May 17, 2011, 5:17 a.m.
posted by odin
As you'll remember from the section on shared memory earlier in the chapter, the section object, which the Win32 subsystem calls a file mapping object, represents a block of memory that two or more processes can share. A section object can be mapped to the paging file or to another file on disk.
The executive uses sections to load executable images into memory, and the cache manager uses them to access data in a cached file. (See Chapter 11 for more information on how the cache manager uses section objects.) You can also use section objects to map a file into a process address space. The file can then be accessed as a large array by mapping different views of the section object and reading or writing to memory rather than to the file (an activity called mapped file I/O). When the program accesses an invalid page (one not in physical memory), a page fault occurs and the memory manager automatically brings the page into memory from the mapped file. If the application modifies the page, the memory manager writes the changes back to the file during its normal paging operations (or the application can flush a view by using the Win32 FlushViewOfFile function).
Section objects, like other objects, are allocated and deallocated by the object manager. The object manager creates and initializes an object header, which it uses to manage the objects; the memory manager defines the body of the section object. The memory manager also implements services that user-mode threads can call to retrieve and change the attributes stored in the body of section objects. The structure of a section object is shown in Figure.
Figure A section object
Figure summarizes the unique attributes stored in section objects.
Figure Section Object Body Attributes
|Maximum size||The largest size to which the section can grow in bytes; if mapping a file, the maximum size is the size of the file.|
|Page protection||Page-based memory protection assigned to all pages in the section when it is created.|
|Paging file/Mapped file||Indicates whether the section is created empty (backed by the paging file—as explained earlier, page file backed sections use page-file resources only when the pages need to be written out to disk) or loaded with a file (backed by the mapped file).|
|Based/Not based||Indicates whether a section is a based section, which must appear at the same virtual address for all processes sharing it, or a nonbased section, which can appear at different virtual addresses for different processes.|
Viewing Section Objects
With the Object Viewer (\Sysint\Winobj from the book's companion CD or Winobj.exe in the Platform SDK), you can see the list of sections that have global names. As explained in Chapter 3, these names are stored in the object manager directory \BaseNamedObjects.
With the Windows 2000 resource kit OH (Open Handles) tool, you can list the open handles to section objects. The following command displays all open handles to objects of type section, whether or not they have names. (A section must have a name only if other processes need to open it by name.)
c:\> oh -t section -a 00000008 System Section 0070 0000008C smss.exe Section 0004 000000A4 csrss.exe Section 0004 000000A4 csrss.exe Section 0024 000000A4 csrss.exe Section 0038 000000A4 csrss.exe Section 0040 \NLS\NlsSectionUnicode 000000A4 csrss.exe Section 0044 \NLS\NlsSectionLocale 000000A4 csrss.exe Section 0048 \NLS\NlsSectionCType 000000A4 csrss.exe Section 004c \NLS\NlsSectionSortkey 000000A4 csrss.exe Section 0050 \NLS\NlsSectionSortTbls 000000A0 winlogon.exe Section 0004 000000A0 winlogon.exe Section 0034 000000A0 winlogon.exe Section 0168 \BaseNamedObjects\mmGlobalPnpInfo
You can also use HandleEx (\Sysint\Handleex on the companion CD) to view mapped files. Select View DLLs from the View menu. Files marked with an asterisk in the MM column are mapped files (rather than DLLs and other files the image loader loads as modules). Here's an example:
The data structures maintained by the memory manager that describe mapped sections are shown in Figure. These structures ensure that data read from mapped files is consistent, regardless of the type of access (open file, mapped file, and so on).
Figure Internal section structures
For each open file (represented by a file object), there is a single section object pointers structure. (This structure is also discussed in Chapter 11.) This structure is the key to maintaining data consistency for all types of file access as well as to providing caching for files. The section object pointers structure points to one or two control areas. One control area is used to map the file when it is accessed as a data file, and one is used to map the file when it is run as an executable image.
A control area in turn points to subsection structures that describe the mapping information for each section of the file (read-only, read-write, copy-on-write, and so on). The control area also points to a segment structure allocated in paged pool, which in turn points to the prototype PTEs used to map to the actual pages mapped by the section object. As described earlier in the chapter, process page tables point to these prototype PTEs, which in turn map the pages being referenced.
Although Windows 2000 ensures that any process that accesses (reads or writes) a file will always see the same, consistent data, there is one case in which two copies of pages of a file can reside in physical memory (but even in this case, all accessors get the latest copy and data consistency is maintained). This duplication can happen when an image file has been accessed as a data file (having been read or written) and then run as an executable image (for example, when an image is linked and then run—the linker had the file open for data access, and then when the image was run, the image loader mapped it as an executable). Internally, the following actions occur:
- When the image file is created, a data control area is created to represent the data pages in the image file being read or written.
- When the image is run and the section object is created to map the image as an executable, the memory manager finds that the section object pointers for the image file point to a data control area and flushes the section. This step is necessary to ensure that any modified pages have been written to disk before accessing the image through the image control area.
- The memory manager then creates a control area for the image file.
- As the image begins execution, its (read-only) pages are faulted in from the image file.
