Difference between revisions of "Techwiki:Memory Layout"
ThePhysicist (talk | contribs) (→AMD64) |
ThePhysicist (talk | contribs) (→AMD64) |
||
Line 251: | Line 251: | ||
− | Windows Vista+ (based on http://www.codemachine.com/tool_cmkd.html#kvas): | + | Windows Vista+ (based on http://www.codemachine.com/tool_cmkd.html#kvas / http://www.codemachine.com/article_x64kvas.html): |
{| class="wikitable" | {| class="wikitable" | ||
! Address | ! Address |
Revision as of 17:19, 25 January 2015
Contents
x86 (non-PAE)
Address | Description |
---|---|
00000000 | UserMode Addresses |
7FFFF000 | No Access Area (64kB) |
80000000 | HAL/NTOSKRNL/Boot Drivers |
8??????? | PFN database |
BD000000 | MiSessionPoolStart = MmSessionBase |
BE000000 | MiSessionViewStart |
BF800000 | MiSessionImageStart (default) |
C0000000 | Page Table pages - 4Mb |
C0400000 | HyperSpace |
C0C00000 | System Cache structures |
C1000000 | System Cache |
E1000000 | Paged System area |
???????? | System PTE area |
???????? | Nonpaged System area |
FFBE0000 | Crash dump driver area |
FFC00000 | Reserved for HAL (4mb) |
IBM PowerPC
Address | Description |
---|---|
00000000 | UserMode Addresses |
7FFFF000 | No Access Area (64kB) |
80000000 | HAL/NTOSKRNL/Boot Drivers |
90000000 | System Cache working set |
90400000 | System Cache |
A0000000 | Kernel segment |
C0000000 | Page Table pages - 4Mb - Kernel Only |
C0400000 | HyperSpace |
D0000000 | System Mapped Views |
D3000000 | Paged System area |
EFBFFFFF | Nonpaged System area |
FFFFD000 | PCR Structure, per processor |
FFFFF000 | Debugger Page |
MIPS R-Series
Address | Description |
---|---|
00000000 | UserMode Addresses |
7FFFF000 | No Access Area (64kB) |
80000000 | HAL/NTOSKRNL/Boot Drivers |
A0000000 | Kernel segment |
C0000000 | Page Table pages - 4Mb - Kernel Only |
C2400000 | HyperSpace |
C2800000 | System Cache structures |
C2C00000 | System Cache |
DE000000 | System Mapped Views |
FFBFFFFF | Nonpaged System area |
FFC00000 | Reserved for HAL (4mb) |
DEC Alpha (32bit)
Address | Description |
---|---|
00000000 | UserMode Addresses |
7FFFF000 | No Access Area (64kB) |
80000000 | HAL/NTOSKRNL/Boot Drivers |
C0000000 | Page Table pages - 2Mb - Kernel Only |
C1000000 | HyperSpace |
C2000000 | PTEs |
C3000000 | System Cache structures |
C4000000 | System Cache |
DE000000 | System Mapped Views |
E1000000 | Paged System area |
F0000000 | Nonpaged System area |
FE000000 | Reserved for HAL (4mb) |
DEC Alpha (64bit) AXP64
Address | Description |
---|---|
0000000000000000 | UserMode Addresses (4TB) |
000003FFFFFF0000 | No Access Area (64kB) |
FFFFFC0000000000 | Start of System area, 2TB accessable |
FFFFFE0000000000 | 8GB three-level Page Table map |
FFFFFE0400000000 | Reserved for Win32k.sys |
FFFFFE0600000000 | System Cache working set |
FFFFFE0800000000 | System Cache (1TB) |
FFFFFF0800000000 | Start of Paged System Area. (128GB) |
FFFFFF2800000000 | System PTE Pool (128GB) |
FFFFFF67FFFFFFFF | Nonpaged System area (128GB) |
FFFFFFFF80000000 | HAL/NTOSKRNL/Boot Drivers |
FFFFFFFFFF000000 | Shared System Page |
FFFFFFFFFF002000 | Reserved for HAL |
Intel Itanium ia64
Address | Description |
---|---|
0000000000000000 | UserMode Addresses (8084GB) |
000003FFFFFF0000 | No Access Area (64kB) |
0000040000000000 | HyperSpace |
1FFFFF0000000000 | 8gb Leaf level Page Table map |
2000000000000000 | win32k.sys reserved (8gb) |
3FFFFF0000000000 | 8gb Leaf level Page Table map |
8000000000000000 | Addressable Physical Memory |
E000000080000000 | HAL/NTOSKRNL/Boot Drivers |
E0000000A0000000 | Reserved for Win32k.sys |
E0000000FF002000 | Reserved for HAL |
E000000400000000 | System Cache working set |
E000000600000000 | System Cache (1TB) |
E000010600000000 | Start of Paged System Area. (128GB) |
E000014600000000 | System PTE Pool (128GB) |
E00001465FFFFFFF | Nonpaged System area (128GB) |
E000040000000000 | PFN Database (2TB) |
FFFFFF0000000000 | 8gb Leaf level Page Table map |
AMD64
Windows 2003 (based on Windows internals 4):
Address | Size | Description |
---|---|---|
0000000000000000 - 000007FFFFFEFFFF | 8TB-64k | UserMode Addresses |
000007FFFFFF0000 - 000007FFFFFFFFFF | 64k | No Access Area |
0000080000000000 - FFFF7FFFFFFFFFFF | - | |
FFFF800000000000 - FFFFF67FFFFFFFFF | Start of system space | |
FFFFF68000000000 - FFFFF6FFFFFFFFFF | 512 GB | 4 lvl page table map |
FFFFF70000000000 - FFFFF77FFFFFFFFF | 512 GB | HyperSpace |
FFFFF78000000000 - FFFFF77000000FFF | 4 KB | Shared system page |
FFFFF78000001000 - FFFFF7FFFFFFFFFF | 512 GB | system working set |
FFFFF80000000000 - FFFFF8FFFFFFFFFF | 1 TB | Mappings initialized by the loader |
FFFFF90000000000 - FFFFF97FFFFFFFFF | 512 GB | Session space |
FFFFF98000000000 - FFFFFA7FFFFFFFFF | 1 TB | System cache |
FFFFFA8000000000 - FFFFFA9FFFFFFFFF | 128 GB | Start of Paged System Area. |
FFFFFAA000000000 - FFFFFABFFFFFFFFF | 128 GB | System PTE pool (MmNonPagedSystemStart) |
FFFFFAC000000000 - FFFFFADFFFFFFFFF | 128 GB | Non paged pool |
FFFFFAE000000000 - FFFFFFFFFFFFFFFF | 2 GB | Reserved for HAL |
FFFFFFFFFFFFFFFF | End of VA space |
Windows Vista+ (based on http://www.codemachine.com/tool_cmkd.html#kvas / http://www.codemachine.com/article_x64kvas.html):
Address | Size | Description |
---|---|---|
0000000000000000 - 000007FFFFFEFFFF | 8TB-64k | UserMode Addresses |
000007FFFFFF0000 - 000007FFFFFFFFFF | 64k | No Access Area |
0000080000000000 - FFFF7FFFFFFFFFFF | - | |
FFFF800000000000 - FFFFF67FFFFFFFFF | 238 TB | System space |
FFFFF68000000000 - FFFFF6FFFFFFFFFF | 512 GB | Page tables |
FFFFF70000000000 - FFFFF77FFFFFFFFF | 512 GB | HyperSpace |
FFFFF78000000000 - FFFFF77000000FFF | 4 KB | Shared system page |
FFFFF78000001000 - FFFFF7FFFFFFFFFF | 511 GB | Cache working set |
FFFFF80000000000 - FFFFF87FFFFFFFFF | 512 GB | Loader mappings |
FFFFF88000000000 - FFFFF89FFFFFFFFF | 128 GB | System PTEs |
FFFFF8A000000000 - FFFFF8BFFFFFFFFF | 128 GB | Paged pool |
FFFFF8C000000000 - FFFFF8FFFFFFFFFF | ||
FFFFF90000000000 - FFFFF97FFFFFFFFF | 512 GB | Session space |
FFFFF98000000000 - FFFFFA7FFFFFFFFF | 1 TB | Dynamic kernel VA |
FFFFFA8000000000 - FFFFF??????????? | up to 8 TB | Pfn database |
FFFFF??????????? - FFFFFFFFFFBFFFFF | up to 128 GB | Non paged pool |
FFFFFFFFFFC00000 - FFFFFFFFFFFFFFFF | 4 MB | Hal reserved |
FFFFFFFFFFFFFFFF | End of VA space |
Note: On Windows MmSystemRangeStart contains the value 0xFFFF080000000000, this is probably a typo. The real system range start is 0xFFFF800000000000
Session space layout:
Address | Size | Description |
---|---|---|
FFFFF90000000000 - FFFFF90000001E57 | 8 KB | ??? |
FFFFF90000001E58 - FFFFF90000010000 | 56 KB | MiSessionSpecialPool |
FFFFF90000010000 - FFFFF90000011FFF | 8 KB | MiSessionDynamicVaBitBuffer |
FFFFF90000012000 - FFFFF90000411FFF | 4 MB | MiSessionDynamicPoolBitBuffer |
FFFFF90000412000 - FFFFF90000811FFF | 4 MB | MiSessionDynamicPtesBitBuffer |
FFFFF90000812000 - FFFFF90080000FFF | 2039 MB | MiSessionSpaceWs |
FFFFF90080001000 - FFFFF900A0101007 | 513 MB | MiSessionWsHashStart .. MiSessionWsHashEnd-1 |
FFFFF900C0000000 - FFFFF97FFFFFFFFF | 509 GB | MiSessionDynamicVaStart |