[Vrtule]

Hello,

Currently, I digging into Virtual Address Descriptors (VADs). I have noticed that certain types of VADs represent certain types of "structures" in process virtual adress space. For example, reserved and commited memory and standard memory mapped files are represented by VADs of type VadNone. Pages of AWE mappings are represented by VadAwe descriptor. And VadImageMap is used for memory regions where PE images (EXEs, DLLs) are mapped. I have also seen VadLargePageSection in use and plan to do some experiments with large pages.

I've coded a small application and driver in order to display VAD contents in more convenient way (I have no problem with sharing it, source code included. Unfortunatelly, comments are in Czech).

I have problems with VadRotatePhysical descriptors. It seems that they are not used anywhere and Google told me nothing too. Does anybody have an idea, for what purpose this type of VAD is used?

EDIT: typo

[kmd]

Does anybody have an idea, for what purpose this type of VAD is used

indicates vad has been deleted..

Code: Select all

                    // This Virtual Address Descriptor has been deleted.   
                    //   
                    // Free all the physical pages that this VAD might be   
                    // mapping.   
                    //   
           
                    if (Vad->u.VadFlags.VadType == VadRotatePhysical) {   
                        Status = MiUnmapViewOfSection (Process,   
                                                       CapturedBase,   
                                                       UNMAP_ADDRESS_SPACE_HELD | UNMAP_ROTATE_PHYSICAL_OK);    

check NtFreeVirtualMemory from wrk.

[Vrtule]

indicates vad has been deleted..

I dno't think so. The code suggests to me that VadRotatePhysical represents pages of some special kind of physical memory section. Maybe something like VadDevicePhysicalMemory.

I seem to be unable to find where VadRotatePhysical VADs are created. I have gone through the whole WRK source code I believe. But VadRotatePhysical is presnet in if statements only, not in assignments.

[Brock]

Code: Select all

typedef enum _MI_VAD_TYPE
{
         VadNone = 0,
         VadDevicePhysicalMemory = 1,
         VadImageMap = 2,
         VadAwe = 3,
         VadWriteWatch = 4,
         VadLargePages = 5,
         VadRotatePhysical = 6,
         VadLargePageSection = 7
} MI_VAD_TYPE;

From what I see the types are clear... released/freed and then deleted.

[Vrtule]

Code: Select all

if (Vad->u.VadFlags.VadType == VadRotatePhysical) {   
                        Status = MiUnmapViewOfSection (Process,   
                                                       CapturedBase,   

This seems to me as the rotate physical VAD represents some sort of section. However, I am unable to find, where the kernel assigns VadRotatePhysical to the VadType field in MMVAD_XXX strtucture.

Other types (members of MI_VAD_TYPE structure) are clear for me.

[holly]

i have found some information in Windows Internals about rotate VADS( chapter9).
it says:in order to quickly allow different views of memory to be mapped into a process,and to support the different cache attributes, the MM implememts rotate VADs,which allow video drivers to transfer data directly by using the GPU and to rotate unneeded memory in and out of the process view pages on demand.
But they dont analyze it in depth.
Hope this can help you.

[Vrtule]

holly: I found this article in Windows Internals few days ago. But thanks anyway. To speak the truth, Windows Internals contains only a few pages about VADs and they don't go too deep.

I found that this type of VADs is used from Windows Vista. However, I am still not able to determine how to create such a VAD...