Analyzing Windows Process Memory


Addresses shown by the debugger are always virtual addresses, whether the process is running in User Mode or in Kernel Mode.

Understanding process data has so far been a mostly theoretical exercise, but what happens under the hood is interesting. This document builds on my previous post, “Basic Postmortem Of Windows Process”: once you have collected the dump, your next step is to identify the root cause of the problem, for which you need to examine the process and its thread activity.

Once you have identified the process, you should drill down into the memory reserved for it. The processor, on the other hand, addresses only physical memory, so there is a mapping between virtual memory and main memory. The Intel architecture provides three memory models:

  • Flat Memory Model
  • Segmented Memory Model
  • Real-address Memory Model.


Flat Memory Model: This model is also known as the linear address space. Programs / applications view memory as one contiguous block, and it is byte addressable.

Segmented Memory Model: Memory is presented to the application / program as segments that hold code, data and stack, and these segments are then mapped into the linear address space.

Real-Address Memory Model: This model was designed specifically for the 8086 processor, to support programs written for the 8086 architecture.

Alright, enough theory; let us now see how to view these addresses. As I mentioned above, the debugger interprets addresses as virtual, and WinDbg provides two commands to map a virtual address to a physical address and vice versa:

  • !ptov
  • !vtop

!ptov: displays the physical-to-virtual memory map for a given process. After identifying the process you need to debug in kernel debug mode, select the page frame number of that process.

To analyze the physical-to-virtual mapping you need the relevant address, which is the value of the DirBase attribute of the process; this is also its page frame number.

Eg: !ptov b340960   

Eg2: If the DirBase address is 0b340000 or 0b300000, truncate the trailing 0’s and issue the command as !ptov b34 or !ptov b3.


!vtop: converts a virtual address to a physical address. The syntax differs from !ptov: you need to provide the virtual address as the 3rd parameter. So first get the virtual address within the process, then execute the !vtop command.

To get the virtual address within the process, use the !address command. You can run !address either in user mode or in kernel mode, but I prefer running it in the user-mode context. Once you have the virtual address you can use the command as below:

Eg: !vtop b34 00411000, where b34 is the PFN and 00411000 is the virtual address.

You can also obtain the virtual address range of a specific module with the lm command, which lists the start and end address of each module loaded in the process.
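The translation that !vtop performs, as an added example that is not part of the original post: a 32-bit, non-PAE x86 page-table walk over a constructed stand-in for physical memory, using the post's DirBase 0b340000 and virtual address 00411000 (the page-table frame 0c001000 and the resulting physical address 001a7000 are assumed sample values).

```python
PAGE_SIZE = 0x1000
PRESENT = 0x1
PAGE_SIZE_BIT = 0x80   # PDE bit 7: entry maps a 4 MiB large page

class PhysMem:
    """Constructed stand-in for physical RAM: a sparse dict of 4 KiB frames."""
    def __init__(self):
        self.frames = {}   # pfn -> bytearray(PAGE_SIZE)

    def read32(self, paddr):
        frame = self.frames.get(paddr >> 12)
        if frame is None:          # unbacked frame reads as zero (not present)
            return 0
        off = paddr & 0xFFF
        return int.from_bytes(frame[off:off + 4], "little")

    def write32(self, paddr, value):
        frame = self.frames.setdefault(paddr >> 12, bytearray(PAGE_SIZE))
        off = paddr & 0xFFF
        frame[off:off + 4] = value.to_bytes(4, "little")

def dirbase_to_pfn(dirbase):
    """DirBase is the physical address of the page directory (CR3); the PFN
    that !ptov/!vtop take is that address with the 12-bit page offset dropped."""
    return dirbase >> 12

def vtop(mem, dirbase, vaddr):
    """Walk PDE -> PTE -> frame; return the physical address, or None if not present."""
    pde_index = (vaddr >> 22) & 0x3FF   # bits 31..22 select the page directory entry
    pte_index = (vaddr >> 12) & 0x3FF   # bits 21..12 select the page table entry
    offset = vaddr & 0xFFF              # bits 11..0 are the offset inside the page
    pde = mem.read32((dirbase & ~0xFFF) + pde_index * 4)
    if not pde & PRESENT:
        return None
    if pde & PAGE_SIZE_BIT:             # 4 MiB page: no PTE level to walk
        return (pde & 0xFFC00000) | (vaddr & 0x3FFFFF)
    pte = mem.read32((pde & ~0xFFF) + pte_index * 4)
    if not pte & PRESENT:
        return None
    return (pte & ~0xFFF) | offset

def build_sample():
    """Constructed mapping: DirBase 0x0b340000, VA 0x00411000 -> PA 0x001a7000."""
    mem = PhysMem()
    dirbase = 0x0B340000
    page_table = 0x0C001000                                # assumed page-table frame
    mem.write32(dirbase + 1 * 4, page_table | 0x3)         # PDE[1] covers 0x00400000-0x007FFFFF
    mem.write32(page_table + 0x11 * 4, 0x001A7000 | 0x3)   # PTE[0x11] -> frame 0x1a7, present+writable
    return mem, dirbase
```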


I will be updating the document with the ways to analyze the segmented / linear address space for a particular process.
