mirror of https://github.com/tongzx/nt5src
You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
730 lines
22 KiB
730 lines
22 KiB
/*++
|
|
|
|
Copyright (c) 1992 Microsoft Corporation
|
|
|
|
Module Name:
|
|
|
|
wsle.c
|
|
|
|
Abstract:
|
|
|
|
WinDbg Extension Api
|
|
|
|
Author:
|
|
|
|
Lou Perazzoli (LouP) 14-Mar-1994
|
|
|
|
Environment:
|
|
|
|
User Mode.
|
|
|
|
--*/
|
|
|
|
|
|
#include "precomp.h"
|
|
#pragma hdrstop
|
|
|
|
#define PACKET_MAX_SIZE 4000
|
|
#define NUMBER_OF_WSLE_TO_READ 1000 // ((PACKET_MAX_SIZE/sizeof(MMWSLE))-1)
|
|
|
|
USHORT
|
|
GetPfnRefCount(
|
|
IN ULONG64 PageFrameNumber
|
|
);
|
|
|
|
DECLARE_API( wsle )
|
|
|
|
/*++
|
|
|
|
Routine Description:
|
|
|
|
Dumps all wsles for process.
|
|
|
|
Arguments:
|
|
|
|
args - Address Flags
|
|
|
|
Return Value:
|
|
|
|
None
|
|
|
|
--*/
|
|
|
|
{
|
|
ULONG Result;
|
|
ULONG Flags;
|
|
ULONG index;
|
|
ULONG64 WorkingSet;
|
|
ULONG64 WsleBase;
|
|
ULONG64 Va;
|
|
ULONG64 Wsle;
|
|
ULONG next;
|
|
ULONG j;
|
|
ULONG k;
|
|
PCHAR WsleArray;
|
|
ULONG64 WsleStart;
|
|
ULONG ReadCount;
|
|
ULONG result;
|
|
ULONG found;
|
|
ULONG64 PteAddress;
|
|
ULONG SizeofWsle;
|
|
ULONG64 Quota, HashTable;
|
|
ULONG FirstFree, FirstDynamic, LastEntry, NextSlot, LastInitializedWsle;
|
|
ULONG NonDirectCount, HashTableSize;
|
|
PCHAR pc;
|
|
|
|
Flags = 0;
|
|
WorkingSet = 0;
|
|
Flags = (ULONG) GetExpression(args);
|
|
pc = strchr(args, ' ');
|
|
WorkingSet = pc ? GetExpression(pc) : 0;
|
|
|
|
if (WorkingSet == 0) {
|
|
if (TargetMachine == IMAGE_FILE_MACHINE_I386) {
|
|
WorkingSet = GetPointerValue("nt!MmWorkingSetList");
|
|
}
|
|
else if (TargetMachine == IMAGE_FILE_MACHINE_IA64) {
|
|
WorkingSet = (ULONG64)0x6FC00a02000;
|
|
}
|
|
else if (TargetMachine == IMAGE_FILE_MACHINE_AMD64) {
|
|
WorkingSet = (ULONG64)0xFFFFF70000082000;
|
|
}
|
|
else {
|
|
dprintf ("No default WSL for target machine %x\n", TargetMachine);
|
|
return E_INVALIDARG;
|
|
}
|
|
}
|
|
|
|
if (GetFieldValue(WorkingSet, "nt!_MMWSL", "Quota", Quota)) {
|
|
dprintf("%08p: Unable to get contents of WSL\n",WorkingSet );
|
|
return E_INVALIDARG;
|
|
}
|
|
|
|
if (GetTypeSize("nt!_MMWSL") == 0) {
|
|
dprintf("Type MMWSL not found.\n");
|
|
return E_INVALIDARG;
|
|
}
|
|
|
|
GetFieldValue(WorkingSet,"nt!_MMWSL","FirstDynamic", FirstDynamic);
|
|
GetFieldValue(WorkingSet,"nt!_MMWSL","FirstFree", FirstFree);
|
|
GetFieldValue(WorkingSet,"nt!_MMWSL","Wsle", Wsle);
|
|
GetFieldValue(WorkingSet,"nt!_MMWSL","LastEntry", LastEntry);
|
|
GetFieldValue(WorkingSet,"nt!_MMWSL","NextSlot", NextSlot);
