The VAD tree consists of 3 types of nodes, each with its own pool tag
(remember that VADs all live in non-paged pool). Each successively
larger type contains the smaller type inside; that is, the core format
is the same for all three types, but the larger ones just have extra
fields at the end. This means that when walking the tree it is
sufficient to treat the structure as the smallest of the three,
_MMVAD_SHORT, unless extra information is desired.
At this time, the only known way of distinguishing the three types when
walking the list is to read the pool tag.
The three types are:
_MMVAD_SHORT (Pool tag "VadS")
lkd> dt _MMVAD_SHORT
   +0x000 StartingVpn : Uint4B
   +0x004 EndingVpn : Uint4B
   +0x008 Parent : Ptr32 _MMVAD
   +0x00c LeftChild : Ptr32 _MMVAD
   +0x010 RightChild : Ptr32 _MMVAD
   +0x014 u : __unnamed
      +0x000 LongFlags : Uint4B
      +0x000 VadFlags : _MMVAD_FLAGS
         +0x000 CommitCharge : Pos 0, 19 Bits
         +0x000 PhysicalMapping : Pos 19, 1 Bit
         +0x000 ImageMap : Pos 20, 1 Bit
         +0x000 UserPhysicalPages : Pos 21, 1 Bit
         +0x000 NoChange : Pos 22, 1 Bit
         +0x000 WriteWatch : Pos 23, 1 Bit
         +0x000 Protection : Pos 24, 5 Bits
         +0x000 LargePages : Pos 29, 1 Bit
         +0x000 MemCommit : Pos 30, 1 Bit
         +0x000 PrivateMemory : Pos 31, 1 Bit
_MMVAD (Pool tag "Vad ")
lkd> dt _MMVAD
   +0x000 StartingVpn : Uint4B
   +0x004 EndingVpn : Uint4B
   +0x008 Parent : Ptr32 _MMVAD
   +0x00c LeftChild : Ptr32 _MMVAD
   +0x010 RightChild : Ptr32 _MMVAD
   +0x014 u : __unnamed
      +0x000 LongFlags : Uint4B
      +0x000 VadFlags : _MMVAD_FLAGS
         +0x000 CommitCharge : Pos 0, 19 Bits
         +0x000 PhysicalMapping : Pos 19, 1 Bit
         +0x000 ImageMap : Pos 20, 1 Bit
         +0x000 UserPhysicalPages : Pos 21, 1 Bit
         +0x000 NoChange : Pos 22, 1 Bit
         +0x000 WriteWatch : Pos 23, 1 Bit
         +0x000 Protection : Pos 24, 5 Bits
         +0x000 LargePages : Pos 29, 1 Bit
         +0x000 MemCommit : Pos 30, 1 Bit
         +0x000 PrivateMemory : Pos 31, 1 Bit
   +0x018 ControlArea : Ptr32 _CONTROL_AREA
   +0x01c FirstPrototypePte : Ptr32 _MMPTE
   +0x020 LastContiguousPte : Ptr32 _MMPTE
   +0x024 u2 : __unnamed
      +0x000 LongFlags2 : Uint4B
      +0x000 VadFlags2 : _MMVAD_FLAGS2
         +0x000 FileOffset : Pos 0, 24 Bits
         +0x000 SecNoChange : Pos 24, 1 Bit
         +0x000 OneSecured : Pos 25, 1 Bit
         +0x000 MultipleSecured : Pos 26, 1 Bit
         +0x000 ReadOnly : Pos 27, 1 Bit
         +0x000 LongVad : Pos 28, 1 Bit
         +0x000 ExtendableFile : Pos 29, 1 Bit
         +0x000 Inherit : Pos 30, 1 Bit
         +0x000 CopyOnWrite : Pos 31, 1 Bit
Note: on Windows 2000 SP4, the "Vadl" pool tag is not used. Instead,
the VAD node resides in a normal "Vad " pool, and the LongVad flag is
set in the VadFlags2 field, indicating that the structure should be
treated as an _MMVAD_LONG.
_MMVAD_LONG (Pool tag "Vadl")
lkd> dt _MMVAD_LONG
   +0x000 StartingVpn : Uint4B
   +0x004 EndingVpn : Uint4B
   +0x008 Parent : Ptr32 _MMVAD
   +0x00c LeftChild : Ptr32 _MMVAD
   +0x010 RightChild : Ptr32 _MMVAD
   +0x014 u : __unnamed
      +0x000 LongFlags : Uint4B
      +0x000 VadFlags : _MMVAD_FLAGS
         +0x000 CommitCharge : Pos 0, 19 Bits
         +0x000 PhysicalMapping : Pos 19, 1 Bit
         +0x000 ImageMap : Pos 20, 1 Bit
         +0x000 UserPhysicalPages : Pos 21, 1 Bit
         +0x000 NoChange : Pos 22, 1 Bit
         +0x000 WriteWatch : Pos 23, 1 Bit
         +0x000 Protection : Pos 24, 5 Bits
         +0x000 LargePages : Pos 29, 1 Bit
         +0x000 MemCommit : Pos 30, 1 Bit
         +0x000 PrivateMemory : Pos 31, 1 Bit
   +0x018 ControlArea : Ptr32 _CONTROL_AREA
   +0x01c FirstPrototypePte : Ptr32 _MMPTE
   +0x020 LastContiguousPte : Ptr32 _MMPTE
   +0x024 u2 : __unnamed
      +0x000 LongFlags2 : Uint4B
      +0x000 VadFlags2 : _MMVAD_FLAGS2
         +0x000 FileOffset : Pos 0, 24 Bits
         +0x000 SecNoChange : Pos 24, 1 Bit
         +0x000 OneSecured : Pos 25, 1 Bit
         +0x000 MultipleSecured : Pos 26, 1 Bit
         +0x000 ReadOnly : Pos 27, 1 Bit
         +0x000 LongVad : Pos 28, 1 Bit
         +0x000 ExtendableFile : Pos 29, 1 Bit
         +0x000 Inherit : Pos 30, 1 Bit
         +0x000 CopyOnWrite : Pos 31, 1 Bit
   +0x028 u3 : __unnamed
      +0x000 List : _LIST_ENTRY
         +0x000 Flink : Ptr32 _LIST_ENTRY
         +0x004 Blink : Ptr32 _LIST_ENTRY
      +0x000 Secured : _MMADDRESS_LIST
         +0x000 StartVpn : Uint4B
         +0x004 EndVpn : Uint4B
   +0x030 u4 : __unnamed
      +0x000 Banked : Ptr32 _MMBANKED_SECTION
         +0x000 BasePhysicalPage : Uint4B
         +0x004 BasedPte : Ptr32 _MMPTE
         +0x008 BankSize : Uint4B
         +0x00c BankShift : Uint4B
         +0x010 BankedRoutine : Ptr32
         +0x014 Context : Ptr32 Void
         +0x018 CurrentMappedPte : Ptr32 _MMPTE
         +0x020 BankTemplate : [1] _MMPTE
      +0x000 ExtendedInfo : Ptr32 _MMEXTEND_INFO
         +0x000 CommittedSize : Uint8B
         +0x008 ReferenceCount : Uint4B
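
The layouts above are enough to decode a node found in a 32-bit memory image. The following Python is an added example, not code from the original page: it selects the node type from the pool tag, applies the Windows 2000 SP4 LongVad rule from the note, and unpacks the VadFlags bitfields. The names parse_vad, SAMPLE_SHORT and SAMPLE_W2K_LONG are hypothetical, the sample buffers are constructed, the caller is assumed to have already read the pool tag, and 4 KiB pages with an inclusive EndingVpn are assumed for the address conversion.

```python
import struct

PAGE_SHIFT = 12  # assumption: 4 KiB x86 pages, so address = VPN << 12
# (name, bit position, width), copied from the _MMVAD_FLAGS listing above
VAD_FLAGS = [
    ("CommitCharge", 0, 19), ("PhysicalMapping", 19, 1), ("ImageMap", 20, 1),
    ("UserPhysicalPages", 21, 1), ("NoChange", 22, 1), ("WriteWatch", 23, 1),
    ("Protection", 24, 5), ("LargePages", 29, 1), ("MemCommit", 30, 1),
    ("PrivateMemory", 31, 1),
]
LONGVAD_BIT = 28  # LongVad position in _MMVAD_FLAGS2
TAG_TO_TYPE = {b"VadS": "_MMVAD_SHORT", b"Vad ": "_MMVAD", b"Vadl": "_MMVAD_LONG"}
# Bytes this parser reads per type: through u (0x18) or through u2 (0x28).
MIN_READ = {"_MMVAD_SHORT": 0x18, "_MMVAD": 0x28, "_MMVAD_LONG": 0x28}


def parse_vad(pool_tag, node):
    """Decode one VAD node from its pool tag and the raw bytes of the node."""
    vad_type = TAG_TO_TYPE.get(pool_tag)
    if vad_type is None:
        raise ValueError("not a VAD pool tag: %r" % (pool_tag,))
    if len(node) < MIN_READ[vad_type]:
        raise ValueError("truncated %s: %d bytes" % (vad_type, len(node)))
    # Core fields shared by all three types (offsets 0x000 to 0x017).
    start_vpn, end_vpn, parent, left, right, flags = struct.unpack_from("<6I", node, 0)
    out = {
        "type": vad_type,
        "start": start_vpn << PAGE_SHIFT,
        "end": ((end_vpn + 1) << PAGE_SHIFT) - 1,  # assumes EndingVpn is inclusive
        "parent": parent, "left": left, "right": right,
        "flags": {n: (flags >> pos) & ((1 << w) - 1) for n, pos, w in VAD_FLAGS},
    }
    if vad_type != "_MMVAD_SHORT":
        control_area, _first_pte, _last_pte, flags2 = struct.unpack_from("<4I", node, 0x18)
        out["control_area"] = control_area
        # Windows 2000 SP4: a "Vad " allocation with LongVad set is an _MMVAD_LONG.
        if vad_type == "_MMVAD" and (flags2 >> LONGVAD_BIT) & 1:
            out["type"] = "_MMVAD_LONG"
    return out


# Constructed samples: a private committed region, and a Windows 2000-style
# image mapping whose "Vad " node carries the LongVad flag.
SAMPLE_SHORT = struct.pack("<6I", 0x10, 0x1F, 0, 0, 0, (1 << 31) | (1 << 30) | (4 << 24) | 16)
SAMPLE_W2K_LONG = struct.pack("<10I", 0x400, 0x40F, 0, 0, 0, 1 << 20, 0x81234568, 0, 0, 1 << 28)

if __name__ == "__main__":
    for tag, raw in ((b"VadS", SAMPLE_SHORT), (b"Vad ", SAMPLE_W2K_LONG)):
        print(parse_vad(tag, raw))
```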