NTSTATUS NTAPI MmWalkGuestPageTable(
PULONG64 PageTable, //3级页表的虚拟地址
UCHAR bLevel //当前页表的级数
)
{
ULONG64 i;
PVOID VirtualAddress;
PUCHAR ShortPageVA;
PHYSICAL_ADDRESS PhysicalAddress;
PULONG64 LowerPageTable; //低一级页表
if (!MmIsAddressValid(PageTable))
return STATUS_SUCCESS;
for (i = 0; i < 0x200; i++) //每一个页表有0x200=512项 页表项
if (PageTable[i] & P_PRESENT) {//判断表项是否有值
if (((bLevel == 2) && (PageTable[i] & P_LARGE)) || (bLevel == 1)) // 判断是否是二级页表或者一级页表 //根据自映射关系,计算虚拟地址
{
if (bLevel == 1)
VirtualAddress = (PVOID)(((LONGLONG)(&PageTable[i]) - PT_BASE) << 9); //得到1级页表项对应的的虚拟地址
else
VirtualAddress = (PVOID)(((LONGLONG)(&PageTable[i]) - PD_BASE) << 18); //大页面的情况下就得到二级页表项对应的虚拟地址
//不管是一级页表虚拟地址还是二级页表虚拟地址 ;都是最低层页表了, 所以把这个虚拟地址处理一下
if ((LONGLONG)VirtualAddress & 0x0000800000000000) //判断该虚拟地址是否为内核地址
VirtualAddress = (PVOID)((LONGLONG)VirtualAddress | 0xffff000000000000); //设置高16 位全为FFFFF
PhysicalAddress.QuadPart = PageTable[i] & 0x000ffffffffff000;//2M或4K页表的物理地址
if ((ULONGLONG)VirtualAddress >= PT_BASE && (ULONGLONG)VirtualAddress < PML4_BASE + 0x1000)
// guest pagetable stuff here - so don't map it
continue; //客户机页表自映射,宿主机不映射
DbgPrint("MmWalkGuestPageTable(): %sValid pl%d at 0x%p, index 0x%x, VA 0x%p, PA 0x%p %s\n", bLevel == 3 ? " " : bLevel == 2 ? " " : bLevel == 1 ? " " : "", bLevel, &PageTable[i], i, VirtualAddress, PhysicalAddress.QuadPart, ((bLevel == 2) && (PageTable[i] & P_LARGE)) ? "LARGE" : "");
if (bLevel == 2)
{//Large Page分开映射成标准4k页
for (ShortPageVA = (PUCHAR)VirtualAddress + 0x0 * PAGE_SIZE;
ShortPageVA < (PUCHAR)VirtualAddress + 0x200 * PAGE_SIZE;
ShortPageVA += PAGE_SIZE, PhysicalAddress.QuadPart += PAGE_SIZE)
MmCreateMapping(PhysicalAddress, ShortPageVA, FALSE);
}
else
MmCreateMapping(PhysicalAddress, VirtualAddress, FALSE);
}
if ((bLevel > 1) && !((bLevel == 2) && (PageTable[i] & P_LARGE))) //如果当前页表级数大于 1 并且 页表等级不等2 或者不为 大页面 则
{
LowerPageTable = (PULONG64)(g_PageTableBases[bLevel - 2] + 8 * (i << (9 * (5 - bLevel)))); //得到每一项 下级页表的物理地址对应的虚拟地址
MmWalkGuestPageTable(LowerPageTable, bLevel - 1);//遍历下一级页表
}
}