|
|
GetFieldValue(WorkingSet,"nt!_MMWSL","LastInitializedWsle", LastInitializedWsle);
|
|
GetFieldValue(WorkingSet,"nt!_MMWSL","NonDirectCount", NonDirectCount);
|
|
GetFieldValue(WorkingSet,"nt!_MMWSL","HashTableSize", HashTableSize);
|
|
GetFieldValue(WorkingSet,"nt!_MMWSL","HashTable", HashTable);
|
|
|
|
dprintf ("\nWorking Set @ %8p\n", WorkingSet);
|
|
|
|
dprintf (" Quota: %8I64lx FirstFree: %8lx FirstDynamic: %8lx\n",
|
|
Quota,
|
|
FirstFree,
|
|
FirstDynamic);
|
|
|
|
dprintf (" LastEntry %8lx NextSlot: %8lx LastInitialized %8lx\n",
|
|
LastEntry,
|
|
NextSlot,
|
|
LastInitializedWsle);
|
|
|
|
dprintf (" NonDirect %8lx HashTable: %8p HashTableSize: %8lx\n",
|
|
NonDirectCount,
|
|
HashTable,
|
|
HashTableSize);
|
|
|
|
if (Flags == 0) {
|
|
return E_INVALIDARG;
|
|
}
|
|
|
|
SizeofWsle = GetTypeSize("nt!_MMWSLE");
|
|
if (SizeofWsle == 0) {
|
|
dprintf("Type _MMWSLE not found.\n");
|
|
return E_INVALIDARG;
|
|
}
|
|
|
|
if (Flags == 7) {
|
|
BOOL FirstTime = TRUE;
|
|
|
|
//
|
|
// Check free entries in the working set list.
|
|
//
|
|
|
|
WsleArray = VirtualAlloc (NULL,
|
|
(LastInitializedWsle + 1) * SizeofWsle,
|
|
MEM_RESERVE | MEM_COMMIT,
|
|
PAGE_READWRITE);
|
|
|
|
//
|
|
// Copy the working set list over to the debugger.
|
|
//
|
|
|
|
if (WsleArray == NULL) {
|
|
dprintf("Unable to get allocate memory of %ld bytes\n",
|
|
(LastInitializedWsle + 1) * SizeofWsle);
|
|
return E_INVALIDARG;
|
|
}
|
|
|
|
dprintf("\nVirtual Address Age Locked ReferenceCount\n");
|
|
WsleStart = Wsle;
|
|
|
|
for (j = 0;
|
|
j <= LastInitializedWsle;
|
|
j += NUMBER_OF_WSLE_TO_READ) {
|
|
|
|
if ( CheckControlC() ) {
|
|
VirtualFree (WsleArray,0,MEM_RELEASE);
|
|
return E_INVALIDARG;
|
|
}
|
|
|
|
ReadCount = (LastInitializedWsle + 1 - j ) > NUMBER_OF_WSLE_TO_READ ?
|
|
NUMBER_OF_WSLE_TO_READ :
|
|
LastInitializedWsle + 1 - j;
|
|
|
|
ReadCount *= SizeofWsle;
|
|
|
|
//
|
|
// Enough to read and forget - KD will cache the data
|
|
//
|
|
if ( !ReadMemory( WsleStart + j*SizeofWsle,
|
|
WsleArray + j*SizeofWsle,
|
|
ReadCount,
|
|
&result) ) {
|
|
dprintf("Unable to get Wsle table block - "
|
|
"address %lx - count %lu - page %lu\n",
|
|
WsleStart + j*SizeofWsle, ReadCount, j);
|
|
VirtualFree (WsleArray,0,MEM_RELEASE);
|
|
return E_INVALIDARG;
|
|
}
|
|
|
|
for (k=0; k<ReadCount/SizeofWsle; k++) {
|
|
GetFieldValue(WsleStart + (j+k)*SizeofWsle, "nt!_MMWSLE", "u1.e1.Valid", WsleArray[j+k]);
|
|
}
|
|
|
|
dprintf(".");
|
|
}
|
|
dprintf("\r");
|
|
|
|
//
|
|
// Walk the array looking for bad free entries.
