墙外通道:http://fivelinesofcode.blogspot.com/2014/03/how-to-translate-virtual-to-physical.html

I currently work on a project where I need to make translations for virtual addresses of user-level application to physical addresses in Linux. I implemented my own system call to do that, but had hard times with verifying the results I'm getting.

Later I found out that in newer kernels there is a really nice virtual file in the /proc file system to get this information. I tried to cat it, doing cat /proc/self/pagemap, and got terrible binary output in my console.

So, it looks like working with this file is not such a pleasant experience. It's a binary file with all that it implies. I found couple of scripts that access this file and provide you with a nice text result, but unfortunately those were written in perl and ruby, and I needed to run it on very minimalistic embedded system. I needed something that fits into a single binary.

Long story short, I decided to bite the bullet and write a tool in C. My contribution might be helpful for someone, that's why I'm sharing this code.

#include <stdio.h>

#include <stdlib.h>

#include <unistd.h>

#include <assert.h>

#include <errno.h>

#include <stdint.h>

#define PAGEMAP_ENTRY 8

#define GET_BIT(X,Y) (X & ((uint64_t)1<<Y)) >> Y

#define GET_PFN(X) X & 0x7FFFFFFFFFFFFF

const int __endian_bit = ;

#define is_bigendian() ( (*(char*)&__endian_bit) == 0 )

int i, c, pid, status;

unsigned long virt_addr;

uint64_t read_val, file_offset;

char path_buf [0x100] = {};

FILE * f;

char *end;

int read_pagemap(char * path_buf, unsigned long virt_addr);

int main(int argc, char ** argv){

   //printf("%lu\n", GET_BIT(0xA680000000000000, 63));

   //return 0;

   if(argc!=){

      printf("Argument number is not correct!\n pagemap PID VIRTUAL_ADDRESS\n");

      return -;

   }

   if(!memcmp(argv[],"self",sizeof("self"))){

      sprintf(path_buf, "/proc/self/pagemap");

      pid = -;

   }

   else{

         pid = strtol(argv[],&end, );

         if (end == argv[] || *end != '\0' || pid<=){

            printf("PID must be a positive number or 'self'\n");

            return -;

            }

       }

   virt_addr = strtol(argv[], NULL, );

   if(pid!=-)

      sprintf(path_buf, "/proc/%u/pagemap", pid);

   read_pagemap(path_buf, virt_addr);

   return ;

}

int read_pagemap(char * path_buf, unsigned long virt_addr){

   printf("Big endian? %d\n", is_bigendian());

   f = fopen(path_buf, "rb");

   if(!f){

      printf("Error! Cannot open %s\n", path_buf);

      return -;

   }

   //Shifting by virt-addr-offset number of bytes

   //and multiplying by the size of an address (the size of an entry in pagemap file)

   file_offset = virt_addr / getpagesize() * PAGEMAP_ENTRY;

   printf("Vaddr: 0x%lx, Page_size: %d, Entry_size: %d\n", virt_addr, getpagesize(), PAGEMAP_ENTRY);

   printf("Reading %s at 0x%llx\n", path_buf, (unsigned long long) file_offset);

   status = fseek(f, file_offset, SEEK_SET);

   if(status){

      perror("Failed to do fseek!");

      return -;

   }

   errno = ;

   read_val = ;

   unsigned char c_buf[PAGEMAP_ENTRY];

   for(i=; i < PAGEMAP_ENTRY; i++){

      c = getc(f);

      if(c==EOF){

         printf("\nReached end of the file\n");

         return ;

      }

      if(is_bigendian())

           c_buf[i] = c;

      else

           c_buf[PAGEMAP_ENTRY - i - ] = c;

      printf("[%d]0x%x ", i, c);

   }

   for(i=; i < PAGEMAP_ENTRY; i++){

      //printf("%d ",c_buf[i]);

      read_val = (read_val << ) + c_buf[i];

   }

   printf("\n");

   printf("Result: 0x%llx\n", (unsigned long long) read_val);

