An entry inside a process's VAD table. More...

#include <MMVAD.hh>

Public Types
enum	VadType { VadNone = 0 , VadDevicePhysicalMemory , VadImageMap , VadAwe , VadWriteWatch , VadLargePages , VadRotatePhysical , VadLargePageSection }

Public Member Functions
virtual std::string	tag () const =0

virtual VadStructure	structure () const =0

virtual uint64_t	CommitCharge () const =0

virtual uint64_t	StartingVpn () const =0

virtual uint64_t	EndingVpn () const =0

virtual const FILE_OBJECT *	FileObject () const =0

virtual std::shared_ptr< const MMVAD >	LeftChild () const =0

virtual std::shared_ptr< const MMVAD >	RightChild () const =0

virtual std::shared_ptr< const MMVAD >	Parent () const =0

virtual VadType	Type () const =0

virtual PAGE_PROTECTION	Protection () const =0

virtual const MEMORY_ALLOCATION_TYPE &	Allocation () const =0

virtual bool	Private () const =0

virtual uint64_t	RegionSize () const =0

virtual uint64_t	StartingAddress () const =0

virtual uint64_t	EndingAddress () const =0

virtual guest_ptr< void >	ptr () const =0

virtual bool	locked () const =0

virtual std::vector< std::shared_ptr< const MMVAD > >	VadTreeInOrder () const =0

virtual uint64_t	FirstPrototypePte () const =0

virtual uint64_t	LastContiguousPte () const =0

virtual std::shared_ptr< const MMVAD >	search (uint64_t virtual_address) const =0
	Search for the MMVAD entry for the given address in children.

virtual	~MMVAD ()=default

Detailed Description

An entry inside a process's VAD table.

All pages with an MMVAD instance are guaranteed to have the same page protection, type, and point to the same mapped file (if applicable).

Member Enumeration Documentation

◆ VadType

enum introvirt::windows::nt::MMVAD::VadType

Enumerator
VadNone
VadDevicePhysicalMemory
VadImageMap
VadAwe
VadWriteWatch
VadLargePages
VadRotatePhysical
VadLargePageSection

Constructor & Destructor Documentation

◆ ~MMVAD()

virtual introvirt::windows::nt::MMVAD::~MMVAD ( )

virtualdefault

Member Function Documentation

◆ Allocation()

virtual const MEMORY_ALLOCATION_TYPE & introvirt::windows::nt::MMVAD::Allocation ( ) const

pure virtual

Returns: The allocation type of the region.

◆ CommitCharge()

virtual uint64_t introvirt::windows::nt::MMVAD::CommitCharge ( ) const

pure virtual

◆ EndingAddress()

virtual uint64_t introvirt::windows::nt::MMVAD::EndingAddress ( ) const

pure virtual

Returns: The last address of the region [((EndingVpn() + 1) << 12) - 1];

◆ EndingVpn()

virtual uint64_t introvirt::windows::nt::MMVAD::EndingVpn ( ) const

pure virtual

Returns: The last page number in the region.

◆ FileObject()

virtual const FILE_OBJECT * introvirt::windows::nt::MMVAD::FileObject ( ) const

pure virtual

Returns: The the backing FILE_OBJECT, if VadType is PhysicalFileMapped. Otherwise NULL.

◆ FirstPrototypePte()

virtual uint64_t introvirt::windows::nt::MMVAD::FirstPrototypePte ( ) const

pure virtual

◆ LastContiguousPte()

virtual uint64_t introvirt::windows::nt::MMVAD::LastContiguousPte ( ) const

pure virtual

◆ LeftChild()

virtual std::shared_ptr< const MMVAD > introvirt::windows::nt::MMVAD::LeftChild ( ) const

pure virtual

Returns: The left MMVAD child or null.

◆ locked()

virtual bool introvirt::windows::nt::MMVAD::locked ( ) const

pure virtual

◆ Parent()

virtual std::shared_ptr< const MMVAD > introvirt::windows::nt::MMVAD::Parent ( ) const

pure virtual

Returns: The parent MMVAD or null.

◆ Private()

virtual bool introvirt::windows::nt::MMVAD::Private ( ) const

pure virtual

Returns: True if the memory is considered private

◆ Protection()

virtual PAGE_PROTECTION introvirt::windows::nt::MMVAD::Protection ( ) const

pure virtual

Returns: The protection of the region.

◆ ptr()

virtual guest_ptr< void > introvirt::windows::nt::MMVAD::ptr ( ) const

pure virtual

◆ RegionSize()

virtual uint64_t introvirt::windows::nt::MMVAD::RegionSize ( ) const

pure virtual

Returns: The size, in bytes, of the region.

◆ RightChild()

virtual std::shared_ptr< const MMVAD > introvirt::windows::nt::MMVAD::RightChild ( ) const

pure virtual

Returns: The right MMVAD child or null.

◆ search()

virtual std::shared_ptr< const MMVAD > introvirt::windows::nt::MMVAD::search ( uint64_t virtual_address ) const

pure virtual

Search for the MMVAD entry for the given address in children.

Parameters

virtual_address The address to search for

Returns: The matching MMVAD entry, or nullptr.

◆ StartingAddress()

virtual uint64_t introvirt::windows::nt::MMVAD::StartingAddress ( ) const

pure virtual

Returns: The starting address of the region (equivalent to StartingVpn() << 12).

◆ StartingVpn()

virtual uint64_t introvirt::windows::nt::MMVAD::StartingVpn ( ) const

pure virtual

Returns: The starting page number.

◆ structure()

virtual VadStructure introvirt::windows::nt::MMVAD::structure ( ) const

pure virtual

Returns: The type of structure being used by this MMVAD

◆ tag()

virtual std::string introvirt::windows::nt::MMVAD::tag ( ) const

pure virtual

Returns: The four-byte pool tag before the structure

◆ Type()

virtual VadType introvirt::windows::nt::MMVAD::Type ( ) const

pure virtual

Returns: The region type.

◆ VadTreeInOrder()

virtual std::vector< std::shared_ptr< const MMVAD > > introvirt::windows::nt::MMVAD::VadTreeInOrder ( ) const

pure virtual

The documentation for this class was generated from the following file:

/home/runner/work/IntroVirt/IntroVirt/include/introvirt/windows/kernel/nt/types/MMVAD.hh

Public Types

Public Member Functions

Detailed Description

Member Enumeration Documentation

◆ VadType

Constructor & Destructor Documentation

◆ ~MMVAD()

Member Function Documentation

◆ Allocation()

◆ CommitCharge()

◆ EndingAddress()

◆ EndingVpn()

◆ FileObject()

◆ FirstPrototypePte()

◆ LastContiguousPte()

◆ LeftChild()

◆ locked()

◆ Parent()

◆ Private()

◆ Protection()

◆ ptr()

◆ RegionSize()

◆ RightChild()

◆ search()

◆ StartingAddress()

◆ StartingVpn()

◆ structure()

◆ tag()

◆ Type()

◆ VadTreeInOrder()