Edit

Share via

!vtop

  • Article

The !vtop extension converts a virtual address to the corresponding physical address, and displays other page table and page directory information.

Syntax

!vtop PFN VirtualAddress 
!vtop 0 VirtualAddress

Parameters

DirBase
Specifies the directory base for the process. Each process has its own virtual address space. Use the !process extension to determine the directory base for a process.

PFN
Specifies the page frame number (PFN) of the directory base for the process.

0
Causes !vtop to use the current process context for address translation.

VirtualAddress
Specifies the virtual address whose page is desired.

DLL

Kdexts.dll

Additional Information

For other methods of achieving these results, see Converting Virtual Addresses to Physical Addresses. Also see !ptov. For information about page tables and page directories, see Microsoft Windows Internals, by Mark Russinovich and David Solomon.

Remarks

To use this command, first use the !process extension to determine the directory base of the process. The page frame number (PFN) of this directory base can be found by removing the three trailing hexadecimal zeros (in other words, by right-shifting the number 12 bits).

Here is an example:

kd> !process 0 0
**** NT ACTIVE PROCESS DUMP ****
....
PROCESS ff779190  SessionId: 0  Cid: 04fc    Peb: 7ffdf000  ParentCid: 0394
 DirBase: 098fd000  ObjectTable: e1646b30  TableSize:   8.
    Image: MyApp.exe

Since the directory base is 0x098FD000, its PFN is 0x098FD.

kd> !vtop 98fd 12f980
Pdi 0 Pti 12f
0012f980 09de9000 pfn(09de9)

Notice how the trailing three zeros are optional. The !vtop extension displays the page directory index (PDI), the page table index (PTI), the virtual address that you had originally input, the physical address of the beginning of the physical page, and the page frame number (PFN) of the page table entry (PTE).

If you want to convert the virtual address 0x0012F980 to a physical address, you simply have to take the last three hexadecimal digits (0x980) and add them to the physical address of the beginning of the page (0x09DE9000). This gives the physical address 0x09DE9980.

If you forget to remove the three zeros, and pass the full directory base to !vtop instead of the PFN, the results will usually be correct. This is because when !vtop receives a number too large to be a PFN, it right-shifts it twelve bits and uses that number instead:

kd> !vtop 98fd 12f980
Pdi 0 Pti 12f
0012f980 09de9000 pfn(09de9)

kd> !vtop 98fd000 12f980
Pdi 0 Pti 12f
0012f980 09de9000 pfn(09de9)

However, it is better to always use the PFN, because some directory base values will not be converted in this manner.