Yes. I've looked into that already.

From WinDbg:

    kd> ? MmNonPagedPoolStart
    Evaluate expression: -2103791316 = 829ab12c
    kd> ? poi(MmNonPagedPoolStart)
    Evaluate expression: -2079322112 = 84101000

From kernel driver:

    //listEntry->MmNonPagedPoolStart is 0x829ab12c that is pointing to 0x84101000

So we got 2 pieces of data pointing to the same value, which means that either 0x829ab2c or 0x84101000 would be the start of something.

From WinDbg:

    kd> db 0x84101000
    84101000 ff ff ff ff ff ff ff ff-ff ff ff ff ff ff ff ff
    ...
    84101070 ff ff ff ff ff ff ff ff-ff ff ff ff ff ff ff ff
    kd> db 0x829ab12c
    829ab12c 00 10 10 84 00 f0 8f 02-ff e4 02 00 00 fc 07 00
    829ab13c 00 10 10 84 00 00 00 80-00 00 00 00 01 00 00 00
    829ab14c 88 30 40 c0 00 00 00 00-00 00 00 00 00 00 00 00
    829ab15c 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00
    ...
    829ab19c 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00

So it seems like 0x84101000 is the beginning of something and not a _POOL_DESCRIPTOR, since the first field is supposed to be the PoolType and it looks more like a bitfield. What structure could it be?

Non-Paged Pool:

    Non-Paged pool region starts immediately after the PFN database. The start of non-paged pool is stored in nt!MmNonPagedPoolStart. MiObtainSystemVa() allocates from this area when called with MiVaNonPagedPool. Allocations in this region are controlled by nt!MiNonPagePoolVaBitmap and the allocation hint is stored at nt!MiNonPagedPoolVaBitMapHint.

So about the 2nd part, the MmNonPagedPoolStart is actually stored in the PKDDEBUGGER_DATA64 (KPCR->KdVersionBlock->DebuggerDataList->Flink).