Results 1 to 3 of 3

Thread: Windows - Bios mapping to kernel address space

  1. #1

    Windows - Bios mapping to kernel address space

    Hi,

    I was recently looking at the windows kernel address space layout and noticed that physical address 0xf0000 (bios page) is mapped several hundred times (roughly .7Mb) in windows kernel address space (pte type - syspte). I wasn't able to justify the need for such a large mapping to the same physical page and was wondering if there is an obvious reason to that which I am missing? Thought I would check before I start tracing the kernel allocation code to dig deeper. Please let me know if you have any thoughts on this. Thanks.

    Kamala
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  2. #2
    Teach, Not Flame Kayaker's Avatar
    Join Date
    Oct 2000
    Posts
    4,154
    Blog Entries
    5
    How did you determine that you had several hundred bios mappings? If I use the Softice PHYS command in XP to translate the physical address 0xf0000 to virtual, I get exactly 2 shadow mappings. Both show a recognizable SMBIOS Entry Point Table structure and distinctive vendor string.

    Approaching it from a different angle, if I search all memory above 0x80000000 for the SMBIOS header string '_SM_', I get exactly 3 hits, though one now may be a Softice mapping.

    Are you certain that your mappings are actually BIOS code?

  3. #3
    I used WinDgb. A bit more on that (could possibly help others as well) - I used cmkd debugger extension (http://www.codemachine.com/tool_cmkd.html) to get the kernel virtual address space layout and used !pte windbg extension command in a script to conditionally check for physical address of certain range. I am surprised SoftICE listed only 2 mappings. What version of Windows and SoftICE are you using?

    Also, doing a search starting at the same address above and for the whole kernel address range under windbg does list all instances of '_SM_' and there are way more than 3.

    Unless there is a flaw in the approach I have mentioned here, I believe they must be BIOS physical address mapping.
    I promise that I have read the FAQ and tried to use the Search to answer my question.

Similar Threads

  1. Replies: 4
    Last Post: December 1st, 2011, 21:38
  2. Replies: 0
    Last Post: February 23rd, 2009, 14:17
  3. Windows 7 kernel structures
    By OpenRCE_omega_red in forum Blogs Forum
    Replies: 0
    Last Post: January 19th, 2009, 07:18
  4. Windows ME kernel not loading into SoftICE
    By Goat in forum Tools of Our Trade (TOT) Messageboard
    Replies: 4
    Last Post: August 28th, 2001, 13:37
  5. Environment space in Windows Me
    By [KSC] in forum Advanced Reversing and Programming
    Replies: 2
    Last Post: June 13th, 2001, 16:51

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •