!pte (display page-level address and entries)
Description of the '!pte' command in HyperDbg.
!pte
!pte [VirtualAddress (hex)] [pid ProcessId (hex)]
Displays the PML4E, PDPTE, PDE, PTE for the specified address.
[VirtualAddress (hex)]
The virtual address whose page-level entries you want to read.
[pid ProcessId (hex)] (optional)
The process ID whose memory layout is used to convert the address.
In Debugger Mode, the pid parameter is ignored. If you want to view another process memory, use the '' command to switch to another process memory layout.
The following command shows the page-level entries for nt!ExAllocatePoolWithTag.
The following command shows the page-level entries for nt!ExAllocatePoolWithTag+5.
The following command shows the page-level entries for fffff80040f00c28.
The following command shows the page-level entries for fffff8003ad6f010. Note that some entries might have a large PDE and no PTE.
This function works by calling DeviceIoControl with IOCTL = IOCTL_DEBUGGER_READ_PAGE_TABLE_ENTRIES_DETAILS; you have to send it in the following structure.
You should only fill the VirtualAddress of the above structure. When the IOCTL returns from the kernel, the other parts of this structure are filled with the valid entry virtual addresses and the entry values themselves.
If you want to convert based on another process memory layout, then put its process ID. Otherwise, put the current process ID. ProcessId is ignored in Debugger Mode.
You can map the value to each entry's structure (look at the Intel SDM for more information).
The structures are also available in MemoryMapper.h, but they might be outdated.
If the VirtualAddress and Value of entry for PDE and PTE from the kernel IOCTL are the same, the entry has a LARGE PDE and doesn't have PTE.
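The sketch below is an added example, not HyperDbg's code. It interprets returned entries by applying the large-PDE rule above and the Intel SDM bit layout for 4-level paging. The LEVEL_ENTRY type, its field names, the helper functions and the sample entry values are assumptions constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumed per-level result: the page says the IOCTL returns each entry's
   virtual address and value. Type and field names here are hypothetical. */
typedef struct { uint64_t EntryVa; uint64_t Value; } LEVEL_ENTRY;

/* Bit positions from the Intel SDM (4-level paging). */
#define PG_PRESENT (1ULL << 0)
#define PG_WRITE   (1ULL << 1)
#define PG_USER    (1ULL << 2)
#define PG_NX      (1ULL << 63)
#define PG_ADDR_4K 0x000FFFFFFFFFF000ULL  /* bits 51:12, 4 KB frame */
#define PG_ADDR_2M 0x000FFFFFFFE00000ULL  /* bits 51:21, 2 MB frame */

/* Table index selected by va at a level: 4 = PML4, 3 = PDPT, 2 = PD, 1 = PT. */
unsigned table_index(uint64_t va, int level) {
    return (unsigned)((va >> (12 + 9 * (level - 1))) & 0x1FF);
}

/* Rule from the text: identical PDE and PTE results mean a large PDE, no PTE. */
int is_large_pde(const LEVEL_ENTRY *pde, const LEVEL_ENTRY *pte) {
    return pde->EntryVa == pte->EntryVa && pde->Value == pte->Value;
}

/* Physical address the final entry maps va to (2 MB or 4 KB page). */
uint64_t mapped_physical(uint64_t va, const LEVEL_ENTRY *pde, const LEVEL_ENTRY *pte) {
    if (is_large_pde(pde, pte))
        return (pde->Value & PG_ADDR_2M) | (va & 0x1FFFFF);
    return (pte->Value & PG_ADDR_4K) | (va & 0xFFF);
}

/* Present, writable and not no-execute: worth a second look when auditing. */
int is_writable_executable(uint64_t value) {
    return (value & PG_PRESENT) && (value & PG_WRITE) && !(value & PG_NX);
}

int main(void) {
    uint64_t va = 0xfffff8003ad6f010ULL;                     /* address used on the page */
    LEVEL_ENTRY pde = { 0x1000ULL, 0x00000000034000E3ULL };  /* constructed sample */
    LEVEL_ENTRY pte = pde;                                   /* same result => large PDE */
    printf("PML4[%u] PDPT[%u] PD[%u] PT[%u]\n", table_index(va, 4),
           table_index(va, 3), table_index(va, 2), table_index(va, 1));
    printf("large=%d phys=%#llx wx=%d user=%d\n", is_large_pde(&pde, &pte),
           (unsigned long long)mapped_physical(va, &pde, &pte),
           is_writable_executable(pde.Value), (pde.Value & PG_USER) != 0);
    return 0;
}
```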
This command is guaranteed to keep debuggee in a halt state (in Debugger Mode); thus, nothing will change during its execution.