Windows虚拟内存和内核模式
[英]Windows virtual memory and kernel mode
问题描述
I know that in 32-bit architecture the kernel mode virtual memory is mapped between 0x80000000 and 0xFFFFFFFF . 
我知道在32位体系结构中,内核模式虚拟内存映射在0x80000000和0xFFFFFFFF之间。
It contains some structures as EPROCESS , ETHREAD ... etc and also the page directories and tables for the current process. 它包含一些结构,如EPROCESS , ETHREAD ...等,还包含当前进程的页面目录和表。
While trying to fetch the virtual address of a certain function is ntoskrnl let's say "nt!NtReadFile" I find that's it's mapped in the kernel virtual address 0x89421130 for example. 当尝试获取某个函数的虚拟地址是ntoskrnl时,我们说“ nt!NtReadFile”,我发现它例如映射在内核虚拟地址0x89421130中。
I tried to patch some nops after the RET with a random instruction and when switching to another process context I found that the instruction I put is still there. 我尝试使用随机指令在RET之后打些补丁,当切换到另一个进程上下文时,我发现放置的指令仍然存在。
Does that mean that virtual memory where Ntoskrnl is loaded stays unchanged in every process virtual address space ? 这是否意味着加载Ntoskrnl的虚拟内存在每个进程虚拟地址空间中都保持不变?
Thanks. 谢谢。
1 个解决方案
解决方案1
3 已采纳 2014-04-30 20:34:58
Does that mean that virtual memory where Ntoskrnl is loaded stays unchanged in every process virtual address space?
Yes. 是。 There is one copy of the kernel in memory on a running Windows system, and the exact same kernel address space (ie 0x80000000-0xFFFFFFFF on 32-bit) is mapped into every process. 在运行的Windows系统上,内存中有一个内核副本,并且完全相同的内核地址空间(即32位为0x80000000-0xFFFFFFFF )映射到每个进程。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.