Virtual Memory and Address Translating for x86 and x86 PAE
https://www.windowsscope.com/wp-content/themes/corpus/images/empty/thumbnail.jpg 150 150 WindowsSCOPE WindowsSCOPE https://www.windowsscope.com/wp-content/themes/corpus/images/empty/thumbnail.jpgWhen a process starts on an x86 (32-bit) system, it is given 4GB (232 = 4GB) of virtual memory. 4GB is a lot of memory and most processes don’t utilize the entire virtual memory space. Memory is broken up into pages of 4KB (212 = 4KB). This gives each process access to 220 pages (232 ÷ 212 = 220) of memory. Each page that is present in physical memory can be located by looking up its Page Table Entry. If a page of virtual memory is not present in physical memory then it is in the Page File, which is located on the hard drive. The operating system will move pages from physical memory to the Page File if additional physical memory needs to be freed.
A virtual memory space can have pages that are present in physical memory, in the page file, or both. Pages of virtual memory are given virtual addresses. Each virtual address points to a Page Table Entry (PTE). Below is a figure showing a PTE as seen in WindowsSCOPE.
Figure 1
The PTE here is a 36-bit number. This is because the x86 system has a feature enabled called PAE. PAE stands for “Physical Address Extension” and it allows the computer to access up to 64GB of physical memory. It takes 36 bits to address 64GB (236 = 64GB). If PAE was not enabled, then the computer would only have access to 4GB of physical memory, and the PTE would be 32 bits instead of 36.
The upper 24 bits of the 36-bit PTE in Figure 1 represent the Page Frame Number. If the page is located in physical memory, the Page Frame Number is used to identify its physical address. The lower 12 bits of the PTE are flags that indicate various parameters for how the memory will be used. The lowest bit, the Valid Bit, is very important because it indicates if the page is present in physical memory or not. If the page is present in physical memory, the physical address of the page is found by shifting the Page Frame Number by 12 bits. For example, using the PTE in Figure 1, if the Page Frame Number is 0x034A22 then the physical address of the page is 0x034A22000.
Below is an image of a virtual address referenced by the explorer.exe process seen in WindowsSCOPE.
The address is highlighted in blue in the left column.
Figure 2
The virtual address in the figure above is in hexadecimal format. In order to locate its PTE, it is helpful to convert the address to binary.
0x6CD51100 → 0110 1100 1101 0101 0001 0001 0000 0000
Hex Binary
x86 and x86 PAE architectures use slightly different methods to locate the Page Table Entry from a virtual address. The 32-bit address must be broken down into particular sections of bits, as shown in the tables below:
x86 PAE | ||||||
section of bits: | Page Directory | Page Table | Page Table Entry | Byte Offset | ||
bit ranges: | 3130 | 2921 | 2012 | 110 | ||
bits from example: | 01 | 101100110 | 101010001 | 000100000000 | ||
x86 | ||||||
section of bits: | Page Table | Page Table Entry | Byte Offset | |||
bit ranges: | 31 22 | 21 12 | 11 0 | |||
bits from example: | 0110110011 | 0101010001 | 000100000000 | |||
Figure 3
Keep in mind that in our example PAE is enabled. If we use the x86 (no PAE) method, then we will get the wrong PTE. The 32 bits of the virtual address are already placed in the proper sections in figure 3. Now that we have the correct entries for the Page Directory, Page Table, and Page Table Entry, we convert the binary numbers to decimal. So in our example we are referencing Page Directory 1, Page Table 358, and Page Table Entry 337.
Figure 4
The figure above shows the Memory View section in WindowsSCOPE. To locate the PTE, we select the Page Directory Pointer marked by the process that contains our virtual address. In this example our address is in the explorer.exe process. From there we find Page Directory 358, and then Page Table Entry 337. Finally we have located the PTE, which can be seen back in Figure 1.
One thing you may have noticed is that we never used the Byte Offset from Figure 3 to locate the PTE. The Byte Offset taken from the virtual address is used to access a specific byte of information at the physical address. So if we follow the process of locating a page in physical memory described earlier, adding the Byte Offset specifies a particular byte of information from within the page. So the physical address 0x034A22000 will be offset by 0x100, giving us the address of our byte in memory: 0x034A22100.
WindowsSCOPE can automatically do the work of locating a Page Table Entry for you. Just right click on the virtual address of the code you are observing and select “lookup page table entry”, seen in the figure below:
Figure 5
Although WindowsSCOPE makes it easy, it is important to know how to locate a Page Table Entry from a Virtual Address. The example in this article shows how this process works by breaking the bits into the proper sections. We also showed how the Byte Offset can be used to locate a specific byte of information within the page of physical memory.