Windows 7 x86 Kernel Virtual Address Layout

Hi, everyone. I’m new to the Windows kernel and have a question about the Win7 kernel address space: KASLR and non-paged pool. I noticed that kernel modules could be loaded after nt!MmNonPagedPoolStart. Does it mean some loader mappings are mixed with non-paged pool? I want to find some x86 kernel address layout information but only found an x64 one: https://www.codemachine.com/article_x64kvas.html

Could you give me an introduction to the x86 KVAS? Thanks very much.

Found some answers.
Using the cmkd tools from CodeMachine on Win7 x86:
kd> !cmkd.kvas

Start End Length ( MB) Count Type

000 80000000 803fffff 400000 ( 4) 2 BootLoaded
001 80400000 807fffff 400000 ( 4) 2 SystemPtes
002 80800000 81dfffff 1600000 ( 22) 11 BootLoaded
003 81e00000 81ffffff 200000 ( 2) 1 SystemCache
004 82000000 823fffff 400000 ( 4) 2 SystemPtes
005 82400000 825fffff 200000 ( 2) 1 SystemCache
006 82600000 82dfffff 800000 ( 8) 4 BootLoaded
007 82e00000 82ffffff 200000 ( 2) 1 DriverImages
008 83000000 83bfffff c00000 ( 12) 6 BootLoaded
009 83c00000 84ffffff 1400000 ( 20) 10 PfnDatabase
010 85000000 88dfffff 3e00000 ( 62) 31 NonPagedPool
011 88e00000 897fffff a00000 ( 10) 5 DriverImages
012 89800000 89ffffff 800000 ( 8) 4 BootLoaded
013 8a000000 8a1fffff 200000 ( 2) 1 PagedPool
014 8a200000 8a7fffff 600000 ( 6) 3 SystemCache
015 8a800000 8a9fffff 200000 ( 2) 1 PagedPool
016 8aa00000 8affffff 600000 ( 6) 3 SystemCache
017 8b000000 8b3fffff 400000 ( 4) 2 SystemPtes
018 8b400000 8c7fffff 1400000 ( 20) 10 SystemCache
019 8c800000 8c9fffff 200000 ( 2) 1 PagedPool
020 8ca00000 8cdfffff 400000 ( 4) 2 SystemCache
021 8ce00000 8cffffff 200000 ( 2) 1 SystemPtes
022 8d000000 8d5fffff 600000 ( 6) 3 SystemCache
023 8d600000 8d7fffff 200000 ( 2) 1 PagedPool
024 8d800000 8dffffff 800000 ( 8) 4 SystemCache
025 8e000000 8e3fffff 400000 ( 4) 2 DriverImages
026 8e400000 8e5fffff 200000 ( 2) 1 SystemCache
027 8e600000 8e7fffff 200000 ( 2) 1 SystemPtes
028 8e800000 8e9fffff 200000 ( 2) 1 SystemCache
029 8ea00000 8ebfffff 200000 ( 2) 1 DriverImages
030 8ec00000 8f9fffff e00000 ( 14) 7 PagedPool
031 8fa00000 8fdfffff 400000 ( 4) 2 SystemCache
032 8fe00000 90ffffff 1200000 ( 18) 9 PagedPool
033 91000000 911fffff 200000 ( 2) 1 SystemCache
034 91200000 919fffff 800000 ( 8) 4 PagedPool
035 91a00000 91dfffff 400000 ( 4) 2 SystemCache
036 91e00000 91ffffff 200000 ( 2) 1 DriverImages
037 92000000 92bfffff c00000 ( 12) 6 SessionGlobalSpace
038 92c00000 92ffffff 400000 ( 4) 2 SystemPtes
039 93000000 931fffff 200000 ( 2) 1 PagedPool
040 93200000 933fffff 200000 ( 2) 1 SystemCache
041 93400000 935fffff 200000 ( 2) 1 DriverImages
042 93600000 939fffff 400000 ( 4) 2 SystemCache
043 93a00000 93dfffff 400000 ( 4) 2 SystemPtes
044 93e00000 93ffffff 200000 ( 2) 1 PagedPool
045 94000000 941fffff 200000 ( 2) 1 SystemCache
046 94200000 943fffff 200000 ( 2) 1 SystemPtes
047 94400000 949fffff 600000 ( 6) 3 SystemCache
048 94a00000 94bfffff 200000 ( 2) 1 PagedPool
049 94c00000 951fffff 600000 ( 6) 3 SystemCache
050 95200000 953fffff 200000 ( 2) 1 SystemPtes
051 95400000 959fffff 600000 ( 6) 3 SystemCache
052 95a00000 95bfffff 200000 ( 2) 1 DriverImages
053 95c00000 961fffff 600000 ( 6) 3 SystemPtes
054 96200000 963fffff 200000 ( 2) 1 SystemCache
055 96400000 965fffff 200000 ( 2) 1 SystemPtes
056 96600000 967fffff 200000 ( 2) 1 SystemCache
057 96800000 969fffff 200000 ( 2) 1 SystemPtes
058 96a00000 96bfffff 200000 ( 2) 1 PagedPool
059 96c00000 979fffff e00000 ( 14) 7 SystemCache
060 97a00000 97bfffff 200000 ( 2) 1 SystemPtes
061 97c00000 97dfffff 200000 ( 2) 1 PagedPool
062 97e00000 97ffffff 200000 ( 2) 1 SystemPtes
063 98000000 983fffff 400000 ( 4) 2 SystemCache
064 98400000 985fffff 200000 ( 2) 1 Unused
065 98600000 987fffff 200000 ( 2) 1 SystemPtes
066 98800000 98bfffff 400000 ( 4) 2 PagedPool
067 98c00000 a0bfffff 8000000 ( 128) 64 SystemPtes
068 a0c00000 a0dfffff 200000 ( 2) 1 SystemCache
069 a0e00000 a0ffffff 200000 ( 2) 1 PagedPool
070 a1000000 a17fffff 800000 ( 8) 4 SystemCache
071 a1800000 a1bfffff 400000 ( 4) 2 SystemPtes
072 a1c00000 a2ffffff 1400000 ( 20) 10 SystemCache
073 a3000000 a31fffff 200000 ( 2) 1 PagedPool
074 a3200000 a3bfffff a00000 ( 10) 5 SystemCache
075 a3c00000 a3dfffff 200000 ( 2) 1 SystemPtes
076 a3e00000 a3ffffff 200000 ( 2) 1 Unused
077 a4000000 a45fffff 600000 ( 6) 3 SystemCache
078 a4600000 a4bfffff 600000 ( 6) 3 SystemPtes
079 a4c00000 a4ffffff 400000 ( 4) 2 Unused
080 a5000000 a5bfffff c00000 ( 12) 6 SystemPtes
081 a5c00000 a5ffffff 400000 ( 4) 2 Unused
082 a6000000 a63fffff 400000 ( 4) 2 SystemPtes
083 a6400000 a65fffff 200000 ( 2) 1 Unused
084 a6600000 a73fffff e00000 ( 14) 7 SystemPtes
085 a7400000 bfffffff 18c00000 ( 396) 198 Unused
086 c0000000 c0ffffff 1000000 ( 16) 8 ProcessSpace
087 c1000000 fddfffff 3ce00000 ( 974) 487 Unused
088 fde00000 fe1fffff 400000 ( 4) 2 SessionSpace
089 fe200000 fe3fffff 200000 ( 2) 1 Unused
090 fe400000 ffbfffff 1800000 ( 24) 12 SessionSpace

And according to Windows Internals, “Dynamic system virtual address space management” (https://www.oreilly.com/library/view/windows-internals-seventh/9780133986471/ch05a.html), Win7 x86 dynamically allocates its virtual address space for different uses.
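
An added example, not part of the original posts: a small Python parser for the `!cmkd.kvas` listing above that checks each row for internal consistency, maps an address to its region type, and lists the DriverImages regions that sit above the first NonPagedPool region. The sample rows are a subset copied from the output above; the function names and the probe addresses used with them are made up for illustration.

```python
import re
from bisect import bisect_right

# Subset of rows copied from the !cmkd.kvas output in the post above.
SAMPLE = """\
009 83c00000 84ffffff 1400000 ( 20) 10 PfnDatabase
010 85000000 88dfffff 3e00000 ( 62) 31 NonPagedPool
011 88e00000 897fffff a00000 ( 10) 5 DriverImages
012 89800000 89ffffff 800000 ( 8) 4 BootLoaded
013 8a000000 8a1fffff 200000 ( 2) 1 PagedPool
025 8e000000 8e3fffff 400000 ( 4) 2 DriverImages
067 98c00000 a0bfffff 8000000 ( 128) 64 SystemPtes
"""

ROW = re.compile(r"^\d+\s+([0-9a-f]{8})\s+([0-9a-f]{8})\s+([0-9a-f]+)\s+"
                 r"\(\s*(\d+)\)\s+(\d+)\s+(\w+)$", re.I)
UNIT = 0x200000  # in the listing, Count always equals Length / 2 MB

def parse_kvas(text):
    """Return sorted (start, end, type) tuples; reject inconsistent rows."""
    regions = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue  # header, blank line or debugger prompt
        start, end, length = (int(m.group(i), 16) for i in (1, 2, 3))
        mb, count, kind = int(m.group(4)), int(m.group(5)), m.group(6)
        if (end - start + 1 != length or length != count * UNIT
                or length >> 20 != mb):
            raise ValueError(f"inconsistent row: {line!r}")
        regions.append((start, end, kind))
    return sorted(regions)

def classify(regions, addr):
    """Type of the region containing addr, or None if no row covers it."""
    i = bisect_right([r[0] for r in regions], addr) - 1
    if i >= 0 and regions[i][0] <= addr <= regions[i][1]:
        return regions[i][2]
    return None

def regions_above(regions, base_kind, wanted_kind):
    """Regions of wanted_kind that start above the first base_kind region."""
    first = min(s for s, _, k in regions if k == base_kind)
    return [(s, e) for s, e, k in regions if k == wanted_kind and s > first]

if __name__ == "__main__":
    regs = parse_kvas(SAMPLE)
    for s, e in regions_above(regs, "NonPagedPool", "DriverImages"):
        print(f"DriverImages above first NonPagedPool region: {s:08x}-{e:08x}")
```

Fed the full listing, the same functions show DriverImages, PagedPool, SystemCache and SystemPtes regions interleaved in 2 MB multiples above the NonPagedPool range at 85000000.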