|
|
//
|
|
|
|
for (j = 0;
|
|
j <= LastInitializedWsle;
|
|
j += 1) {
|
|
ULONG Valid, Age, LockedInWs, LockedInMemory;
|
|
ULONG64 WsleToread = WsleStart + j*SizeofWsle, Long;
|
|
|
|
if ( CheckControlC() ) {
|
|
dprintf("j= %x\n",j);
|
|
VirtualFree (WsleArray,0,MEM_RELEASE);
|
|
return E_INVALIDARG;
|
|
}
|
|
|
|
|
|
GetFieldValue(WsleToread, "nt!_MMWSLE", "u1.e1.Valid", Valid);
|
|
|
|
if (Valid == 0) {
|
|
|
|
//
|
|
// Locate j in the array.
|
|
//
|
|
|
|
found = FALSE;
|
|
for (k = 0;
|
|
k <= LastInitializedWsle;
|
|
k += 1) {
|
|
ULONG k_Valid;
|
|
ULONG64 k_Long;
|
|
|
|
k_Valid = WsleArray[k];
|
|
|
|
if (k_Valid == 0) {
|
|
GetFieldValue(WsleStart + k*SizeofWsle, "nt!_MMWSLE", "u1.Long", k_Long);
|
|
if ((ULONG) (k_Long >> MM_FREE_WSLE_SHIFT) == j) {
|
|
found = TRUE;
|
|
#if 0
|
|
dprintf(" free entry located @ index %ld. %lx %ld. %lx\n",
|
|
j, WsleArray[j].u1.Long,k,WsleArray[k]);
|
|
#endif
|
|
break;
|
|
}
|
|
}
|
|
}
|
|
if (!found) {
|
|
|
|
if (FirstFree == j) {
|
|
// dprintf("first index found\n");
|
|
} else {
|
|
|
|
GetFieldValue(WsleToread, "nt!_MMWSLE", "u1.VirtualAddress", Long);
|
|
dprintf(" free entry not located @ index %ld. %p\n",
|
|
j, Long);
|
|
}
|
|
}
|
|
}
|
|
else {
|
|
ULONG PteValid;
|
|
|
|
GetFieldValue(WsleToread, "nt!_MMWSLE", "u1.VirtualAddress", Long);
|
|
Va = Long;
|
|
PteAddress = DbgGetPteAddress (Va);
|
|
|
|
if (!GetFieldValue(PteAddress,
|
|
"nt!_MMPTE",
|
|
"u.Hard.Valid",
|
|
PteValid) ) {
|
|
|
|
if (PteValid == 0) {
|
|
dprintf(" cannot find valid PTE for WS index %d, VA %p\n",
|
|
j, Long);
|
|
}
|
|
else {
|
|
ULONG64 PageFrameNumber;
|
|
USHORT ReferenceCount;
|
|
|
|
GetFieldValue( PteAddress,
|
|
"nt!_MMPTE",
|
|
"u.Hard.PageFrameNumber",
|
|
PageFrameNumber);
|
|
ReferenceCount = GetPfnRefCount (PageFrameNumber);
|
|
GetFieldValue(WsleToread, "nt!_MMWSLE", "u1.e1.Age", Age);
|
|
GetFieldValue(WsleToread, "nt!_MMWSLE", "u1.e1.LockedInWs", LockedInWs);
|
|
GetFieldValue(WsleToread, "nt!_MMWSLE", "u1.LockedInMemory", LockedInMemory);
|
|
|
|
|
|
dprintf("%16p %2u %8ld %8ld\n",
|
|
Long, Age,
|
|
(LockedInWs |
|
|
LockedInMemory) ? 1 : 0,
|
|
ReferenceCount);
|
|
}
|
|
}
|
|
else {
|
|
