x64 Windows implementation of virtual-address to physical-address translation
Modern x64 Windows uses PML4 (Page Map Level 4) as its paging mode. Be careful: the interpretation of the mode is a bit different between long mode and legacy mode on AMD64 and Intel 64.
This repository is an implementation of virtual address (a.k.a. linear address) to physical address translation, which is usually done by the CPU's MMU (Memory Management Unit).
This implementation is similar to MmGetPhysicalAddress.
DTB is the Directory Table Base, which represents the base physical address of the paging tables.
It can be found at nt!_EPROCESS.Pcb.DirectoryTableBase; PCB means Processor Control Block.
dt nt!_KPROCESS DirectoryTableBase
+0x028 DirectoryTableBase : Uint8B

If the virtual address is a KVA (Kernel Virtual Address), we can use the system process's DTB.
The system process's DTB is exactly the same value as the one contained in CR3, because it is a part of the kernel.
Also, if it is a user virtual address, the DTB of course differs for every single process, so we have to look it up from the structure.
There are 4 things we first need to understand:
- PML4: Page Map Level 4
- PDP: Page Directory Pointer
- PD: Page Directory
- PT: Page Table
The translation steps are:
- Lookup DTB
- Lookup PDP entry using DTB entry's PFN and VA's pml4_index
- Lookup PD entry using PDP entry's PFN and VA's pd_index
- Lookup PT entry using PD entry's PFN and VA's pt_index
- Translate to the physical address using PT entry's PFN and VA's offset, the first 12 bits of the virtual address.
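The walk described above, as an added example that is not the repository's code. It uses the standard x64 index bit ranges (47:39, 38:30, 29:21, 20:12) and goes beyond the list by rejecting non-present entries and stopping early on 2 MiB / 1 GiB large pages. `g_phys`, `read_phys` and `build_sample_tables` are hypothetical names, and the page tables are constructed sample data standing in for real physical memory.

```c
#include <stdint.h>
#include <string.h>

#define PAGE_SHIFT 12
#define PFN_MASK   0x000FFFFFFFFFF000ULL  /* bits 51:12 of an entry */
#define P_PRESENT  (1ULL << 0)
#define P_LARGE    (1ULL << 7)            /* PS: entry maps a large page */
#define INVALID_PA UINT64_MAX

/* Constructed stand-in for physical memory: 8 frames of 512 qwords. */
static uint64_t g_phys[8][512];

/* Hypothetical helper: read one 8-byte entry at physical address pa. */
static int read_phys(uint64_t pa, uint64_t *out) {
    uint64_t frame = pa >> PAGE_SHIFT;
    if (frame >= 8 || (pa & 7)) return 0;
    *out = g_phys[frame][(pa & 0xFFF) >> 3];
    return 1;
}

/* Walk PML4 -> PDPT -> PD -> PT starting from the DTB (CR3 value). */
uint64_t va_to_pa(uint64_t dtb, uint64_t va) {
    uint64_t table = dtb & PFN_MASK, entry;  /* low DTB bits are not address bits */
    for (int shift = 39; shift >= 12; shift -= 9) {
        uint64_t index = (va >> shift) & 0x1FF;       /* 9-bit index per level */
        if (!read_phys(table + index * 8, &entry)) return INVALID_PA;
        if (!(entry & P_PRESENT)) return INVALID_PA;  /* no valid translation */
        /* 1 GiB (shift 30) or 2 MiB (shift 21) page: stop the walk early. */
        if ((shift == 30 || shift == 21) && (entry & P_LARGE)) {
            uint64_t mask = (1ULL << shift) - 1;
            return (entry & PFN_MASK & ~mask) | (va & mask);
        }
        table = entry & PFN_MASK;
    }
    return table | (va & 0xFFF);  /* PT entry's frame + 12-bit page offset */
}

/* Constructed mapping: one 4 KiB page and one 2 MiB large page. */
uint64_t build_sample_tables(void) {
    memset(g_phys, 0, sizeof g_phys);
    g_phys[1][0] = (2ULL << 12) | P_PRESENT;             /* PML4[0] -> frame 2 */
    g_phys[2][0] = (3ULL << 12) | P_PRESENT;             /* PDPT[0] -> frame 3 */
    g_phys[3][0] = (4ULL << 12) | P_PRESENT;             /* PD[0]   -> frame 4 */
    g_phys[4][5] = (0x1234ULL << 12) | P_PRESENT;        /* PT[5]   -> PFN 0x1234 */
    g_phys[3][1] = 0x40000000ULL | P_PRESENT | P_LARGE;  /* PD[1]: 2 MiB page */
    return 1ULL << 12;                                   /* DTB: PML4 at frame 1 */
}
```

With the sample tables, virtual address 0x5ABC resolves through all four levels, while 0x212345 resolves at the PD level because its entry has the large-page bit set.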
Some of you may know that PML5 (Page Map Level 5) is available on Linux (some versions).
PML5 expands the physical address to 56 bits, allowing the use of 4PiB of physical address range and 128PiB of virtual address range.
Do you think that Windows should have PML5?
MIT copyright Kento Oki <hrn832@protonmail.com>
