax,0Ch ;high dword of pfn << 12
80506409 c1e00c shl eax,0Ch
8050640c 81e7ff0f0000 and edi,0FFFh ;byte offset within the page
80506412 03c7 add eax,edi
80506414 8bd1 mov edx,ecx
;------------------------------------
80506416 5f pop edi
80506417 5e pop esi
80506418 5b pop ebx
80506419 5d pop ebp
8050641a c20400 ret 4
等价的fasm (equivalent fasm):
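proc _MmGetPhysicalAddress_pae uses edi,BaseAddress
; PHYSICAL_ADDRESS MmGetPhysicalAddress(PVOID BaseAddress), PAE x86.
; Out:   edx:eax = 64-bit physical address, 0 when the PDE/PTE is not valid.
; Reads: self-mapped 8-byte PDEs at C0600000h, 8-byte PTEs at C0000000h.
; Clobb: eax, ecx, edx (stdcall volatile); edi is saved by "uses".
; The frame's high dword is masked with 3Fh (bits 32..37), which is what the
; original nt code keeps via its 3FFFFFFh 26-bit PFN mask; a 0Fh mask would
; silently drop bits 36..37 on systems whose physical addresses reach them.
mov edi,[BaseAddress] ;BaseAddress
mov ecx,edi
shr ecx,12h ;(va >> 21) * 8 = byte offset of the PDE
and ecx,3FF8h
mov eax,[ecx+0C0600000h] ;pde low dword
mov edx,[ecx+0C0600004h] ;pde high dword (edx:eax = 64-bit PDE)
mov ecx,eax
and ecx,81h ;Valid (bit 0) | PS (bit 7)
cmp ecx,81h
jne .4kpage
; ------------
;largepage (2M): edx:eax = (pde & 3F_FFE00000h) | (va & 1FFFFFh)
and edx,3fh ;frame bits 32..37
and eax,0ffe00000h ;2M frame base
and edi,01fffffh ;byte offset within the 2M page
or eax,edi
ret
; ------------
.4kpage:
test eax,1 ;PDE Valid
je .noValid
; ------------
;4kpage: edx:eax = (pte & 3F_FFFFF000h) | (va & 0FFFh)
mov ecx,edi
shr ecx,9 ;(va >> 12) * 8 = byte offset of the PTE
and ecx,7FFFF8h
mov edx,[ecx+0C0000004h] ;pte high dword
mov eax,[ecx+0C0000000h] ;pte low dword (edx:eax = 64-bit PTE)
test eax,1 ;PTE Valid
je .noValid
and edx,3fh ;frame bits 32..37
and eax,0fffff000h ;4k frame base
and edi,0fffh ;byte offset within the page
or eax,edi
ret
; ------------
.noValid:
xor eax,eax
xor edx,edx
ret
endp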
如果要同时支持pae或no pae时,可以测试一下cr4,如下 (to support both PAE and non-PAE at once, test CR4.PAE — bit 5, 20h — as shown below; reading CR4 is a privileged instruction, so this dispatcher only works in kernel mode):
proc _MmGetPhysicalAddress BaseAddress
; Dispatcher: picks the PAE or non-PAE page-table walker from CR4.PAE (bit 5).
; Out:   edx:eax = result of the selected walker (PHYSICAL_ADDRESS).
; Note:  mov eax,cr4 is privileged; this proc is kernel-mode only.
mov eax,cr4
and eax,20h ;CR4.PAE
jnz .pae
stdcall _MmGetPhysicalAddress_nopae,[BaseAddress]
ret
.pae:
stdcall _MmGetPhysicalAddress_pae,[BaseAddress]
ret
endp