
What is the Flags field in the output of a SoftICE Query command?


Rummy
October 9th, 2004, 20:38
What is the Flags field in the output of a SoftICE Query command? I assume it has information on resident vs. non-resident, protections, etc., but where is it documented? Does it reflect what I get in MEMORY_BASIC_INFORMATION from VirtualQueryEx? I've searched and can't find anything definitive. Not from the SI guide or ref, not from Nebbett and not from Google. I searched this board too, but there's nothing about what's in the 32-bit Flags output from the Query command. Does anybody know what they are? They're not heap flags because the page I'm Querying isn't part of a heap. It's just a page in the process address space.

I have an allocated page in one of my programs that's supposed to be resident but I'm getting errors because I don't think it is. If I knew exactly what those flags were I would be closer to a solution. Can someone enlighten me please?

Kayaker
October 10th, 2004, 01:45
Hi

This may be the Flags field of the VAD (Virtual Address Descriptor Table), though I'm not sure of its exact significance. The Softice ref gives an example of the output from the QUERY command:

Code:

Context Address Range Flags MMCI PTE Name
csrss 7F2D0000-7F5CFFFF 06000000 FD8AC128 E1191068 Heap #07

Address Range - Start and end address of the linear range.
Flags - Flags from the node structure.
MMCI - Pointer to the memory management structure.
PTE - Structure that contains the ProtoPTEs for the address range.


Knowing PTEs were involved, I looked into the VAD structure. Here is the def from ntifs.h. Notice the ProtoPTE field which is also referenced by Sice.

Code:

typedef struct _VAD_HEADER {
    PVOID StartVPN;                  /* first virtual page number of the range */
    PVOID EndVPN;                    /* last virtual page number of the range */
    struct _VAD_HEADER *ParentLink;  /* tree links; struct tag used so the header compiles stand-alone */
    struct _VAD_HEADER *LeftLink;
    struct _VAD_HEADER *RightLink;
    ULONG Flags;                     /* LSB = CommitCharge */
    PVOID ControlArea;               /* the MMCI column of QUERY */
    PVOID FirstProtoPte;             /* the PTE column of QUERY */
    PVOID LastPTE;
    ULONG Unknown;
    LIST_ENTRY Secured;
} VAD_HEADER, *PVAD_HEADER;


There is a full description of walking the VAD tables (which I believe is what Softice QUERY does) in this Memory Management doc by Prasad Dabak. Slightly different structure used. It only describes the Flags as
"The last member in the VAD node is the flags for the address range."
Code:

typedef struct vad {
    void *StartingAddress;
    void *EndingAddress;
    struct vad *ParentLink;
    struct vad *LeftLink;
    struct vad *RightLink;
    DWORD Flags;
} VAD, *PVAD;

http://www.windowsitlibrary.com/Content/356/04/3.html
http://www.windowsitlibrary.com/Content/356/04/4.html

Finally, from the useful RelSoft doc the following structure is described.
Code:

Public Type MM_AVL_TABLE
    Root As MMADDRESS_NODE
    Flags As Long
    NodeHint As Long
    NodeFreeHint As Long
End Type

Public Type MMADDRESS_NODE
    Parent As Long
    LeftChild As MMADDRESS_NODE
    RightChild As MMADDRESS_NODE
    StartingVpn As Long
    EndingVpn As Long
End Type

Root - This field contains the first VAD, also called an MmAddressNode.
Flags- This field contains the depth and size of the tree.

http://www.relsoft.net/Articles/Process/mmltoken.html

I can't confirm exactly what the Flags field signifies, but I don't know if knowing would really help you much. I've looked at the QUERY code in Softice and while I can roughly follow it, I can't tell if Sice begins by getting the VadRoot from the EPROCESS structure or what. Maybe someone has more info.

Cheers,
Kayaker
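
Added example, not code from the thread or from Dabak's doc: an in-order walk and a covering-range lookup over a VAD tree using the node layout quoted above, run on a constructed three-node tree (the hi node reuses the manual's csrss range; the Flags values are made up).

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
/* VAD node as given in the Dabak doc quoted above (start/end are addresses). */
typedef struct vad {
    void *StartingAddress;
    void *EndingAddress;
    struct vad *ParentLink;
    struct vad *LeftLink;
    struct vad *RightLink;
    uint32_t Flags;
} VAD, *PVAD;
/* In-order walk (left, node, right) collects VADs in ascending address order. */
int walk_vad(PVAD node, PVAD *out, int max)
{
    int n = 0;
    if (!node || max <= 0) return 0;
    n += walk_vad(node->LeftLink, out, max);
    if (n < max) out[n++] = node;
    n += walk_vad(node->RightLink, out + n, max - n);
    return n;
}
/* Descend from the root to the VAD covering addr; NULL means no VAD (free range). */
PVAD find_vad(PVAD root, uintptr_t addr)
{
    while (root) {
        if (addr < (uintptr_t)root->StartingAddress)    root = root->LeftLink;
        else if (addr > (uintptr_t)root->EndingAddress) root = root->RightLink;
        else return root;
    }
    return NULL;
}
/* Constructed three-node tree, not a real dump; hi reuses the manual's csrss line. */
PVAD build_sample_tree(void)
{
    static VAD lo  = { (void *)0x00010000, (void *)0x00010FFF, NULL, NULL, NULL, 0x00000001u };
    static VAD mid = { (void *)0x00400000, (void *)0x00403FFF, NULL, NULL, NULL, 0x00000002u };
    static VAD hi  = { (void *)0x7F2D0000, (void *)0x7F5CFFFF, NULL, NULL, NULL, 0x06000000u };
    mid.LeftLink = &lo;  mid.RightLink = &hi;  lo.ParentLink = hi.ParentLink = &mid;
    return &mid;
}
int main(void)
{
    PVAD order[8];
    int i, n = walk_vad(build_sample_tree(), order, 8);
    for (i = 0; i < n; i++)
        printf("%p-%p %08X\n", order[i]->StartingAddress, order[i]->EndingAddress, (unsigned)order[i]->Flags);
    return 0;
}
```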

Rummy
October 10th, 2004, 16:23
Thank you, Kayaker, for your very helpful reply. I don't have an ntifs.h file anywhere but I think I know what it is and I'm off to look for it. The MMCI and PTE fields also drew my interest but I couldn't tie them in with anything obvious for the Flags. I have most of the "Undocumented" and "Inside" books but in all the places I searched I never looked there. Thanks for the pointers. I have some more reading to do on Virtual Address Descriptors. Hopefully I can figure out what those flags are exactly. I fixed my programming problem by taking a different approach so my need for this Flags knowledge is not as great as it was yesterday. I'm sure it will come up again though and now I have a different level to start from when I start digging. Thanks again.

bilbo
October 12th, 2004, 01:57
Hi, Kayaker, thanks for your in-depth synopsis of an important kernel structure!

Quote:

This may be the Flags field of the VAD (Virtual Address Descriptor Table), though I'm not sure of its exact significance.

Correct!
AddressRange is StartVPN<<0xC - EndVPN<<0xC
Flags is the Flags field
MMCI is the ControlArea field
PTE is FirstProtoPte

Quote:

There is a full description of walking the VAD tables (which I believe is what Softice QUERY does) in this Memory Management doc by Prasad Dabak.

Correct!
Another complete project of VAD tree walking came out by casual googling
at link http://hume.blogdriver.com/diary/hume/inc/W2kmmvad.rar

Quote:

I've looked at the QUERY code in Softice and while I can roughly follow it, I can't tell if Sice begins by getting the VadRoot from the EPROCESS structure or what.

Exactly from VadRoot!

Quote:

Maybe someone has more info.

The only stuff I can add here is the meaning of the flags, taken from Windows XP ntoskrnl.pdb. The bits are defined, from the least significant, as
(position:number_of_bits):
Code:

struct _MMVAD_FLAGS {
    unsigned long CommitCharge      : 19; /* 0:13  (0x13 = 19 bits) */
    unsigned long PhysicalMapping   : 1;  /* 13:1  bit 0x13 */
    unsigned long ImageMap          : 1;  /* 14:1 */
    unsigned long UserPhysicalPages : 1;  /* 15:1 */
    unsigned long NoChange          : 1;  /* 16:1 */
    unsigned long WriteWatch        : 1;  /* 17:1 */
    unsigned long Protection        : 5;  /* 18:5  bits 0x18-0x1c */
    unsigned long LargePages        : 1;  /* 1d:1 */
    unsigned long MemCommit         : 1;  /* 1e:1 */
    unsigned long PrivateMemory     : 1;  /* 1f:1 */
};

A further investigation on the exact meaning of every flag would be very interesting.

Regards, bilbo
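
Added example, not bilbo's or SoftICE's code: a decoder for the QUERY Flags word using the layout above, with the positions read as hex (the only reading under which the ten fields fill exactly 32 bits). It assumes the 5-bit Protection field carries the kernel's MM_* protection index and that Win2k uses the same layout as XP; it is run over the two Flags values quoted in this thread.

```c
#include <stdint.h>
#include <stdio.h>
/* n bits of v starting at bit pos; all positions below are bilbo's hex values. */
#define VAD_BITS(v, pos, n) (((uint32_t)(v) >> (pos)) & ((1u << (n)) - 1u))
typedef struct {
    uint32_t commit_charge;       /* 0:13  -> 19 bits of committed-page count */
    uint32_t physical_mapping;    /* 13:1 */
    uint32_t image_map;           /* 14:1  range is mapped from an image section */
    uint32_t user_physical_pages; /* 15:1 */
    uint32_t no_change;           /* 16:1 */
    uint32_t write_watch;         /* 17:1 */
    uint32_t protection;          /* 18:5  MM_* protection index (assumed) */
    uint32_t large_pages;         /* 1d:1 */
    uint32_t mem_commit;          /* 1e:1 */
    uint32_t private_memory;      /* 1f:1  not backed by a section */
} vad_flags;
vad_flags decode_vad_flags(uint32_t f)
{
    vad_flags d;
    d.commit_charge       = VAD_BITS(f, 0x00, 0x13);
    d.physical_mapping    = VAD_BITS(f, 0x13, 1);
    d.image_map           = VAD_BITS(f, 0x14, 1);
    d.user_physical_pages = VAD_BITS(f, 0x15, 1);
    d.no_change           = VAD_BITS(f, 0x16, 1);
    d.write_watch         = VAD_BITS(f, 0x17, 1);
    d.protection          = VAD_BITS(f, 0x18, 5);
    d.large_pages         = VAD_BITS(f, 0x1d, 1);
    d.mem_commit          = VAD_BITS(f, 0x1e, 1);
    d.private_memory      = VAD_BITS(f, 0x1f, 1);
    return d;
}
const char *mm_protection_name(uint32_t prot)
{   /* Assumption: the low three bits hold the kernel's MM_* index, not PAGE_* values. */
    static const char *n[8] = { "NOACCESS", "READONLY", "EXECUTE", "EXECUTE_READ",
        "READWRITE", "WRITECOPY", "EXECUTE_READWRITE", "EXECUTE_WRITECOPY" };
    return n[prot & 7u];
}
int main(void)
{   /* Flags values quoted in the thread: Kayaker's Win2k user-process value, the manual's heap line. */
    uint32_t samples[2] = { 0x07100000u, 0x06000000u };
    for (int i = 0; i < 2; i++) {
        vad_flags d = decode_vad_flags(samples[i]);
        printf("Flags %08X: ImageMap=%u Protection=%s PrivateMemory=%u\n", (unsigned)samples[i],
               (unsigned)d.image_map, mm_protection_name(d.protection), (unsigned)d.private_memory);
    }
    return 0;
}
```

Kayaker's 0710000x decodes to ImageMap set with Protection 7, i.e. an execute/write-copy image mapping, which is what a user process's loaded modules look like.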

JMI
October 12th, 2004, 11:03
Once again Kayaker and our wandering Hobbit have provided in-depth information about the inner workings of an obscure segment of Softice internals. Thanks guys.

Regards,

Kayaker
October 13th, 2004, 02:25
Hello Mr. Baggins:

That was very useful info. It appears a bit of bit mapping is in order on those flags, there seem to be only a half dozen or so combinations of Highword values. For reference, the Flags for user processes are consistently 0710000x on Win2k.

There seems to be a small problem with that Vaddump app with version compatibility, and it won't run on my system, but it's nice to have the full source.


I had another look at the QUERY command in Softice trying to find where the hell that [EPROCESS+194h] = VadRoot instruction was. As you may have discovered, you can't confirm it from a static disassembly alone (you can't get there from here).

At the start of the QUERY command, Sice uses a function to get certain variables from the current EPROCESS structure. This is a bit of a global function that's used half a dozen times in Sice code. It gets the current context (KPEB) from a global variable and parses the EPROCESS structure (KPEB in Sice) for various fields to store in an internal structure. It does some of this indirectly, by adding to the EPROCESS address offsets it gets from variables in its data section. You need to be in a process context, not a system context, to see the correct values of these offsets after they are initialized. Some of the data fields seem to be initialized to non-zero as seen in IDA, but this is bogus, they change at runtime.

With some checking I was able to determine Sice gets the following fields:

Directly indexed it gets a bunch of KPROCESS fields including
[EPROCESS+18h] = KPROCESS.DirectoryTableBase

Indirectly indexed (runtime values) it gets
[EPROCESS+194] = VadRoot
[EPROCESS+128] = ObjectTable
[EPROCESS+1B0] = PEB
[EPROCESS+9C] = UniqueProcessId
[EPROCESS+1FC] = ImageFileName

Here's the start of the Softice QUERY command for ntice 4.31, some of the definitions are originals from The Owl.
Code:

:00032A10 c_Query: ; DATA XREF: .data:001112BD
:00032A10 55 push ebp
:00032A11 8B EC mov ebp, esp
:00032A13 BE A2 F7 10 00 mov esi, offset bUserCommand
:00032A18 E8 2C 75 03 00 call pSkipWord
:00032A1D 73 14 jnb short loc_32A33
:00032A1F BB EA F6 0E 00 mov ebx, offset buff_Eprocess
:00032A24 8B 15 FF 16 0F 00 mov EDX, dCurrentContext
; = KPEB = EPROCESS (= KPROCESS)
:00032A2A E8 EA F8 FF FF call Get_EPROCESS_Fields
...


And the start of the function:
:00032319 Get_EPROCESS_Fields proc near
:00032319 60 pusha
:0003231A 89 13 mov [ebx], EDX ; EPROCESS(KPEB)
:0003231C 8D 7A 18 lea edi, [edx+18h] ; KPROCESS.DirectoryTableBase
:0003231F E8 BF B0 03 00 call pMOV_EAX_EDI
:00032324 0F 82 0A 01 00 00 jb loc_32434
:0003232A 89 43 08 mov [ebx+8], eax
:0003232D 8B FA mov edi, EDX
:0003232F 03 3D 76 F7 0E 00 add edi, dword_EF776 ; 194h EPROCESS.VadRoot
:00032335 E8 A9 B0 03 00 call pMOV_EAX_EDI
...


The VadRoot is parsed later on to output to the command window, recognized by the
shl eax, cl
instructions which are the Address Range (*VPN<<0xC) Bilbo mentioned.


Ahh, the fun of exploring YAMS (Yet Another MS Structure...)

Regards,
Kayaker

bilbo
October 15th, 2004, 02:18
Well, I hope not only you and me are interested in this stuff (the same holds for your explanation of Sice Breakpoints Table), anyway I am happy you are giving new stimulus in this board... By the way, I hope we are not violating any rule if we go too deep inside the details, who knows, the world is full of rules...

Quote:

At the start of the QUERY command, Sice uses a function to get certain variables from the current EPROCESS structure. This is a bit of a global function that's used half a dozen times in Sice code.

sub_32319, as you say after...

Quote:

Some of the data fields seem to be initialized to non-zero as seen in IDA, but this is bogus, they change at runtime.

their values are taken during NTICE initialization from OSINFO.DAT (sub_94B40, a real headache!), a collection of all the interesting data for all the Microsoft platforms.

Quote:

Indirectly indexed (runtime values) it gets
[EPROCESS+194] = VadRoot
[EPROCESS+128] = ObjectTable
[EPROCESS+1B0] = PEB
[EPROCESS+9C] = UniqueProcessId
[EPROCESS+1FC] = ImageFileName

For Windows XP SP1:
[EPROCESS+11C] = VadRoot
[EPROCESS+C4] = ObjectTable
[EPROCESS+1B0] = PEB
[EPROCESS+84] = UniqueProcessId
[EPROCESS+174] = ImageFileName

Quote:

Ahh, the fun of exploring YAMS (Yet Another MS Structure...)

Yeah, if they were open-source it would be less fun, wouldn't it?

Best regards, bilbo