Debugging Tools for Windows |
!vad扩展显示一个或多个虚拟地址详细的虚拟地址描述符(virtual address descriptor (VAD))。
Windows NT 4.0 | Kdextx86.dll |
Windows 2000 | Kdextx86.dll |
Windows XP和之后 | Kdexts.dll |
使用!process命令可以找到任何进程的VAD的根地址。
下面是!vad扩展的示例:
VAD level start end commit
82741bf8 ( 1) 78000 78045 8 Mapped Exe EXECUTE_WRITECOPY
824ef368 ( 2) 7f6f0 7f7ef 0 Mapped EXECUTE_READ
824bc2f8 ( 0) 7ffb0 7ffd3 0 Mapped READONLY
8273e508 ( 2) 7ffde 7ffde 1 Private EXECUTE_READWRITE
82643fc8 ( 1) 7ffdf 7ffdf 1 Private EXECUTE_READWRITE
Total VADs: 5 average level: 2 maximum depth: 2
kd> !vad 824bc2f8 1
VAD @ 824bc2f8
Start VPN: 7ffb0 End VPN: 7ffd3 Control Area: 827f1208
First ProtoPte: e1008500 Last PTE e100858c Commit Charge 0 (0.)
Secured.Flink 0 Blink 0 Banked/Extend: 0 Offset 0
ViewShare NoChange READONLY
SecNoChange
关于虚拟地址描述符的信息,查看Mark Russinovich 和David Solomon 编写的Microsoft Windows Internals。