Enumerate process' VadRoot AVL tree

Harbanana Member Posts: 2
edited April 28 in NTDEV

Hi,
I'm trying to enumerate a process' VadRoot AVL tree (RTL_AVL_TREE) to no avail. At first I thought RtlEnumerateGenericTableWithoutSplayingAvl should do the trick, but it appears that this function only works with an RTL_AVL_TABLE structure (took me 2 hours to even notice these are not the same structures...)
My code looks like this:

// Posted attempt. As noted above, this does not work: VadRoot is an RTL_AVL_TREE,
// while RtlEnumerateGenericTableWithoutSplayingAvl expects an RTL_AVL_TABLE, and
// 0x658 is an undocumented offset into EPROCESS.
void VadRootEnum(PEPROCESS Process) {
    PRTL_AVL_TABLE Table = (PRTL_AVL_TABLE)((uintptr_t)Process + 0x658); // VadRoot Offset
    PMMVAD_SHORT Vad;
    PVOID RestartKey = NULL;

    // RestartKey carries the enumeration state between calls; NULL starts from the beginning.
    for (Vad = (PMMVAD_SHORT)RtlEnumerateGenericTableWithoutSplayingAvl(Table, &RestartKey);
        Vad != NULL;
        Vad = (PMMVAD_SHORT)RtlEnumerateGenericTableWithoutSplayingAvl(Table, &RestartKey)) {

        KdPrint((DRIVER_PREFIX "[+] Vad StartingVpn is (0x%p)\n", Vad->StartingVpn));
    }
}

Any idea what I am missing? Should this function work on an RTL_AVL_TREE and I'm using it wrong?

Post edited by Peter_Viscarola_(OSR) on

Comments

  • Peter_Viscarola_(OSR) Administrator Posts: 8,963
    edited March 2021

    Process + 0x658? Really?

    I don’t understand why we get such questions here.

    Peter

    Peter Viscarola
    OSR
    @OSRDrivers

  • ThatsBerkan Member Posts: 62
    edited March 2021

    This is undocumented, you won't get any support here.
    What are you even trying to achieve/final goal?

  • anton_bassov Member MODERATED Posts: 5,281

    > Process + 0x658?

    The OP from the SSDT hooking thread seems to have found a tough competitor for "the question of the month" reward (unless they both happen to be just two different "incarnations" of the same poster, of course). Judging from the OP's grammar and general style, this suggestion is not THAT outlandish, even if it may seem so at first glance....

    Anton Bassov

  • Harbanana Member Posts: 2
    > @ThatsBerkan said:
    > This is undocumented, you wont get any support here.
    > What are you even trying to achieve/final goal ?

    Oh I see. Well at least you were kind enough and didn't bash me on my first post here.
    I'm pretty new to kernel programming so I wanted to write a mini process explorer for some practice. Part of the tool should have been a VAD tree parser; guess I'll pass on that now.
  • ThatsBerkan Member Posts: 62
    edited March 2021

    Why not simply enumerate the regions returned by NtQueryVirtualMemory?
    It does exactly the same thing; it gets its data from the VADs.

    And you can sort of reproduce the "tree view" by grouping every region with the same ->AllocationBase.

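    ThatsBerkan's suggestion, worked through as an added example (not code posted in the thread): enumerate the address space with the documented VirtualQueryEx() call (the user-mode API behind NtQueryVirtualMemory) and collapse the regions that share an AllocationBase into one "allocation" node each, which gives the per-VAD view the OP was after without touching EPROCESS or any offset. The region_t/allocation_t names, the helper functions and the sample records are assumptions made for this example; only the enumeration loop needs Windows, the grouping logic runs anywhere.

```c
/* Added example (not from the thread): rebuild a per-allocation view of a process'
   address space from VirtualQueryEx() results, grouping regions by AllocationBase.
   The grouping is portable and is exercised on constructed sample records below;
   only enumerate_regions() needs Windows. */
#include <stdio.h>
#include <stdint.h>
#include <stddef.h>

/* Portable mirror of the MEMORY_BASIC_INFORMATION fields the grouping needs. */
typedef struct {
    uintptr_t base;        /* BaseAddress */
    uintptr_t alloc_base;  /* AllocationBase: first page of the VAD-level allocation */
    size_t    size;        /* RegionSize */
    uint32_t  state;       /* State: MEM_COMMIT, MEM_RESERVE or MEM_FREE */
} region_t;

/* Same numeric values as the Windows MEM_* constants. */
#define REGION_COMMIT  0x1000u
#define REGION_RESERVE 0x2000u
#define REGION_FREE    0x10000u

/* One node of the reconstructed "tree view": an allocation and its regions. */
typedef struct {
    uintptr_t alloc_base;
    size_t    total_size;   /* reserved + committed bytes */
    size_t    committed;    /* committed bytes only */
    int       region_count;
} allocation_t;

/* VirtualQueryEx() walks in ascending address order, so regions of one allocation
   are adjacent: collapse each run of non-free regions sharing an AllocationBase
   into a single allocation_t. Returns the number of allocations written. */
int group_allocations(const region_t *regions, int n, allocation_t *out, int max_out) {
    int count = 0;
    for (int i = 0; i < n; i++) {
        const region_t *r = &regions[i];
        if (r->state == REGION_FREE) continue;          /* free space has no VAD */
        size_t committed = (r->state == REGION_COMMIT) ? r->size : 0;
        if (count > 0 && out[count - 1].alloc_base == r->alloc_base) {
            out[count - 1].total_size += r->size;       /* same allocation: merge */
            out[count - 1].committed += committed;
            out[count - 1].region_count++;
            continue;
        }
        if (count == max_out) break;                    /* caller's buffer is full */
        out[count].alloc_base = r->alloc_base;
        out[count].total_size = r->size;
        out[count].committed = committed;
        out[count].region_count = 1;
        count++;
    }
    return count;
}

#ifdef _WIN32
#include <windows.h>
/* Enumerate every region of `process` (a handle with PROCESS_QUERY_INFORMATION)
   through the documented API: no undocumented structures or offsets involved. */
int enumerate_regions(HANDLE process, region_t *out, int max_out) {
    MEMORY_BASIC_INFORMATION mbi;
    uintptr_t addr = 0;
    int n = 0;
    while (n < max_out &&
           VirtualQueryEx(process, (LPCVOID)addr, &mbi, sizeof mbi) == sizeof mbi) {
        out[n].base       = (uintptr_t)mbi.BaseAddress;
        out[n].alloc_base = (uintptr_t)mbi.AllocationBase;
        out[n].size       = mbi.RegionSize;
        out[n].state      = mbi.State;
        n++;
        uintptr_t next = (uintptr_t)mbi.BaseAddress + mbi.RegionSize;
        if (next <= addr) break;                        /* end of the address space */
        addr = next;
    }
    return n;
}
#endif

/* Constructed sample (addresses made up): two allocations, the first split into a
   committed and a reserved region, with free space around them. */
static const region_t kSampleRegions[] = {
    { 0x00000, 0x00000, 0x10000, REGION_FREE    },
    { 0x10000, 0x10000, 0x01000, REGION_COMMIT  },
    { 0x11000, 0x10000, 0x03000, REGION_RESERVE },
    { 0x14000, 0x00000, 0x1c000, REGION_FREE    },
    { 0x30000, 0x30000, 0x02000, REGION_COMMIT  },
};
static const int kSampleCount = (int)(sizeof kSampleRegions / sizeof kSampleRegions[0]);

/* Groups the constructed sample; lets the logic be checked off-Windows. */
int group_sample(allocation_t *out, int max_out) {
    return group_allocations(kSampleRegions, kSampleCount, out, max_out);
}

int main(void) {
    allocation_t allocs[256];
#ifdef _WIN32
    region_t regions[4096];
    int n = group_allocations(regions, enumerate_regions(GetCurrentProcess(), regions, 4096), allocs, 256);
#else
    int n = group_sample(allocs, 256);
#endif
    for (int i = 0; i < n; i++)
        printf("allocation %p: %d region(s), %zu bytes, %zu committed\n",
               (void *)allocs[i].alloc_base, allocs[i].region_count, allocs[i].total_size, allocs[i].committed);
    return 0;
}
```

    Each allocation_t corresponds to what the OP hoped to read out of a VAD node, but it comes from a handle the caller legitimately owns and from a supported API, so it keeps working across Windows builds where a hard-coded EPROCESS offset would not.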
  • MBond2 Member Posts: 453

    'cause that would be a documented and fully supported way to do so that neither pokes into undocumented structures nor requires 'learning' about them. There is no reason to ever attempt this in KM - it provides no possible useful information. Now, I've written lots of code to do things just because I can. But I never ask for help on that code, because the whole fun of writing it is in the figuring out, and if someone just tells me, it defeats the point.

  • Peter_Viscarola_(OSR) Administrator Posts: 8,963

    > Well at least you were kind enough and didn't bash me

    Oh, I see. You expected us to greet you with open arms, because you’re reaching into a structure you do not own, using a constant offset that you determined Gxd-knows-how, to enumerate a list the structure of which you do not definitively know, without holding any locks.

    Yes, you’re right. We should have been MUCH nicer.

    /rolls eyes

    Peter

    Peter Viscarola
    OSR
    @OSRDrivers

  • Geschlechtsteil Member Posts: 1
    > @"Peter_Viscarola_(OSR)" said:
    > Process + 0x658? Really?
    >
    > I don’t understand why we get such questions here.
    >
    > Peter

    Has this offset changed since the release of Windows 11?
    I haven't included my PDB Parser yet, so I really would appreciate a reply.

    Thanks.

    ~VR
  • Peter_Viscarola_(OSR) Administrator Posts: 8,963

    A) you’re necroposting.

    B) Could you not figure out from the thread to which you necroposted that we don’t encourage/support/appreciate the idea of reading into structures with random offsets?

    Thread locked.

    Peter

    Peter Viscarola
    OSR
    @OSRDrivers

This discussion has been closed.