dprintf(" cannot find valid PDE for WS index %d, VA %p\n",
|
|
j, Long);
|
|
}
|
|
}
|
|
}
|
|
|
|
VirtualFree (WsleArray,0,MEM_RELEASE);
|
|
|
|
} else {
|
|
ULONG64 nextLong;
|
|
|
|
next = FirstFree;
|
|
WsleBase = Wsle;
|
|
|
|
while (next != (ULONG) WSLE_NULL_INDEX) {
|
|
if (CheckControlC()) {
|
|
return E_INVALIDARG;
|
|
}
|
|
|
|
if ( GetFieldValue( WsleBase + SizeofWsle*next,
|
|
"nt!_MMWSLE",
|
|
"u1.VirtualAddress",
|
|
nextLong) ) {
|
|
dprintf("%08p: Unable to get contents of wsle\n",
|
|
WsleBase+SizeofWsle*next );
|
|
return E_INVALIDARG;
|
|
}
|
|
dprintf("index %8lx value %8p\n", next, nextLong);
|
|
next = (ULONG) (nextLong >> MM_FREE_WSLE_SHIFT);
|
|
}
|
|
}
|
|
return S_OK;
|
|
}
|
|
|
|
typedef struct _MMSECTION_FLAGS {
|
|
unsigned BeingDeleted : 1;
|
|
unsigned BeingCreated : 1;
|
|
unsigned BeingPurged : 1;
|
|
unsigned NoModifiedWriting : 1;
|
|
|
|
unsigned FailAllIo : 1;
|
|
unsigned Image : 1;
|
|
unsigned Based : 1;
|
|
unsigned File : 1;
|
|
|
|
unsigned Networked : 1;
|
|
unsigned NoCache : 1;
|
|
unsigned PhysicalMemory : 1;
|
|
unsigned CopyOnWrite : 1;
|
|
|
|
unsigned Reserve : 1; // not a spare bit!
|
|
unsigned Commit : 1;
|
|
unsigned FloppyMedia : 1;
|
|
unsigned WasPurged : 1;
|
|
|
|
unsigned UserReference : 1;
|
|
unsigned GlobalMemory : 1;
|
|
unsigned DeleteOnClose : 1;
|
|
unsigned FilePointerNull : 1;
|
|
|
|
unsigned DebugSymbolsLoaded : 1;
|
|
unsigned SetMappedFileIoComplete : 1;
|
|
unsigned CollidedFlush : 1;
|
|
unsigned NoChange : 1;
|
|
|
|
unsigned HadUserReference : 1;
|
|
unsigned ImageMappedInSystemSpace : 1;
|
|
unsigned UserWritable : 1;
|
|
unsigned Accessed : 1;
|
|
|
|
unsigned GlobalOnlyPerSession : 1;
|
|
unsigned Rom : 1;
|
|
unsigned filler : 2;
|
|
} MMSECTION_FLAGS;
|
|
|
|
typedef struct _MMSUBSECTION_FLAGS {
|
|
unsigned ReadOnly : 1;
|
|
unsigned ReadWrite : 1;
|
|
unsigned CopyOnWrite : 1;
|
|
unsigned GlobalMemory: 1;
|
|
unsigned Protection : 5;
|
|
unsigned LargePages : 1;
|
|
unsigned StartingSector4132 : 10; // 2 ** (42+12) == 4MB*4GB == 16K TB
|
|
unsigned SectorEndOffset : 12;
|
|
} MMSUBSECTION_FLAGS;
|
|
|
|
DECLARE_API( ca )
|
|
|
|
/*++
|
|
|
|
Routine Description:
|
|
|
|
Dumps a control area.
