Exercise 8: Identifying the Owner of Storage

Objectives:

Every piece of storage has an owner. Storage owned by OS/2 itself may not have all of the storage accounting information that is kept for storage used by applications. The most common clue that this is the case is the presence of the 'UVirt' flag (bit 52) in the descriptor. The next most common clue is that the procedure below fails, because complete storage accounting has not been done for that storage.

Within OS/2, handles are used extensively. Generally, a handle is nothing more than an index into some table or other. For diagnostic purposes, one can treat it as a 'magic number' that can be used as an operand on certain commands.

The initial objective is to find the module table entry which the loader built when the module was loaded. This will relate storage to the 'far' addresses in the link map.

The procedure is slightly different for private and shared storage.

With practice, one learns quickly what selectors are likely to be private, and which are likely to be shared. Refer to the address space picture which appears earlier, to refresh your memory about private and shared storage.

One way to tell is to display the entire LDT (using 'DL') and to look for the gap between 'low numbered' and 'high numbered' selectors.

The dump formatter command '.I' shows not only the handle of the module table entry (MTE) for the executable which caused this process to exist, but also the handle of the 'PTDA', which is the key control block for a process. The '.M' command, issued with a shared address, reports the handle of the module table entry that owns the storage. If issued for a private address, you get a set of output lines for every process which contains the address; in this case you will need the hPTDA (PTDA handle) from the '.I' command to determine which set of output lines to use. The '.LMO' command, given the module table entry handle, not only gives you the full path name of the module, but also formats a table which has a column (toward the right) titled 'sel'. This is the selector assigned. The first line of output is for the first segment in the link map, the second line is for the second segment, and so on. Thus you can convert the selector:offset in the dump to a segment:offset in the correct link map.

.I
PROCESS slot:23 Pid:0008 Ord:0001
PTDA    handle=032e address=%ad6d97f0
MTE     handle=0363 address=%ff666d4c (DEMO)
SMTE    address=%fe14abe8
LDT     handle=035c address=%ac6d7000
CODE:   user (cs:eip)#000f:000000be cbargs=
STACKS: user (ss:esp)#001f:000014be(active)
        ring2(ss:esp)#0036:00001000(bottom)
        ring0 tcbframe=%fe023f58 bottom=%fe023f9c

.M CS:IP
*har     par      cpg        va    flg next prev link hash hob   hal
 01f5 %ff821b18 00000010 %00010000 1c9 01f6 01f3 00fa 0000 0131 0000 hptda=0240
 00fa %ff820586 00000010 %00010000 1d9 0102 00f9 0000 0000 0131 0000 hptda=0117
 hob   har hobnxt flgs own  hmte  sown,cnt lt st xf
 0131  01f5 0000  0838 0132 0132  0000 00  00 00 00 shared    c:pmshell.exe

*har     par      cpg        va    flg next prev link hash hob   hal
 0177 %ff821044 00000010 %00010000 179 0178 0175 0000 0000 01be 0000 hptda=01b9
 hob   har hobnxt flgs own  hmte  sown,cnt lt st xf
 01be  0177 0000  002c 01b9 01bf  0000 00  00 00 00 UNKNOWN

*har     par      cpg        va    flg next prev link hash hob   hal
 01f5 %ff821b18 00000010 %00010000 1c9 01f6 01f3 00fa 0000 0131 0000 hptda=0240
 00fa %ff820586 00000010 %00010000 1d9 0102 00f9 0000 0000 0131 0000 hptda=0117
 hob   har hobnxt flgs own  hmte  sown,cnt lt st xf
 0131  01f5 0000  0838 0132 0132  0000 00  00 00 00 shared    c:pmshell.exe

*har     par      cpg        va    flg next prev link hash hob   hal
 02b5 %ff822b98 00000010 %00010000 1d9 02b6 02b2 0000 0000 0322 0000 hptda=031c
 hob   har hobnxt flgs own  hmte  sown,cnt lt st xf
 0322  02b5 0000  0838 0327 0327  0000 00  00 00 00 shared    c:cmd.exe

*har     par      cpg        va    flg next prev link hash hob   hal
 02e6 %ff822fce 00000010 %00010000 1d9 02e7 02e5 0000 0000 0362 0000 hptda=032e
 hob   har hobnxt flgs own  hmte  sown,cnt lt st xf
 0362  02e6 0000  0838 0363 0363  0000 00  00 00 00 shared    c:demo.exe

.LMO 363
hmte=0363 pmte=%ff666d4c mflags=00803142 c:\pmg\pete\demo16\demo.exe
seg  sect psiz vsiz hob  sel  flags
0001 0001 2e78 2e78 0362 000f 2d20 code shr rel
0002 0000 0000 2910 0000 0017 0c01 data
0003 0019 0937 1560 0000 001f 0d01 data rel

1. The PTDA handle is __________, the module table entry handle is _________

2. Which 'har' line is for our process? har=_________ What is the hmte value from this set of lines? hmte=______________

3. What is the full path name of the module that contains CS:IP?

_________________________________________________________

___________________________ Issue it. The lines which start hco= are context records, which indicate all of the contexts (processes) that can reference this address. It is extremely likely to be a shared address.
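The conversion walked through above (hPTDA from '.I', the matching 'har'/'hob' pair from '.M', then selector to link-map segment via '.LMO'), scripted over the output shown in this exercise. This is an added example written for this page, not part of the original exercise or of any OS/2 tool, and it assumes the column layout of the dump formatter output matches what is printed here.

```python
import re

# Constructed sample input: the '.I', '.M CS:IP' and '.LMO 363' lines from this exercise.
DOT_I = """PTDA    handle=032e address=%ad6d97f0
MTE     handle=0363 address=%ff666d4c (DEMO)
CODE:   user (cs:eip)#000f:000000be cbargs="""
DOT_M = """ 01f5 %ff821b18 00000010 %00010000 1c9 01f6 01f3 00fa 0000 0131 0000 hptda=0240
 00fa %ff820586 00000010 %00010000 1d9 0102 00f9 0000 0000 0131 0000 hptda=0117
 0131  01f5 0000  0838 0132 0132  0000 00  00 00 00 shared    c:pmshell.exe
 02e6 %ff822fce 00000010 %00010000 1d9 02e7 02e5 0000 0000 0362 0000 hptda=032e
 0362  02e6 0000  0838 0363 0363  0000 00  00 00 00 shared    c:demo.exe"""
DOT_LMO = """0001 0001 2e78 2e78 0362 000f 2d20 code shr rel
0002 0000 0000 2910 0000 0017 0c01 data
0003 0019 0937 1560 0000 001f 0d01 data rel"""

HEX4 = r"([0-9a-f]{4})"
# har line columns: har par cpg va flg next prev link hash hob hal hptda=...
HAR_LINE = re.compile(r"^\s*" + HEX4 + r" %[0-9a-f]+ [0-9a-f]+ %[0-9a-f]+ [0-9a-f]+"
                      r"(?: [0-9a-f]{4}){4} " + HEX4 + r" [0-9a-f]{4} hptda=" + HEX4 + "$")
# hob line columns: hob har hobnxt flgs own hmte ... path
HOB_LINE = re.compile(r"^\s*" + HEX4 + r"\s+[0-9a-f]{4}(?:\s+[0-9a-f]{4}){3}\s+" + HEX4
                      + r"\s.*\s(\S+)$")

def process_handles(dot_i):
    """From '.I' output: (hPTDA, hMTE, CS, EIP) of the faulting process."""
    hptda = re.search(r"PTDA\s+handle=" + HEX4, dot_i).group(1)
    hmte = re.search(r"MTE\s+handle=" + HEX4, dot_i).group(1)
    cs, eip = re.search(r"\(cs:eip\)#" + HEX4 + r":([0-9a-f]{8})", dot_i).groups()
    return hptda, hmte, cs, eip

def owner_of_address(dot_m, hptda):
    """Pick the '.M' har line whose hptda is our process, then the hob line it points at."""
    har = hob = None
    for line in dot_m.splitlines():
        m = HAR_LINE.match(line)
        if m and m.group(3) == hptda:
            har, hob = m.group(1), m.group(2)
        h = HOB_LINE.match(line)
        if h and h.group(1) == hob:
            return har, h.group(2), h.group(3)   # (har, hmte, module path)
    return None  # no accounting for this address in that process (see 'UVirt' above)

def selector_to_segment(dot_lmo, sel, offset):
    """Translate a dump selector:offset to the link-map seg:offset using '.LMO'."""
    for line in dot_lmo.splitlines():
        fields = line.split()
        if fields[5] == sel:                     # 'sel' is the sixth column
            return f"{fields[0]}:{int(offset, 16):04x}"
    return None
```

For the exercise's own CS:EIP of 000f:000000be this yields segment 0001:00be of c:demo.exe, the value you would look up in the link map.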