Tuesday, 19 November 2013

Virtual Address Descriptors (VADs) - !vad

Virtual Address Descriptors can provide useful information about the address space of a specified process. They provide information about the PTE Protection Bits, inheritance of the page and wherever the page is being shared among between processes (section object).

VAD Trees are based upon a programming algorithm called a AVL Tree, an example and explanation of one can be found here on Sysnative


The root of the VAD tree can be found using the !process extension.

The VADs field indicates the number of VADs or nodes within the AVL Tree. The AVL Tree is essentially the VAD Tree.

The far right column indicates the PTE protection bits, and the next column indicates the page state. The last or first arrow (depending on how you look at it), shows the depth of the VAD within the VAD Tree. The Start and End fields indicate the memory range. 

At the bottom of the VAD tree, you'll always see the above line, it indicates the total number of VADs within the VAD Tree and process address space, the average depth and the maximum depth.

We can also get very specific information about a certain VAD, by using the !vad extension with the 1 bit flag set.

The VAD is private to the process's address space and isn't going to be shared, it also enables Reads and Writes to this page. The Control Area is valueless, this is most likely because the page isn't shareable. The VPN (similar to VPN) indicates the Virtual Page Number, and indicates the Upper 20 bits (x86) or the 52-bits (x64) of the beginning and the end of a virtual address.

Data Structure

VADs are technically considered a data structure, and therefore can be formatted as a data structure as shown here:

The LeftChild and RightChild indicate the nodes on the next lower of the VAD Tree. This forms the tree-like structure. Let's apply the data structure to the root of the VAD Tree. 

The VadsProcess applies to the process which the VAD Root corresponds to. The ViewLinks field is a linked list, and most likely refers to the connections between each node within the VAD Tree.


The purpose of using the !vads extension is to quickly gather information about the process's address space, and some the protections implemented. A Windows purpose is, when a thread accessing a address range within a page, it checks the VAD and then creates a PTE using the VAD information. Access Violation exceptions can occur here if the page is reserved but not committed or the range desired falls outside the range of the VAD. So, you may want to check VAD information with Access Violations too. 


Understanding Virtual Address Descriptors 

Page Table (See Inverted Page Table for VPN Use) - Wikipedia 

MSDN - !vad

Code Machine - _MMVAD

OSR Online - Windows NT Virtual Memory (Part II)


  1. if a region of virtual address space is reserved but not committed, so (VAD) is created for it or not?
    please help me out

  2. if a region of virtual address space is reserved but not committed, so virtual address descriptor (VAD) is created for it or not?
    please help me out