KiFilterFiberContext/NtPssCaptureVaSpaceBulk.cpp

## NtPssCaptureVaSpaceBulk.cpp
//
// NtPssCaptureVaSpaceBulk 0x013c
// Used for process snapshotting (i.e. PssCaptureSnapshot)
// Returns an array of MEMORY_BASIC_INFORMATION structures representing a process' virtual address space
//

#include <iostream>
#include <windows.h>

// not official name
//
typedef struct
{
	ULONG32 BaseAddress;
	ULONG32 PageCount;
	ULONG64 EndVA;
	MEMORY_BASIC_INFORMATION mbi[48]; // must preallocate or will return STATUS_MORE_ENTRIES
} PSS_VA_SPACE_BULK, * PPSS_VA_SPACE_BULK;

using NtPssCaptureVaSpaceBulk_t = NTSTATUS( NTAPI* )(
	HANDLE ProcessHandle,
	PVOID StartAddress,
	PSS_VA_SPACE_BULK* Buffer,
	ULONG InformationLength,
	PULONG ReturnLength
);

int main( void )
{
	const auto ntdll_va = GetModuleHandleW( L"ntdll.dll" );
	PVOID base = GetModuleHandleW( nullptr );

	const auto NtPssCaptureVaSpaceBulk = ( NtPssCaptureVaSpaceBulk_t ) GetProcAddress( ntdll_va, "NtPssCaptureVaSpaceBulk" );

	if ( NtPssCaptureVaSpaceBulk == nullptr )
		return 1;

	// used if PreviousMode == KernelMode
	//
	PSS_VA_SPACE_BULK pvaspace {
		.BaseAddress = 0x1,
	};

	ULONG return_length = 0;

	auto status = NtPssCaptureVaSpaceBulk(
		( HANDLE ) -1,
		base,
		&pvaspace,
		sizeof ( PSS_VA_SPACE_BULK ),
		&return_length );

	if ( status != 0 )
	{
		std::printf( "Failure (Error Code: 0x%x | Return Length: %ul)\n", status, return_length );
		return 2;
	}

	std::printf( "Page Count: %ul -- End VA: 0x%x\n", pvaspace.PageCount, pvaspace.EndVA );

	for ( size_t i = 0; i < pvaspace.PageCount; ++i )
		std::printf( "(%i) Base Address: 0x%lx\n", i, pvaspace.mbi[ i ].BaseAddress );

	return 0;
}
	//
	// NtPssCaptureVaSpaceBulk 0x013c
	// Used for process snapshotting (i.e. PssCaptureSnapshot)
	// Returns an array of MEMORY_BASIC_INFORMATION structures representing a process' virtual address space
	//

	#include <iostream>
	#include <windows.h>

	// not official name
	//
	typedef struct
	{
	ULONG32 BaseAddress;
	ULONG32 PageCount;
	ULONG64 EndVA;
	MEMORY_BASIC_INFORMATION mbi[48]; // must preallocate or will return STATUS_MORE_ENTRIES
	} PSS_VA_SPACE_BULK, * PPSS_VA_SPACE_BULK;

	using NtPssCaptureVaSpaceBulk_t = NTSTATUS( NTAPI* )(
	HANDLE ProcessHandle,
	PVOID StartAddress,
	PSS_VA_SPACE_BULK* Buffer,
	ULONG InformationLength,
	PULONG ReturnLength
	);

	int main( void )
	{
	const auto ntdll_va = GetModuleHandleW( L"ntdll.dll" );
	PVOID base = GetModuleHandleW( nullptr );

	const auto NtPssCaptureVaSpaceBulk = ( NtPssCaptureVaSpaceBulk_t ) GetProcAddress( ntdll_va, "NtPssCaptureVaSpaceBulk" );

	if ( NtPssCaptureVaSpaceBulk == nullptr )
	return 1;

	// used if PreviousMode == KernelMode
	//
	PSS_VA_SPACE_BULK pvaspace {
	.BaseAddress = 0x1,
	};

	ULONG return_length = 0;

	auto status = NtPssCaptureVaSpaceBulk(
	( HANDLE ) -1,
	base,
	&pvaspace,
	sizeof ( PSS_VA_SPACE_BULK ),
	&return_length );

	if ( status != 0 )
	{
	std::printf( "Failure (Error Code: 0x%x \| Return Length: %ul)\n", status, return_length );
	return 2;
	}

	std::printf( "Page Count: %ul -- End VA: 0x%x\n", pvaspace.PageCount, pvaspace.EndVA );

	for ( size_t i = 0; i < pvaspace.PageCount; ++i )
	std::printf( "(%i) Base Address: 0x%lx\n", i, pvaspace.mbi[ i ].BaseAddress );

	return 0;
	}