JIURL play Win2k memory of VAD articles: JIURL Home: http://jiurl.yeah.net Date: 2003-7-30
In the program we can use VirtualAlloc to apply (reserved or submit) a paragraph address space for the address and size in the user address space (low 2G in 4G address space). So how do you know how the specified address space has been assigned (reserved or submit). For the specified address space has been submitted to physical memory, it can be judged by page directory and page table, but this is very troublesome. Whether or not to specify whether the address space has been retained, there is no way to judge by page directory and page table. Use VAD in Win2k to solve this problem. VAD is an abbreviation of Virtual Address Descriptor, a virtual address descriptor. A VAD saves a section of the assigned address space, all VAD constitutes a binary sort tree to describe the case where the user address space is described. Each process has its own user address space, so each process also has its own VAD binary sort tree. The address of the root of the VAD binary sort tree is saved in the process structure EPROCESS. For Win2K Build 2195, VADROOT offset 194 at EPRocess. The binary sequence tree is a binary tree, and each node has a maximum of about two subtots. The value of all nodes on the left subtree is smaller than the value of its root node, and the value of all nodes on the right subtree is greater than the value of its root node. Use a binary sequence tree to ensure a lookup speed. VAD structure is defined as typedef struct _VAD_HEADER {/ * 00 * / PVOID StartVPN; / * 04 * / PVOID EndVPN; / * 08 * / _VAD_HEADER * ParentLink; / * 0C * / _VAD_HEADER * LeftLink; / * 10 * / _VAD_HEADER * RightLink ; / * 14 * / ulong commitcharge: 20; / * 14 * / ulong flags: 12; / * 18 * / pvoid control,; / * 1c * / pvoid firstprotopte; / * 20 * / pvoid lastpte; / * 24 * / Ulong unknown; / * 28 * / list_entry second; /} VAD_HEADER, * PVAD_HEADER; StartVPN This address space of the address space described by this VAD ENDVPN ENDVPN This VAD is described in the end of the address space described in the address space described. Page Numbership Commital 'Some other fields submitted by the Physical Pages of the Vad structure will be more introduced in other parts.
Below we use KD to see an actual example // system process PID 8kd>! Process 8 0! Process 8 0searching for process with cid == 8process 8141e020 sessionid: 0 Cid: 0008 PEB: 00000000 ParentCID: 0000DirBase: 00030000 ObjectTable: 81452A68 TABLESIZE: 106.Image: The eProcess address of the system // system process is 8141E020 // vAdroot offset 194 in EPROCESS 194 Kd>! STRCT EPROCESS 8141E020 ... 194 void * VADROOT = 8141bb48. ..// VadRoot address 8141BB48kd>! vad 8141BB48! vad 8141BB48VAD level start end commit8141bb48 (0) 10 42 0 Mapped READWRITE810f8208 (2) 60 60 1 Private READWRITE810ba508 (3) 70 70 0 Mapped READWRITE813e6ca8 (1) 77f80 77ff8 3 Mapped Exe EXECUTE_WRITECOPYTotal VADs: 4 average level: 2 maximum depth: 3 // we look at the root of the specific content of the VAD, the root node at 8141bb48 kd> dd 8141bb48 l 30 / 4dd 8141bb48 l 30 / 48141bb48 00000010 00000042 00000000 000000008141bb58 813E6CA8 E10089E08141BB68 E1008AA8 40000000 00000000 00000000 Need to point out that only the user address space of the system process will be as simple as the system, the VAD binary tree of the general program will have more than 20 nodes. Let's take a look at an example, this is the output of a program JIURLVADSEE I wrote, which can list the VAD binary tree of the specified process. The ID of the system running the process can be obtained via the Windows Task Manager.
