Monday, 12 August 2013


I've found a Minidump, in which I finally show the !pte extension, with this example a driver has attempted to execute a non-executable region of memory. Basically, a device driver has referenced a invalid memory address.

The first parameter is the virtual address which was referenced by the device driver. The !pte shows the mapping between the virtual and physical memory address, the PDE is the address of the Page Directory Entry. 

I've highlighted the PTE Status bits and Protection bits, and here is where I will explain what the currenty set bits mean:

D (Dirty) - The page has been written to previously. 

A (Accessed) - The page has been read.

K (Kernel Mode) - The page has a Kernel Mode owner.

W - The page is writtable and able to written to.

E - The page is executable.

V - The page is valid, and has a physical page corresponding to it.

There are a few other PTE bits, which are not with this current example, although, I'll quickly explain them here:

C = Copy on Write (explained here)

G = Global; address translation will apply to all processes.

L = Large Page (not set means a Small Page).

Please note, that with many x86 systems which do not support the hardware execute/non-execute bit, the E may still be displayed.

There wasn't much information within the dump file, so with this example, I'll recommend running Driver Verifier.

No comments:

Post a Comment