Question
I dumped some process data. I got a DirBase value of 00030000. How does Windows generate this value? Does some AVL tree data structure at the beginning of the kernel give this data? I want to learn how a process is created internally in the kernel. What kind of global variables assign the DirBase, ObjectTable, etc. values?
Here is some sample WinDbg output:
!process fb667a00 7
PROCESS fb667a00 Cid: 0002 Peb: 00000000 ParentCid: 0000
DirBase: 00030000 ObjectTable: e1000f88 TableSize: 112.
When a process is created by the system, the system creates a new page directory for the process and assigns a number to the process's page directory.
How does Windows assign that number? Is there an AVL tree data structure that has trees of free page tables and busy page tables?
And does the system allocate one page directory from that AVL tree?
Is there no documentation on how this mechanism works?
I want to learn how the page directory gets its data.
Answer 1:
DirBase is the physical address of a page directory. Each process has its own page directory; it is placed in the struct KPROCESS::DirectoryTableBase. When the OS activates a process, the value from KPROCESS::DirectoryTableBase is loaded into the CR3 register.
The page directory has a structure described in the Intel Developer Manual: http://wiki.osdev.org/Paging
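An added example, not part of the original answer: a two-level page walk that treats DirBase 00030000 as the CR3 value and resolves virtual addresses through a page directory and page table. It assumes 32-bit non-PAE paging; the table contents, the simulated physical memory and the names `translate` and `build_sample` are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define P_PRESENT 0x001u   /* bit 0: entry is valid */
#define P_LARGE   0x080u   /* bit 7 in a PDE: maps a 4 MiB page (needs CR4.PSE) */
#define FRAME(x)  ((x) & 0xFFFFF000u)

static uint8_t phys[0x40000];          /* constructed "physical memory", 256 KiB */

static uint32_t rd32(uint32_t pa) {    /* out-of-range reads behave as not-present */
    uint32_t v = 0;
    if (pa <= sizeof phys - 4) memcpy(&v, &phys[pa], 4);
    return v;
}
static void wr32(uint32_t pa, uint32_t v) { memcpy(&phys[pa], &v, 4); }

/* Walk the two-level tables rooted at dirbase (the value CR3 would hold).
   Returns 0 and sets *pa on success, -1 if a PDE or PTE is not present. */
int translate(uint32_t dirbase, uint32_t va, uint32_t *pa) {
    uint32_t pde = rd32(FRAME(dirbase) + (va >> 22) * 4);        /* bits 31..22 */
    if (!(pde & P_PRESENT)) return -1;
    if (pde & P_LARGE) {                                         /* 4 MiB page */
        *pa = (pde & 0xFFC00000u) | (va & 0x003FFFFFu);
        return 0;
    }
    uint32_t pte = rd32(FRAME(pde) + ((va >> 12) & 0x3FFu) * 4); /* bits 21..12 */
    if (!(pte & P_PRESENT)) return -1;
    *pa = FRAME(pte) | (va & 0xFFFu);                            /* bits 11..0 */
    return 0;
}

/* Constructed sample tables; only DirBase 0x00030000 comes from the page. */
void build_sample(void) {
    memset(phys, 0, sizeof phys);
    wr32(0x30000 + 0x3ED * 4, 0x00031063);  /* PDE 0x3ED -> page table at 0x31000 */
    wr32(0x31000 + 0x267 * 4, 0x00055063);  /* PTE 0x267 -> frame 0x55000 */
    wr32(0x30000 + 0x200 * 4, 0x004000E3);  /* PDE 0x200 -> 4 MiB page at 0x400000 */
}

int main(void) {
    uint32_t pa, vas[] = { 0xfb667a00u, 0x80001234u, 0x00001000u };
    build_sample();
    for (int i = 0; i < 3; i++) {
        if (translate(0x00030000u, vas[i], &pa) == 0)
            printf("%08x -> %08x\n", (unsigned)vas[i], (unsigned)pa);
        else
            printf("%08x -> not present\n", (unsigned)vas[i]);
    }
    return 0;
}
```

The virtual address fb667a00 from the dump splits into directory index 0x3ED, table index 0x267 and offset 0xA00, so the walk reads the PDE at physical 0x30FB4 and the PTE at 0x3199C.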
Source: https://stackoverflow.com/questions/39438679/how-eprocess-dirbase-generated-maybe-vad-tree-root