|
|
|
|
Arguments:
|
|
|
|
args - Address Flags
|
|
|
|
Return Value:
|
|
|
|
None
|
|
|
|
--*/
|
|
|
|
{
|
|
LARGE_INTEGER StartingSector;
|
|
ULONG64 ControlAreaVa;
|
|
ULONG64 SubsectionVa;
|
|
ULONG ControlAreaSize;
|
|
ULONG LargeControlAreaSize;
|
|
ULONG SubsectionSize;
|
|
ULONG SubsectionCount;
|
|
ULONG64 Segment;
|
|
ULONG64 FileObject;
|
|
ULONG NumberOfSubsections;
|
|
MMSECTION_FLAGS ControlAreaFlags;
|
|
MMSUBSECTION_FLAGS SubsectionFlags;
|
|
LOGICAL MappedDataFile;
|
|
LOGICAL PrintedSomething;
|
|
|
|
ControlAreaVa = GetExpression(args);
|
|
|
|
dprintf("\n");
|
|
dprintf("ControlArea @%08p\n", ControlAreaVa);
|
|
|
|
ControlAreaSize = GetTypeSize("nt!_CONTROL_AREA");
|
|
if (ControlAreaSize == 0) {
|
|
dprintf("Type CONTROL_AREA not found.\n");
|
|
return E_INVALIDARG;
|
|
}
|
|
|
|
InitTypeRead(ControlAreaVa, nt!_CONTROL_AREA);
|
|
|
|
Segment = ReadField(Segment);
|
|
NumberOfSubsections = (ULONG)ReadField(NumberOfSubsections);
|
|
FileObject = ReadField(FilePointer);
|
|
|
|
dprintf (" Segment: %08p Flink %8p Blink %8p\n",
|
|
Segment,
|
|
ReadField(DereferenceList.Flink),
|
|
ReadField(DereferenceList.Blink));
|
|
|
|
dprintf (" Section Ref %8lx Pfn Ref %8lx Mapped Views %8lx\n",
|
|
(ULONG) ReadField(NumberOfSectionReferences),
|
|
(ULONG) ReadField(NumberOfPfnReferences),
|
|
(ULONG) ReadField(NumberOfMappedViews));
|
|
|
|
dprintf (" User Ref %8lx Subsections %8lx Flush Count %8lx\n",
|
|
(ULONG) ReadField(NumberOfUserReferences),
|
|
NumberOfSubsections,
|
|
(USHORT) ReadField(FlushInProgressCount));
|
|
|
|
dprintf (" File Object %08p ModWriteCount%7lx System Views %8lx\n",
|
|
FileObject,
|
|
(USHORT) ReadField(ModifiedWriteCount),
|
|
(USHORT) ReadField(NumberOfSystemCacheViews));
|
|
|
|
dprintf (" WaitForDel %8p\n",
|
|
ReadField(WaitingForDeletion));
|
|
|
|
GetFieldValue(ControlAreaVa, "nt!_CONTROL_AREA", "u.LongFlags", ControlAreaFlags);
|
|
|
|
dprintf (" Flags (%lx) ", ControlAreaFlags);
|
|
|
|
if (ControlAreaFlags.BeingDeleted) { dprintf("BeingDeleted "); }
|
|
if (ControlAreaFlags.BeingCreated) { dprintf("BeingCreated "); }
|
|
if (ControlAreaFlags.BeingPurged) { dprintf("BeingPurged "); }
|
|
if (ControlAreaFlags.NoModifiedWriting) { dprintf("NoModifiedWriting "); }
|
|
|
|
if (ControlAreaFlags.FailAllIo) { dprintf("FailAllIo "); }
|
|
if (ControlAreaFlags.Image) { dprintf("Image "); }
|
|
if (ControlAreaFlags.Based) { dprintf("Based "); }
|
|
if (ControlAreaFlags.File) { dprintf("File "); }
|
|
|
|
if (ControlAreaFlags.Networked) { dprintf("Networked "); }
|
|
if (ControlAreaFlags.NoCache) { dprintf("NoCache "); }
|
|
