【问题讨论】:
真的不是硬调试RAMMap[64].exe,看看它是如何得到这个结果的。注意 - 这里所有使用的结构和 api 类都没有记录。就这样。 processhacker 项目中声明的所有数据类型。我将按原样使用它:#include <phnt.h>
同样在ntmmapi.h我们可以查看下一个常量:
#define MMPFNUSE_PROCESSPRIVATE 0
#define MMPFNUSE_FILE 1
#define MMPFNUSE_PAGEFILEMAPPED 2
#define MMPFNUSE_PAGETABLE 3
#define MMPFNUSE_PAGEDPOOL 4
#define MMPFNUSE_NONPAGEDPOOL 5
#define MMPFNUSE_SYSTEMPTE 6
#define MMPFNUSE_SESSIONPRIVATE 7
#define MMPFNUSE_METAFILE 8
#define MMPFNUSE_AWEPAGE 9
#define MMPFNUSE_DRIVERLOCKPAGE 10
#define MMPFNUSE_KERNELSTACK 11
如果将其与屏幕截图进行比较 - 可见匹配。
工具首先通过 (SystemSuperfetchInformation, SuperfetchMemoryRangesQuery) 查询物理内存范围(显示在 5 个选项卡中),然后对每个页面(范围)查询 SuperfetchPfnQuery。
最少的代码如下所示:
NTSTATUS Rammap(PF_PHYSICAL_MEMORY_RANGE_INFO* ppmri, ULONGLONG Use[16], DWORD dwPageSize)
{
if (ULONG RangeCount = ppmri->RangeCount)
{
WCHAR kb[64];
ULONG_PTR TotalSize = 0;
PF_PHYSICAL_MEMORY_RANGE* Range = ppmri->Ranges;
PF_PFN_PRIO_REQUEST pprr = {
PF_PFN_PRIO_REQUEST_VERSION
};
SUPERFETCH_INFORMATION spi = {
SUPERFETCH_INFORMATION_VERSION, SUPERFETCH_INFORMATION_MAGIC, SuperfetchPfnQuery, &pprr, sizeof(pprr)
};
do
{
if (ULONG_PTR PageCount = Range->PageCount)
{
ULONG_PTR PfnCount;
ULONG_PTR BasePfn = Range->BasePfn;
ULONG_PTR
Start = BasePfn * dwPageSize,
Size = PageCount * dwPageSize,
End = Start + Size;
TotalSize += Size;
StrFormatKBSize(Size, kb, RTL_NUMBER_OF(kb));
DbgPrint("0x%016I64x\t0x%016I64x\t%S\n", Start, End, kb);
do
{
pprr.PfnCount = PfnCount = min(PageCount, RTL_NUMBER_OF(pprr.PageData));
MMPFN_IDENTITY* PageData = pprr.PageData;
do
{
PageData++->PageFrameIndex = BasePfn++;
} while (--PfnCount);
ULONG cb;
NTSTATUS status = NtQuerySystemInformation(SystemSuperfetchInformation, &spi, sizeof(spi), &cb);
if (0 <= status)
{
PageData = pprr.PageData;
PfnCount = pprr.PfnCount;
do
{
Use[PageData++->u1.e1.UseDescription]++;
} while (--PfnCount);
}
else
{
return status;
}
} while (PageCount -= pprr.PfnCount);
}
} while (Range++, --RangeCount);
StrFormatKBSize(TotalSize, kb, RTL_NUMBER_OF(kb));
DbgPrint("-------------\nTotalSize: %S\n", kb);
}
return STATUS_SUCCESS;
}
NTSTATUS Rammap(ULONGLONG Use[16], DWORD dwPageSize)
{
BOOLEAN b;
NTSTATUS status = RtlAdjustPrivilege(SE_PROF_SINGLE_PROCESS_PRIVILEGE, TRUE, FALSE, &b);
if (0 <= status)
{
SUPERFETCH_INFORMATION spi = {
SUPERFETCH_INFORMATION_VERSION, SUPERFETCH_INFORMATION_MAGIC, SuperfetchMemoryRangesQuery
};
ULONG rcb = sizeof(PF_PHYSICAL_MEMORY_RANGE_INFO);
static volatile UCHAR guz = 0;
PVOID stack = alloca(guz);
PF_PHYSICAL_MEMORY_RANGE_INFO* ppmri = 0;
do
{
if (spi.Length < rcb)
{
spi.Length = RtlPointerToOffset(spi.Data = alloca(rcb - spi.Length), stack);
ppmri = (PF_PHYSICAL_MEMORY_RANGE_INFO*)spi.Data;
ppmri->Version = PF_PHYSICAL_MEMORY_RANGE_INFO_VERSION;
}
if (0 <= (status = NtQuerySystemInformation(SystemSuperfetchInformation, &spi, sizeof(spi), &rcb)))
{
status = Rammap(ppmri, Use, dwPageSize);
break;
}
} while (status == STATUS_BUFFER_TOO_SMALL);
}
return status;
}
void Rammap()
{
SYSTEM_INFO sbi;
GetSystemInfo(&sbi);
ULONGLONG Use[16]={};
if (0 <= Rammap(Use, sbi.dwPageSize))
{
WCHAR sz[16], kb[32];
PCWSTR Name;
ULONG n = MMPFNUSE_KERNELSTACK;
do
{
ULONGLONG u = Use[n];
switch (n)
{
case MMPFNUSE_PROCESSPRIVATE: Name = L"Process Private";
break;
case MMPFNUSE_FILE: Name = L"Mapped File";
break;
case MMPFNUSE_PAGEFILEMAPPED: Name = L"Shareable";
break;
case MMPFNUSE_PAGETABLE: Name = L"Page Tabe";
break;
case MMPFNUSE_PAGEDPOOL: Name = L"Page Pool";
break;
case MMPFNUSE_NONPAGEDPOOL: Name = L"NonPaged Pool";
break;
case MMPFNUSE_SYSTEMPTE: Name = L"System PTE";
break;
case MMPFNUSE_SESSIONPRIVATE: Name = L"Session Private";
break;
case MMPFNUSE_METAFILE: Name = L"Metafile";
break;
case MMPFNUSE_AWEPAGE: Name = L"AWE";
break;
case MMPFNUSE_DRIVERLOCKPAGE: Name = L"DriverLocked";
break;
case MMPFNUSE_KERNELSTACK: Name = L"KernelStack";
break;
default:
swprintf(sz, L"[%x]", n);
Name = sz;
}
StrFormatKBSize(u * sbi.dwPageSize, kb, RTL_NUMBER_OF(kb));
DbgPrint("%16S %S\n", Name, kb);
} while (n--);
}
}
对于我自己的系统
0x0000000000001000 0x0000000000058000 348 KB
0x0000000000059000 0x000000000009f000 280 KB
0x0000000000100000 0x000000008122c000 2,114,736 KB
0x000000008122e000 0x000000008a2d1000 148,108 KB
0x000000008a60a000 0x000000008a772000 1,440 KB
0x000000008b3ff000 0x000000008b400000 4 KB
0x0000000100000000 0x000000046f000000 14,401,536 KB
-------------
TotalSize: 16,666,452 KB
KernelStack 24,400 KB
DriverLocked 13,768 KB
AWE 0 KB
Metafile 667,932 KB
Session Private 24,048 KB
System PTE 50,332 KB
NonPaged Pool 323,104 KB
Page Pool 314,032 KB
Page Tabe 69,020 KB
Shareable 243,288 KB
Mapped File 4,391,092 KB
Process Private 10,545,436 KB
【讨论】: