FS_Process_MemMap
The directory memmap exists as a sub-directory in each process directory.
The memmap directory contains two memory maps, one generated from the page tables the CPU uses to translate virtual memory into physical memory and one from the internal operating system virtual address descriptors.
| File | Description |
|---|---|
| pte.txt | Memory map generated from the page tables. |
| vad.txt | Memory map generated from virtual address descriptors (VADs). |
Files pte.txt and vad.txt are read-only.
The file pte.txt contains the hardware page table entries retrieved from the page table. The meaning of the different columns is as follows:
```
# PID #pages memory_address_range rights tag (module name)
===========================================================================
024e 1744 3 00007ff5bb3f1000-00007ff5bb3f3fff -r--
024f 1744 3 00007ff5bb40c000-00007ff5bb40efff -r--
0250 1744 1 00007ff6378f0000-00007ff6378f0fff -r-- mspaint.exe
0251 1744 2 00007ff6378f1000-00007ff6378f2fff -r-x mspaint.exe
0252 1744 b 00007ff6378f5000-00007ff6378fffff -r-x mspaint.exe
```
The file vad.txt contains the virtual address descriptors and their memory ranges. The meaning of the different columns is as follows:
```
# PID addr_vad_object #pages commit memory_address_range Type Rights Tag
===================================================================================================
0029 8104 ffffa508508c6490 31 0 0 000001812ddc0000-000001812ddf0fff File --r--- \Windows\System32\C_949.NLS
002a 8104 ffffa50854dc3670 10 8 0 000001812de00000-000001812de0ffff Heap p-rw-- HEAP-01
002b 8104 ffffa508508c65d0 11 0 0 000001812de10000-000001812de20fff File --r--- \Windows\System32\C_874.NLS
002c 8104 ffffa508508c7610 11 0 0 000001812de30000-000001812de40fff File --r--- \Windows\System32\C_1258.NLS
002d 8104 ffffa508508c7890 31 0 0 000001812de50000-000001812de80fff File --r--- \Windows\System32\C_936.NLS
002e 8104 ffffa508508c79d0 1 0 0 000001812de90000-000001812de90fff Pf --r---
002f 8104 ffffa50854dc2db0 10 f 0 000001812dea0000-000001812deaffff Heap p-rw-- HEAP-02
...
016c 8104 ffffa508508c6ad0 ee d 0 00007ff6378f0000-00007ff6379ddfff Image ---wxc \Windows\System32\mspaint.exe
016d 8104 ffffa50851c14b40 16b 10 0 00007ffa9bcf0000-00007ffa9be5afff Image ---wxc \Windows\System32\mfc42u.dll
016e 8104 ffffa508508c83d0 54 4 0 00007ffa9d080000-00007ffa9d0d3fff Image ---wxc \Windows\System32\sti.dll
016f 8104 ffffa508508c77f0 d7 5 0 00007ffaa31f0000-00007ffaa32c6fff Image ---wxc \Windows\System32\efswrt.dll
```
The examples above show the files pte.txt and vad.txt. The file pte.txt is generated by walking the actual page tables the CPU uses. It displays the number of pages, the address range, the access rights and optionally the module the memory belongs to. The file vad.txt is generated from the virtual address descriptors (VADs). Please note that the whole explorer.exe is one single VAD entry with access rights write/execute/copy.
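Because the two files describe the same address space at different granularities, they can be cross-checked: a page the hardware marks executable should normally sit inside an Image VAD. The parser below is an added example (not MemProcFS code) that reads both formats as laid out above and reports executable pages whose enclosing VAD is not an Image mapping; the sample lines are constructed for a fictional PID 4242, and the unnamed numeric column between `commit` and the address range in vad.txt is assumed to be a skippable field.

```python
import re
from dataclasses import dataclass

HEX_RANGE = re.compile(r"^([0-9a-f]+)-([0-9a-f]+)$")

@dataclass
class Region:
    lo: int
    hi: int
    rights: str   # e.g. "-r-x" (pte.txt) or "p-rw--" (vad.txt)
    kind: str     # VAD Type ("Image", "Heap", "File", ...) or "pte"
    tag: str      # module name / VAD tag, may be empty

def _parse_range(tok):
    m = HEX_RANGE.match(tok)
    if not m:
        raise ValueError(f"bad address range: {tok}")
    return int(m.group(1), 16), int(m.group(2), 16)

def parse_pte(text):
    """pte.txt rows: idx pid #pages range rights [module]; '#'/'=' lines are headers."""
    out = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 5 or f[0].startswith(("#", "=")):
            continue
        lo, hi = _parse_range(f[3])
        out.append(Region(lo, hi, f[4], "pte", " ".join(f[5:])))
    return out

def parse_vad(text):
    """vad.txt rows: idx pid vad_obj #pages commit <unnamed> range type rights [tag].
    The extra numeric column after commit is not named in the header (assumed skippable)."""
    out = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 9 or f[0].startswith(("#", "=")):
            continue
        lo, hi = _parse_range(f[6])
        out.append(Region(lo, hi, f[8], f[7], " ".join(f[9:])))
    return out

def find_exec_outside_images(pte_text, vad_text):
    """(pte_region, owning_vad_or_None) for executable pages not backed by an Image VAD."""
    vads = parse_vad(vad_text)
    hits = []
    for p in parse_pte(pte_text):
        if "x" not in p.rights:
            continue
        owner = next((v for v in vads if v.lo <= p.lo and p.hi <= v.hi), None)
        if owner is None or owner.kind != "Image":
            hits.append((p, owner))
    return hits

# Constructed sample input in the page's column layout (fictional PID 4242).
PTE_SAMPLE = r"""
# PID #pages memory_address_range rights tag (module name)
==========================================================
0001 4242 1 00007ff6378f0000-00007ff6378f0fff -r-- mspaint.exe
0002 4242 2 00007ff6378f1000-00007ff6378f2fff -r-x mspaint.exe
0003 4242 1 000001812de00000-000001812de00fff -rwx
"""
VAD_SAMPLE = r"""
# PID addr_vad_object #pages commit memory_address_range Type Rights Tag
========================================================================
0001 4242 ffffa508508c6ad0 ee d 0 00007ff6378f0000-00007ff6379ddfff Image ---wxc \Windows\System32\mspaint.exe
0002 4242 ffffa50854dc3670 10 8 0 000001812de00000-000001812de0ffff Heap p-rw-- HEAP-01
"""
```

With this input only the `-rwx` page inside the HEAP-01 VAD is reported; the executable page inside the mspaint.exe Image VAD is expected and not flagged.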
The memmap sub-directory is implemented as a built-in native C-code plugin. The plugin source is located in the file m_memmap.c in the vmm project.
Sponsor PCILeech and MemProcFS:
PCILeech and MemProcFS are free and open source!
I put a lot of time and energy into PCILeech and MemProcFS and related research to make this happen. Some aspects of the projects relate to hardware and I put quite some money into my projects and related research. If you think PCILeech and/or MemProcFS are awesome tools and/or if you had a use for them it's now possible to contribute by becoming a sponsor!
If you like what I've created with PCILeech and MemProcFS with regards to DMA, Memory Analysis and Memory Forensics, and would like to give something back to support future development, please consider becoming a sponsor at: https://github.com/sponsors/ufrisk
Thank You 💖