Walking "page directory" with SoftICE - understanding "address context".

A 32-bit application program running under Windows NT is given its own process space for its exclusive use. With this separation of address spaces, it eliminated a possibility of accessing physical momory that another application may be using.

This "process space" is also called "address context" and it is implemented by assigning a dedicated "page directory" to each application. Note that "page directory" is a term which is a part of the Intel x86 paging mechanism which Windows uses to implement its "virtual memory" functionality.

SoftICE "ADDR" command lists all the running processes and their "page directories". At any given moment, there can be only one "address context". The processor keeps track of current process by caching a "page directory address" in its control registers, CR3. Issue "CPU" command to see the content of CR3.

A "page directory" is a table of pointers to "page tables". (Yes, this is little confusing and you should refer to Intel x86 processor manual. It contains many useful diagrams.) Each "page table" is a table of pointers to "page frames". A page frame is a 4K-byte size "page" which contains actual bits.

Step-by-step walk

The following figure shows how to walk the page directory and page tables to get to the point where we see a memory mapped PE file of the sample program, "TryPage.exe" which owns this process space. Note that address values involved in those page related tables are in "physical address" format instead of "linear address" format. This is becuase these data structures implement "linear address" instead of using it. To view a physical memory location, you must first convert it to a "linear" address because SoftICE "D" command ("Dump memory") only takes address in "linear format". Use "PHYS" command to do the conversion.

1. According to SoftICE "ADDR" command, "page directory" of the process "TryPage" is 0x023FD000.

2. With SoftICE "PHYS" command, physical address 0x023FD000 is converted to linear address 0x823FD000.

3. SoftICE "D" command dumps memory content at 0x823FD000 which shows three entries, 0x2059067, 0x3856067, and 0x2944067. ( lower 0x067 part of each entry describes attributes of the entry such as "accessed" and "present" - see Intel x86 manual for description of "page directory/table entry".) Also, note that this is the output of SoftICE "PAGE" command output.

4. According to SoftICE "PAGE" command output, target address 0x00400000 is described by "page table" located at 0x3856000. In anotherword, the target page frame is managed by a page table at 0x3856000.

5. Physical address 0x3856000 is converted to linear address 0x83856000.

6. Dump at 0x83856000 shows a half dozen entries. The first entry, 0x187C025 (again, first 12-bit (i.e. 025) is NOT part of the address) shoud point to the first 4K page where our program, TryPage, is mapped at.

7. Physical address 0x187C000 is converted to linear address 0x817C025 and 0x400000 (as we expected).

8. Dump at 0x400000 contains signature 'MZ' and 'PE' that indicate that this is the beginning of the memory mapped PE file, "TryPage.exe".