authorToni Uhlig <matzeton@googlemail.com>2019-06-12 08:18:37 +0200
committerToni Uhlig <matzeton@googlemail.com>2019-06-12 08:18:37 +0200
commit8e3b75262111fc344e1dee5028662f2f0766b171 (patch)
tree90e01925425a06653dfeb92bc0d24b3b845cb3de /KMemDriver
parent6f041b291bd25915c8cb756bf6076f0fe6a7b7f2 (diff)
added some verified VAD structures + native offset enum
Diffstat (limited to 'KMemDriver')
-rw-r--r--KMemDriver/Driver.c4
-rw-r--r--KMemDriver/Native.h90
2 files changed, 86 insertions, 8 deletions
diff --git a/KMemDriver/Driver.c b/KMemDriver/Driver.c
index dcf19c6..c3d3fa7 100644
--- a/KMemDriver/Driver.c
+++ b/KMemDriver/Driver.c
@@ -589,8 +589,8 @@ NTSTATUS UpdatePPEPIfRequired(IN HANDLE wantedPID,
}
else {
PEPROCESS pep = *lastPEP;
- PMM_AVL_TABLE avltable = (PMM_AVL_TABLE)((ULONG_PTR *)pep + 0x628);
- KDBG("VAD-ROOT.....: 0x%p\n", avltable->BalancedRoot);
+ PMM_AVL_TABLE avltable = (PMM_AVL_TABLE)((ULONG_PTR *)pep + VAD_TREE_1803);
+ KDBG("VAD-ROOT.....: 0x%p\n", GET_VAD_ROOT(avltable));
KDBG("NODE-HINT....: 0x%p\n", avltable->NodeHint);
KDBG("NMBR-OF-ELEMs: %d\n", avltable->NumberGenericTableElements);
KDBG("FLAGS........: 0x%p\n", *((UINT32 *)pep + 0x304));
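Review bot: The new constant is applied through pointer arithmetic on `ULONG_PTR *` in `PMM_AVL_TABLE avltable = (PMM_AVL_TABLE)((ULONG_PTR *)pep + VAD_TREE_1803);`, which scales the addend by sizeof(ULONG_PTR); if VAD_TREE_1803 is a byte offset into EPROCESS, as the enum name and its value suggest, the table is read from byte offset 0x628 * 8 rather than 0x628. The untouched `(UINT32 *)pep + 0x304` on the last line of the hunk has the same scaling by 4. If a byte offset is intended, `(PMM_AVL_TABLE)((PUCHAR)pep + VAD_TREE_1803)` adds bytes, and a comment stating the unit next to the enum would stop the two readings from diverging again. The enclosing function UpdatePPEPIfRequired starts and ends outside the hunk.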
diff --git a/KMemDriver/Native.h b/KMemDriver/Native.h
index 232a0d7..3bbd430 100644
--- a/KMemDriver/Native.h
+++ b/KMemDriver/Native.h
@@ -2,6 +2,12 @@
#include <ntddk.h>
+#define GET_VAD_ROOT(Table) Table->BalancedRoot
+
+typedef enum native_offsets {
+ VAD_TREE_1803 = 0x628
+} native_offsets;
+
typedef struct _PEB_LDR_DATA
{
ULONG Length;
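Review bot: `GET_VAD_ROOT` expands its argument unparenthesized, so an expression argument such as a cast or `p + 1` binds `->` to the wrong operand; write it as `#define GET_VAD_ROOT(Table) ((Table)->BalancedRoot)`. The new enum value also carries no statement of its unit or the build it was verified against, which callers need because the same number is either a byte or an element offset depending on the pointer type it is added to; a line such as `/* byte offset of the VAD AVL table inside EPROCESS, Windows 10 1803 x64; re-verify per build */` above `VAD_TREE_1803 = 0x628` would document that.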
@@ -81,6 +87,9 @@ typedef struct _KLDR_DATA_TABLE_ENTRY {
PVOID PatchInformation;
} KLDR_DATA_TABLE_ENTRY, *PKLDR_DATA_TABLE_ENTRY;
+#pragma warning(disable : 4214 4201)
+#pragma pack(push, 1)
+
typedef struct _MM_AVL_NODE // Size=24
{
struct _MM_AVL_NODE * LeftChild; // Size=8 Offset=0
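Review bot: `#pragma warning(disable : 4214 4201)` is undone at the end of the file (in the next hunk) with `#pragma warning(default : 4214 4201)`, which resets both warnings to their default level rather than to the state the including translation unit had before this header, so a project that silences or elevates them on the command line sees them change after the include. Bracket the region with `#pragma warning(push)` before the disable and `#pragma warning(pop)` in place of the `default` line so the caller's settings are restored, mirroring the `#pragma pack(push, 1)` / `#pragma pack(pop)` pair the commit already uses.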
@@ -90,19 +99,88 @@ typedef struct _MM_AVL_NODE // Size=24
{
struct
{
- INT Red : 1; // Size=8 Offset=0 BitOffset=0 BitCount=1
- } s1;
+ __int64 Red : 1; // Size=8 Offset=0 BitOffset=0 BitCount=1
+ };
struct
{
- INT Balance : 2; // Size=8 Offset=0 BitOffset=0 BitCount=2
- } s2;
+ __int64 Balance : 2; // Size=8 Offset=0 BitOffset=0 BitCount=2
+ };
struct _MM_AVL_NODE * Parent; // Size=8 Offset=0
- } u1;
+ };
} MM_AVL_NODE, *PMM_AVL_NODE, *PMMADDRESS_NODE;
+union _EX_PUSH_LOCK // Size=8
+{
+ struct
+ {
+ unsigned __int64 Locked : 1; // Size=8 Offset=0 BitOffset=0 BitCount=1
+ unsigned __int64 Waiting : 1; // Size=8 Offset=0 BitOffset=1 BitCount=1
+ unsigned __int64 Waking : 1; // Size=8 Offset=0 BitOffset=2 BitCount=1
+ unsigned __int64 MultipleShared : 1; // Size=8 Offset=0 BitOffset=3 BitCount=1
+ unsigned __int64 Shared : 60; // Size=8 Offset=0 BitOffset=4 BitCount=60
+ };
+ unsigned __int64 Value; // Size=8 Offset=0
+ void * Ptr; // Size=8 Offset=0
+};
+
+struct _MMVAD_FLAGS // Size=4
+{
+ unsigned long VadType : 3; // Size=4 Offset=0 BitOffset=0 BitCount=3
+ unsigned long Protection : 5; // Size=4 Offset=0 BitOffset=3 BitCount=5
+ unsigned long PreferredNode : 6; // Size=4 Offset=0 BitOffset=8 BitCount=6
+ unsigned long NoChange : 1; // Size=4 Offset=0 BitOffset=14 BitCount=1
+ unsigned long PrivateMemory : 1; // Size=4 Offset=0 BitOffset=15 BitCount=1
+ unsigned long Teb : 1; // Size=4 Offset=0 BitOffset=16 BitCount=1
+ unsigned long PrivateFixup : 1; // Size=4 Offset=0 BitOffset=17 BitCount=1
+ unsigned long ManySubsections : 1; // Size=4 Offset=0 BitOffset=18 BitCount=1
+ unsigned long Spare : 12; // Size=4 Offset=0 BitOffset=19 BitCount=12
+ unsigned long DeleteInProgress : 1; // Size=4 Offset=0 BitOffset=31 BitCount=1
+};
+
+struct _MMVAD_FLAGS1 // Size=4
+{
+ unsigned long CommitCharge : 31; // Size=4 Offset=0 BitOffset=0 BitCount=31
+ unsigned long MemCommit : 1; // Size=4 Offset=0 BitOffset=31 BitCount=1
+};
+
+union MMVAD_SHORT_u1 // Size=4
+{
+ unsigned long LongFlags; // Size=4 Offset=0
+ struct _MMVAD_FLAGS VadFlags; // Size=4 Offset=0
+};
+
+union MMVAD_SHORT_u2 // Size=4
+{
+ unsigned long LongFlags1; // Size=4 Offset=0
+ struct _MMVAD_FLAGS1 VadFlags1; // Size=4 Offset=0
+};
+
+typedef struct _MMVAD_SHORT // Size=64
+{
+ union
+ {
+ struct _RTL_BALANCED_NODE VadNode; // Size=24 Offset=0
+ struct _MMVAD_SHORT * NextVad; // Size=8 Offset=0
+ };
+ unsigned long StartingVpn; // Size=4 Offset=24
+ unsigned long EndingVpn; // Size=4 Offset=28
+ unsigned char StartingVpnHigh; // Size=1 Offset=32
+ unsigned char EndingVpnHigh; // Size=1 Offset=33
+ unsigned char CommitChargeHigh; // Size=1 Offset=34
+ unsigned char SpareNT64VadUChar; // Size=1 Offset=35
+ long ReferenceCount; // Size=4 Offset=36
+ union _EX_PUSH_LOCK PushLock; // Size=8 Offset=40
+ union MMVAD_SHORT_u1 u; // Size=4 Offset=48
+ union MMVAD_SHORT_u2 u1; // Size=4 Offset=52
+ struct _MI_VAD_EVENT_BLOCK * EventList; // Size=8 Offset=56
+} MMVAD_SHORT, *PMMVAD_SHORT;
+
typedef struct _RTL_AVL_TREE // Size=8
{
PMM_AVL_NODE BalancedRoot;
void * NodeHint;
UINT64 NumberGenericTableElements;
-} RTL_AVL_TREE, *PRTL_AVL_TREE, MM_AVL_TABLE, *PMM_AVL_TABLE; \ No newline at end of file
+} RTL_AVL_TREE, *PRTL_AVL_TREE, MM_AVL_TABLE, *PMM_AVL_TABLE;
+
+#pragma pack(pop)
+#pragma warning(default : 4214 4201) \ No newline at end of file
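Review bot: `_MMVAD_SHORT` embeds `struct _RTL_BALANCED_NODE VadNode;` by value, but nothing in this header defines that struct; unless the `ntddk.h` of the targeted WDK supplies a complete definition, the member is rejected as an incomplete type. The header's own `MM_AVL_NODE`, which the comments describe with the same 24-byte size, could stand in as `MM_AVL_NODE VadNode;` if the WDK type turns out to be unavailable. Separately, `__int64 Red : 1;` is a signed one-bit field, so it reads back as 0 or -1 and a comparison against 1 never holds; a comment such as `// signed 1-bit field: reads as 0 or -1, test with != 0` or an `unsigned __int64` declaration would prevent that mistake, while `Balance : 2` being signed is consistent with an AVL balance of -1/0/+1. The `#pragma pack(push, 1)` opened in the previous hunk is closed at the end of this one.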