   //if(GET_BIT(read_val, 63))

   if(GET_BIT(read_val, ))

      printf("PFN: 0x%llx\n",(unsigned long long) GET_PFN(read_val));

   else

      printf("Page not present\n");

   if(GET_BIT(read_val, ))

      printf("Page swapped\n");

   fclose(f);

   return ;

}

And now how you use it. It's very simple. Of course you need to compile it. Then you need to find out what mapping your target process does have. You can do that by reading /proc/pid/maps file. Fortunately that file is human readable.
When you know a valid virtual address, you can pass it to our tool to get actual value from pagemap, including physical frame number. Here is an example:

$ #let's find get virtual address of a page

$ cat /proc/self/maps

-0040b000 r-xp  :                             /bin/cat

0060a000-0060b000 r--p 0000a000 :                             /bin/cat

0060b000-0060c000 rw-p 0000b000 :                             /bin/cat

0223a000-0225b000 rw-p  :                                   [heap]

7fe7e15e1000-7fe7e1cc3000 r--p  :                     /usr/lib/locale/locale-archive

7fe7e1cc3000-7fe7e1e80000 r-xp  :                      /lib/x86_64-linux-gnu/libc-2.17.so

7fe7e1e80000-7fe7e2080000 ---p 001bd000 :                      /lib/x86_64-linux-gnu/libc-2.17.so

7fe7e2080000-7fe7e2084000 r--p 001bd000 :                      /lib/x86_64-linux-gnu/libc-2.17.so

7fe7e2084000-7fe7e2086000 rw-p 001c1000 :                      /lib/x86_64-linux-gnu/libc-2.17.so

7fe7e2086000-7fe7e208b000 rw-p  :

7fe7e208b000-7fe7e20ae000 r-xp  :                      /lib/x86_64-linux-gnu/ld-2.17.so

7fe7e228d000-7fe7e2290000 rw-p  :

7fe7e22ab000-7fe7e22ad000 rw-p  :

7fe7e22ad000-7fe7e22ae000 r--p  :                      /lib/x86_64-linux-gnu/ld-2.17.so

7fe7e22ae000-7fe7e22b0000 rw-p  :                      /lib/x86_64-linux-gnu/ld-2.17.so

7fffce6b6000-7fffce6d7000 rw-p  :                           [stack]

7fffce722000-7fffce724000 r-xp  :                           [vdso]

ffffffffff600000-ffffffffff601000 r-xp  :                   [vsyscall]

$ #don't forget alsr, normally only /bin/cat will remain same

$ #so let's pick 0x00400000. Now we run our program.

$ #First argument is pid, "self" is a legal option too, the second is virtual address

$ ./pagemap self 0x00400000

Reading /proc/self/pagemap at 0x2000

Result: 0a60000000008c445

We got  0x0a60000000008c445 as a result. There are some bits showing that the page is valid, along with the size of the page. You can reed more in Linux documentation: https://www.kernel.org/doc/Documentation/vm/pagemap.txt. Basically, the physical page number is 0x8c445.

Note, that in different kernel versions bits 56-60 have different meaning. In most current versions, they are forced to zero, however in kernel version 3.11.0 they represent page size.

How to translate virtual to physical addresses through /proc/pid/pagemap的更多相关文章

  1. PatentTips - Maintaining shadow page tables in a sequestered memory region

    BACKGROUND Malicious code, known as malware, which includes viruses, worms, adware, etc., may attack ...

  2. ARM linux内核启动时几个关键地址【转】

    转自:http://www.cnblogs.com/armlinux/archive/2011/11/06/2396787.html 1.       内核启动地址1.1.   名词解释ZTEXTAD ...

  3. 利用/proc/pid/pagemap将虚拟地址转换为物理地址

    内核文档: Documentation/vm/pagemap.txt pagemap is a new (as of 2.6.25) set of interfaces in the kernel t ...

