The Mysterious Operations That Happen in the Windows Internals

The list below serves only as an index; this series is a continuously updated collection.

0x1 Paged pool and nonpaged pool. The original text defines them as follows:

■ Nonpaged pool Consists of ranges of system virtual addresses that are guaranteed to reside in physical memory at all times and thus can be accessed at any time without incurring a page fault; therefore, they can be accessed from any IRQL. One of the reasons nonpaged pool is required is because of the rule described in Chapter 2 in Part 1: page faults can’t be satisfied at DPC/dispatch level or above. Therefore, any code and data that might execute or be accessed at or above DPC/dispatch level must be in nonpageable memory.

■ Paged pool A region of virtual memory in system space that can be paged into and out of the system. Device drivers that don’t need to access the memory from DPC/dispatch level or above can use paged pool. It is accessible from any process context.

And there is also

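Drawing on driver-development material, in plain terms: paged means the contents of the memory pages can be swapped out to disk (or another medium), while nonpaged memory means the contents will never be swapped out to disk. In addition, code running at an IRQL of DPC/dispatch level (deferred procedure call/dispatch level) or above must not access paged memory.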

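As is well known, when a page fault occurs the system catches the exception, loads from disk the content that belongs at the faulting virtual address into the corresponding physical address, and resumes the program's use of that virtual address. Interrupts at DPC/dispatch level or above cannot have a page fault satisfied, hence the rule above.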
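
An added example, not from the original page: a user-mode C model of the rule above, showing that a DISPATCH_LEVEL access to paged pool succeeds while the page happens to be resident and fails only once it has been paged out. The `model_*` names, the enum names other than the IRQL levels, and the trimming scenario are assumptions made for illustration; this is not WDK code.

```c
/* User-mode model (added example, not WDK code): why touching paged pool
 * at IRQL >= DISPATCH_LEVEL is a latent bug rather than an immediate one. */
#include <stdbool.h>
#include <stddef.h>

/* Windows IRQL numbering for the three lowest levels. */
enum { PASSIVE_LEVEL = 0, APC_LEVEL = 1, DISPATCH_LEVEL = 2 };

/* Hypothetical model types. */
typedef enum { POOL_NONPAGED, POOL_PAGED } pool_type;
typedef enum { ACCESS_OK, ACCESS_PAGED_IN, ACCESS_BUGCHECK } access_result;

typedef struct {
    pool_type pool;
    bool resident;      /* is the page currently in physical memory? */
} model_page;

/* New allocations start resident, whichever pool they come from. */
model_page model_alloc(pool_type pool) {
    model_page p = { pool, true };
    return p;
}

/* Memory pressure: only paged pool may be written out and made non-resident. */
void model_trim(model_page *pages, size_t n) {
    for (size_t i = 0; i < n; i++)
        if (pages[i].pool == POOL_PAGED)
            pages[i].resident = false;
}

/* One access to a page at the given IRQL. */
access_result model_access(model_page *p, int irql) {
    if (p->resident)
        return ACCESS_OK;          /* no page fault is raised at all */
    if (irql >= DISPATCH_LEVEL)
        return ACCESS_BUGCHECK;    /* fault cannot be satisfied; a real system bug-checks */
    p->resident = true;            /* below DISPATCH_LEVEL the page is read back in */
    return ACCESS_PAGED_IN;
}

/* DPC-level code touches a buffer before and after trimming.
 * Returns true when the bug stayed hidden until the page was paged out. */
bool latent_bug_demo(pool_type pool) {
    model_page buf[1] = { model_alloc(pool) };
    access_result before = model_access(&buf[0], DISPATCH_LEVEL);
    model_trim(buf, 1);
    access_result after = model_access(&buf[0], DISPATCH_LEVEL);
    return before == ACCESS_OK && after == ACCESS_BUGCHECK;
}
```

The model explains why such driver bugs often pass light testing and only appear under memory pressure, and why nonpaged pool is the only safe choice for data touched at DPC/dispatch level.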