ProcessId (Decimal): 5560 - Min Information 1 - Max InformationType: 1Vad Level StartVPN EndVPN Commit Flags0x82b05928 [1] 0x00010 0x00010 1 c40StartVirtualAddress: 0x00010000 EndVirtualAddress: 0x00010fff / * 00 * / PVOID StartVPN; = 0x00010 / * 04 * / PVOID EndVPN; = 0x00010 / * 08 * / _VAD_HEADER * parentLink; = 0x810482a8 / * 0C * / _VAD_HEADER * LeftLink; = 0x00000000 / * 10 * / _VAD_HEADER * RightLink; = 0x82b05da8 / * 14 * / ULONG CommitCharge: 20; = 0x00001 / * 14 * / ULONG Flags: 12; = 0xc40 / * 18 * / PVOID ControlArea; = 0x02018001 / * 1C * / PVOID FirstProtoPte; = 0x20646156 / * 20 * / PVOID LastPTE; = 0x00005240 / * 24 * / ULONG Unknown; = 0x0000533f / * 28 * / LIST_ENTRY Secured; = 0x8106d2e8 0x000000000x82b05da8 [2] 0x00020 0x00020 1 c40StartVirtualAddress: 0x00020000 EndVirtualAddress: 0x00020fff / * 00 * / PVOID startVPN; = 0x00020 / * 04 * / PVOID EndVPN; = 0x00020 / * 08 * / _VAD_HEADER * parentLink ; = 0x82B05928 / * 0C * / _VAD_HEADER * LEFTLINK; = 0x00000000 / * 10 * / _VAD_HEADER * RightLink; = 0x8269A808 / * 14 * / ulong commitcharge: 20; = 0x00001 / * 14 * / ulo NG Flags: 12; = 0xc40 / * 18 * / PVOID ControlArea; = 0x02018001 / * 1C * / PVOID FirstProtoPte; = 0x20646156 / * 20 * / PVOID LastPTE; = 0x0007ffd8 / * 24 * / ULONG Unknown; = 0x0007ffd8 / * 28 * / LIST_ENTRY Secured; = 0x84875a28 0x000000000x8269a808 [3] 0x00030 0x0012f 3 840StartVirtualAddress: 0x00030000 EndVirtualAddress: 0x0012ffff / * 00 * / PVOID startVPN; = 0x00030 / * 04 * / PVOID EndVPN; = 0x0012f / * 08 * / _VAD_HEADER * parentLink; = 0x82B05DA8 / * 0C * / _VAD_HEADER * LEFTLINK; = 0x00000000 / * 10 * / _VAD_HEADER * RightLink; = 0x826f9ba8 / * 14 * / ulong commitcharge: 20; = 0x00003 / * 14 * / ulong flags: 12; = 0x840 / * 18 * / PVOID ControlAresa; =
0x02018001 / * 1C * / PVOID FirstProtoPte; = 0x20646156 / * 20 * / PVOID LastPTE; = 0x000777f0 / * 24 * / ULONG Unknown; = 0x000777fd / * 28 * / LIST_ENTRY Secured; = 0x82a65c28 0x82f11e880x826f9ba8 [4] 0x00130 0x0022f 4 840StartVirtualAddress: 0x00130000 EndVirtualAddress: 0x0022ffff / * 00 * / PVOID startVPN; = 0x00130 / * 04 * / PVOID EndVPN; = 0x0022f / * 08 * / _VAD_HEADER * parentLink; = 0x8269a808 / * 0C * / _VAD_HEADER * LeftLink; = 0x00000000 / * 10 * / _VAD_HEADER * RightLink; = 0x810b7fc8 / * 14 * / ULONG CommitCharge: 20; = 0x00004 / * 14 * / ULONG Flags: 12; = 0x840 / * 18 * / PVOID ControlArea; = 0x02018001 / * 1C * / PVOID FirstProtoPte; = 0x45746146 / * 20 * / PVOID LastPTE; = 0x834e40e8 / * 24 * / ULONG Unknown; = 0x8351dde8 / * 28 * / LIST_ENTRY Secured; = 0x00000000 0x000000000x810b7fc8 [5] 0x00230 0x0023f 0 040StartVirtualAddress: 0x00230000 EndVirtualAddress: 0x0023ffff / * 00 * / PVOID STARTVPN; = 0x00230 / * 04 * / pvoid endvpn; = 0x0023f / * 08 * / _vad_header * parentLink; = 