
Paging – Virtual to Physical address translation

Reposted from: http://blog.nandaka.io/paging-virtual-to-physical-address-translation/

I will start by recalling the first part of address translation, ‘Segmentation’, which we have already covered. This post expands on the paging mechanism that translates a virtual address to a physical address.


On the x86 architecture, enabling paging is an easy task: all we need to do is turn on the paging bit, which is bit 31 of the CR0 CPU register. In WinDbg you can use the ‘r’ command to dump the content of the CR0 register:

kd> r cr0
cr0=8001003b   >> 10000000 00000001 00000000 00111011

Before we enable paging, we need to initialize a couple of tables first. In Paging Introduction we learnt how the paging mechanism helps translate a virtual address to a physical address. On an x86 processor, the paging mechanism of the Memory Management Unit (MMU) maps memory through a series of tables:

  1. Page Directory Table
  2. Page Table

For now I will keep the discussion to non-PAE mode only and will cover PAE separately, to keep things simple to understand.

A page is by default a 4K (2^12) block of memory. It can be larger, but we will stick to the default page size in this discussion.

We already know that the virtual address space is 4GB, and if we map this virtual address space to pages, we get 2^32/2^12 = 2^20 pages. We store the information for these 2^20 pages in the tables mentioned above.

The 2^20 pages are mapped through two levels of tables (for non-PAE). Both of the tables above contain 1024 entries, each 4 bytes in size, i.e. 1024*4 = 4096 bytes (4K, or 1 page). So each table takes 1 page of memory.


Each table entry (Page Directory Entry and Page Table Entry) can be visualized in two parts, as shown below:

  1. Physical Address
  2. Access

Bits 12 to 31 (20 bits) of each Page Directory Entry (PDE, 4 bytes) in the Page Directory Table represent the physical address of the base of a Page Table.

Bits 12 to 31 (20 bits) of each Page Table Entry (PTE, 4 bytes) in a Page Table represent the physical address of the base of a page.

The access fields of the PDE and the PTE are mostly similar. The table below explains the meaning and usage of the bits. The NX bit is available in the 64-bit PTE only (PAE mode on x86, or an x64 machine), and WSI is available in the 64-bit PTE on a 64-bit system. I will discuss these in upcoming blogs.

[Table: meaning and usage of the PDE/PTE access bits]

If you consider just those 20 bits of a PTE in a Page Table, you can call them the Page Frame Number (PFN). Append the remaining 12 bits to the PFN and it becomes the base address of the page represented by that PFN.


The access bits define the page protection and other per-page settings. We will get into the details while exploring the PFN Database via WinDbg.

PFN Database: The Page Frame Number (PFN) Database is the list that represents the physical pages in memory.

Going back a bit, we know that the 4GB virtual address space is mapped into 2^20 pages. Each page is represented by a Page Table Entry (PTE), which carries a PFN. Each PTE is 4 bytes in size, so the Page Tables take 2^20 * 4 = 4,194,304 bytes (4MB) of space. Don’t forget one additional page for the 1024 PDEs.

Let’s take a step further in address translation and then we will put the whole thing together.

On the x86 architecture, a virtual address is interpreted as 3 separate components:

  1. Page Directory Index (10 bits) – can address 2^10 (1024) entries
  2. Page Table Index (10 bits) – can address 2^10 (1024) entries
  3. Byte Index (12 bits) – can address 2^12 (4096) entries, i.e. all the bytes in a 4K page


Here is how address translation works on a non-PAE 32-bit machine:

[Figure: virtual-to-physical address translation on a non-PAE 32-bit machine]

Image taken from the book Windows Internals by M Russinovich, D A Solomon, A Ionescu.

So before enabling paging, we need to make sure our page tables are set up and the CR3 CPU register is loaded with the physical address of the Page Directory, i.e. the base of the Page Directory.

mov eax, PageDirectoryBase
mov cr3, eax
mov eax, cr0
or eax, 0x80000000  ;Enable paging by turning on 31st bit of CR0 CPU Register
mov cr0, eax

During address translation:

  1. The CR3 register contains the physical address of the base of the Page Directory Table (PDT).
  2. Bits 22 to 31 of the virtual address are an index to a PDE in the PDT.
  3. The PDE uniquely selects a Page Table (PT) and points to the base (physical address) of that PT.
  4. Bits 12 to 21 of the virtual address are an index to a PTE in the selected PT.
  5. The PTE in the selected PT represents a page in physical memory and points to the base address of that physical page.
  6. Bits 0 to 11 are the byte index into the selected physical page.
  7. The base address of the physical page and the byte index together uniquely locate an address (the desired byte) in physical memory.
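
The seven steps above, carried out in software as an added example (not code from the original post). The 8-frame "physical memory", the frame layout and the function names are constructed for illustration; the only detail not stated in the text is the x86 Present bit (bit 0 of a PDE/PTE), which is checked so that an unmapped address fails instead of resolving to a stale frame.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PAGE_SIZE  4096u
#define ENTRY_P    0x1u          /* x86 Present bit (bit 0) of a PDE/PTE */
#define BASE_MASK  0xFFFFF000u   /* bits 12..31: physical base / PFN */

/* Constructed toy "physical memory" of 8 page frames (hypothetical layout). */
static uint8_t phys[8 * PAGE_SIZE];

static int phys_read32(uint32_t pa, uint32_t *out) {
    if (pa > sizeof phys - 4) return -1;   /* entry outside simulated RAM */
    memcpy(out, &phys[pa], 4);
    return 0;
}

static void phys_write32(uint32_t pa, uint32_t v) { memcpy(&phys[pa], &v, 4); }

/* Software page walk: PDT -> PT -> page. Returns 0, or -1 on a fault. */
int translate(uint32_t cr3, uint32_t va, uint32_t *pa) {
    uint32_t pdi = va >> 22;             /* bits 22..31: index of PDE in PDT */
    uint32_t pti = (va >> 12) & 0x3FFu;  /* bits 12..21: index of PTE in PT  */
    uint32_t off = va & 0xFFFu;          /* bits 0..11: byte index in page   */
    uint32_t pde, pte;

    if (phys_read32((cr3 & BASE_MASK) + pdi * 4, &pde) || !(pde & ENTRY_P))
        return -1;                       /* no page table for this 4 MB region */
    if (phys_read32((pde & BASE_MASK) + pti * 4, &pte) || !(pte & ENTRY_P))
        return -1;                       /* page not present */
    *pa = (pte & BASE_MASK) | off;       /* page base + byte index */
    return 0;
}

/* Constructed sample: PDT in frame 1, one PT in frame 2, data page in frame 5. */
uint32_t build_sample(void) {
    uint32_t cr3 = 1 * PAGE_SIZE;
    memset(phys, 0, sizeof phys);
    phys_write32(cr3 + 1 * 4, (2 * PAGE_SIZE) | ENTRY_P);            /* PDE[1] -> PT   */
    phys_write32(2 * PAGE_SIZE + 3 * 4, (5 * PAGE_SIZE) | ENTRY_P);  /* PTE[3] -> page */
    return cr3;
}

int main(void) {
    uint32_t pa, cr3 = build_sample();
    if (translate(cr3, 0x00403ABCu, &pa) == 0)
        printf("VA 0x00403ABC -> PA 0x%08X\n", (unsigned)pa);
    return 0;
}
```

Virtual address 0x00403ABC splits into directory index 1, table index 3 and byte index 0xABC, so it resolves through PDE[1] and PTE[3] to frame 5.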

In the next article we will look into PAE mode, which is enabled by default, and see address translation in practice via WinDbg.