VadRoutines.c File Reference

#include "VadRoutines.h"
#include "VadHelpers.h"

Functions
NTSTATUS	BBProtectVAD (IN PEPROCESS pProcess, IN ULONG_PTR address, IN ULONG prot)
	Change VAD protection flags More...
NTSTATUS	BBUnlinkVAD (IN PEPROCESS pProcess, IN ULONG_PTR address)
	Hide memory from NtQueryVirtualMemory More...
NTSTATUS	BBGetVadType (IN PEPROCESS pProcess, IN ULONG_PTR address, OUT PMI_VAD_TYPE pType)
	Get region VAD type More...
NTSTATUS	BBFindVAD (IN PEPROCESS pProcess, IN ULONG_PTR address, OUT PMMVAD_SHORT *pResult)
	Find VAD that describes target address More...
ULONG	BBConvertProtection (IN ULONG prot, IN BOOLEAN fromPTE)
	Convert protection flags More...

Variables
DYNAMIC_DATA	dynData
ULONG	MmProtectToValue [32]

Function Documentation

ULONG BBConvertProtection	(	IN ULONG	prot,
		IN BOOLEAN	fromPTE
	)

Convert protection flags

Parameters

prot	Protection flags.
fromPTE	If TRUE - convert to PTE protection, if FALSE - convert to Win32 protection

Returns

Resulting protection flags

NTSTATUS BBFindVAD	(	IN PEPROCESS	pProcess,
		IN ULONG_PTR	address,
		OUT PMMVAD_SHORT *	pResult
	)

Find VAD that describes target address

Parameters

pProcess	Target process object
address	Address to find
pResult	Found VAD. NULL if not found

Returns

Status code

NTSTATUS BBGetVadType	(	IN PEPROCESS	pProcess,
		IN ULONG_PTR	address,
		OUT PMI_VAD_TYPE	pType
	)

Get region VAD type

Parameters

pProcess	Target process object
address	Target address
pType	Resulting VAD type

Returns

Status code

NTSTATUS BBProtectVAD	(	IN PEPROCESS	pProcess,
		IN ULONG_PTR	address,
		IN ULONG	prot
	)

Change VAD protection flags

Parameters

pProcess	Target process object
address	Target address
prot	New protection flags

Returns

Status code

NTSTATUS BBUnlinkVAD	(	IN PEPROCESS	pProcess,
		IN ULONG_PTR	address
	)

Hide memory from NtQueryVirtualMemory

Parameters

pProcess	Target process object
address	Target address

Returns

Status code

Variable Documentation

DYNAMIC_DATA dynData

ULONG MmProtectToValue[32]