0x826f9ba8 / * 0c * / _vad_header * leftLink; = 0x00000000 / * 10 * / _vad_header * rightlink; = 0x8109d6c8 / * 14 * / ulong commitcharge: 20; = 0x00000 / * 14 * / ulong flags: 12; = 0x040 / * 18 * / pvoid controlArea; = 0x86346148 / * 1C * / pvoid firstprotopte; = 0xE33EDA40 / * 20 * / PVOID LastPTE; = 0xe33eda7c / * 24 * / ULONG Unknown; = 0x00000000 / * 28 * / LIST_ENTRY Secured; = 0x00000000 0x000000000x8109d6c8 [6] 0x00240 0x00255 0 010StartVirtualAddress: 0x00240000 EndVirtualAddress: 0x00255fff / * 00 * / PVOID startVPN; = 0x00240 / * 04 * / PVOID EndVPN; = 0x00255 / * 08 * / _VAD_HEADER * parentLink; = 0x810b7fc8 / * 0C * / _VAD_HEADER * LeftLink; = 0x00000000 / * 10 * / _VAD_HEADER * RightLink; = 0x82b057a8 / * 14 * / ULONG CommitCharge: 20; =
0x00000 / * 14 * / ULONG Flags: 12; = 0x010 / * 18 * / PVOID ControlArea; = 0x810e83c8 / * 1C * / PVOID FirstProtoPte; = 0xe2beb380 / * 20 * / PVOID LastPTE; = 0xe2beb3d4 / * 24 * / ULONG Unknown ; = 0x80000000 / * 28 * / LIST_ENTRY Secured; = 0x00000000 0x000000000x82b057a8 [7] 0x00260 0x0028e 0 010StartVirtualAddress: 0x00260000 EndVirtualAddress: 0x0028efff / * 00 * / PVOID startVPN; = 0x00260 / * 04 * / PVOID EndVPN; = 0x0028e / * 08 * / _VAD_HEADER * parentLink; = 0x8109d6c8 / * 0C * / _VAD_HEADER * LeftLink; = 0x00000000 / * 10 * / _VAD_HEADER * RightLink; = 0x82b05768 / * 14 * / ULONG CommitCharge: 20; = 0x00000 / * 14 * / ULONG Flags: 12 ; = 0x010 / * 18 * / PVOID ControlArea; = 0x810e7be8 / * 1C * / PVOID FirstProtoPte; = 0xe2becd20 / * 20 * / PVOID LastPTE; = 0xe2becdd8 / * 24 * / ULONG Unknown; = 0x80000000 / * 28 * / LIST_ENTRY Secured ; = 0x00000000 0x000000000x82b05768 [8] 0x00290 0x002d0 0 010StartVirtualAddress: 0x00290000 EndVirtualAddress: 0x002d0fff / * 00 * / PVOID startVPN; = 0x00290 / * 04 * / PVOID EndVPN; = 0x002d0 / * 08 * / _VAD_HEADER * parentLink; = 0x82b057a8 / * 0C * / _VAD_HEADER * LEFTLINK; = 0x00000000 / * 10 * / _VAD_HEADER * RightLink; = 0x82b05728 / * 14 * / ulong commitcharge: 20; = 0x00000 / * 14 * / ulong flags: 12; = 0x010 / * 18 * / pvoid controlArarea; = 0x810e7828 / * 1C * / PVOID FirstProtoPte; = 0xe2bed600 / * 20 * / PVOID LastPTE; = 0xe2bed700 / * 24 * / ULONG Unknown; = 0x80000000 / * 28 * / LIST_ENTRY Secured; = 0x00000000 0x000000000x82b05728 [9] 0x002e0 0x002e3 0 010StartVirtualAddress: 0x002e0000 EndVirtualAddress: 0x002e3fff / * 00 * / PVOID startVPN; = 0x002e0 / * 04 * / PVOID EndVPN; = 0x002e3 / * 08 * / _VAD_HEADER * parentLink; = 0x82b05768 / * 0C * / _VAD_HEADER * LeftLink; =
