.Ok, so after long effort and lots of typedefs im able to recursively walk the VAD tree without problems. When i walk the vad tree i get the VPN addresses for each node in the tree such as follows:
Virtual Address. 00100000, Phys Addr: 00000000
MMVAD NODE RANGE: 00000010 - 00000033
- Parent Link: 00000000
- Control Area: 81bc8288
The virtual address start in this case is the low MMVAD node range << 16 to give 0x00100000 as a starting address. When i use MmGetPhysicalAddress on that address however, i am returned a NULL value in the PHYSICAL_ADDRESS structures low part. This shouldn't be i would think.
Additionally to test if the process had that address mapped, i loaded up kd and monitored the driver, setting the process context to the context of the process in question. I then attempted to run a "dt int virtualAddr" command to see if i could access something from that VAD space, but kd gives me Memory read errors.
I guess my question is, am I missing a step somewhere. I walked the VAD tree using the !VAD command in kd to verify that im getting the right vad values, so this is all rather confusing.
To put what im trying to do into context, the end goal of what im doing is to extract the full VAD virtual address space per vad node and write them to disk.
Any help is appreciated.
~Thanks
![[+] expand](/imagery/files/soysauce_blueprint.gif){kind=link}