Windows 7: Dump all VADs of a process in Windows


I want to get a memory dump of a specific process.

I found that every Windows process has a VadRoot in its EPROCESS.

I got some information about this structure with WinDbg:

kd> dt nt!_MMVAD fffffa801b7011d0
   +0x000 u1               : <unnamed-tag>
   +0x008 LeftChild        : (null) 
   +0x010 RightChild       : (null) 
   +0x018 StartingVpn      : 0x7fefe440
   +0x020 EndingVpn        : 0x7fefe4b0
   +0x028 u                : <unnamed-tag>
   +0x030 PushLock         : _EX_PUSH_LOCK
   +0x038 u5               : <unnamed-tag>
   +0x040 u2               : <unnamed-tag>
   +0x048 Subsection       : 0xfffffa80`19f62640 _SUBSECTION
   +0x048 MappedSubsection : 0xfffffa80`19f62640 _MSUBSECTION
   +0x050 FirstPrototypePte : 0xfffff8a0`00b3ac28 _MMPTE
   +0x058 LastContiguousPte : 0xffffffff`fffffffc _MMPTE
   +0x060 ViewLinks        : _LIST_ENTRY [ 0xfffffa80`1b7a38c0 - 0xfffffa80`1aa6d6a0 ]
   +0x070 VadsProcess      : 0xfffffa80`1b7e8941 _EPROCESS
It is Win7 64-bit.

I guess StartingVpn : 0x7fefe440 holds the memory contents of this block.

But is this a virtual address, or a physical address? I don't know.

What does it represent?

Thanks

VAD stands for Virtual Address Descriptor and VPN stands for Virtual Page Number. So it is a virtual address, not a physical address.

You need the PTE (page table entry) to translate it into a physical address.

Given a user-mode address that I found in a user-mode debugging session:

0:032> !address
[...]
+   7ff`fffdc000   7ff`fffde000  0`00002000  MEM_PRIVATE MEM_COMMIT  PAGE_READWRITE   TEB  [~1; 13ec.10fc]

0:032> dd 7ff`fffde000 L8
000007ff`fffde000  00000000 00000000 00240000 00000000
000007ff`fffde010  0022b000 00000000 00000000 00000000
I can do the same in a kernel-mode debugging session with the following commands:


Note how the contents at the virtual address (dd) are the same as at the physical address (dd /p).

Locate the process

lkd> !process 0 0 explorer.exe
PROCESS 8a1908d0  ...... Image: explorer.exe

Set the process context

lkd> .process /p /r 8a1908d0

View the required module

lkd> lm m explorer
start    end        module name
01000000 010ff000   Explorer   (deferred) 

Get the VadRoot for a virtual address in the current process context

lkd> !vad explorer 1

VAD @ 8a120ed0
  Start VPN         1000  End VPN     10fe  Control Area  8a81ab80
  FirstProtoPte e23e9048  LastPte fffffffc  Commit Charge        3 (3.)
  Secured.Flink        0  Blink          0  Banked/Extend        0
  File Offset          0  
      ImageMap ViewShare EXECUTE_WRITECOPY 
      ReadOnly 

ControlArea  @ 8a81ab80
  Segment      e23e9008  Flink      00000000  Blink        00000000
  Section Ref         1  Pfn Ref          4d  Mapped Views        1
  User Ref            2  WaitForDel        0  Flush Count         0
  File Object  8ab28240  ModWriteCount     0  System Views        0

  Flags (90000a0) Image File HadUserReference Accessed 

      \WINDOWS\explorer.exe

Segment @ e23e9008
  ControlArea     8a81ab80  BasedAddress  01000000
  Total Ptes            ff
  WriteUserRef           0  SizeOfSegment    ff000
  Committed              0  PTE Template  8a81ac3000000420
  Based Addr       1000000  Image Base           0
  Image Commit           2  Image Info    e23e9840
  ProtoPtes       e23e9048

Reload command: .reload explorer.exe=01000000,ff000
Dump all VADs of the current process context

lkd> !vad 8a120ed0 0
VAD     level      start      end    commit
8a03b1d8 ( 3)        e50      e51         0 Mapped       READONLY           Pagefile-backed section
8a6fe240 ( 4)        e60      e6f         0 Mapped       READWRITE          Pagefile-backed section
................................
89c86600 ( 5)        ff0      ff0         1 Private      READWRITE          
8a120ed0 ( 0)       1000     10fe         3 Mapped  Exe  EXECUTE_WRITECOPY  \WINDOWS\explorer.exe
.................................
8a87bb18 ( 7)       26d0     2733         0 Mapped       READWRITE          \Documents and Settings\Admin\Local Settings\History\History.IE5\index.dat

8a74b420 ( 0)      3e1c0    3ec52        10 Mapped  Exe  EXECUTE_WRITECOPY  \WINDOWS\system32\ieframe.dll

8abfa398 ( 1)      7ffde    7ffde         1 Private      READWRITE          

Total VADs: 1231, average level: 5, maximum depth: 4294967295
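To make the VPN/VA relationship concrete, here is an added example in Python (not code from the question or the answer). It uses the 4 KiB page size mentioned in the comments (VA = VPN * 0x1000), the VPN ranges from the "!vad 8a120ed0 0" listing above as constructed sample data, and the 64-bit StartingVpn 0x7fefe440 from the question's dump. Note that in that dump StartingVpn (+0x018) and EndingVpn (+0x020) each occupy 8 bytes, so on Win7 x64 the whole VPN sits in one field and the same shift applies. The Vad class, its field names and the plain binary-search-tree insert are our own stand-ins for nt!_MMVAD and the kernel's AVL tree: an in-order walk of the tree is what "!vad <root> 0" produces, and the containment lookup is the "which VAD describes this address" step a forensic tool performs.

```python
# Added example (not from the question or the answer): VPN <-> VA conversion,
# an in-order walk over a VAD tree, and a containing-VAD lookup.
from dataclasses import dataclass
from typing import Iterator, List, Optional, Tuple

PAGE_SHIFT = 12              # 4 KiB pages: VA = VPN << 12, i.e. VPN * 0x1000
PAGE_SIZE = 1 << PAGE_SHIFT


def vpn_to_va(vpn: int) -> int:
    """Virtual page number -> virtual address of the first byte of that page."""
    return vpn << PAGE_SHIFT


def va_to_vpn(va: int) -> int:
    """Virtual address -> virtual page number (the in-page offset is dropped)."""
    return va >> PAGE_SHIFT


def vad_range(start_vpn: int, end_vpn: int) -> Tuple[int, int, int]:
    """(start VA, end VA exclusive, size in bytes) of a VAD.

    EndingVpn is inclusive, so the region ends after the whole EndingVpn page.
    """
    start = vpn_to_va(start_vpn)
    end = vpn_to_va(end_vpn + 1)
    return start, end, end - start


@dataclass
class Vad:
    """Stand-in for the nt!_MMVAD fields the walk needs (names are ours)."""
    starting_vpn: int
    ending_vpn: int
    tag: str = ""                    # what !vad prints in the last column
    left: Optional["Vad"] = None     # LeftChild
    right: Optional["Vad"] = None    # RightChild


def insert(root: Optional[Vad], node: Vad) -> Vad:
    """Plain BST insert keyed on StartingVpn. The kernel keeps an AVL tree,
    but in-order traversal and containment lookup work the same way."""
    if root is None:
        return node
    if node.starting_vpn < root.starting_vpn:
        root.left = insert(root.left, node)
    else:
        root.right = insert(root.right, node)
    return root


def walk(node: Optional[Vad]) -> Iterator[Vad]:
    """In-order traversal: yields VADs sorted by address, like '!vad <root> 0'."""
    if node is not None:
        yield from walk(node.left)
        yield node
        yield from walk(node.right)


def dump_vads(root: Optional[Vad]) -> List[Tuple[int, int, int, str]]:
    """Every VAD as (start VA, end VA exclusive, size, tag)."""
    return [(*vad_range(v.starting_vpn, v.ending_vpn), v.tag) for v in walk(root)]


def find_vad(root: Optional[Vad], va: int) -> Optional[Vad]:
    """Descend the tree to the VAD whose page range contains va, or None when
    no VAD describes the address (it is neither reserved nor committed)."""
    vpn = va_to_vpn(va)
    node = root
    while node is not None:
        if vpn < node.starting_vpn:
            node = node.left
        elif vpn > node.ending_vpn:
            node = node.right
        else:
            return node
    return None


def build_sample_tree() -> Vad:
    """Constructed from the VPN ranges in the '!vad 8a120ed0 0' listing above;
    the insertion order is arbitrary and only shapes the (unbalanced) tree."""
    entries = [
        (0x1000, 0x10fe, r"\WINDOWS\explorer.exe"),
        (0xe50, 0xe51, "Pagefile-backed section"),
        (0x3e1c0, 0x3ec52, r"\WINDOWS\system32\ieframe.dll"),
        (0xe60, 0xe6f, "Pagefile-backed section"),
        (0xff0, 0xff0, "Private"),
        (0x26d0, 0x2733, r"\Documents and Settings\Admin\Local Settings\History\History.IE5\index.dat"),
        (0x7ffde, 0x7ffde, "Private"),
    ]
    root: Optional[Vad] = None
    for start, end, tag in entries:
        root = insert(root, Vad(start, end, tag))
    assert root is not None
    return root


if __name__ == "__main__":
    # The 64-bit StartingVpn from the question's dump -> 0x7fefe440000
    print(hex(vpn_to_va(0x7fefe440)))
    tree = build_sample_tree()
    for start, end, size, tag in dump_vads(tree):
        print(f"{start:09x}-{end:09x} size {size:7x} {tag}")
    hit = find_vad(tree, 0x1001234)
    print("0x1001234 is in", hit.tag if hit else "no VAD")
```

The explorer.exe entry (VPN 1000 to 10fe) converts to 01000000 to 010ff000 with size ff000, which is exactly what "lm m explorer" and the Segment's SizeOfSegment report above, so the conversion can be cross-checked against the debugger's own output.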

Yes and yes.. So how do I convert a VPN into a virtual address? On 64-bit Windows... Thanks :)

I'll try to describe it with an example later. !vtop, !ptov, .process /p and !pte are the relevant WinDbg commands.

OK, I'm really looking forward to your explanation. Thanks :)

By the way, I found that I can retrieve the virtual address by multiplying the VPN by 0x1000 on x86, but not on x64. Please explain it for the 64-bit version. Thanks a lot.

@JaeHyukLee: 0x1000 is 4k, the page size

Yes, yes, the page size is right. But what about x64?

If you want to get a memory dump of the process, why not attach WinDbg as a user-mode debugger and execute .dump /ma? Please provide more context.

Aha, that's a nice approach, but I'm implementing this technique on a hypervisor. I'm just testing it with kernel-mode WinDbg because I'm actually new to Windows :(