From 6f041b291bd25915c8cb756bf6076f0fe6a7b7f2 Mon Sep 17 00:00:00 2001
From: Toni Uhlig
Date: Mon, 10 Jun 2019 11:57:58 +0200
Subject: get VAD root for win10 1803

---
 KMemDriver/Driver.c | 10 ++++++++++
 1 file changed, 10 insertions(+)

(limited to 'KMemDriver/Driver.c')

diff --git a/KMemDriver/Driver.c b/KMemDriver/Driver.c
index 12af90d..dcf19c6 100644
--- a/KMemDriver/Driver.c
+++ b/KMemDriver/Driver.c
@@ -587,6 +587,16 @@ NTSTATUS UpdatePPEPIfRequired(IN HANDLE wantedPID,
 if (!NT_SUCCESS(status)) {
 KDBG("ObOpenObjectByPointer failed with 0x%X\n", status);
 }
+ else {
+ PEPROCESS pep = *lastPEP;
+ PMM_AVL_TABLE avltable = (PMM_AVL_TABLE)((ULONG_PTR *)pep + 0x628);
+ KDBG("VAD-ROOT.....: 0x%p\n", avltable->BalancedRoot);
+ KDBG("NODE-HINT....: 0x%p\n", avltable->NodeHint);
+ KDBG("NMBR-OF-ELEMs: %d\n", avltable->NumberGenericTableElements);
+ KDBG("FLAGS........: 0x%p\n", *((UINT32 *)pep + 0x304));
+ KDBG("VSIZE........: %d\n", *((UINT64 *)pep + 0x338));
+ KDBG("IMAGEFILENAME: %.*s\n", 15, ((const char *)pep + 0x450));
+ }
 }
 }
 return status;
-- 
cgit v1.2.3
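Review bot: Three of the four EPROCESS field reads in the new else-branch are scaled by the pointee size before the offset is added, so they do not land where the constants suggest: `(ULONG_PTR *)pep + 0x628` is 0x628 * 8 bytes past pep, `(UINT32 *)pep + 0x304` is 0x304 * 4 bytes and `(UINT64 *)pep + 0x338` is 0x338 * 8 bytes, while only the ImageFileName read via `(const char *)pep + 0x450` is a byte offset; since the commit message names Win10 1803 field offsets, these are presumably all meant as byte offsets, and the mismatch reads well outside the object, which in kernel mode is a bugcheck rather than a bad log line. Offsetting through an unsigned-char pointer fixes all three: `PMM_AVL_TABLE avltable = (PMM_AVL_TABLE)((PUCHAR)pep + 0x628);`, `KDBG("FLAGS........: 0x%X\n", *(UINT32 *)((PUCHAR)pep + 0x304));`, `KDBG("VSIZE........: %llu\n", *(UINT64 *)((PUCHAR)pep + 0x338));` — the last two also repair the format specifiers, which currently pass a UINT32 to `%p` and a UINT64 to `%d`. The offsets are build-specific and nothing in the hunk ties them to a version, so a comment such as `// EPROCESS byte offsets valid for Win10 1803 x64 only; verify against the target build before use` (or a runtime check via RtlGetVersion) belongs next to them. UpdatePPEPIfRequired starts before the hunk, so whether `lastPEP` is guaranteed non-NULL here is not visible.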