if (ControlAreaFlags.PhysicalMemory) { dprintf("PhysicalMemory "); }
|
|
if (ControlAreaFlags.CopyOnWrite) { dprintf("CopyOnWrite "); }
|
|
|
|
if (ControlAreaFlags.Reserve) { dprintf("Reserve "); }
|
|
if (ControlAreaFlags.Commit) { dprintf("Commit "); }
|
|
if (ControlAreaFlags.FloppyMedia) { dprintf("FloppyMedia "); }
|
|
if (ControlAreaFlags.WasPurged) { dprintf("WasPurged "); }
|
|
|
|
if (ControlAreaFlags.UserReference) { dprintf("UserReference "); }
|
|
if (ControlAreaFlags.GlobalMemory) { dprintf("GlobalMemory "); }
|
|
if (ControlAreaFlags.DeleteOnClose) { dprintf("DeleteOnClose "); }
|
|
if (ControlAreaFlags.FilePointerNull) { dprintf("FilePointerNull "); }
|
|
|
|
if (ControlAreaFlags.DebugSymbolsLoaded) { dprintf("DebugSymbolsLoaded "); }
|
|
if (ControlAreaFlags.SetMappedFileIoComplete) { dprintf("SetMappedFileIoComplete "); }
|
|
if (ControlAreaFlags.CollidedFlush) { dprintf("CollidedFlush "); }
|
|
if (ControlAreaFlags.NoChange) { dprintf("NoChange "); }
|
|
|
|
if (ControlAreaFlags.HadUserReference) { dprintf("HadUserReference "); }
|
|
if (ControlAreaFlags.ImageMappedInSystemSpace) { dprintf("ImageMappedInSystemSpace "); }
|
|
if (ControlAreaFlags.UserWritable) { dprintf("UserWritable "); }
|
|
if (ControlAreaFlags.Accessed) { dprintf("Accessed "); }
|
|
|
|
if (ControlAreaFlags.GlobalOnlyPerSession) { dprintf("GlobalOnlyPerSession "); }
|
|
if (ControlAreaFlags.Rom) { dprintf("Rom "); }
|
|
dprintf ("\n\n");
|
|
|
|
MappedDataFile = FALSE;
|
|
|
|
//
|
|
// Dump the file object's name if there is one and it's resident.
|
|
//
|
|
|
|
if (FileObject != 0) {
|
|
ULONG64 FileNameLength;
|
|
ULONG64 FileNameBuffer;
|
|
PUCHAR tempbuffer;
|
|
ULONG result;
|
|
UNICODE_STRING unicodeString;
|
|
|
|
if (GetTypeSize("nt!_FILE_OBJECT") == 0) {
|
|
dprintf("Type FILE_OBJECT not found.\n");
|
|
return E_INVALIDARG;
|
|
}
|
|
|
|
InitTypeRead(FileObject, nt!_FILE_OBJECT);
|
|
|
|
FileNameBuffer = ReadField(FileName.Buffer);
|
|
|
|
unicodeString.Length = (USHORT) ReadField(FileName.Length);
|
|
|
|
tempbuffer = LocalAlloc(LPTR, unicodeString.Length);
|
|
|
|
unicodeString.Buffer = (PWSTR)tempbuffer;
|
|
unicodeString.MaximumLength = unicodeString.Length;
|
|
|
|
if (FileNameBuffer == 0) {
|
|
dprintf("\tNo Name for File\n");
|
|
}
|
|
else if (!ReadMemory ( FileNameBuffer,
|
|
tempbuffer,
|
|
unicodeString.Length,
|
|
&result)) {
|
|
dprintf("\tFile Name paged out\n");
|
|
} else {
|
|
dprintf("\tFile: %wZ\n", &unicodeString);
|
|
}
|
|
|
|
LocalFree(tempbuffer);
|
|
|
|
if (ControlAreaFlags.Image == 0) {
|
|
MappedDataFile = TRUE;
|
|
}
|
|
}
|
|
|
|
//
|
|
// Dump the segment information.
