kd> dt _SEGMENT_OBJECT 0xFFFFF8A003654620
nt!_SEGMENT_OBJECT
+0x000 BaseAddress : 0x00000000`00000001 Void
+0x008 TotalNumberOfPtes : 0
+0x010 SizeOfSegment : _LARGE_INTEGER 0x0
+0x018 NonExtendedPtes : 0
+0x01c ImageCommitment : 0
+0x020 ControlArea : 0xfffff880`05d018c0 _CONTROL_AREA
+0x028 Subsection : 0xfffff8a0`0011dea0 _SUBSECTION
+0x030 MmSectionFlags : 0x00000000`0000b000 _MMSECTION_FLAGS
+0x038 MmSubSectionFlags : 0x00000010`000108a0 _MMSUBSECTION_FLAGS
kd> dx -id 0,0,fffffa8000c40b00 -r1 ((ntkrnlmp!_SUBSECTION *)0xfffff8a00011dea0)
((ntkrnlmp!_SUBSECTION *)0xfffff8a00011dea0) : 0xfffff8a00011dea0 [Type: _SUBSECTION *]
[+0x000] ControlArea : 0xfffffa800146e6e0 [Type: _CONTROL_AREA *]
[+0x008] SubsectionBase : 0x4a00000000000b [Type: _MMPTE *]
[+0x010] NextSubsection : 0x0 [Type: _SUBSECTION *]
[+0x018] PtesInSubsection : 0xb000 [Type: unsigned long]
[+0x020] UnusedPtes : 0x10000000 [Type: unsigned long]
[+0x020] GlobalPerSessionHead : 0x10000000 [Type: _MM_AVL_TABLE *]
[+0x028] u [Type: <unnamed-tag>]
[+0x02c] StartingSector : 0x0 [Type: unsigned long]
[+0x030] NumberOfFullSectors : 0xa [Type: unsigned long]
kd> dx -id 0,0,fffffa8000c40b00 -r1 ((ntkrnlmp!_CONTROL_AREA *)0xfffffa800146e6e0)
((ntkrnlmp!_CONTROL_AREA *)0xfffffa800146e6e0) : 0xfffffa800146e6e0 [Type: _CONTROL_AREA *]
[+0x000] Segment : 0xfffff8a00011dea0 [Type: _SEGMENT *]
[+0x008] DereferenceList [Type: _LIST_ENTRY]
[+0x018] NumberOfSectionReferences : 0x1 [Type: unsigned __int64]
[+0x020] NumberOfPfnReferences : 0x4 [Type: unsigned __int64]
[+0x028] NumberOfMappedViews : 0x1 [Type: unsigned __int64]
[+0x030] NumberOfUserReferences : 0x2 [Type: unsigned __int64]
[+0x038] u [Type: <unnamed-tag>]
[+0x03c] FlushInProgressCount : 0x0 [Type: unsigned long]
[+0x040] FilePointer [Type: _EX_FAST_REF]
[+0x048] ControlAreaLock : 0 [Type: long]
[+0x04c] ModifiedWriteCount : 0x0 [Type: unsigned long]
[+0x04c] StartingFrame : 0x0 [Type: unsigned long]
[+0x050] WaitList : 0x0 [Type: _MI_CONTROL_AREA_WAIT_BLOCK *]
[+0x058] u2 [Type: <unnamed-tag>]
[+0x068] LockedPages : 0x1 [Type: unsigned __int64]
[+0x070] ViewList [Type: _LIST_ENTRY]
kd> dx -id 0,0,fffffa8000c40b00 -r1 (*((ntkrnlmp!_EX_FAST_REF *)0xfffffa800146e720))
(*((ntkrnlmp!_EX_FAST_REF *)0xfffffa800146e720)) [Type: _EX_FAST_REF]
[+0x000] Object : 0xfffffa8001422d08 [Type: void *]
[+0x000 ( 3: 0)] RefCnt : 0x8 [Type: unsigned __int64]
[+0x000] Value : 0xfffffa8001422d08 [Type: unsigned __int64]
kd> dt _file_object FFFFFA8001422D00
nt!_FILE_OBJECT
+0x000 Type : 0n5
+0x002 Size : 0n216
+0x008 DeviceObject : 0xfffffa80`01db77d0 _DEVICE_OBJECT
+0x010 Vpb : 0xfffffa80`01bcb880 _VPB
+0x018 FsContext : 0xfffff8a0`01b38c70 Void
+0x020 FsContext2 : 0xfffff8a0`01b38e60 Void
+0x028 SectionObjectPointer : 0xfffffa80`01454308 _SECTION_OBJECT_POINTERS
+0x030 PrivateCacheMap : (null)
+0x038 FinalStatus : 0n0
+0x040 RelatedFileObject : (null)
+0x048 LockOperation : 0 ''
+0x049 DeletePending : 0 ''
+0x04a ReadAccess : 0x1 ''
+0x04b WriteAccess : 0 ''
+0x04c DeleteAccess : 0 ''
+0x04d SharedRead : 0x1 ''
+0x04e SharedWrite : 0 ''
+0x04f SharedDelete : 0x1 ''
+0x050 Flags : 0x44042
+0x058 FileName : _UNICODE_STRING "\Users\ADMIN~1.ADM\AppData\Local\Temp\Loli.dll"
+0x068 CurrentByteOffset : _LARGE_INTEGER 0x0
+0x070 Waiters : 0
+0x074 Busy : 0
+0x078 LastLock : (null)
+0x080 Lock : _KEVENT
+0x098 Event : _KEVENT
+0x0b0 CompletionContext : (null)
+0x0b8 IrpListLock : 0
+0x0c0 IrpList : _LIST_ENTRY [ 0xfffffa80`01422dc0 - 0xfffffa80`01422dc0 ]
+0x0d0 FileObjectExtension : (null)
值得注意的是 _FILE_OBJECT 的地址是怎么来的：_EX_FAST_REF 的 Value 为 0xfffffa8001422d08，其低 4 位（RefCnt = 0x8）是引用计数而不是地址的一部分，屏蔽掉低 4 位后才得到真正的 _FILE_OBJECT 地址 0xFFFFFA8001422D00。
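/* Recover the _FILE_OBJECT pointer from an _EX_FAST_REF.
 * The low 4 bits of Value hold RefCnt (0x8 in the dump above), not address
 * bits, so 0xfffffa8001422d08 becomes 0xFFFFFA8001422D00 once they are
 * cleared. Masking is the idiomatic form of the original (Value >> 4) << 4;
 * Value is unsigned __int64, so both clear exactly the same bits.
 * NOTE(review): the masked result is only a usable pointer when the
 * fast ref's Object field was non-NULL — check pFileObj before dereferencing. */
PFILE_OBJECT pFileObj = (PFILE_OBJECT)(Value & ~0xFULL);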