  4. linux kernel内存映射实例分析

    作者:JHJ(jianghuijun211@gmail.com)日期:2012/08/24 欢迎转载,请注明出处 引子 现在android智能手机市场异常火热,硬件升级非常迅猛,arm cortex ...

  5. EGLImage与纹理

    http://blog.csdn.net/sunnytina/article/details/51895406 Android使用Direct Textures提高glReadPixels.glTex ...

  6. pagemap, from the userspace perspective

    pagemap, from the userspace perspective --------------------------------------- pagemap is a new (as ...

  7. stuff in /proc/PID/

    Table of Contents 1. /proc/PID/cwd 2. /proc/PID/clear_refs 3. /proc/PID/coredump_filter 4. /proc/PID ...

  8. Linux下如何在进程中获取虚拟地址对应的物理地址【转】

    转自:http://blog.csdn.net/kongkongkkk/article/details/74366200 如果让你编写一个程序,来获取虚拟地址对应的物理地址..你会试着操作MMU吗.. ...

  9. intel:spectre&Meltdown侧信道攻击(四)—— cache mapping

    前面简单介绍了row hammer攻击的原理和方法,为了更好理解这种底层硬件类攻击,今天介绍一下cpu的cache mapping: 众所周知,cpu从内存读数据,最开始用的是虚拟地址,需要通过分页机 ...

随机推荐

  1. flask 未完待续

    Flask - 一个短小精悍.可扩展的一个Web框架很多可用的第三方组件:http://flask.pocoo.org/extensions/blogs:https://www.cnblogs.com ...

  2. hibernate save数据的时候报错:ids for this class must be manually assigned before calling save()

    这个错误是因为eclipse  这种jpatools 自动生成的实体类内没把id 设置为自增,还有id的值在生成的时候默认为string 即使加上了也所以无法自增 ,所以还需要把string 换成In ...

  3. c#关于Mysql MySqlBulkLoader 批量上传

    有个list表有几万数据 用insert插入,速度跟蜗牛爬行, 几十个表,传起来可就需要时间了. 搜搜,发现有  MySqlBulkLoader  这个人家mysql 的dll 里边已经提供了这个方法 ...

  4. 巧克力分配问题——C语言

    某品牌巧克力使用500克原料可制作55小块巧克力,请编程实现:输入原料重量(以千克为单位),计算出制作巧克力的块数(四舍五入).然后对这些巧克力进行分包,小盒放11块,大盒放24块,问各分装多少大盒多 ...

  5. MySQL优化(二) 优化诀窍

    一.索引的使用 (1)查询要使用索引最重要的条件是查询条件中的字段建立了索引: (2)下列几种情况可能使用到索引: <1> 对于创建的多列索引,只要查询条件使用了最坐边的列,索引一般就会被 ...

  6. Luogu3587[POI2015]POD - hash + 单调队列

    Solution 还是去看了题解. 感谢大佬的博客→  题解传送门 是一道思路比较新的题. 搞一个前缀和, 记录前 $i$ 个位置每种颜色的出现次数, 如果位置 $i$ 是 颜色 $a[i]$ 的最后 ...

  7. shell启动执行cypher语句

    1.跳转到目录:cd /data/soft/neo4j-community-not/ 2.修改配置文件:nano ./conf/neo4j.conf: 3. 登录:bin/cypher-shell - ...

  8. x64 assembler fun-facts(转载)

    原文地址 While implementing the x64 built-in assembler for Delphi 64bit, I got to “know” the AMD64/EM64T ...

  9. winSCP无法连接虚拟机Linux解决

    刚在虚拟机上装上Linux(Centos7)后使用winSCP建立文件共享发现连接超时,经过几个小时的查找发现Linux中没有eth0文件,这说明其网卡名不是eth0,在网上查过一些解决办法有的通过修 ...

  10. MySQL—函数大全

    一.数学函数: #ABS 绝对值函数 ) ; #BIN 返回二进制,OCT()八进制,hex十六进制 ); #ceiling 天花板整数,也就是大于x的整数 select CEILING(-13.5) ...