[prev in list] [next in list] [prev in thread] [next in thread]
List: vol-users
Subject: [Vol-users] Why doesn't memmap tally with vadinfo?
From: Bridgey theGeek <bridgeythegeek () gmail ! com>
Date: 2015-07-07 18:29:30
Message-ID: CAP4F+rBUEVXONAxB_YPyQK5_-5pHWwCqKL27c80MTkA459Okpg () mail ! gmail ! com
[Download RAW message or body]
[Attachment #2 (multipart/alternative)]
Hi all,
System is Win7SP1x86.
pagefile is OFF.
Consider this VAD node (from vadinfo):
VAD node @ 0x85e076d0 Start 0x76440000 End 0x764dffff Tag Vad
Flags: CommitCharge: 5, Protection: 7, VadType: 2
Protection: PAGE_EXECUTE_WRITECOPY
Vad Type: VadImageMap
ControlArea @853ab1e0 Segment 8f6eba98
NumberOfSectionReferences: 1 NumberOfPfnReferences: 120
NumberOfMappedViews: 32 NumberOfUserReferences: 33
Control Flags: Accessed: 1, File: 1, Image: 1
FileObject @853ab898, Name:
\Device\HarddiskVolume1\Windows\System32\advapi32.dll
First prototype PTE: 8f6ebac8 Last contiguous PTE: fffffffc
Flags2: Inherit: 1
My understanding is that this VAD node is tracking the pages from
0x76440000 through to 0x764dffff.
When I look at the output of memmap for this process and this range I see:
--SNIP--
0x76228000 0x1f04c000 0x1000 0x2c1000
0x76440000 0x20670000 0x1000 0x2c2000 <-- start
0x76441000 0x0b728000 0x1000 0x2c3000
0x76451000 0x233a8000 0x1000 0x2c4000
0x76454000 0x1f5ab000 0x1000 0x2c5000
0x76455000 0x2336c000 0x1000 0x2c6000
0x76456000 0x1f6ed000 0x1000 0x2c7000
0x76457000 0x1f6ae000 0x1000 0x2c8000
0x76458000 0x2346f000 0x1000 0x2c9000
0x76459000 0x1e48b000 0x1000 0x2ca000
0x7645a000 0x21fcc000 0x1000 0x2cb000
0x7645b000 0x223cd000 0x1000 0x2cc000
0x76460000 0x1e3d2000 0x1000 0x2cd000
0x76461000 0x1e103000 0x1000 0x2ce000
0x764af000 0x20636000 0x1000 0x2cf000
0x764b1000 0x23ef8000 0x1000 0x2d0000
0x764b3000 0x0bded000 0x1000 0x2d1000
0x764b7000 0x1f730000 0x1000 0x2d2000
0x764e0000 0x208e6000 0x1000 0x2d3000 <-- first byte after end
--SNIP--
The file itself, advapi32.dll, is 0xa0000 bytes (well, in memory).
dlllist shows:
Base Size LoadCount Path
---------- ---------- ---------- ----
0x76440000 0xa0000 0xffff C:\Windows\system32\ADVAPI32.dll
0x76440000 through to 0x764dffff is 0x9FFFF bytes long.
However, memmap is only showing 0x13000 bytes.
The 0x13000 isn't big enough to hold the 0xa0000 bytes of the file.
My question is, why isn't the whole range (0x76440000 through to
0x764dffff) shown in memmap?
Is it the case that the VAD node is responsible for the whole range, but
simply not all the pages in that range are in use which is why they're
missing from the memmap output?
Or is there something that I'm missing?
Any comments greatly appreciated!
Adam
[Attachment #5 (text/html)]
<div dir="ltr"><div><div><div><div><div><div><div><div><div><div>Hi \
all,<br><br></div>System is Win7SP1x86.<br></div><div>pagefile is \
OFF.<br></div><div><br></div>Consider this VAD node (from vadinfo):<br><br>VAD node @ \
0x85e076d0 Start 0x76440000 End 0x764dffff Tag Vad <br>Flags: CommitCharge: 5, \
Protection: 7, VadType: 2<br>Protection: PAGE_EXECUTE_WRITECOPY<br>Vad Type: \
VadImageMap<br>ControlArea @853ab1e0 Segment 8f6eba98<br>NumberOfSectionReferences: \
1 NumberOfPfnReferences: 120<br>NumberOfMappedViews: \
32 NumberOfUserReferences: 33<br>Control Flags: Accessed: 1, File: 1, \
Image: 1<br>FileObject @853ab898, Name: \
\Device\HarddiskVolume1\Windows\System32\advapi32.dll<br>First prototype PTE: \
8f6ebac8 Last contiguous PTE: fffffffc<br>Flags2: Inherit: 1<br><br></div>My \
understanding is that this VAD node is tracking the pages from 0x76440000 through to \
0x764dffff.<br><br></div>When I look at the output of memmap for this process and \
this range I see:<br></div>--SNIP--<br>0x76228000 0x1f04c000 0x1000 \
0x2c1000<br>0x76440000 0x20670000 0x1000 0x2c2000 <-- \
start<br>0x76441000 0x0b728000 0x1000 0x2c3000<br>0x76451000 \
0x233a8000 0x1000 0x2c4000<br>0x76454000 0x1f5ab000 \
0x1000 0x2c5000<br>0x76455000 0x2336c000 0x1000 \
0x2c6000<br>0x76456000 0x1f6ed000 0x1000 0x2c7000<br>0x76457000 \
0x1f6ae000 0x1000 0x2c8000<br>0x76458000 0x2346f000 \
0x1000 0x2c9000<br>0x76459000 0x1e48b000 0x1000 \
0x2ca000<br>0x7645a000 0x21fcc000 0x1000 0x2cb000<br>0x7645b000 \
0x223cd000 0x1000 0x2cc000<br>0x76460000 0x1e3d2000 \
0x1000 0x2cd000<br>0x76461000 0x1e103000 0x1000 \
0x2ce000<br>0x764af000 0x20636000 0x1000 0x2cf000<br>0x764b1000 \
0x23ef8000 0x1000 0x2d0000<br>0x764b3000 0x0bded000 \
0x1000 0x2d1000<br>0x764b7000 0x1f730000 0x1000 \
0x2d2000<br>0x764e0000 0x208e6000 0x1000 0x2d3000 <-- first \
byte after end<br></div>--SNIP--<br><br></div><div>The file itself, advapi32.dll, is \
0xa0000 bytes (well, in memory).<br>dlllist shows:<br>Base \
Size LoadCount Path<br>---------- ---------- ---------- ----<br>0x76440000 \
0xa0000 0xffff C:\Windows\system32\ADVAPI32.dll<br></div><div><br>0x76440000 \
through to 0x764dffff is 0x9FFFF bytes long.<br></div><div>However, memmap is only \
showing 0x13000 bytes.<br><br></div><div>The 0x13000 isn't big enough to hold the \
0xa0000 bytes of the file.<br></div><div><br></div><div>My question is, why isn't \
the whole range (0x76440000 through to 0x764dffff) shown in \
memmap?<br></div><div><br></div>Is it the case that the VAD node is responsible for \
the whole range, but simply not all the pages in that range are in use which is why \
they're missing from the memmap output?<br><br></div>Or is there something that \
I'm missing?<br><br></div>Any comments greatly \
appreciated!<br><br></div>Adam<br></div>
_______________________________________________
Vol-users mailing list
Vol-users@volatilesystems.com
http://lists.volatilesystems.com/mailman/listinfo/vol-users
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic