Difference between revisions of "Techwiki:Memory Layout"
ThePhysicist (talk | contribs) |
|||
(16 intermediate revisions by 3 users not shown) | |||
Line 1: | Line 1: | ||
− | MIPS R-Series | + | |
− | 00000000 | + | == x86 (non-PAE) == |
− | + | ||
− | 80000000 | + | {| class="wikitable" |
− | A0000000 | + | ! Address |
− | C0000000 | + | ! Description |
− | C2400000 - HyperSpace | + | |- |
− | + | | 00000000 || UserMode Addresses | |
− | + | |- | |
− | DE000000 | + | | 7FFFF000 || No Access Area (64kB) |
− | + | |- | |
− | + | | 80000000 || HAL/NTOSKRNL/Boot Drivers | |
+ | |- | ||
+ | | 8??????? || PFN database | ||
+ | |- | ||
+ | | BD000000 || MiSessionPoolStart = MmSessionBase | ||
+ | |- | ||
+ | | BE000000 || MiSessionViewStart | ||
+ | |- | ||
+ | | BF800000 || MiSessionImageStart (default) | ||
+ | |- | ||
+ | | C0000000 || Page Table pages - 4Mb | ||
+ | |- | ||
+ | | C0400000 || HyperSpace | ||
+ | |- | ||
+ | | C0C00000 || System Cache structures | ||
+ | |- | ||
+ | | C1000000 || System Cache | ||
+ | |- | ||
+ | | E1000000 || Paged System area | ||
+ | |- | ||
+ | | ???????? || System PTE area | ||
+ | |- | ||
+ | | ???????? || Nonpaged System area | ||
+ | |- | ||
+ | | FFBE0000 || Crash dump driver area | ||
+ | |- | ||
+ | | FFC00000 || Reserved for HAL (4mb) | ||
+ | |- | ||
+ | | FFDFF000 || Boot PCR (KIP0PCRADDRESS) | ||
+ | |} | ||
+ | |||
+ | == IBM PowerPC == | ||
+ | {| class="wikitable" | ||
+ | ! Address | ||
+ | ! Description | ||
+ | |- | ||
+ | | 00000000 || UserMode Addresses | ||
+ | |- | ||
+ | | 7FFFF000 || No Access Area (64kB) | ||
+ | |- | ||
+ | | 80000000 || HAL/NTOSKRNL/Boot Drivers | ||
+ | |- | ||
+ | | 90000000 || System Cache working set | ||
+ | |- | ||
+ | | 90400000 || System Cache | ||
+ | |- | ||
+ | | A0000000 || Kernel segment | ||
+ | |- | ||
+ | | C0000000 || Page Table pages - 4Mb - Kernel Only | ||
+ | |- | ||
+ | | C0400000 || HyperSpace | ||
+ | |- | ||
+ | | D0000000 || System Mapped Views | ||
+ | |- | ||
+ | | D3000000 || Paged System area | ||
+ | |- | ||
+ | | EFBFFFFF || Nonpaged System area | ||
+ | |- | ||
+ | | FFFFD000 || PCR Structure, per processor | ||
+ | |- | ||
+ | | FFFFF000 || Debugger Page | ||
+ | |} | ||
+ | |||
+ | |||
+ | == MIPS R-Series == | ||
+ | |||
+ | {| class="wikitable" | ||
+ | ! Address | ||
+ | ! Description | ||
+ | |- | ||
+ | | 00000000 || UserMode Addresses | ||
+ | |- | ||
+ | | 7FFFF000 || No Access Area (64kB) | ||
+ | |- | ||
+ | | 80000000 || HAL/NTOSKRNL/Boot Drivers | ||
+ | |- | ||
+ | | A0000000 || Kernel segment | ||
+ | |- | ||
+ | | C0000000 || Page Table pages - 4Mb - Kernel Only | ||
+ | |- | ||
+ | | C2400000 || HyperSpace | ||
+ | |- | ||
+ | | C2800000 || System Cache structures | ||
+ | |- | ||
+ | | C2C00000 || System Cache | ||
+ | |- | ||
+ | | DE000000 || System Mapped Views | ||
+ | |- | ||
+ | | FFBFFFFF || Nonpaged System area | ||
+ | |- | ||
+ | | FFC00000 || Reserved for HAL (4mb) | ||
+ | |} | ||
+ | |||
+ | |||
+ | == DEC Alpha (32bit) == | ||
+ | |||
+ | {| class="wikitable" | ||
+ | ! Address | ||
+ | ! Description | ||
+ | |- | ||
+ | | 00000000 || UserMode Addresses | ||
+ | |- | ||
+ | | 7FFFF000 || No Access Area (64kB) | ||
+ | |- | ||
+ | | 80000000 || HAL/NTOSKRNL/Boot Drivers | ||
+ | |- | ||
+ | | C0000000 || Page Table pages - 2Mb - Kernel Only | ||
+ | |- | ||
+ | | C1000000 || HyperSpace | ||
+ | |- | ||
+ | | C2000000 || PTEs | ||
+ | |- | ||
+ | | C3000000 || System Cache structures | ||
+ | |- | ||
+ | | C4000000 || System Cache | ||
+ | |- | ||
+ | | DE000000 || System Mapped Views | ||
+ | |- | ||
+ | | E1000000 || Paged System area | ||
+ | |- | ||
+ | | F0000000 || Nonpaged System area | ||
+ | |- | ||
+ | | FE000000 || Reserved for HAL (4mb) | ||
+ | |} | ||
+ | |||
+ | |||
+ | == DEC Alpha (64bit) AXP64 == | ||
+ | |||
+ | {| class="wikitable" | ||
+ | ! Address | ||
+ | ! Description | ||
+ | |- | ||
+ | | 0000000000000000 || UserMode Addresses (4TB) | ||
+ | |- | ||
+ | | 000003FFFFFF0000 || No Access Area (64kB) | ||
+ | |- | ||
+ | | FFFFFC0000000000 || Start of System area, 2TB accessable | ||
+ | |- | ||
+ | | FFFFFE0000000000 || 8GB three-level Page Table map | ||
+ | |- | ||
+ | | FFFFFE0400000000 || Reserved for Win32k.sys | ||
+ | |- | ||
+ | | FFFFFE0600000000 || System Cache working set | ||
+ | |- | ||
+ | | FFFFFE0800000000 || System Cache (1TB) | ||
+ | |- | ||
+ | | FFFFFF0800000000 || Start of Paged System Area. (128GB) | ||
+ | |- | ||
+ | | FFFFFF2800000000 || System PTE Pool (128GB) | ||
+ | |- | ||
+ | | FFFFFF67FFFFFFFF || Nonpaged System area (128GB) | ||
+ | |- | ||
+ | | FFFFFFFF80000000 || HAL/NTOSKRNL/Boot Drivers | ||
+ | |- | ||
+ | | FFFFFFFFFF000000 || Shared System Page | ||
+ | |- | ||
+ | | FFFFFFFFFF002000 || Reserved for HAL | ||
+ | |} | ||
+ | |||
+ | |||
+ | == Intel Itanium ia64 == | ||
+ | |||
+ | {| class="wikitable" | ||
+ | ! Address | ||
+ | ! Description | ||
+ | |- | ||
+ | | 0000000000000000 || UserMode Addresses (8084GB) | ||
+ | |- | ||
+ | | 000003FFFFFF0000 || No Access Area (64kB) | ||
+ | |- | ||
+ | | 0000040000000000 || HyperSpace | ||
+ | |- | ||
+ | | 1FFFFF0000000000 || 8gb Leaf level Page Table map | ||
+ | |- | ||
+ | | 2000000000000000 || win32k.sys reserved (8gb) | ||
+ | |- | ||
+ | | 3FFFFF0000000000 || 8gb Leaf level Page Table map | ||
+ | |- | ||
+ | | 8000000000000000 || Addressable Physical Memory | ||
+ | |- | ||
+ | | E000000080000000 || HAL/NTOSKRNL/Boot Drivers | ||
+ | |- | ||
+ | | E0000000A0000000 || Reserved for Win32k.sys | ||
+ | |- | ||
+ | | E0000000FF002000 || Reserved for HAL | ||
+ | |- | ||
+ | | E000000400000000 || System Cache working set | ||
+ | |- | ||
+ | | E000000600000000 || System Cache (1TB) | ||
+ | |- | ||
+ | | E000010600000000 || Start of Paged System Area. (128GB) | ||
+ | |- | ||
+ | | E000014600000000 || System PTE Pool (128GB) | ||
+ | |- | ||
+ | | E00001465FFFFFFF || Nonpaged System area (128GB) | ||
+ | |- | ||
+ | | E000040000000000 || PFN Database (2TB) | ||
+ | |- | ||
+ | | FFFFFF0000000000 || 8gb Leaf level Page Table map | ||
+ | |} | ||
+ | |||
+ | == AMD64 == | ||
+ | |||
+ | Windows 2003 (based on Windows internals 4): | ||
+ | {| class="wikitable" | ||
+ | ! Address | ||
+ | ! Size | ||
+ | ! Description | ||
+ | |- | ||
+ | | 0000000000000000 - 000007FFFFFEFFFF || 8TB-64k || UserMode Addresses | ||
+ | |- | ||
+ | | 000007FFFFFF0000 - 000007FFFFFFFFFF || 64k || No Access Area | ||
+ | |- | ||
+ | | 0000080000000000 - FFFF7FFFFFFFFFFF || || - | ||
+ | |- | ||
+ | | FFFF800000000000 - FFFFF67FFFFFFFFF || || Start of system space | ||
+ | |- | ||
+ | | FFFFF68000000000 - FFFFF6FFFFFFFFFF || 512 GB || 4 lvl page table map | ||
+ | |- | ||
+ | | FFFFF70000000000 - FFFFF77FFFFFFFFF || 512 GB || HyperSpace | ||
+ | |- | ||
+ | | FFFFF78000000000 - FFFFF77000000FFF || 4 KB || Shared system page | ||
+ | |- | ||
+ | | FFFFF78000001000 - FFFFF7FFFFFFFFFF || 512 GB || system working set | ||
+ | |- | ||
+ | | FFFFF80000000000 - FFFFF8FFFFFFFFFF || 1 TB || Mappings initialized by the loader | ||
+ | |- | ||
+ | | FFFFF90000000000 - FFFFF97FFFFFFFFF || 512 GB || Session space | ||
+ | |- | ||
+ | | FFFFF98000000000 - FFFFFA7FFFFFFFFF || 1 TB || System cache | ||
+ | |- | ||
+ | | FFFFFA8000000000 - FFFFFA9FFFFFFFFF || 128 GB || Start of Paged System Area. | ||
+ | |- | ||
+ | | FFFFFAA000000000 - FFFFFABFFFFFFFFF || 128 GB || System PTE pool (MmNonPagedSystemStart) | ||
+ | |- | ||
+ | | FFFFFAC000000000 - FFFFFADFFFFFFFFF || 128 GB || Non paged pool | ||
+ | |- | ||
+ | | FFFFFAE000000000 - FFFFFFFFFFFFFFFF || 2 GB || Reserved for HAL | ||
+ | |- | ||
+ | | FFFFFFFFFFFFFFFF || || End of VA space | ||
+ | |} | ||
+ | |||
+ | |||
+ | Windows Vista+ (based on http://www.codemachine.com/tool_cmkd.html#kvas / http://www.codemachine.com/article_x64kvas.html): | ||
+ | {| class="wikitable" | ||
+ | ! Address | ||
+ | ! Size | ||
+ | ! Description | ||
+ | |- | ||
+ | | 0000000000000000 - 000007FFFFFEFFFF || 8TB-64k || UserMode Addresses | ||
+ | |- | ||
+ | | 000007FFFFFF0000 - 000007FFFFFFFFFF || 64k || No Access Area | ||
+ | |- | ||
+ | | 0000080000000000 - FFFF7FFFFFFFFFFF || || - | ||
+ | |- | ||
+ | | FFFF800000000000 - FFFFF67FFFFFFFFF || 238 TB || System space | ||
+ | |- | ||
+ | | FFFFF68000000000 - FFFFF6FFFFFFFFFF || 512 GB || Page tables | ||
+ | |- | ||
+ | | FFFFF70000000000 - FFFFF77FFFFFFFFF || 512 GB || HyperSpace | ||
+ | |- | ||
+ | | FFFFF78000000000 - FFFFF77000000FFF || 4 KB || Shared system page | ||
+ | |- | ||
+ | | FFFFF78000001000 - FFFFF7FFFFFFFFFF || 511 GB || Cache working set | ||
