authorToni Uhlig <matzeton@googlemail.com>2019-06-10 11:57:58 +0200
committerToni Uhlig <matzeton@googlemail.com>2019-06-10 11:57:58 +0200
commit6f041b291bd25915c8cb756bf6076f0fe6a7b7f2 (patch)
treed55514593f7fe6103d1c3a9a49c8feb0411e7c95 /KMemDriver
parent3b8ee025edd045b962c21d09dd1ef86e1e48aae4 (diff)
get VAD root for win10 1803
Diffstat (limited to 'KMemDriver')
-rw-r--r--KMemDriver/Driver.c10
-rw-r--r--KMemDriver/Native.h28
2 files changed, 37 insertions, 1 deletions
diff --git a/KMemDriver/Driver.c b/KMemDriver/Driver.c
index 12af90d..dcf19c6 100644
--- a/KMemDriver/Driver.c
+++ b/KMemDriver/Driver.c
@@ -587,6 +587,16 @@ NTSTATUS UpdatePPEPIfRequired(IN HANDLE wantedPID,
if (!NT_SUCCESS(status)) {
KDBG("ObOpenObjectByPointer failed with 0x%X\n", status);
}
+ else {
+ PEPROCESS pep = *lastPEP;
+ PMM_AVL_TABLE avltable = (PMM_AVL_TABLE)((ULONG_PTR *)pep + 0x628);
+ KDBG("VAD-ROOT.....: 0x%p\n", avltable->BalancedRoot);
+ KDBG("NODE-HINT....: 0x%p\n", avltable->NodeHint);
+ KDBG("NMBR-OF-ELEMs: %d\n", avltable->NumberGenericTableElements);
+ KDBG("FLAGS........: 0x%p\n", *((UINT32 *)pep + 0x304));
+ KDBG("VSIZE........: %d\n", *((UINT64 *)pep + 0x338));
+ KDBG("IMAGEFILENAME: %.*s\n", 15, ((const char *)pep + 0x450));
+ }
}
}
return status;
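Review bot: The field offsets on the added lines are applied to typed pointers and are therefore scaled by the element size: `(ULONG_PTR *)pep + 0x628` lands 0x628*8 bytes into the EPROCESS, `(UINT32 *)pep + 0x304` is scaled by 4 and `(UINT64 *)pep + 0x338` by 8, while only the IMAGEFILENAME line uses byte arithmetic. If these are byte offsets, as the commit title "for win10 1803" and the byte-scaled IMAGEFILENAME line suggest, the VAD-root read and the FLAGS/VSIZE lines dereference memory well past the object. The format specifiers also disagree with the argument sizes: `%d` is paired with the UINT64 NumberGenericTableElements and VSIZE values and `%p` with a UINT32, so on x64 the varargs are read with the wrong width. Index through a byte pointer and match the specifiers as below, and since the offsets are build-specific, a comment naming the build they were taken from (with a version check before dereferencing) would keep this from silently misreading on other builds. UpdatePPEPIfRequired starts before the hunk and its closing brace lies outside it.
```c
else {
	PEPROCESS pep = *lastPEP;
	/* EPROCESS field offsets are byte offsets for a specific build (see commit); index a byte pointer, not a typed one */
	PMM_AVL_TABLE avltable = (PMM_AVL_TABLE)((PUCHAR)pep + 0x628);
	KDBG("VAD-ROOT.....: 0x%p\n", avltable->BalancedRoot);
	KDBG("NODE-HINT....: 0x%p\n", avltable->NodeHint);
	KDBG("NMBR-OF-ELEMs: %llu\n", avltable->NumberGenericTableElements);
	KDBG("FLAGS........: 0x%08X\n", *(UINT32 *)((PUCHAR)pep + 0x304));
	KDBG("VSIZE........: %llu\n", *(UINT64 *)((PUCHAR)pep + 0x338));
	KDBG("IMAGEFILENAME: %.*s\n", 15, ((const char *)pep + 0x450));
}
```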
diff --git a/KMemDriver/Native.h b/KMemDriver/Native.h
index e421bda..232a0d7 100644
--- a/KMemDriver/Native.h
+++ b/KMemDriver/Native.h
@@ -79,4 +79,30 @@ typedef struct _KLDR_DATA_TABLE_ENTRY {
ULONG CheckSum;
PVOID LoadedImports;
PVOID PatchInformation;
-} KLDR_DATA_TABLE_ENTRY, *PKLDR_DATA_TABLE_ENTRY; \ No newline at end of file
+} KLDR_DATA_TABLE_ENTRY, *PKLDR_DATA_TABLE_ENTRY;
+
+typedef struct _MM_AVL_NODE // Size=24
+{
+ struct _MM_AVL_NODE * LeftChild; // Size=8 Offset=0
+ struct _MM_AVL_NODE * RightChild; // Size=8 Offset=8
+
+ union // Size=8
+ {
+ struct
+ {
+ INT Red : 1; // Size=8 Offset=0 BitOffset=0 BitCount=1
+ } s1;
+ struct
+ {
+ INT Balance : 2; // Size=8 Offset=0 BitOffset=0 BitCount=2
+ } s2;
+ struct _MM_AVL_NODE * Parent; // Size=8 Offset=0
+ } u1;
+} MM_AVL_NODE, *PMM_AVL_NODE, *PMMADDRESS_NODE;
+
+typedef struct _RTL_AVL_TREE // Size=8
+{
+ PMM_AVL_NODE BalancedRoot;
+ void * NodeHint;
+ UINT64 NumberGenericTableElements;
+} RTL_AVL_TREE, *PRTL_AVL_TREE, MM_AVL_TABLE, *PMM_AVL_TABLE; \ No newline at end of file
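Review bot: The `// Size=8` comment on `_RTL_AVL_TREE` contradicts the declared layout, which has three 8-byte members (BalancedRoot, NodeHint, NumberGenericTableElements) and so occupies 24 bytes; either the comment should read `// Size=24` or the typedef is conflating RTL_AVL_TREE with the larger MM_AVL_TABLE it is also aliased to, and the reader cannot tell which. The `INT Red : 1` and `INT Balance : 2` bit-fields are signed, so Red can only hold 0 or -1 and a test such as `node->u1.s1.Red == 1` would never be true; if the field is meant to be read as a 0/1 flag, a comment such as `// signed 1-bit field: Red is 0 or -1, test with != 0` (or an unsigned type, if the layout allows it) should make that explicit. Because these structures mirror one kernel build's private layout rather than a public header, a comment next to each typedef naming the build they were taken from (the commit title says win10 1803) would tell the next maintainer when they need re-checking.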