Because the pages mapped by the data control area might still be resident (on the standby list), this is the one case in which two copies of the same data are in two different pages in memory. However, this duplication doesn't result in a data consistency issue because, as mentioned, the data control area has already been flushed to disk, so the pages read from the image are up to date.
Viewing Control Areas
To find the address of the control area structures for a file, you must first get the address of the file object in question. You can obtain this address through the kernel debugger by dumping the process handle table with the !handle command and noting the object address of a file object. Although the kernel debugger !file command displays the basic information in a file object, it doesn't display the pointer to the section object pointers structure. However, because file objects are defined in the public DDK header file Ntddk.h, you can look up the offset (0x14 in Windows 2000). So, simply examine the pointer at offset 0x14 into the file object, and you'll have the section object pointers structure. That structure is also defined in Ntddk.h. It consists of three 32-bit pointers: a pointer to the data control area, a pointer to the shared cache map (explained in Chapter 11), and a pointer to the image control area. From the section object pointers structure, you can obtain the address of a control area for the file (if one exists) and feed that address into the !ca command.
Another technique is to display the list of all control areas with the !memusage command. The following excerpt is from the output of this command:
kd> !memusage loading PFN database loading (99% complete) Zeroed: 9 ( 36 kb) Free: 0 ( 0 kb) Standby: 2103 ( 8412 kb) Modified: 300 ( 1200 kb) ModifiedNoWrite: 1 ( 4 kb) Active/Valid: 30318 (121272 kb) Transition: 3 ( 12 kb) Unknown: 0 ( 0 kb) TOTAL: 32734 (130936 kb) Building kernel map Finished building kernel map Usage Summary (in Kb): Control Valid Standby Dirty Shared Locked PageTables name 8119b608 3000 528 0 0 0 0 mapped_file( WINWORD.EXE ) 849e7c68 96 0 0 0 0 0 No Name for File 8109c388 24 0 0 0 0 0 mapped_file( DEVDTG.PKG ) 81402488 236 0 0 0 0 0 No Name for File 80fba0a8 268 0 0 0 0 0 mapped_file( kernel32.pdb ) 810ab168 1504 380 0 0 0 0 mapped_file( OUTLLIB.DLL ) 81126a08 0 276 0 0 0 0 mapped_file( H ) 81112d28 656 0 0 0 0 0 No Name for File
The Control column points to the control area structure that describes the mapped file. You can display control areas, segments, and subsections with the kernel debugger !ca command. For example, to dump the control area for the mapped file Winword.exe in this example, type the !ca command followed by the Control number, as shown here:
kd> !ca 8119b608 ControlArea @8119b608 Segment: e2c28000 Flink 0 Blink: 0 Section Ref 1 Pfn Ref 372 Mapped Views: 1 User Ref 2 Subsections 6 Flush Count: 0 File Object 8213fb98 ModWriteCount 0 System Views: 0 WaitForDel 0 Paged Usage 3000 NonPaged Usage 100 Flags (90000a0) Image File HadUserReference Accessed File: \Program Files\Microsoft Office\Office\WINWORD.EXE Segment @ e2c28000: Base address 0 Total Ptes 86a NonExtendPtes: 86a Image commit d7 ControlArea 8119b608 SizeOfSegment: 86a000 Image Base 0 Committed 0 PTE Template: 919b6c38 Based Addr 30000000 ProtoPtes e2c28038 Image Info: e2c2a1e4 Subsection 1. @ 8119b640 ControlArea: 8119b608 Starting Sector 0 Number Of Sectors 8 Base Pte e2c28038 Ptes In subsect 1 Unused Ptes 0 Flags 15 Sector Offset 0 Protection 1 ReadOnly CopyOnWrite Subsection 2. @ 8119b660 ControlArea: 8119b608 Starting Sector 10 Number Of Sectors 3c00 Base Pte e2c2803c Ptes In subsect 780 Unused Ptes 0 Flags 35 Sector Offset 0 Protection 3 ReadOnly CopyOnWrite Subsection 3. @ 8119b680 ControlArea: 8119b608 Starting Sector 3C10 Number Of Sectors 5d8 Base Pte e2c29e3c Ptes In subsect c1 Unused Ptes 0 Flags 55 Sector Offset 0 Protection 5 ReadOnly CopyOnWrite Subsection 4. @ 8119b6a0 ControlArea: 8119b608 Starting Sector 41E8 Number Of Sectors a8 Base Pte e2c2a140 Ptes In subsect 15 Unused Ptes 0 Flags 55 Sector Offset 0 Protection 5 ReadOnly CopyOnWrite Subsection 5. @ 8119b6c0 ControlArea: 8119b608 Starting Sector 0 Number Of Sectors 0 Base Pte e2c2a194 Ptes In subsect 1 Unused Ptes 0 Flags 55 Sector Offset 0 Protection 5 ReadOnly CopyOnWrite Subsection 6. @ 8119b6e0 ControlArea: 8119b608 Starting Sector 4290 Number Of Sectors 90 Base Pte e2c2a198 Ptes In subsect 12 Unused Ptes 0 Flags 15 Sector Offset 0 Protection 1 ReadOnly CopyOnWrite