+ | |- | ||
+ | | FFFFF80000000000 - FFFFF87FFFFFFFFF || 512 GB || Loader mappings | ||
+ | |- | ||
+ | | FFFFF88000000000 - FFFFF89FFFFFFFFF || 128 GB || System PTEs | ||
+ | |- | ||
+ | | FFFFF8A000000000 - FFFFF8BFFFFFFFFF || 128 GB || Paged pool | ||
+ | |- | ||
+ | | FFFFF8C000000000 - FFFFF8FFFFFFFFFF || | ||
+ | |- | ||
+ | | FFFFF90000000000 - FFFFF97FFFFFFFFF || 512 GB || Session space | ||
+ | |- | ||
+ | | FFFFF98000000000 - FFFFFA7FFFFFFFFF || 1 TB || Dynamic kernel VA | ||
+ | |- | ||
+ | | FFFFFA8000000000 - FFFFF??????????? || up to 8 TB || Pfn database | ||
+ | |- | ||
+ | | FFFFF??????????? - FFFFFFFFFFBFFFFF || up to 128 GB || Non paged pool | ||
+ | |- | ||
+ | | FFFFFFFFFFC00000 - FFFFFFFFFFFFFFFF || 4 MB || Hal reserved | ||
+ | |- | ||
+ | | FFFFFFFFFFFFFFFF || || End of VA space | ||
+ | |} | ||
+ | |||
+ | Note: On Windows MmSystemRangeStart contains the value 0xFFFF080000000000, this is probably a typo. | ||
+ | The real system range start is 0xFFFF800000000000 | ||
+ | |||
+ | Session space layout: | ||
+ | |||
+ | {| class="wikitable" | ||
+ | ! Address | ||
+ | ! Size | ||
+ | ! Description | ||
+ | |- | ||
+ | | FFFFF90000000000 - FFFFF90000001E57 || 8 KB || ??? | ||
+ | |- | ||
+ | | FFFFF90000001E58 - FFFFF90000010000 || 56 KB || MiSessionSpecialPool | ||
+ | |- | ||
+ | | FFFFF90000010000 - FFFFF90000011FFF || 8 KB || MiSessionDynamicVaBitBuffer | ||
+ | |- | ||
+ | | FFFFF90000012000 - FFFFF90000411FFF || 4 MB || MiSessionDynamicPoolBitBuffer | ||
+ | |- | ||
+ | | FFFFF90000412000 - FFFFF90000811FFF || 4 MB || MiSessionDynamicPtesBitBuffer | ||
+ | |- | ||
+ | | FFFFF90000812000 - FFFFF90080000FFF || 2039 MB || MiSessionSpaceWs | ||
+ | |- | ||
+ | | FFFFF90080001000 - FFFFF900A0101007 || 513 MB || MiSessionWsHashStart .. MiSessionWsHashEnd-1 | ||
+ | |- | ||
+ | | FFFFF900C0000000 - FFFFF97FFFFFFFFF || 509 GB || MiSessionDynamicVaStart | ||
+ | |} |
Revision as of 14:31, 24 December 2019
Contents
x86 (non-PAE)
Address | Description |
---|---|
00000000 | UserMode Addresses |
7FFFF000 | No Access Area (64kB) |
80000000 | HAL/NTOSKRNL/Boot Drivers |
8??????? | PFN database |
BD000000 | MiSessionPoolStart = MmSessionBase |
BE000000 | MiSessionViewStart |
BF800000 | MiSessionImageStart (default) |
C0000000 | Page Table pages - 4Mb |
C0400000 | HyperSpace |
C0C00000 | System Cache structures |
C1000000 | System Cache |
E1000000 | Paged System area |
???????? | System PTE area |
???????? | Nonpaged System area |
FFBE0000 | Crash dump driver area |
FFC00000 | Reserved for HAL (4mb) |
FFDFF000 | Boot PCR (KIP0PCRADDRESS) |
IBM PowerPC
Address | Description |
---|---|
00000000 | UserMode Addresses |
7FFFF000 | No Access Area (64kB) |
80000000 | HAL/NTOSKRNL/Boot Drivers |
90000000 | System Cache working set |
90400000 | System Cache |
A0000000 | Kernel segment |
C0000000 | Page Table pages - 4Mb - Kernel Only |
