The process of converting virtual addresses to physical addresses varies from architecture to architecture. This article lays out the process of converting a standard 64-bit linear address on a processor operating in IA32e mode. It's important to note this distinction because some constructs that exist in IA32e mode do not exist in IA32 mode (such as the PML4 table).
The following image is a table laying out the paging structures present depending on the specific mode of the processor (consult Chapter 4, "Paging", in the Intel manual).
We're going to teach by example. Let's take a 64-bit linear address and break down how we would determine the physical address from its virtual representation.
Example Address: 0x32D0C1E000
If you glanced at the image provided above, you'll notice that we need to start translation from the PML4 table and work our way through the paging structures to obtain the physical address. There's really no need for me to lay out which bits index which paging structure, as that's all laid out in Chapter 4 of the Intel Systems Programming Manual.
Breaking down the example address into its respective indexes, we find that the index into the PML4 table is 0x0, meaning that after getting the PML4 table base from CR3 we index into this structure, which is an array of pointers, to retrieve the address of a specific page directory pointer table. After obtaining a pointer to the proper PDPT, one has to index into that table (with 0x96 in this case) to grab another pointer, this time to the respective page directory table. We follow this pattern of retrieving pointers to the paging structures and then indexing into them with the values provided by the virtual address bits. Once indexed into the appropriate page table, you'll use the offset to get the page entry. The final result, the address of the page entry, is the physical representation of the linear virtual address.
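The walk described above, as an added example that is not part of the original article. The C below splits a linear address into its four 9-bit table indexes and 12-bit offset using the bit ranges from SDM Chapter 4 (47:39, 38:30, 29:21, 20:12, 11:0), checks that the address is canonical, and then walks a constructed set of paging structures held in a toy "physical memory" array, stopping early when an entry is not present or when the PS bit maps a 1 GiB or 2 MiB page. The table contents, the frame 0x4000 the example address is mapped to, and CR3 = 0 are all constructed for the demo. Note that computed this way the indexes for 0x32D0C1E000 come out as PML4 0x0, PDPT 0xCB, PD 0x86, PT 0x1E, offset 0x0, so the PDPT value differs from the 0x96 quoted in the walkthrough; the split is worth running yourself.

```c
#include <inttypes.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Field layout of a 4-level (IA32e, 4 KiB page) linear address, per SDM Chapter 4:
 * bits 47:39 PML4 index, 38:30 PDPT index, 29:21 PD index, 20:12 PT index, 11:0 offset. */
typedef struct {
    uint16_t pml4, pdpt, pd, pt, offset;
} va_parts;

va_parts split_va(uint64_t va)
{
    va_parts p;
    p.pml4   = (va >> 39) & 0x1FF;
    p.pdpt   = (va >> 30) & 0x1FF;
    p.pd     = (va >> 21) & 0x1FF;
    p.pt     = (va >> 12) & 0x1FF;
    p.offset =  va        & 0xFFF;
    return p;
}

/* Bits 63:48 must be a sign extension of bit 47 (all 17 top bits equal); the MMU
 * raises #GP for anything else, so a walker should refuse such addresses too. */
bool is_canonical(uint64_t va)
{
    uint64_t top = va >> 47;
    return top == 0 || top == 0x1FFFF;
}

#define ENTRY_P    (1ULL << 0)              /* present bit */
#define ENTRY_PS   (1ULL << 7)              /* page size: this entry maps a 1 GiB / 2 MiB page */
#define ADDR_MASK  0x000FFFFFFFFFF000ULL    /* physical address bits 51:12 of an entry */
#define NOT_MAPPED UINT64_MAX               /* returned when the walk hits a non-present entry */

/* Toy "physical memory": five 4 KiB frames at 0x0000..0x4FFF (constructed for this example). */
#define FRAME_WORDS 512
static uint64_t phys_mem[5 * FRAME_WORDS];

static uint64_t *table_at(uint64_t phys)
{
    return phys_mem + phys / sizeof(uint64_t);
}

/* Walk the structures the way the MMU does: CR3 -> PML4E -> PDPTE -> PDE -> PTE,
 * indexing each table with the field taken from the linear address. */
uint64_t translate(uint64_t cr3, uint64_t va)
{
    if (!is_canonical(va))
        return NOT_MAPPED;
    va_parts p = split_va(va);

    uint64_t pml4e = table_at(cr3 & ADDR_MASK)[p.pml4];
    if (!(pml4e & ENTRY_P)) return NOT_MAPPED;

    uint64_t pdpte = table_at(pml4e & ADDR_MASK)[p.pdpt];
    if (!(pdpte & ENTRY_P)) return NOT_MAPPED;
    if (pdpte & ENTRY_PS)               /* 1 GiB page: VA bits 29:0 are the offset */
        return (pdpte & 0x000FFFFFC0000000ULL) | (va & 0x3FFFFFFF);

    uint64_t pde = table_at(pdpte & ADDR_MASK)[p.pd];
    if (!(pde & ENTRY_P)) return NOT_MAPPED;
    if (pde & ENTRY_PS)                 /* 2 MiB page: VA bits 20:0 are the offset */
        return (pde & 0x000FFFFFFFE00000ULL) | (va & 0x1FFFFF);

    uint64_t pte = table_at(pde & ADDR_MASK)[p.pt];
    if (!(pte & ENTRY_P)) return NOT_MAPPED;
    return (pte & ADDR_MASK) | p.offset; /* frame from the PTE, offset from the VA */
}

#define EXAMPLE_VA 0x32D0C1E000ULL

/* Constructed tables: frames 0-3 hold PML4, PDPT, PD and PT; EXAMPLE_VA's page is frame 4. */
uint64_t build_example_tables(void)
{
    va_parts p = split_va(EXAMPLE_VA);
    memset(phys_mem, 0, sizeof phys_mem);
    table_at(0x0000)[p.pml4] = 0x1000 | ENTRY_P;
    table_at(0x1000)[p.pdpt] = 0x2000 | ENTRY_P;
    table_at(0x2000)[p.pd]   = 0x3000 | ENTRY_P;
    table_at(0x3000)[p.pt]   = 0x4000 | ENTRY_P;
    return 0x0000;                      /* CR3: physical address of the PML4 table */
}

/* Rebuild the constructed tables, then translate va through them. */
uint64_t example_translate(uint64_t va)
{
    return translate(build_example_tables(), va);
}

int main(void)
{
    va_parts p = split_va(EXAMPLE_VA);
    printf("PML4 %#x  PDPT %#x  PD %#x  PT %#x  offset %#x\n",
           (unsigned)p.pml4, (unsigned)p.pdpt, (unsigned)p.pd, (unsigned)p.pt, (unsigned)p.offset);
    printf("%#" PRIx64 " -> %#" PRIx64 "\n", EXAMPLE_VA, example_translate(EXAMPLE_VA));
    printf("%#" PRIx64 " -> %#" PRIx64 " (same page, offset 0x123)\n",
           EXAMPLE_VA + 0x123, example_translate(EXAMPLE_VA + 0x123));
    return 0;
}
```

Only the PTE's frame bits (51:12) come from the last table; the low 12 bits of the result are the untouched offset from the linear address. An address one page higher (0x32D0C1F000) shares the same PML4, PDPT and PD entries but lands on PT index 0x1F, which the constructed tables leave empty, so the walk reports it as not mapped.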
To conclude, you can obtain CR3 for any specific process by locating the DirectoryTableBase member of that process's EPROCESS structure.