jiurl plays with Win2k memory: lookasidelist.htm
810eb698<BR><BR>kd><BR>810eafb8 810eaf38
810ea038<BR><BR>kd><BR>810eaf38 80473368
810eafb8<BR><BR>kd><BR>80473368 8046a9d0 810eaf38<BR>// We see 80473368 again,
which means the list has wrapped around<BR></P>
<P><B>Walking NPagedLookasideList</B></P>
<P>kd> ? ExNPagedLookasideListHead<BR>?
ExNPagedLookasideListHead<BR>Evaluate expression: -2142817416 =
80473378<BR><BR>kd> !strct LIST_ENTRY
ExNPagedLookasideListHead<BR>!strct LIST_ENTRY
ExNPagedLookasideListHead<BR>struct _LIST_ENTRY (sizeof=8)<BR>+0 struct
_LIST_ENTRY *Flink = 8047F8D0<BR>+4 struct _LIST_ENTRY *Blink =
EEFFEC90<BR><BR>kd> !strct NPAGED_LOOKASIDE_LIST<BR>!strct
NPAGED_LOOKASIDE_LIST<BR>struct _NPAGED_LOOKASIDE_LIST
(sizeof=80)<BR>...<BR>+30 struct _LIST_ENTRY
ListEntry<BR>...<BR><BR>kd> ? 8047F8D0-30<BR>? 8047F8D0-30<BR>Evaluate
expression: -2142766944 = 8047f8a0<BR><BR>kd> !lookaside
8047f8a0<BR>!lookaside 8047f8a0<BR><BR>Lookaside "" @ 8047f8a0
"ObCi"<BR>Type = 0000 NonPagedPool<BR>Current Depth = 2 Max Depth =
4<BR>Size = 48 Max Alloc = 192<BR>AllocateMisses = 24 FreeMisses =
0<BR>TotalAllocates = 73 TotalFrees = 51<BR>Hit Rate = 67% Hit Rate =
100%<BR><BR>kd> !strct NPAGED_LOOKASIDE_LIST 8047f8a0<BR>!strct
NPAGED_LOOKASIDE_LIST 8047f8a0<BR>struct _NPAGED_LOOKASIDE_LIST
(sizeof=80)<BR>+00 struct _GENERAL_LOOKASIDE L<BR>+00 union _SLIST_HEADER
ListHead<BR>+00 uint64 Alignment = 0064000281feeb88<BR>+00 struct
_SINGLE_LIST_ENTRY Next<BR>+00 struct _SINGLE_LIST_ENTRY *Next =
81FEEB88<BR>+04 uint16 Depth = 0002<BR>+06 uint16 Sequence = 0064<BR>+08
uint16 Depth = 0004<BR>+0a uint16 MaximumDepth = 0100<BR>+0c uint32
TotalAllocates = 00000049<BR>+10 uint32 AllocateMisses = 00000018<BR>+10
uint32 AllocateHits = 00000018<BR>+14 uint32 TotalFrees = 00000033<BR>+18
uint32 FreeMisses = 00000000<BR>+18 uint32 FreeHits = 00000000<BR>+1c
int32 Type = 00000000<BR>+20 uint32 Tag = 6943624f<BR>+24 uint32 Size =
00000030<BR>+28 function *Allocate = 80466C80<BR>+2c function *Free =
80467297<BR>+30 struct _LIST_ENTRY ListEntry<BR>+30 struct _LIST_ENTRY
*Flink = 8047F930<BR>+34 struct _LIST_ENTRY *Blink = 80473378<BR>+38
uint32 LastTotalAllocates = 00000049<BR>+3c uint32 LastAllocateMisses =
00000018<BR>+3c uint32 LastAllocateHits = 00000018<BR>+40 uint32 Future[2]
= 00000000 00000000 .... .<BR>...<BR>+48 uint32 Lock = 00000000</P>
<P>kd> dd ExNPagedLookasideListHead l 2<BR>dd ExNPagedLookasideListHead
l 2<BR>80473378 8047f8d0 eeffec90<BR>// Remember that we started from ExNPagedLookasideListHead
at 80473378; when we see 80473378 again<BR>// the list has wrapped around.</P>
<P>kd> dd $p l 2<BR>dd $p l 2<BR>8047f8d0 8047f930
80473378<BR><BR>kd><BR>8047f930 814521f8
8047f8d0<BR><BR>kd><BR>814521f8 81452198
8047f930<BR><BR>kd><BR>81452198 80472130
814521f8<BR><BR>kd><BR>80472130 8141b1b8
81452198<BR><BR>kd><BR>8141b1b8 80473650
80472130<BR><BR>kd><BR>80473650 804736b0
8141b1b8<BR><BR>kd><BR>804736b0 80473530
80473650<BR><BR>kd><BR>80473530 80473590
804736b0<BR><BR>kd><BR>80473590 804735f0
80473530<BR><BR>kd><BR>804735f0 804737b0
80473590<BR><BR>kd><BR>804737b0 80475830
804735f0<BR><BR>kd><BR>80475830 804756d0
804737b0<BR><BR>kd><BR>804756d0 804758d0
80475830<BR><BR>kd><BR>804758d0 80475770
804756d0<BR><BR>kd><BR>80475770 8141a2f8
804758d0<BR><BR>kd><BR>8141a2f8 81416d18
80475770<BR><BR>kd><BR>81416d18 81416cb8
8141a2f8<BR><BR>kd><BR>81416cb8 81416c58
81416d18<BR><BR>kd><BR>81416c58 80480b30
81416cb8<BR><BR>kd><BR>80480b30 fcd5c510
81416c58<BR><BR>kd><BR>fcd5c510 fcd5c1b0
80480b30<BR><BR>kd><BR>fcd5c1b0 fcd5c390
fcd5c510<BR><BR>kd><BR>fcd5c390 fcd5c290
fcd5c1b0<BR><BR>kd><BR>fcd5c290 fcd5c0f0
fcd5c390<BR><BR>kd><BR>fcd5c0f0 fcd1e9b0
fcd5c290<BR><BR>kd><BR>fcd1e9b0 fcd1ea00
fcd5c0f0<BR><BR>kd><BR>fcd1ea00 813d0618
fcd1e9b0<BR><BR>kd><BR>813d0618 813cf3d8
fcd1ea00<BR><BR>kd><BR>813cf3d8 813f6ef8
813d0618<BR><BR>kd><BR>813f6ef8 813f6c58
813cf3d8<BR><BR>kd><BR>813f6c58 8140c198
813f6ef8<BR><BR>kd><BR>8140c198 8140cef8
813f6c58<BR><BR>kd><BR>8140cef8 8140cc58
8140c198<BR><BR>kd><BR>8140cc58 8140c9b8
8140cef8<BR><BR>kd><BR>8140c9b8 8140c6b8
8140cc58<BR><BR>kd><BR>8140c6b8 813f5198
8140c9b8<BR><BR>kd><BR>813f5198 813f53d8
8140c6b8<BR><BR>kd><BR>813f53d8 fcccd430
813f5198<BR><BR>kd><BR>fcccd430 fcccd530
813f53d8<BR><BR>kd><BR>fcccd530 fcccd610
fcccd430<BR><BR>kd><BR>fcccd610 813c84b8
fcccd530<BR><BR>kd><BR>813c84b8 f08915d0
fcccd610<BR><BR>kd><BR>f08915d0 f0325c10
813c84b8<BR><BR>kd><BR>f0325c10 f0325a30
f08915d0<BR><BR>kd><BR>f0325a30 f0325ff0
f0325c10<BR><BR>kd><BR>f0325ff0 f0325a90
f0325a30<BR><BR>kd><BR>f0325a90 f0325f70
f0325ff0<BR><BR>kd><BR>f0325f70 f03260f0
f0325a90<BR><BR>kd><BR>f03260f0 f03259d0
f0325f70<BR><BR>kd><BR>f03259d0 8132eb58
f03260f0<BR><BR>kd><BR>8132eb58 812aa5f0
f03259d0<BR><BR>kd><BR>812aa5f0 812aa640
8132eb58<BR><BR>kd><BR>812aa640 812aa690
812aa5f0<BR><BR>kd><BR>812aa690 812aa6e0
812aa640<BR><BR>kd><BR>812aa6e0 812aa730
812aa690<BR><BR>kd><BR>812aa730 812aa780
812aa6e0<BR><BR>kd><BR>812aa780 f05283f0
812aa730<BR><BR>kd><BR>f05283f0 f0528450
812aa780<BR><BR>kd><BR>f0528450 812a7f98
f05283f0<BR><BR>kd><BR>812a7f98 812a32e8
f0528450<BR><BR>kd><BR>812a32e8 812a3338
812a7f98<BR><BR>kd><BR>812a3338 812a50f8
812a32e8<BR><BR>kd><BR>812a50f8 f05574b0
812a3338<BR><BR>kd><BR>f05574b0 f05572f0
812a50f8<BR><BR>kd><BR>f05572f0 f05576b0
f05574b0<BR><BR>kd><BR>f05576b0 f05573b0
f05572f0<BR><BR>kd><BR>f05573b0 f0557450
f05576b0<BR><BR>kd><BR>f0557450 f0557650
f05573b0<BR><BR>kd><BR>f0557650 f07fd150
f0557450<BR><BR>kd><BR>f07fd150 f07fd330
f0557650<BR><BR>kd><BR>f07fd330 ef093848
f07fd150<BR><BR>kd><BR>ef093848 ef05d910
f07fd330<BR><BR>kd><BR>ef05d910 810a6b38
ef093848<BR><BR>kd><BR>810a6b38 810a6b88
ef05d910<BR><BR>kd><BR>810a6b88 810a6bd8
810a6b38<BR><BR>kd><BR>810a6bd8 810a6c28
810a6b88<BR><BR>kd><BR>810a6c28 eeffeb50
810a6bd8<BR><BR>kd><BR>eeffeb50 eeffebf0
810a6c28<BR><BR>kd><BR>eeffebf0 eeffeba0
eeffeb50<BR><BR>kd><BR>eeffeba0 eeffec40
eeffebf0<BR><BR>kd><BR>eeffec40 eeffec90
eeffeba0<BR><BR>kd><BR>eeffec90 80473378
eeffec40<BR><BR>kd><BR>80473378 8047f8d0 eeffec90<BR>// We see 80473378 again,
which means the list has wrapped around</P>
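<P>The walk above, done by hand with dd, as an added C example that is not part of the original article or of Windows: it models the _LIST_ENTRY ring headed by ExNPagedLookasideListHead with the link at +30 of each _NPAGED_LOOKASIDE_LIST, recovers the owning structure with the same "-30" step as "? 8047F8D0-30", and stops when the head address shows up again. It goes one step beyond the manual walk by checking Flink/Blink consistency at every hop and bounding the number of hops, so a cut or overwritten link is reported instead of followed forever. The structure layout, the head variable g_head, the three-entry ring and the made-up 'Demo' tag are constructed for the example; 'ObCi' and 'Usqm' are the tags seen in the dumps.</P>

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of the structures in the dumps above (not the real ntoskrnl
   definitions). Only the layout the walk needs is kept: Tag at +20 and the
   LIST_ENTRY link at +30 of _NPAGED_LOOKASIDE_LIST; the 32-bit function pointers
   at +28/+2c are kept as 4-byte fields so that offset +30 also holds on this host. */
typedef struct _LIST_ENTRY {
    struct _LIST_ENTRY *Flink;
    struct _LIST_ENTRY *Blink;
} LIST_ENTRY;

typedef struct _NPAGED_LOOKASIDE_LIST {
    uint8_t    Header[0x20];   /* +00 ListHead, Depth, counters (unused here) */
    uint32_t   Tag;            /* +20 e.g. 'ObCi' = 0x6943624f */
    uint32_t   Size;           /* +24 */
    uint32_t   Allocate;       /* +28 */
    uint32_t   Free;           /* +2c */
    LIST_ENTRY ListEntry;      /* +30 link into ExNPagedLookasideListHead */
} NPAGED_LOOKASIDE_LIST;

/* The kd step "? 8047F8D0-30": from a link address back to the owning structure. */
#define CONTAINING_RECORD(addr, type, field) \
    ((type *)((char *)(addr) - offsetof(type, field)))

static void InitializeListHead(LIST_ENTRY *Head) { Head->Flink = Head->Blink = Head; }

static void InsertTailList(LIST_ENTRY *Head, LIST_ENTRY *Entry) {
    Entry->Flink = Head;
    Entry->Blink = Head->Blink;
    Head->Blink->Flink = Entry;
    Head->Blink = Entry;
}

/* Walk Flink from Head until the head address shows up again (the "we see
   80473378 again" stop condition above). Each hop checks Flink->Blink == current,
   so a cut or overwritten link is reported rather than followed. Returns the
   number of lookaside lists on the ring, -1 on an inconsistent link, -2 if Head
   is not reached within max_steps. Tags are copied into tags_out when given. */
static int WalkLookasideRing(LIST_ENTRY *Head, int max_steps, uint32_t *tags_out, int ntags) {
    LIST_ENTRY *cur = Head->Flink;
    int n = 0;
    if (cur == NULL || cur->Blink != Head) return -1;
    while (cur != Head) {
        if (n >= max_steps) return -2;
        if (cur->Flink == NULL || cur->Flink->Blink != cur) return -1;
        NPAGED_LOOKASIDE_LIST *la = CONTAINING_RECORD(cur, NPAGED_LOOKASIDE_LIST, ListEntry);
        if (tags_out != NULL && n < ntags) tags_out[n] = la->Tag;
        n++;
        cur = cur->Flink;
    }
    return n;
}

static LIST_ENTRY g_head;                  /* stands in for ExNPagedLookasideListHead */
static NPAGED_LOOKASIDE_LIST g_lists[3];

/* Constructed ring of three lists ('ObCi' and 'Usqm' from the dumps, 'Demo' made
   up). With corrupt_blink set, one Blink is overwritten to show the consistency
   check firing. Returns the walk result; tags_out receives up to 3 tags. */
static int DemoRing(int corrupt_blink, int max_steps, uint32_t *tags_out) {
    static const uint32_t tags[3] = { 0x6943624f, 0x6d717355, 0x6f6d6544 };
    InitializeListHead(&g_head);
    for (int i = 0; i < 3; i++) {
        memset(&g_lists[i], 0, sizeof g_lists[i]);
        g_lists[i].Tag = tags[i];
        InsertTailList(&g_head, &g_lists[i].ListEntry);
    }
    if (corrupt_blink) g_lists[1].ListEntry.Blink = &g_head;  /* breaks list[0] -> list[1] */
    return WalkLookasideRing(&g_head, max_steps, tags_out, 3);
}

static uint32_t DemoFirstTag(void) {
    uint32_t tags[3] = { 0, 0, 0 };
    DemoRing(0, 100, tags);
    return tags[0];
}

int main(void) {
    uint32_t tags[3] = { 0, 0, 0 };
    int n = DemoRing(0, 100, tags);
    printf("ring holds %d lookaside lists:", n);
    for (int i = 0; i < n && i < 3; i++) printf(" %.4s", (const char *)&tags[i]);
    printf("\ncorrupted Blink -> %d, bound of 2 hops -> %d\n", DemoRing(1, 100, NULL), DemoRing(0, 2, NULL));
    return 0;
}
```

<P>On the constructed ring the walk reports three lists, then -1 once a Blink is overwritten and -2 when the hop bound is hit. The bound-and-check pattern is what any tool that walks kernel lists from a memory image needs: a ring that never returns to its head, or whose Blink pointers no longer match, otherwise hangs or misleads the walker.</P>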
<P><BR><B>Entries of a LookasideList</B></P>
<P> The entries of a LookasideList are chained together through the +00 struct _SINGLE_LIST_ENTRY
*Next link; a NULL Next marks the end of the chain.<BR>Below is an example using kd.</P>
<P>kd> !lookaside 810eae68<BR>!lookaside 810eae68<BR><BR>Lookaside "" @
810eae68 "Usqm"<BR>Type = 0021 PagedPool<BR>Current Depth = 4 Max Depth =
4<BR>Size = 48 Max Alloc = 192<BR>AllocateMisses = 922 FreeMisses =
918<BR>TotalAllocates = 56869 TotalFrees = 56869<BR>Hit Rate = 98% Hit
Rate = 98%<BR><BR>// 810eae68 is a PAGED_LOOKASIDE_LIST; the 4 bytes at +0
are the start of the chain<BR>kd> dd 810eae68+0 l 1<BR>dd 810eae68+0 l 1<BR>810eae68
e2f44428<BR><BR>// e2f44428 is a pointer to the Buf; the 4 bytes before it hold the Tag that tracks this Buf<BR>//
The first 4 bytes at the start of the Buf are used to form the chain<BR>kd> db e2f44428-4 l 4 ; dd e2f44428 l 1<BR>db
e2f44428-4 l 4 ; dd e2f44428 l 1<BR>e2f44424 55 73 71 6d Usqm<BR>e2f44428
e2fdc2a8<BR><BR>kd> db e2fdc2a8-4 l 4 ; dd e2fdc2a8 l 1<BR>db
e2fdc2a8-4 l 4 ; dd e2fdc2a8 l 1<BR>e2fdc2a4 55 73 71 6d Usqm<BR>e2fdc2a8
e13a2c68<BR><BR>kd> db e13a2c68-4 l 4 ; dd e13a2c68 l 1<BR>db
e13a2c68-4 l 4 ; dd e13a2c68 l 1<BR>e13a2c64 55 73 71 6d Usqm<BR>e13a2c68
e16d4f88<BR><BR>kd> db e16d4f88-4 l 4 ; dd e16d4f88 l 1<BR>db
e16d4f88-4 l 4 ; dd e16d4f88 l 1<BR>e16d4f84 55 73 71 6d Usqm<BR>e16d4f88
00000000<BR><BR>// We see that each entry's Tag is indeed Usqm. We also see 4 entries in total, which matches the count obtained from the PAGED_LOOKASIDE_LIST
structure.<BR>// The last entry being 0 marks the end of the list.</P>
<P><B>Allocation and Free on a LookasideList</B></P>
<P> Tracing ntoskrnl!ExFreeToPagedLookasideList shows that it compares ListHead.Depth (uint16) at +4 of the
LookasideList structure with Depth (uint16) at +8. If ListHead.Depth is less than Depth,
the freed entry is inserted at the head of the chain (the first 4 bytes of the freed entry are set to the old head, and the head is then set to the address of the freed entry); if it is greater than or equal, the free function at +2c is called with the address of the freed entry as its argument.</P>
<P> Tracing ntoskrnl!ExAllocateFromPagedLookasideList shows that it tests whether Next at the start of the
LookasideList structure is NULL. If it is NULL, the alloc function at +28 is called to allocate a block; if it is not NULL, that block is handed out.</P>
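<P>The allocate and free behaviour traced above, together with the Next-chain walk and tag check from the previous section, as an added C example that is neither the article's nor Windows' code: a user-mode model of the header fields in the order !strct printed them, a toy pool that stores the tag in the 4 bytes before each buffer (where "db e2f44428-4" found "Usqm"), push-on-free when ListHead.Depth is below Depth, pop-on-allocate when Next is non-NULL, and the same "Hit Rate" arithmetic that !lookaside prints. The pool header layout, the simplified Allocate/Free signatures, the pointer-sized link word (the "first 4 bytes" of a 32-bit build) and the six-buffer scenario are assumptions made for the example.</P>

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Constructed model of the lookaside header dumped by !strct above (not the real
   ntoskrnl definition). Field order follows the dump; the offsets in the comments
   are the 32-bit Win2k ones and are not reproduced on this host. */
typedef struct _GENERAL_LOOKASIDE {
    void     *Next;            /* +00 ListHead.Next: first free entry, NULL = chain end */
    uint16_t  ListDepth;       /* +04 ListHead.Depth: entries now on the chain */
    uint16_t  Depth;           /* +08 how many entries the chain may keep */
    uint32_t  TotalAllocates;  /* +0c */
    uint32_t  AllocateMisses;  /* +10 */
    uint32_t  TotalFrees;      /* +14 */
    uint32_t  FreeMisses;      /* +18 */
    uint32_t  Tag;             /* +20 */
    uint32_t  Size;            /* +24, must be at least sizeof(void *) for the link */
    void   *(*Allocate)(uint32_t size, uint32_t tag);  /* +28, simplified signature */
    void    (*Free)(void *buf);                        /* +2c, simplified signature */
} GENERAL_LOOKASIDE;

/* Toy pool: an 8-byte header precedes each buffer, its last 4 bytes holding the
   tag, so the tag is at buf-4 just as "db e2f44428-4" showed "Usqm". */
static void *PoolAllocate(uint32_t size, uint32_t tag) {
    uint8_t *p = calloc(1, 8 + size);
    if (p == NULL) return NULL;
    memcpy(p + 4, &tag, 4);
    return p + 8;
}
static void PoolFree(void *buf) { free((uint8_t *)buf - 8); }

/* ExAllocateFromPagedLookasideList as traced above: empty chain -> miss, call the
   allocator at +28; otherwise pop the head entry and hand it out. */
static void *ExAllocateFromLookaside(GENERAL_LOOKASIDE *L) {
    void *entry = L->Next;
    L->TotalAllocates++;
    if (entry == NULL) {
        L->AllocateMisses++;
        return L->Allocate(L->Size, L->Tag);
    }
    memcpy(&L->Next, entry, sizeof L->Next);  /* the entry's first word is the next link */
    L->ListDepth--;
    return entry;
}

/* ExFreeToPagedLookasideList as traced above: if ListHead.Depth < Depth, push the
   entry on the head (old head into the entry, head -> entry); otherwise count a
   free miss and hand it to the Free routine at +2c. */
static void ExFreeToLookaside(GENERAL_LOOKASIDE *L, void *entry) {
    L->TotalFrees++;
    if (L->ListDepth < L->Depth) {
        memcpy(entry, &L->Next, sizeof L->Next);
        L->Next = entry;
        L->ListDepth++;
    } else {
        L->FreeMisses++;
        L->Free(entry);
    }
}

/* The kd walk above in code: follow Next, checking the tag before each buffer.
   Returns the count, -1 on a tag mismatch, -2 if the chain does not end within
   max_steps (a corrupted link would otherwise loop forever). */
static int WalkLookasideEntries(const GENERAL_LOOKASIDE *L, int max_steps) {
    const void *cur = L->Next;
    uint32_t tag;
    int n = 0;
    while (cur != NULL) {
        if (n >= max_steps) return -2;
        memcpy(&tag, (const uint8_t *)cur - 4, 4);
        if (tag != L->Tag) return -1;
        memcpy(&cur, cur, sizeof cur);
        n++;
    }
    return n;
}

/* "Hit Rate" as !lookaside prints it: the non-miss share of the total, in percent. */
static int HitRatePercent(uint32_t total, uint32_t misses) {
    return total == 0 ? 0 : (int)((100ULL * (total - misses)) / total);
}

/* Constructed scenario shaped like the "Usqm" list: Depth 4, six buffers allocated
   then freed, so the last two frees miss. Returns the walk count. */
static GENERAL_LOOKASIDE g_demo;
static int DemoScenario(void) {
    void *bufs[6];
    g_demo = (GENERAL_LOOKASIDE){ .Depth = 4, .Tag = 0x6d717355 /* 'Usqm' little-endian */,
                                  .Size = 48, .Allocate = PoolAllocate, .Free = PoolFree };
    for (int i = 0; i < 6; i++) bufs[i] = ExAllocateFromLookaside(&g_demo);
    for (int i = 0; i < 6; i++) ExFreeToLookaside(&g_demo, bufs[i]);
    return WalkLookasideEntries(&g_demo, 64);
}
/* Pop and release everything left on the chain. */
static void DemoTeardown(void) {
    while (g_demo.Next != NULL) PoolFree(ExAllocateFromLookaside(&g_demo));
}

int main(void) {
    int n = DemoScenario();
    printf("walked %d entries, Current Depth = %u, Hit Rate = %d%% / %d%%\n", n,
           (unsigned)g_demo.ListDepth, HitRatePercent(g_demo.TotalAllocates, g_demo.AllocateMisses),
           HitRatePercent(g_demo.TotalFrees, g_demo.FreeMisses));
    DemoTeardown();
    return 0;
}
```

<P>The scenario reproduces the counter relationships the !lookaside dumps show: AllocateMisses equals TotalAllocates while the chain is cold, FreeMisses starts counting only once ListHead.Depth reaches Depth, and "Hit Rate" is (total - misses) / total, which gives 67% for the ObCi list's 73 allocates and 24 misses. The tag check in the walk is the cheap integrity test: a buffer whose tag does not match the list's own Tag has been overwritten or does not belong on that chain.</P>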
<P>Comments are welcome, and so are new friends;<BR>please visit <A
href="http://jiurl.yeah.net/">http://jiurl.yeah.net/</A> <A
href="http://jiurl.cosoft.org.cn/forum">http://jiurl.cosoft.org.cn/forum</A></P>
<P> </P></TD></TR></TBODY></TABLE></DIV></BODY></HTML>