How does the translation from virtual to physical address work for kernel space virtual addresses (VA > 0xFFFF000000000000) on Windows x64?

I know how it works for user space virtual addresses: the VA is made of multiple indexes in multiple tables, the first one (PML4) being located at the physical address stored in the CR3 register (and the process DirectoryTableBase aka "DirBase" in WinDbg). I guess this is similar for kernel space VA, but where is the PML4 table for them then?

My goal is to parse kernel crash dumps without relying on DbgEng/WinDbg API. I'm already able to tell where each memory page is located in the file, but most fields in the dump file are expressed in kernel space VA. The DirectoryTableBase field in that file header is related to the user space process which triggered the crash, so it does not help.

Tey'
  • "Without DbgEng API" - why? – Thomas Weller Mar 05 '18 at 08:04
  • @ThomasWeller For performance, curiosity and portability. In particular, using SearchVirtual() is slower than searching in the dump file and translating file offsets to physical/virtual addresses. – Tey' Mar 05 '18 at 09:24

1 Answer

Answering my own question: the PML4 table for each (user space) process does contain the mapping of kernel space VA. This is pretty counter-intuitive as it means the OS has to update the PML4 table of each process when it adds or removes high level VA ranges.

On a side note, if you intend to implement VA to PA translation on your own, take into account that the size of virtual pages on x64 can be 4 KB, 2 MB or 1 GB. I forgot about it, and that's why I was stuck and asked this question -_-

Tey'
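An added worked example (not code from the question or answer above) of the walk the answer describes: a 4-level x64 page-table translator that handles 4 KB, 2 MB and 1 GB pages and rejects non-canonical addresses, run against a constructed in-memory stand-in for the physical pages of a dump. The sample image gives two processes their own user-half PML4 entries but the same kernel-half PML4 entry, so a kernel VA translates identically under either process' DirBase; all page-frame addresses and indexes are made up for the illustration.

```python
import struct

PAGE, PRESENT, PS = 0x1000, 1 << 0, 1 << 7
PFN_MASK = 0x000FFFFFFFFFF000           # bits 12..51: next table / page base

class PhysMem:
    """Constructed stand-in for the physical pages recovered from a dump."""
    def __init__(self):
        self.pages = {}
    def write_u64(self, pa, value):
        page = self.pages.setdefault(pa & ~0xFFF, bytearray(PAGE))
        struct.pack_into("<Q", page, pa & 0xFFF, value)
    def read_u64(self, pa):
        page = self.pages.get(pa & ~0xFFF)
        if page is None:
            raise KeyError(f"physical page {pa & ~0xFFF:#x} is not in the dump")
        return struct.unpack_from("<Q", page, pa & 0xFFF)[0]

def translate(mem, cr3, va):
    """Walk PML4 -> PDPT -> PD -> PT for a 48-bit canonical VA.
    Returns the PA, or None when an entry on the path is not present."""
    if 0x0000800000000000 <= va < 0xFFFF800000000000:
        raise ValueError(f"{va:#x} is not canonical")
    table = cr3 & PFN_MASK
    for level, shift in enumerate((39, 30, 21, 12)):
        entry = mem.read_u64(table + ((va >> shift) & 0x1FF) * 8)
        if not entry & PRESENT:
            return None
        if level in (1, 2) and entry & PS:  # PS in a PDPTE: 1 GB page; in a PDE: 2 MB page
            size = 1 << shift
            return (entry & PFN_MASK & ~(size - 1)) | (va & (size - 1))
        table = entry & PFN_MASK
    return table | (va & 0xFFF)            # 4 KB page: the PTE gives the frame

def build_sample():
    """Two processes with different user halves but one shared kernel PDPT."""
    mem = PhysMem()
    cr3_a, cr3_b, kpdpt, kpd = 0x1000, 0x2000, 0x3000, 0x4000
    for cr3 in (cr3_a, cr3_b):              # same PML4[0x1FF] in both processes
        mem.write_u64(cr3 + 0x1FF * 8, kpdpt | PRESENT)
    mem.write_u64(kpdpt + 0x1FE * 8, kpd | PRESENT)
    mem.write_u64(kpd, 0x40000000 | PS | PRESENT)               # 2 MB kernel page
    mem.write_u64(kpdpt + 0x1FF * 8, 0x80000000 | PS | PRESENT)  # 1 GB kernel page
    pdpt_a, pd_a, pt_a = 0x5000, 0x6000, 0x7000                 # user half of A only
    mem.write_u64(cr3_a, pdpt_a | PRESENT)
    mem.write_u64(pdpt_a, pd_a | PRESENT)
    mem.write_u64(pd_a, pt_a | PRESENT)
    mem.write_u64(pt_a + 0x10 * 8, 0x9000 | PRESENT)           # 4 KB user page
    return mem, cr3_a, cr3_b
```

With the sample image, the kernel VA 0xFFFFFFFF80001234 resolves to the same physical address under both DirBase values, while the user VA 0x10ABC resolves only under process A.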