C0400000 | HyperSpace |
D0000000 | System Mapped Views |
D3000000 | Paged System area |
EFBFFFFF | Nonpaged System area |
FFFFD000 | PCR Structure, per processor |
FFFFF000 | Debugger Page |
MIPS R-Series
Address | Description |
---|---|
00000000 | UserMode Addresses |
7FFFF000 | No Access Area (64kB) |
80000000 | HAL/NTOSKRNL/Boot Drivers |
A0000000 | Kernel segment |
C0000000 | Page Table pages - 4Mb - Kernel Only |
C2400000 | HyperSpace |
C2800000 | System Cache structures |
C2C00000 | System Cache |
DE000000 | System Mapped Views |
FFBFFFFF | Nonpaged System area |
FFC00000 | Reserved for HAL (4mb) |
DEC Alpha (32bit)
Address | Description |
---|---|
00000000 | UserMode Addresses |
7FFFF000 | No Access Area (64kB) |
80000000 | HAL/NTOSKRNL/Boot Drivers |
C0000000 | Page Table pages - 2Mb - Kernel Only |
C1000000 | HyperSpace |
C2000000 | PTEs |
C3000000 | System Cache structures |
C4000000 | System Cache |
DE000000 | System Mapped Views |
E1000000 | Paged System area |
F0000000 | Nonpaged System area |
FE000000 | Reserved for HAL (4mb) |
DEC Alpha (64bit) AXP64
Address | Description |
---|---|
0000000000000000 | UserMode Addresses (4TB) |
000003FFFFFF0000 | No Access Area (64kB) |
FFFFFC0000000000 | Start of System area, 2TB accessable |
FFFFFE0000000000 | 8GB three-level Page Table map |
FFFFFE0400000000 | Reserved for Win32k.sys |
FFFFFE0600000000 | System Cache working set |
FFFFFE0800000000 | System Cache (1TB) |
FFFFFF0800000000 | Start of Paged System Area. (128GB) |
FFFFFF2800000000 | System PTE Pool (128GB) |
FFFFFF67FFFFFFFF | Nonpaged System area (128GB) |
FFFFFFFF80000000 | HAL/NTOSKRNL/Boot Drivers |
FFFFFFFFFF000000 | Shared System Page |
FFFFFFFFFF002000 | Reserved for HAL |
Intel Itanium ia64
Address | Description |
---|---|
0000000000000000 | UserMode Addresses (8084GB) |
000003FFFFFF0000 | No Access Area (64kB) |
0000040000000000 | HyperSpace |
1FFFFF0000000000 | 8gb Leaf level Page Table map |
2000000000000000 | win32k.sys reserved (8gb) |
3FFFFF0000000000 | 8gb Leaf level Page Table map |
8000000000000000 | Addressable Physical Memory |
E000000080000000 | HAL/NTOSKRNL/Boot Drivers |
E0000000A0000000 | Reserved for Win32k.sys |
E0000000FF002000 | Reserved for HAL |
E000000400000000 | System Cache working set |
E000000600000000 | System Cache (1TB) |
E000010600000000 | Start of Paged System Area. (128GB) |
E000014600000000 | System PTE Pool (128GB) |
E00001465FFFFFFF | Nonpaged System area (128GB) |
E000040000000000 | PFN Database (2TB) |
FFFFFF0000000000 | 8gb Leaf level Page Table map |
AMD64
Windows 2003 (based on Windows internals 4):
Address | Size | Description |
---|---|---|
0000000000000000 - 000007FFFFFEFFFF | 8TB-64k | UserMode Addresses |
000007FFFFFF0000 - 000007FFFFFFFFFF | 64k | No Access Area |
0000080000000000 - FFFF7FFFFFFFFFFF | - | |
FFFF800000000000 - FFFFF67FFFFFFFFF | Start of system space | |
