MiUnmapViewOfSection?

Patrick

Hi friends,

Recently in a PAGE_FAULT_IN_NONPAGED_AREA (50) dump I was perusing, I saw the following in the stack:

Code:
0: kd> kv
Child-SP          RetAddr           : Args to Child                                                           : Call Site
fffff880`06fbe688 fffff800`02d5752b : 00000000`00000050 fffffa00`0659b0c8 00000000`00000000 fffff880`06fbe7f0 : nt!KeBugCheckEx
fffff880`06fbe690 fffff800`02cd8d2e : 00000000`00000000 fffffa00`0659b0c8 fffff680`00339000 00000000`00353402 : nt! ?? ::FNODOBFM::`string'+0x43781
fffff880`06fbe7f0 fffff800`02de1a5c : 00000000`671ff000 fffffa80`0659b050 fffff880`06fbea30 fffff800`02dc68a6 : nt!KiPageFault+0x16e (TrapFrame @ fffff880`06fbe7f0)
fffff880`06fbe980 fffff800`02d510c5 : fffffa80`04499680 00000003`00000000 00000000`0061b402 fffffa00`0659b0c8 : nt!MiEmptyPageAccessLog+0xdc
fffff880`06fbe9f0 fffff800`02ff51c1 : fffffa80`07ff0450 00000000`00000000 00000000`00000000 00000000`00000000 : nt! ?? ::FNODOBFM::`string'+0x3aa06
fffff880`06fbeb10 fffff800`02ff55c3 : 0000007f`00000000 00000000`67120000 fffffa80`00000001 fffffa80`0659b010 : nt!MiUnmapViewOfSection+0x1b1
fffff880`06fbebd0 fffff800`02cd9e93 : 00000000`00000000 00000000`671221b4 fffffa80`04499680 00000000`0ecfc900 : nt!NtUnmapViewOfSection+0x5f
fffff880`06fbec20 00000000`76f615ba : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x13 (TrapFrame @ fffff880`06fbec20)
00000000`11c4e4e8 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x76f615ba

We can see that there are some virtual memory routines being called, but what the heck is MiUnmapViewOfSection?

I know that NtUnmapViewOfSection is called if the parameters might be from either a user-mode source or a kernel-mode source. And I know that ZwUnmapViewOfSection is called to inform the routine that the parameters come from a trusted, kernel-mode source. That way the parameters don't need validation before being used.

What's the Mi prefix???
 
You can find the full list of these prefixes in Windows Internals. In edition 5, it's pages 72-73 (I don't have a copy of edition 6 on me, but it's presumably similar).

Anyway, if you look at the list, you'll see Lsa (Local Security Authority); Mm (Memory manager); Nt (Nt system services).

But no Mi. Why? You'll need to read the previous paragraph:

"...either the first letter of the prefix followed by an i "for internal", or the full prefix followed by a p (for private)."

So, Mi should be an internal Memory Manager function.

Richard
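
The naming rule quoted in the answer above, applied to a few frames of the `kv` output from the question, as an added example that is not part of the original thread. The component table holds only Lsa, Mm and Nt from the post plus Ke (kernel), and the `public` label and all function names are this example's own.

```python
import re

# Lsa, Mm and Nt are the prefixes named in the post; Ke (kernel) is added
# here because KeBugCheckEx and KiPageFault appear in the quoted stack.
COMPONENTS = {"Lsa": "Local Security Authority", "Mm": "Memory manager",
              "Nt": "NT system services", "Ke": "Kernel"}

def build_prefix_table(components):
    table = {}
    for prefix, name in components.items():
        table[prefix] = (name, "public")             # label chosen for this example
        table[prefix[0] + "i"] = (name, "internal")  # first letter + i
        table[prefix + "p"] = (name, "private")      # full prefix + p
    return table

PREFIXES = build_prefix_table(COMPONENTS)
FRAME_RE = re.compile(r"^[0-9a-f]{8}`[0-9a-f]{8}\s")  # line begins with Child-SP
SITE_RE = re.compile(r"^(\w+)!(.+?)(?:\+0x[0-9a-f]+)?$")  # module!symbol+0xoffset

def classify(symbol):
    """Return (component, visibility), or (None, None) if no prefix matches."""
    for prefix in sorted(PREFIXES, key=len, reverse=True):  # longest first
        if symbol.startswith(prefix) and symbol[len(prefix):][:1].isupper():
            return PREFIXES[prefix]
    return (None, None)

def parse_kv(text):
    """Return (module, symbol, component, visibility) for each kv frame line."""
    frames = []
    for line in map(str.strip, text.splitlines()):
        if not FRAME_RE.match(line):
            continue  # header or blank line
        site = line.rsplit(" : ", 1)[-1]
        site = re.sub(r"\s*\(TrapFrame @ [^)]*\)$", "", site).strip()
        m = SITE_RE.match(site)
        if m is None:  # bare return address, no symbol resolved
            frames.append((None, site, None, None))
        else:
            symbol = m.group(2).strip()
            frames.append((m.group(1), symbol) + classify(symbol))
    return frames

# Four frames copied from the stack in the question, forum markup stripped.
SAMPLE = r"""
fffff880`06fbe690 fffff800`02cd8d2e : 00000000`00000000 fffffa00`0659b0c8 fffff680`00339000 00000000`00353402 : nt! ?? ::FNODOBFM::`string'+0x43781
fffff880`06fbe7f0 fffff800`02de1a5c : 00000000`671ff000 fffffa80`0659b050 fffff880`06fbea30 fffff800`02dc68a6 : nt!KiPageFault+0x16e (TrapFrame @ fffff880`06fbe7f0)
fffff880`06fbeb10 fffff800`02ff55c3 : 0000007f`00000000 00000000`67120000 fffffa80`00000001 fffffa80`0659b010 : nt!MiUnmapViewOfSection+0x1b1
00000000`11c4e4e8 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x76f615ba
"""
```

Calling `parse_kv(SAMPLE)` returns one tuple per frame; frames whose symbol did not resolve, and the bare user-mode return address, come back with no component.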
 
