断在第一个vad节点,查看此时的VAD节点值
0: kd> ??VadRoot
struct _MMVAD * 0xffffe10b`4a6e0990
+0x000 Core : _MMVAD_SHORT
+0x040 u2 : 0xc000000
+0x044 _PADDING0_ : [4] ""
+0x048 Subsection : 0xffffe10b`49efd560 _SUBSECTION
+0x050 FirstPrototypePte : 0xffff800e`754f8c60 _MMPTE
+0x058 LastContiguousPte : 0xffff800e`754f8ca0 _MMPTE
+0x060 ViewLinks : _LIST_ENTRY [ 0xffffe10b`49efd4e8 - 0xffffe10b`55c94760 ]
+0x070 VadsProcess : 0xffffe10b`55cd7341 _EPROCESS
+0x078 u4 : 0x406001
+0x080 FileObject : (null)
成员Core
1: kd> dt 0xffffe10b`4a6e0990 _MMVAD_SHORT
MyDriver1!_MMVAD_SHORT
+0x000 NextVad : (null)
+0x008 ExtraCreateInfo : (null)
+0x010 _PADDING0_ : [8] "p???"
+0x000 VadNode : _RTL_BALANCED_NODE
+0x018 StartingVpn : 0x400 //该内存的起始地址 0x400000 此字段是以页为单位的
+0x01c EndingVpn : 0x408 //结束地值 0x409000 0x408是结束内存所在页的vpn所以要加1页才是结束地址
+0x020 StartingVpnHigh : 0 ''
+0x021 EndingVpnHigh : 0 ''
+0x022 CommitChargeHigh : 0 ''
+0x023 SpareNT64VadUChar : 0 ''
+0x024 ReferenceCount : 0n0
+0x028 PushLock : _EX_PUSH_LOCK1
+0x030 u : 0x3a0
+0x034 u1 : 6
+0x038 EventList : (null)
Subsection字段
[+0x000] ControlArea : 0xffffe10b49efd4e0 [Type: _CONTROL_AREA *]
[+0x008] SubsectionBase : 0xffff800e754f8c60 [Type: _MMPTE *]
[+0x010] NextSubsection : 0xffffe10b49efd598 [Type: _SUBSECTION *]
[+0x018] GlobalPerSessionHead [Type: _RTL_AVL_TREE]
[+0x018] CreationWaitList : 0x0 [Type: _MI_CONTROL_AREA_WAIT_BLOCK *]
[+0x018] SessionDriverProtos : 0x0 [Type: _MI_PER_SESSION_PROTOS *]
[+0x020] u : 0x2 [Type: unsigned long]
[+0x024] StartingSector : 0x0 [Type: unsigned int]
[+0x028] NumberOfFullSectors : 0x2 [Type: unsigned int]
[+0x02c] PtesInSubsection : 0x1 [Type: unsigned int]
[+0x030] u1 : 0x0 [Type: unsigned long] //该块的属性
[+0x034 (29: 0)] UnusedPtes : 0x0 [Type: unsigned int]
[+0x034 (30:30)] ExtentQueryNeeded : 0x0 [Type: unsigned int]
[+0x034 (31:31)] DirtyPages : 0x0 [Type: unsigned int]
ControlArea 字段
[+0x000] Segment : 0xffff800e79dc7750 [Type: _SEGMENT *]
[+0x008] ListHead [Type: _LIST_ENTRY]
[+0x008] AweContext : 0xffffe10b55c94760 [Type: void *]
[+0x018] NumberOfSectionReferences : 0x2 [Type: unsigned __int64]
[+0x020] NumberOfPfnReferences : 0x9 [Type: unsigned __int64]
[+0x028] NumberOfMappedViews : 0x2 [Type: unsigned __int64]
[+0x030] NumberOfUserReferences : 0x4 [Type: unsigned __int64]
[+0x038] u : 0xa0 [Type: unsigned long]
[+0x03c] u1 : 0x0 [Type: unsigned long]
[+0x040] FilePointer [Type: _EX_FAST_REF] //DLL或者EXE的路径就保存在这个字段中
[+0x048] ControlAreaLock : 0 [Type: int]
[+0x04c] ModifiedWriteCount : 0x0 [Type: unsigned int]
[+0x050] WaitList : 0x0 [Type: _MI_CONTROL_AREA_WAIT_BLOCK *]
[+0x058] u2 : "???" [Type: char [16]]
[+0x068] FileObjectLock [Type: _EX_PUSH_LOCK1]
[+0x070] LockedPages : 0x1 [Type: unsigned __int64]
[+0x078] u3 : 0x8 [Type: unsigned __int64]
一个完整的控制域对象之后还紧跟着N个Subsection结构
一个EXE或者DLL 有多个段,.text .data 有多少个段就有多少个Subsection,每个Subsection对应文件中的一个section,用于描述文件中每节的映射信息,可读可写写诗复制.
PE文件中有多少个节就有多少个Subsection,所有的Subsection构成一个单链表,每个Sucsection都有一个指针回到Control_Area结构. ----------引用自 豆丁网: 共享内存的奥秘
下图可以看出 ControlArea 0xffffe10b49efd4e0 +0x80=0xffffe10b49efd560(第一个Subsection)
Segment
[+0x000] ControlArea : 0xffffe10b49efd4e0 [Type: _CONTROL_AREA *]
[+0x008] TotalNumberOfPtes : 0x9 [Type: unsigned int] //总共有多少Ptes
[+0x00c] SegmentFlags [Type: _SEGMENT_FLAGS]
[+0x010] NumberOfCommittedPages : 0x0 [Type: unsigned __int64]
[+0x018] SizeOfSegment : 0x9000 [Type: unsigned __int64] //Segment的大小 就是内存的大小
[+0x020] ExtendInfo : 0x400000 [Type: _MMEXTEND_INFO *]
[+0x020] BasedAddress : 0x400000 [Type: void *] //内存快的起始地址
[+0x028] SegmentLock [Type: _EX_PUSH_LOCK1]
[+0x030] u1 : 0x5 [Type: void *]
[+0x038] u2 : 0xffff800e79dc7798 [Type: void *]
[+0x040] PrototypePte : 0xffff800e754f8c60 [Type: _MMPTE *] //N个PTE数组
//PTE数组
PrototypePte
记录的是内存块第一页的PTE,通过查看物理内存的值,其值正是模块最开始的数据.
FirstPrototypePte
内存块第一个Pte
VadsProcess
内存块的属主进程EPROCESS
3219
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
