Hi,
I'm trying to enumerate a process' VadRoot AVL tree (RTL_AVL_TREE) to no avail. At first I thought RtlEnumerateGenericTableWithoutSplayingAvl should do the trick, but it appears that this function only works with an RTL_AVL_TABLE structure (took me 2 hours to even notice these are not the same structures...).
My code looks like this:
```c
void VadRootEnum(PEPROCESS Process)
{
    PRTL_AVL_TABLE Table = (PRTL_AVL_TABLE)((uintptr_t)Process + 0x658); // VadRoot Offset
    PMMVAD_SHORT Vad;
    PVOID RestartKey = NULL;

    for (Vad = (PMMVAD_SHORT)RtlEnumerateGenericTableWithoutSplayingAvl(Table, &RestartKey);
         Vad != NULL;
         Vad = (PMMVAD_SHORT)RtlEnumerateGenericTableWithoutSplayingAvl(Table, &RestartKey))
    {
        KdPrint((DRIVER_PREFIX "[+] Vad StartingVpn is (0x%p)\n", Vad->StartingVpn));
    }
}
```
Any idea what I am missing? Should this function work on an RTL_AVL_TREE and I'm using it wrong?
Comments
Process + 0x658? Really?
I don’t understand why we get such questions here.
Peter
Peter Viscarola
OSR
@OSRDrivers
This is undocumented, you won't get any support here.
What are you even trying to achieve / final goal?
The OP from the SSDT hooking thread seems to have found a tough competitor for the "question of the month" reward (unless they both happen to be just two different "incarnations" of the same poster, of course). Judging from the OP's grammar and general style, this suggestion is not as outlandish as it may seem at first glance....
Anton Bassov
> This is undocumented, you wont get any support here.
> What are you even trying to achieve/final goal ?
Oh I see. Well, at least you were kind enough and didn't bash me on my first post here.
I'm pretty new to kernel programming, so I wanted to write a mini process explorer for some practice. Part of the tool should have been a VAD tree parser; guess I'll pass on that now.
Why not simply enumerate the regions returned by NtQueryVirtualMemory?
It does exactly the same thing; it gets its data from the VADs.
And you can sort of reproduce the "tree view" by grouping all regions with the same ->AllocationBase.
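The grouping described in this reply, as an added example that is not from the thread: on Windows it walks a process with the documented VirtualQueryEx (the user-mode counterpart of the NtQueryVirtualMemory query mentioned above) and collapses consecutive MEMORY_BASIC_INFORMATION entries that share AllocationBase into one allocation. Region, group_by_alloc_base, collect_regions and sample_groups are this example's own names, and the sample regions are constructed; the grouping compiles and runs on any platform, the walk only under _WIN32.

```c
#include <stddef.h>
#include <stdint.h>
#ifdef _WIN32
#include <windows.h>
#else
#define MEM_FREE 0x10000   /* same value the Windows headers use */
#endif
/* One entry of the walk; fields mirror MEMORY_BASIC_INFORMATION. */
typedef struct {
    uintptr_t base, alloc_base;  /* BaseAddress, AllocationBase */
    size_t    size;              /* RegionSize */
    uint32_t  state;             /* MEM_COMMIT / MEM_RESERVE / MEM_FREE */
} Region;
/* Group consecutive non-free regions sharing AllocationBase: one group per
 * allocation (roughly one VAD).  Stores each group's base and summed size,
 * returns the number of groups stored (at most cap). */
size_t group_by_alloc_base(const Region *r, size_t n,
                           uintptr_t *bases, size_t *totals, size_t cap) {
    size_t g = 0;
    for (size_t i = 0; i < n; i++) {
        if (r[i].state == MEM_FREE || r[i].alloc_base == 0) continue;
        if (g > 0 && bases[g - 1] == r[i].alloc_base) totals[g - 1] += r[i].size;
        else if (g < cap) { bases[g] = r[i].alloc_base; totals[g] = r[i].size; g++; }
    }
    return g;
}
#ifdef _WIN32
/* Walk a process with the documented VirtualQueryEx; stops when the query
 * fails, i.e. past the end of the user address space. */
size_t collect_regions(HANDLE process, Region *out, size_t cap) {
    MEMORY_BASIC_INFORMATION mbi; uintptr_t addr = 0; size_t n = 0;
    while (n < cap && VirtualQueryEx(process, (LPCVOID)addr, &mbi, sizeof mbi)) {
        out[n].base = (uintptr_t)mbi.BaseAddress; out[n].alloc_base = (uintptr_t)mbi.AllocationBase;
        out[n].size = mbi.RegionSize; out[n].state = mbi.State; n++;
        addr = out[n - 1].base + mbi.RegionSize;   /* next region starts here */
    }
    return n;
}
#endif
/* Constructed sample: one allocation split into a committed and a reserved
 * region, a free gap, then a second allocation.  Returns the group count. */
size_t sample_groups(uintptr_t *bases, size_t *totals) {
    static const Region r[] = {
        {0x10000, 0x10000, 0x1000, 0x1000}, {0x11000, 0x10000, 0x2000, 0x2000},
        {0x13000, 0, 0xD000, MEM_FREE},     {0x20000, 0x20000, 0x4000, 0x1000} };
    return group_by_alloc_base(r, 4, bases, totals, 4);  /* 2 groups */
}
```

On Windows, feed the output of collect_regions(GetCurrentProcess(), ...) (or a handle opened with PROCESS_QUERY_INFORMATION) into group_by_alloc_base; each resulting group is one allocation, which is the level at which the kernel keeps a VAD.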
'cause that would be a documented and fully supported way to do so, one that neither pokes into undocumented structures nor requires 'learning' about them. There is no reason to ever attempt this in KM; it provides no possible useful information. Now, I've written lots of code to do things just because I can, but I never ask for help on that code, because the whole fun of writing it is in the figuring out, and if someone just tells me, it defeats the point.
Oh, I see. You expected us to greet you with open arms, because you’re reaching into a structure you do not own, using a constant offset that you determined Gxd-knows-how, to enumerate a list the structure of which you do not definitively know, without holding any locks.
Yes, you’re right. We should have been MUCH nicer.
/rolls eyes
Peter
Peter Viscarola
OSR
@OSRDrivers
> Process + 0x658? Really?
>
> I don’t understand why we get such questions here.
>
> Peter
Has this offset changed since the release of Windows 11?
I haven't included my PDB Parser yet, so I really would appreciate a reply.
Thanks.
~VR
A) you’re necroposting.
Thread locked.
Peter
Peter Viscarola
OSR
@OSRDrivers