0x00000000 / * 10 * / _VAD_HEADER * RightLink; = 0x82B056E8 / * 14 * / ulong commitcharge: 20; = 0x00000 / * 14 * / ulong flags: 12; = 0x010 / * 18 * / pvoid control over; = 0x810e7648 / * 1c * / PVOID FirstProtoPte; = 0xe139cfa0 / * 20 * / PVOID LastPTE; = 0xe139cfac / * 24 * / ULONG Unknown; = 0x80000000 / * 28 * / LIST_ENTRY Secured; = 0x00000000 0x000000000x82b056e8 [10] 0x002f0 0x00330 0 010StartVirtualAddress: 0x002f0000 EndVirtualAddress: 0x00330fff / * 00 * / PVOID startVPN; = 0x002f0 / * 04 * / PVOID EndVPN; = 0x00330 / * 08 * / _VAD_HEADER * parentLink; = 0x82b05728 / * 0C * / _VAD_HEADER * LeftLink; = 0x00000000 / * 10 * / _VAD_HEADER * RightLink; = 0x81070188 / * 14 * / ulong commitcharge: 20; = 0x00000 / * 14 * / ulong flags: 12; = 0x010 / * 18 * / pvoid constrolarea; = 0x810e7228 / * 1c * / pvoid firstprotopte; = 0xE2Beebe0 / * 20 * / PVOID LastPTE; = 0xe2beece0 / * 24 * / ULONG Unknown; = 0x00000000 / * 28 * / LIST_ENTRY Secured; = 0x00000000 0x000000000x81070188 [11] 0x00380 0x0038f 6 840StartVirtualAddress: 0x00380000 EndVirtualAddress: 0x0038ffff / * 00 * / PVOID startVPN; = 0x0 0380 / * 04 * / PVOID EndVPN; = 0x0038f / * 08 * / _VAD_HEADER * ParentLink; = 0x82b056e8 / * 0C * / _VAD_HEADER * LeftLink; = 0x00000000 / * 10 * / _VAD_HEADER * RightLink; = 0x00000000 / * 14 * / ULONG Commitcharge: 20; = 0x00006 / * 14 * / Ulong flags: 12; = 0x840 / * 18 * / pvoid controlA; = 0x02018001 / * 1c * / pvoid firstprotopte; = 0x6d665346 / * 20 * / pvoid lastpte; = 0x00000001 / * 24 * / ULONG Unknown; = 0x00000000 / * 28 * / LIST_ENTRY Secured; = 0x00000000 0x000400010x810482a8 [0] 0x00400 0x00405 2 071StartVirtualAddress: 0x00400000 EndVirtualAddress: 0x00405fff / * 00 * / PVOID startVPN; = 0x00400 / * 04 * / PVOID EndVPN; =
0x00405 / * 08 * / _VAD_HEADER * ParentLink; = 0x00000000 / * 0C * / _VAD_HEADER * LeftLink; = 0x82b05928 / * 10 * / _VAD_HEADER * RightLink; = 0x83040348 / * 14 * / ULONG CommitCharge: 20; = 0x00002 / * 14 * / ULONG Flags: 12; = 0x071 / * 18 * / PVOID ControlArea; = 0x8401f428 / * 1C * / PVOID FirstProtoPte; = 0xe2beb260 / * 20 * / PVOID LastPTE; = 0xfffffffc / * 24 * / ULONG Unknown; = 0x40000000 / * 28 * / LIST_ENTRY Secured; = 0x00000000 0x000000000x86348b68 [3] 0x00410 0x0050f 8 840StartVirtualAddress: 0x00410000 EndVirtualAddress: 0x0050ffff / * 00 * / PVOID startVPN; = 0x00410 / * 04 * / PVOID EndVPN; = 0x0050f / * 08 * / _VAD_HEADER * parentLink; = 0x810BBA08 / * 0C * / _VAD_HEADER * LEFTLINK; = 0x00000000 / * 10 * / _VAD_HEADER * RightLink; = 0x8109de08 / * 14 * / ulong commitcharge: 20; = 0x00008 / * 14 * / ulong flags: 12; = 0x840 / * 18 * / PVOID ControlArea; = 0x01018001 / * 1C * / PVOID FirstProtoPte; = 0x53646156 / * 20 * / PVOID LastPTE; = 0x00000010 / * 24 * / ULONG Unknown; = 0x00000010 / * 28 * / LIST_ENTRY Secured; = 0x810745e8 0x000000000x8109de08 [ 4] 0x00510 0x00511 0 010StartV irtualAddress: 0x00510000 EndVirtualAddress: 0x00511fff / * 00 * / PVOID StartVPN; = 0x00510 / * 04 * / PVOID EndVPN; = 0x00511 / * 08 * / _VAD_HEADER * ParentLink; = 0x86348b68 / * 0C * / _VAD_HEADER * LeftLink; = 0x00000000 / * 10 * / _VAD_HEADER * RightLink; = 0x00000000 / * 14 * / ulong commitcharge: 20; = 0x00000 / * 14 * / Ulong flags: 12; = 0x010 / * 18 * / pvoid constrolarea; = 0x810E7A08 / * 1C * / PVOID FIRSTPROTOPTE ; = 0xE139CF40 / * 20 * / pvoid lastpte; = 0xE139CF44 / * 24 * / ulong unknown; = 0x80000000 / * 28 * / list_entry secured; =