FFFFF68000000000 - FFFFF6FFFFFFFFFF | 512 GB | 4 lvl page table map |
FFFFF70000000000 - FFFFF77FFFFFFFFF | 512 GB | HyperSpace |
FFFFF78000000000 - FFFFF77000000FFF | 4 KB | Shared system page |
FFFFF78000001000 - FFFFF7FFFFFFFFFF | 512 GB | system working set |
FFFFF80000000000 - FFFFF8FFFFFFFFFF | 1 TB | Mappings initialized by the loader |
FFFFF90000000000 - FFFFF97FFFFFFFFF | 512 GB | Session space |
FFFFF98000000000 - FFFFFA7FFFFFFFFF | 1 TB | System cache |
FFFFFA8000000000 - FFFFFA9FFFFFFFFF | 128 GB | Start of Paged System Area. |
FFFFFAA000000000 - FFFFFABFFFFFFFFF | 128 GB | System PTE pool (MmNonPagedSystemStart) |
FFFFFAC000000000 - FFFFFADFFFFFFFFF | 128 GB | Non paged pool |
FFFFFAE000000000 - FFFFFFFFFFFFFFFF | 2 GB | Reserved for HAL |
FFFFFFFFFFFFFFFF | End of VA space |
Windows Vista+ (based on http://www.codemachine.com/tool_cmkd.html#kvas / http://www.codemachine.com/article_x64kvas.html):
Address | Size | Description |
---|---|---|
0000000000000000 - 000007FFFFFEFFFF | 8TB-64k | UserMode Addresses |
000007FFFFFF0000 - 000007FFFFFFFFFF | 64k | No Access Area |
0000080000000000 - FFFF7FFFFFFFFFFF | - | |
FFFF800000000000 - FFFFF67FFFFFFFFF | 238 TB | System space |
FFFFF68000000000 - FFFFF6FFFFFFFFFF | 512 GB | Page tables |
FFFFF70000000000 - FFFFF77FFFFFFFFF | 512 GB | HyperSpace |
FFFFF78000000000 - FFFFF77000000FFF | 4 KB | Shared system page |
FFFFF78000001000 - FFFFF7FFFFFFFFFF | 511 GB | Cache working set |
FFFFF80000000000 - FFFFF87FFFFFFFFF | 512 GB | Loader mappings |
FFFFF88000000000 - FFFFF89FFFFFFFFF | 128 GB | System PTEs |
FFFFF8A000000000 - FFFFF8BFFFFFFFFF | 128 GB | Paged pool |
FFFFF8C000000000 - FFFFF8FFFFFFFFFF | ||
FFFFF90000000000 - FFFFF97FFFFFFFFF | 512 GB | Session space |
FFFFF98000000000 - FFFFFA7FFFFFFFFF | 1 TB | Dynamic kernel VA |
FFFFFA8000000000 - FFFFF??????????? | up to 8 TB | Pfn database |
FFFFF??????????? - FFFFFFFFFFBFFFFF | up to 128 GB | Non paged pool |
FFFFFFFFFFC00000 - FFFFFFFFFFFFFFFF | 4 MB | Hal reserved |
FFFFFFFFFFFFFFFF | End of VA space |
Note: On Windows MmSystemRangeStart contains the value 0xFFFF080000000000, this is probably a typo. The real system range start is 0xFFFF800000000000
Session space layout:
Address | Size | Description |
---|---|---|
FFFFF90000000000 - FFFFF90000001E57 | 8 KB | ??? |
FFFFF90000001E58 - FFFFF90000010000 | 56 KB | MiSessionSpecialPool |
FFFFF90000010000 - FFFFF90000011FFF | 8 KB | MiSessionDynamicVaBitBuffer |
FFFFF90000012000 - FFFFF90000411FFF | 4 MB | MiSessionDynamicPoolBitBuffer |
FFFFF90000412000 - FFFFF90000811FFF | 4 MB | MiSessionDynamicPtesBitBuffer |
FFFFF90000812000 - FFFFF90080000FFF | 2039 MB | MiSessionSpaceWs |
FFFFF90080001000 - FFFFF900A0101007 | 513 MB | MiSessionWsHashStart .. MiSessionWsHashEnd-1 |
FFFFF900C0000000 - FFFFF97FFFFFFFFF | 509 GB | MiSessionDynamicVaStart |