|
|
//
|
|
|
|
dprintf("\nSegment @ %08p:\n", Segment);
|
|
|
|
if (MappedDataFile == FALSE) {
|
|
if (GetTypeSize("nt!_SEGMENT") == 0) {
|
|
dprintf("Type SEGMENT not found.\n");
|
|
return E_INVALIDARG;
|
|
}
|
|
InitTypeRead(Segment, nt!_SEGMENT);
|
|
}
|
|
else {
|
|
if (GetTypeSize("nt!_MAPPED_FILE_SEGMENT") == 0) {
|
|
dprintf("Type MAPPED_FILE_SEGMENT not found.\n");
|
|
return E_INVALIDARG;
|
|
}
|
|
InitTypeRead(Segment, nt!_MAPPED_FILE_SEGMENT);
|
|
}
|
|
|
|
dprintf(" ControlArea %08p Total Ptes %8lx NonExtendPtes %8lx\n",
|
|
ReadField(ControlArea),
|
|
(ULONG) ReadField(TotalNumberOfPtes),
|
|
(ULONG) ReadField(NonExtendedPtes));
|
|
|
|
|
|
if (ControlAreaVa != ReadField(ControlArea)) {
|
|
dprintf("SEGMENT is corrupt - bad control area backlink.\n");
|
|
return E_INVALIDARG;
|
|
}
|
|
|
|
dprintf(" WriteUserRef %8lx SizeOfSegment %I64x PTE Template %I64X\n",
|
|
(ULONG) ReadField(WritableUserReferences),
|
|
ReadField(SizeOfSegment),
|
|
ReadField(SegmentPteTemplate.u.Long));
|
|
|
|
dprintf(" Committed %8p Extend Info %8p Image Base %8p\n",
|
|
ReadField(NumberOfCommittedPages),
|
|
ReadField(ExtendInfo),
|
|
ReadField(SystemImageBase));
|
|
|
|
dprintf(" Based Addr %8p\n",
|
|
ReadField(BasedAddress));
|
|
|
|
if (MappedDataFile == FALSE) {
|
|
|
|
if (ControlAreaFlags.Image == 1) {
|
|
dprintf(" Image commit %8p Image Info. %8p",
|
|
ReadField(ImageCommitment),
|
|
ReadField(ImageInformation));
|
|
}
|
|
else {
|
|
dprintf(" CreatingProcess %8p FirstMappedVa %8p",
|
|
ReadField(u1.CreatingProcess),
|
|
ReadField(u2.FirstMappedVa));
|
|
}
|
|
|
|
dprintf(" ProtoPtes %08p\n",
|
|
ReadField(PrototypePte));
|
|
}
|
|
|
|
//
|
|
// Dump the subsection(s).