0x00000000 0x000000000x810bba08 [2] 0x77e60 0x77f34 2 071StartVirtualAddress: 0x77e60000 EndVirtualAddress: 0x77f34fff / * 00 * / PVOID StartVPN; = 0x77e60 / * 04 * / PVOID EndVPN; = 0x77f34 / * 08 * / _VAD_HEADER * ParentLink; = 0x83040348 / * 0C * / _VAD_HEADER * LEFTLINK; = 0x86348B68 / * 10 * / _VAD_HEADER * RightLink; = 0x00000000 / * 14 * / ulong commitcharge: 20; = 0x00002 / * 14 * / ulong flags: 12; = 0x071 / * 18 * / pvoid controlArarea; = 0x810f4f28 / * 1C * / PVOID FirstProtoPte; = 0xe17bfc40 / * 20 * / PVOID LastPTE; = 0xfffffffc / * 24 * / ULONG Unknown; = 0x40000000 / * 28 * / LIST_ENTRY Secured; = 0x00000000 0x000000000x83040348 [1] 0x77f80 0x77ff8 3 071StartVirtualAddress: 0x77f80000 EndVirtualAddress: 0x77ff8fff / * 00 * / PVOID startVPN; = 0x77f80 / * 04 * / PVOID EndVPN; = 0x77ff8 / * 08 * / _VAD_HEADER * parentLink; = 0x810482a8 / * 0C * / _VAD_HEADER * LeftLink; = 0x810bba08 / * 10 * / _VAD_HEADER * RightLink; = 0x8106a248 / * 14 * / ULONG CommitCharge: 20; = 0x00003 / * 14 * / ULONG Flags: 12; = 0x071 / * 18 * / PVOID ControlArea; = 0x813e6a08 / * 1C * / PVOID FirstProtoPte; = 0xe13c9520 / * 20 * / PVOID LastPTE; = 0xfffffffc / * 24 * / ULONG Unknown; = 0x40000000 / * 28 * / LIST_ENTRY Secured; = 0x00000000 0x000000000x810b7e48 [3] 0x7f6f0 0x7f7ef 0 034StartVirtualAddress: 0x7f6f0000 EndVirtualAddress: 0x7f7effff / * 00 * / PVOID startVPN; = 0x7f6f0 / * 04 * / PVOID EndVPN; = 0x7f7ef / * 08 * / _VAD_HEADER * parentLink; = 0x8106a248 / * 0C * / _VAD_HEADER * LeftLink; = 0x00000000 / * 10 * / _VAD_HEADER * RightLink; = 0x00000000 / * 14 * / ulong commitcharge: 20; = 0x00000 / * 14 * / Ulong flags: 12; = 0x034 / * 18 * / pvoid controlArea; = 0x810e8ca8 / * 1c * / pvoid firstprotopte; = 0xE2BE6BE0 / * 20 * / pvoid lastpte; =
0xe2be6fdc / * 24 * / ULONG Unknown; = 0x01000000 / * 28 * / LIST_ENTRY Secured; = 0x00000000 0x000000000x8106a248 [2] 0x7ffa0 0x7ffd2 0 014StartVirtualAddress: 0x7ffa0000 EndVirtualAddress: 0x7ffd2fff / * 00 * / PVOID StartVPN; = 0x7ffa0 / * 04 * / PVOID EndVPN; = 0x7ffd2 / * 08 * / _VAD_HEADER * parentLink; = 0x83040348 / * 0C * / _VAD_HEADER * LeftLink; = 0x810b7e48 / * 10 * / _VAD_HEADER * RightLink; = 0x81fd5708 / * 14 * / ULONG CommitCharge: 20; = 0x00000 / * 14 * / ulong flags: 12; = 0x014 / * 18 * / pvoid controlA; = 0x8141bae8 / * 1c * / pvoid firstprotopte; = 0xE10089E0 / * 20 * / pvoid lastpte; = 0xE1008AA8 / * 24 * / ULONG