FS_Process_Virt2Phys
The directory virt2phys exists as a sub-directory in each process directory.
The virt2phys directory contains one special file named virt.txt into which the user of MemProcFS may write a virtual address. Once it is saved, the other files automatically update to reflect the user-selected virtual address written to virt.txt.
NB! Memory may still be readable even though virt2phys cannot find it, if the memory is "paged out". virt2phys looks at currently active memory only.
| File | Description |
|---|---|
| virt.txt | Virtual address in hex - always user writable! |
| phys.txt | Physical address (in hex) that the virtual address maps to |
| map.txt | Virtual to physical translation map, showing page table entries and their locations in the PML4, PDPT, PD and PT page tables. |
| readme.txt | Informational README file. |
| pt_pml4.mem* | PML4 page table |
| pt_pdpt.mem* | PDPT page table |
| pt_pd.mem* | Page Directory page table |
| pt_pt.mem* | Page Table page table |
| page.mem | 4kB page that the virt address maps to (or corresponding 4kB section of memory if large pages are used) |
*) On arm64 architectures the page table memory files are named pt_lvl0.mem, pt_lvl1.mem, pt_lvl2.mem and pt_lvl3.mem.
The virt.txt file is always writable. The map.txt file is always read-only, while all other files are writable if a write-capable memory acquisition device is used.
The example below shows the files in the virt2phys sub-directory of the explorer.exe process. The virtual memory address 00007ff75fc50000 is echoed into the virt.txt file. The page table walk is shown by viewing the map file with the cat map.txt command. The resulting physical address of 0x1a6c96000 is shown by viewing the phys.txt file with the cat phys.txt command. Also shown, in the HxD hex editor, is the 4th level page table for the virtual address.
Each line of the map file describes one level of the page table walk. The first column shows which page table the line refers to. The next column is the physical address of that page table, followed by the offset (in bytes) of the page table entry within the table, and finally the page table entry itself (PML4E/PDPTE/PDE/PTE).
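The walk that map.txt summarises can be reproduced from the page table files themselves. The following is an added example, not code from MemProcFS: it assumes x64 4-level paging with 4kB tables and a little-endian host, the function names (entry_offset, virt2phys_walk, demo_translate) are hypothetical, and the table contents are constructed so that the final entry matches the physical address in the example above. It goes slightly beyond the 4kB case by also handling large pages.

```c
#include <stdint.h>
#include <string.h>

#define PTE_PRESENT  0x1ULL
#define PTE_LARGE    0x80ULL                 /* PS bit: 1GB (PDPTE) or 2MB (PDE) page */
#define PTE_PFN_MASK 0x000FFFFFFFFFF000ULL   /* physical address bits 12..51 */

/* Byte offset of the entry for va inside one table; level 3=PML4, 2=PDPT, 1=PD, 0=PT. */
uint32_t entry_offset(uint64_t va, int level) {
    return (uint32_t)((va >> (12 + 9 * level)) & 0x1FF) * 8;
}

/* tables[0..3] hold the 4kB contents of pt_pml4.mem, pt_pdpt.mem, pt_pd.mem, pt_pt.mem.
 * Returns 0 and sets *pa, or -1 when an entry on the path is not present. */
int virt2phys_walk(const uint8_t *const tables[4], uint64_t va, uint64_t *pa) {
    for (int level = 3; level >= 0; level--) {
        uint64_t e;
        memcpy(&e, tables[3 - level] + entry_offset(va, level), sizeof e); /* LE host assumed */
        if (!(e & PTE_PRESENT)) return -1;
        int leaf = level == 0 || ((level == 1 || level == 2) && (e & PTE_LARGE));
        if (leaf) {
            /* Low bits of va select the byte inside the 4kB, 2MB or 1GB page. */
            uint64_t in_page = (1ULL << (12 + 9 * level)) - 1;
            *pa = (e & PTE_PFN_MASK & ~in_page) | (va & in_page);
            return 0;
        }
    }
    return -1;
}

/* Constructed tables: only the final PTE is chosen to match the example result
 * 0x1a6c96000; the intermediate table addresses (0x1000..0x3000) are made up. */
uint64_t demo_translate(uint64_t va, int pte_present) {
    static uint8_t pml4[4096], pdpt[4096], pd[4096], pt[4096];
    const uint8_t *const tables[4] = { pml4, pdpt, pd, pt };
    uint8_t *w[4] = { pml4, pdpt, pd, pt };
    uint64_t e[4] = { 0x1000 | 0x7, 0x2000 | 0x7, 0x3000 | 0x7,
                      0x1a6c96000ULL | (pte_present ? 0x7 : 0x6) };
    uint64_t pa = 0;
    for (int i = 0; i < 4; i++)
        memcpy(w[i] + entry_offset(va, 3 - i), &e[i], sizeof e[i]);
    return virt2phys_walk(tables, va, &pa) == 0 ? pa : UINT64_MAX;
}
```

For the virtual address 00007ff75fc50000 the entry offsets come out as 0x7f8 (PML4), 0xee8 (PDPT), 0x7f0 (PD) and 0x280 (PT), which is what the offset column of map.txt represents for each level.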

The virt2phys sub-directory is implemented as a built-in native C-code plugin. The plugin source is located in the file modules/m_proc_virt2phys.c in the vmm project. The plugin contains limited caching functionality that allows it to retain the contents of the virt.txt file even though the process list may be refreshed in a read/write scenario.