The 32-bit versions of Windows implement a dynamic system address space layout by using a virtual address allocator (we’ll describe this functionality later in this section). There are still a few specifically reserved areas, as shown in Figure 10-8. However, many kernel-mode structures use dynamic address space allocation. These structures are therefore not necessarily virtually contiguous: each can easily exist in several disjoint pieces in various areas of system address space. The uses of system address space that are allocated in this way include:
Nonpaged pool
Special pool
Paged pool
System page table entries (PTEs)
System mapped views
File system cache
File system structures (metadata)
Session space
x86 Session Space
For systems with multiple sessions, the code and data unique to each session are mapped into system address space but shared by the processes in that session. Figure 10-10 shows the general layout of session space.
Figure 10-10. x86 session space layout (not proportional)
The sizes of the components of session space, just like the rest of kernel system address space, are dynamically configured and resized by the memory manager on demand.
EXPERIMENT: Viewing Sessions
You can display which processes are members of which sessions by examining the session ID. This can be viewed with Task Manager, Process Explorer, or the kernel debugger. Using the kernel debugger, you can list the active sessions with the !session command as follows:
lkd> !session
Sessions on machine: 3
Valid Sessions: 0 1 3
Current Session 1
Then you can set the active session using the !session -s command and display the address of the session data structures and the processes in that session with the !sprocess command:
lkd> !session -s 3
Sessions on machine: 3
Implicit process is now 84173500
Using session 3
lkd> !sprocess
Dumping Session 3
_MM_SESSION_SPACE 9a83c000
_MMSESSION 9a83cd00
PROCESS 84173500 SessionId: 3 Cid: 0d78 Peb: 7ffde000 ParentCid: 0e80
DirBase: 3ef53500 ObjectTable: 8588d820 HandleCount: 76.
Image: csrss.exe
PROCESS 841a6030 SessionId: 3 Cid: 0c6c Peb: 7ffdc000 ParentCid: 0e80
DirBase: 3ef53520 ObjectTable: 85897208 HandleCount: 94.
Image: winlogon.exe
PROCESS 841d9cf0 SessionId: 3 Cid: 0d38 Peb: 7ffd6000 ParentCid: 0c6c
DirBase: 3ef53540 ObjectTable: 8589d248 HandleCount: 165.
Image: LogonUI.exe
...
To view the details of the session, dump the MM_SESSION_SPACE structure using the dt command, as follows:
lkd> dt nt!_MM_SESSION_SPACE 9a83c000
+0x000 ReferenceCount : 0n3
+0x004 u :
+0x008 SessionId : 3
+0x00c ProcessReferenceToSession : 0n4
+0x010 ProcessList : _LIST_ENTRY [ 0x841735e4 - 0x841d9dd4 ]
+0x018 LastProcessSwappedOutTime : _LARGE_INTEGER 0x0
+0x020 SessionPageDirectoryIndex : 0x31fa3
+0x024 NonPagablePages : 0x19
+0x028 CommittedPages : 0x867
+0x02c PagedPoolStart : 0x80000000 Void
+0x030 PagedPoolEnd : 0xffbfffff Void
+0x034 SessionObject : 0x854e2040 Void
+0x038 SessionObjectHandle : 0x8000020c Void
+0x03c ResidentProcessCount : 0n3
+0x040 SessionPoolAllocationFailures : [4] 0
+0x050 ImageList : _LIST_ENTRY [ 0x8519bef8 - 0x85296370 ]
+0x058 LocaleId : 0x409
+0x05c AttachCount : 0
+0x060 AttachGate : _KGATE
+0x070 WsListEntry : _LIST_ENTRY [ 0x82772408 - 0x97044070 ]
+0x080 Lookaside : [25] _GENERAL_LOOKASIDE
...
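Added example (not from the book): a Python parser for the !sprocess listing shown in the experiment above. It groups processes by SessionId and lists those whose ParentCid does not appear in the listing, which is useful when reviewing session membership from a saved debugger log. The function names are illustrative, and the sample text is copied from the output on this page.

```python
import re
from collections import defaultdict

# Listing copied from the !sprocess output on this page; header lines are skipped.
SAMPLE = """\
Dumping Session 3
_MM_SESSION_SPACE 9a83c000
_MMSESSION 9a83cd00
PROCESS 84173500 SessionId: 3 Cid: 0d78 Peb: 7ffde000 ParentCid: 0e80
DirBase: 3ef53500 ObjectTable: 8588d820 HandleCount: 76.
Image: csrss.exe
PROCESS 841a6030 SessionId: 3 Cid: 0c6c Peb: 7ffdc000 ParentCid: 0e80
DirBase: 3ef53520 ObjectTable: 85897208 HandleCount: 94.
Image: winlogon.exe
PROCESS 841d9cf0 SessionId: 3 Cid: 0d38 Peb: 7ffd6000 ParentCid: 0c6c
DirBase: 3ef53540 ObjectTable: 8589d248 HandleCount: 165.
Image: LogonUI.exe
"""

PROCESS_RE = re.compile(
    r"PROCESS\s+(?P<eprocess>[0-9a-fA-F`]+)\s+SessionId:\s*(?P<session>\S+)\s+"
    r"Cid:\s*(?P<cid>[0-9a-fA-F]+)\s+Peb:\s*\S+\s+ParentCid:\s*(?P<parent>[0-9a-fA-F]+)")
IMAGE_RE = re.compile(r"Image:\s*(?P<image>.+?)\s*$")

def parse_sprocess(text):
    """Return one dict per PROCESS record; Cid values are hex in debugger output."""
    procs, current = [], None
    for line in text.splitlines():
        m = PROCESS_RE.search(line)
        if m:
            current = {"eprocess": m["eprocess"], "session": m["session"], "image": None,
                       "pid": int(m["cid"], 16), "ppid": int(m["parent"], 16)}
            procs.append(current)
            continue
        m = IMAGE_RE.search(line)
        if m and current is not None:
            current["image"] = m["image"]  # Image: line belongs to the last PROCESS
    return procs

def by_session(procs):
    groups = defaultdict(list)
    for p in procs:
        groups[p["session"]].append(p["image"])
    return dict(groups)

def missing_parents(procs):
    """Images whose ParentCid is not a Cid in this listing (parent exited or elsewhere)."""
    pids = {p["pid"] for p in procs}
    return [p["image"] for p in procs if p["ppid"] not in pids]
```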
EXPERIMENT: Viewing Session Space Utilization