UNKNOWN; = 0x41000000 / * 28 * / LIST_ENTRY Secured; = 0x00000000 0x000000000x82b052a8 [4] 0x7ffde 0x7ffde 1 c64StartVirtualAddress: 0x7ffde000 EndVirtualAddress: 0x7ffdefff / * 00 * / PVOID startVPN; = 0x7ffde / * 04 * / PVOID EndVPN; = 0x7ffde / * 08 * / _VAD_HEADER * ParentLink; = 0x81fd5708 / * 0c * / _vad_header * leftLink; = 0x00000000 / * 10 * / _vad_header * rightlink; = 0x00000000 / * 14 * / ulong commitcharge: 20; = 0x00001 / * 14 * / ulong flags: 12; = 0xc64 / * 18 * / PVOID ControlArea; = 0x00000000 / * 1C * / PVOID FirstProtoPte; = 0x00000002 / * 20 * / PVOID LastPTE; = 0xe13d08a0 / * 24 * / ULONG Unknown; = 0x12000000 / * 28 * / LIST_ENTRY Secured; = 0x7ffde000 0x7ffdefff0x81fd5708 [3] 0x7ffdf 0x7ffdf 1 c64StartVirtualAddress: 0x7ffdf000 EndVirtualAddress: 0x7ffdffff / * 00 * / PVOID startVPN; = 0x7ffdf / * 04 * / PVOID EndVPN; = 0x7ffdf / * 08 * / _VAD_HEADER * parentLink; = 0x8106a248 / * 0C * / _VAD_HEADER * LEFTLINK; = 0x82B052A8 / * 10 * / _VAD_HEADER * RIGHTLINK; = 0x00000000 / * 14 * / ulong commitcharge: 20; = 0x00001 / * 14 * / Ulong flags: 12; = 0xc64 / * 18 * / pvoid control =
A = 0x7ffdf000 0x7ffdffff traverse VAD binary sort tree; 0x00000000 / * 1C * / PVOID FirstProtoPte; = 0x00000002 / * 20 * / PVOID LastPTE; = 0xffffffff / * 24 * / ULONG Unknown; = 0x12000000 / * 28 * / LIST_ENTRY Secured Method In order to make functions simply clear, there is no example in jiurlvadsee. The following functions need to be placed in the driver (VAD Binary Tree In the system address space, the RING0 program can be accessed), and the output of dbgPrint () can be viewed using www.sysinternals.com tool DBGVIEW. Void Jiurldumpvad (PVAD_HEADER PVAD, ULONG Level) {if (pvad-> leftlink! = null) {level ; jiumldumpvad (pvad-> leftlink, level; level ---;} dbgprint ("0x% 08X [% 2D] 0x% 08X 0x% 08X% 7D% 03X / N ", PVAD, Level, PVAD-> StartVPN, PVAD-> Endvpn, PVAD-> Commitcharge, PVAD-> Flags); if (pvad-> rightlink! = Null) {level ; JIURLDUMPVAD (PVAD-> RightLink, Level); Level ---;}} By recursive, first left subtree, re-root node, and then right. This will output in the order of the address segment according to VAD. The program applies for memory, uses memory, releases the change of the memory VAD binary tree to run a small program separately, use, release memory, using getch () stop between each step, observe the process VAD binary tree and the page table table table table table The change. We experiment at the 0x60000000 in the address space. 1 getch (); 0x60000000 No corresponding VAD, observation page directory, corresponding PDE invalid C0300600: 000000002 Virtualalloc (void *) 0x60000000, 0x3000, MEM_RESERVE, PAGE_READOONLY; start from 0x60000000, hold 3 pages. VAD LEVEL STARTVPN ENDVPN COMMIT FLAGS0X830AC008 [5] 0x60000 0x60002 0 810 There is a corresponding VAD, you can see the 3 pages, but there is no submission page to observe the page directory, corresponding PDE invalid C0300600: 00000000 Try CHAR BUF [100]; Memcpy (BUF, (void *) 0x60000000, 100); will result in Access Viocation3 Virtualalloc ((void *) 0x60000000, 0x2000, MEM_COMMIT, PAGE_READOONLY); starting from 0x60000000, submitting 2 pages.
