Virtual Memory and Address Translating for x64https://www.windowsscope.com/wp-content/uploads/2016/07/vtop-x64-figure-2_1-1024x819.jpg 1024 819 WindowsSCOPE WindowsSCOPE https://www.windowsscope.com/wp-content/uploads/2016/07/vtop-x64-figure-2_1-1024x819.jpg
Pages are represented by Page Table Entries. A Page Table Entry is part of a virtual memory hierarchy. This hierarchy gives virtual to physical address mappings at the page granularity. From highest level to lowest, the hierarchy looks like this:
Page Map Level →Page Directory Pointers → Page Directories →Page Tables →Page Table Entries
Every virtual address has a Page Table Entry. Bits from the address are used to locate it. This article will explain how to decode a virtual address to locate the Page Table Entry.
Figure 2 shows a virtual address highlighted in blue. This address specifies a page of virtual memory. To decode the address, it helps to convert from hexadecimal format to binary.
Binary: 0000 0000 0000 0000 0000 0111 1111 1110 1111 1100 1000 0011 0001 0000 0001 0000
To locate the page, we break the 64-bit number into sections. Each section is used for a specific level in the virtual memory hierarchy shown in figure 1. The bits are an entry or index in that level. The index number is usually read in decimal or hexadecimal format, so we will convert our binary numbers to decimal.
Using the decimal values corresponding to our bits, we traverse the virtual memory hierarchy shown in Figure 1. In our example with WindowsSCOPE, we start at Page Map Level – Explorer.exe. From there we go to Page Directory Pointer 15, then to Page Directory 507, then Page Table 484, and finally Page Table Entry 49.
Figure 3 below shows what the resulting Page Table Entry looks like.
Now that we know how to decode a virtual address, let’s examine some key information about our Page Table Entry. The Page Frame Number gives us the physical address of a page of memory. We just need to account for the 12-bit offset, so 0x00885ED will become 0x00885ED000. You may have noticed that the Page Offset in the virtual address was not used for locating the Page Table Entry. The Page Offset is actually the offset for the physical address given by the Page Frame Number. So by using the Page Offset in our page located at 0x00885ED000, we access a specific byte of information at 0x00885ED010. The lower 12 bits of the Page Table Entry are indicators for how the memory will be used. The Valid Bit is very important because it tells us if the page is present in physical memory or not. In our example, the page is present in physical memory.
WindowsSCOPE can automatically do the work of locating a Page Table Entry for you. Just right click on the virtual address of the code you are observing and select “lookup page table entry”. It will do all of the calculations and give you the indices for each level of the hierarchy, as can be seen in the figure below.
If you click OK, WindowsSCOPE will give you the option of jumping right to the Page Table Entry like the one shown in figure 4.
Although WindowsSCOPE makes it easy, it is important to know how to locate a Page Table Entry from a Virtual Address. We saw how this process works with the virtual memory hierarchy. We checked the Valid Bit to make sure our page was present in physical memory. We also located the physical page from the Page Table Entry with the offset to locate a specific byte of information.