|
|
//
|
|
|
|
SubsectionSize = GetTypeSize("nt!_SUBSECTION");
|
|
|
|
if (SubsectionSize == 0) {
|
|
dprintf("Type SUBSECTION not found.\n");
|
|
return E_INVALIDARG;
|
|
}
|
|
|
|
LargeControlAreaSize = GetTypeSize("nt!_LARGE_CONTROL_AREA");
|
|
|
|
if (LargeControlAreaSize == 0) {
|
|
dprintf("Type LARGE_CONTROL_AREA not found.\n");
|
|
return E_INVALIDARG;
|
|
}
|
|
|
|
if (ControlAreaFlags.GlobalOnlyPerSession) {
|
|
SubsectionVa = ControlAreaVa + LargeControlAreaSize;
|
|
}
|
|
else {
|
|
SubsectionVa = ControlAreaVa + ControlAreaSize;
|
|
}
|
|
|
|
SubsectionCount = 0;
|
|
|
|
do {
|
|
if (CheckControlC()) {
|
|
return E_INVALIDARG;
|
|
}
|
|
|
|
InitTypeRead(SubsectionVa, nt!_SUBSECTION);
|
|
|
|
SubsectionCount += 1;
|
|
dprintf("\nSubsection %ld. @ %8p\n", SubsectionCount, SubsectionVa);
|
|
|
|
GetFieldValue(SubsectionVa, "nt!_SUBSECTION", "u.LongFlags", SubsectionFlags);
|
|
StartingSector.LowPart = (ULONG)ReadField(StartingSector);
|
|
StartingSector.HighPart = (LONG)SubsectionFlags.StartingSector4132;
|
|
|
|
dprintf(" ControlArea: %08p Starting Sector %I64X Number Of Sectors %lx\n",
|
|
ReadField(ControlArea),
|
|
StartingSector,
|
|
(ULONG) ReadField(NumberOfFullSectors));
|
|
|
|
dprintf(" Base Pte %08p Ptes In subsect %8lx Unused Ptes %8lx\n",
|
|
ReadField(SubsectionBase),
|
|
(ULONG) ReadField(PtesInSubsection),
|
|
(ULONG) ReadField(UnusedPtes));
|
|
|
|
dprintf(" Flags %8lx Sector Offset %8lx Protection %8lx\n",
|
|
SubsectionFlags,
|
|
SubsectionFlags.SectorEndOffset,
|
|
SubsectionFlags.Protection);
|
|
|
|
|
|
PrintedSomething = FALSE;
|
|
if (SubsectionFlags.ReadOnly) {
|
|
if (PrintedSomething == FALSE) {
|
|
dprintf(" ");
|
|
}
|
|
PrintedSomething = TRUE;
|
|
dprintf("ReadOnly ");
|
|
}
|
|
if (SubsectionFlags.ReadWrite) {
|
|
if (PrintedSomething == FALSE) {
|
|
dprintf(" ");
|
|
}
|
|
PrintedSomething = TRUE;
|
|
dprintf("ReadWrite");
|
|
}
|
|
if (SubsectionFlags.CopyOnWrite) {
|
|
if (PrintedSomething == FALSE) {
|
|
dprintf(" ");
|
|
}
|
|
PrintedSomething = TRUE;
|
|
dprintf("CopyOnWrite ");
|
|
}
|
|
if (SubsectionFlags.GlobalMemory) {
|
|
if (PrintedSomething == FALSE) {
|
|
dprintf(" ");
|
|
}
|
|
PrintedSomething = TRUE;
|
|
dprintf("GlobalMemory ");
|
|
}
|
|
if (SubsectionFlags.LargePages) {
|
|
if (PrintedSomething == FALSE) {
|
|
dprintf(" ");
|
|
}
|
|
PrintedSomething = TRUE;
|
|
dprintf("Large Pages");
|
|
}
|
|
|
|
if (PrintedSomething == TRUE) {
|
|
dprintf("\n");
|
|
}
|
|
|
|
if (MappedDataFile == TRUE) {
|
|
InitTypeRead(SubsectionVa, nt!_MSUBSECTION);
|
|
dprintf(" Flink %08p Blink %08p MappedViews %8x\n",
|
|
ReadField(DereferenceList.Flink),
|
|
ReadField(DereferenceList.Blink),
|
|
(ULONG) ReadField(NumberOfMappedViews));
|
|
|
|
dprintf(" SubsectionDataFlags %8x\n",
|
|
(ULONG) ReadField(u2.LongFlags2));
|
|
}
|
|
|
|
SubsectionVa = ReadField(NextSubsection);
|
|
|
|
} while (SubsectionVa != 0);
|
|
|
|
return S_OK;
|
|
}
|