(Note : 00000020 00000020 000000004 CHAR BUF [100]; Memcpy (BUF, (Void *) 0x60000000, 100); Read 100 bytes from 0x60000000, read successfully. Vad Level StartVPN EndVPN Commit Flags0x849f3328 [5] 0x60000 0x60002 2 810 corresponding to the PDE c0300600: 03cbc067 the corresponding PTE c0180000: a corresponding PTE 00559025 00000020 00000000 effectively be accessed at this time the 5 VirtualFree ((void *) 0x60000000,0, MEM_RELEASE) 0x60000000 The corresponding VAD disappears, observed the page directory, corresponding PDE has become invalid C0300600: 00000000 We can see. Keep the address space, only one corresponding VAD. The submission page is just set the corresponding page directory and page entry (possibly required to assign physical memory to the page table). The physical page is only given when the address is accessed. Win2k uses this idea called Lazy-Evaluation Algorithm to improve the efficiency of memory. Structure and definition of the flag in www.insidewindows.inf ntifs.h unofficial document, the following definitions of VAD_HEADER typedef struct _VAD_HEADER {PVOID StartVPN; PVOID EndVPN; PVAD_HEADER ParentLink; PVAD_HEADER LeftLink; PVAD_HEADER RightLink; ULONG Flags; // Lsb = commitchargepvoid control; pvoid lastpte; ulong unknown; list_entry second;} VAD_HEADER, * PVAD_HEADER; During the analysis of VAD, found in the Flags field, definition is not very clear. So I wrote a driver and an application, the application is responsible for receiving a DWORD value input, then communicating with the driver, transmitting this value to the driver. The driver is responsible for applying a section of memory, size, and VAD_HEADER in the system address space. After receiving the DWORD from the application, placed in the position of the FLAGS, the value of the other position is some of the fixed values that are fixed. And use dBGPrint () to output the first address of this memory. After getting the first address of this space, use the KD! VAD command to see the result of the command. Enter a new value in your application. Use it! VAD command to see the output result. After several comparisons, the low 20 digits of this DWORD in VAD are used to save the number of pages submitted (20bit Maximum can be submitted 1024 * 1024, corresponding to 4GB size), high 12 digits as a flag. In this way, the definition of some flag bits is obtained (because! VAD may not explain some flag bits).
