[Vol-users] NX/DEP Settings in Windows Memory

Dear all, I was hoping that someone might be able to clear up a query I have wrt Windows memory and how it handles memory pages (specifically information regarding the pages executable permissions). I'm assuming that PAE is in use here. The idea is that we have some page (holding virtual address addr) within a processes address space and wish to know if that page is executable. Within user space, we can use the VADs and obtain executable information via vad.u.VadFlags.Protection - vadinfo.PROTECT_FLAGS allows the returned value (as an int) to be converted into a string representation. Within kernel space, we can use the PTE to determine information regarding the pages exec status - for example: def get_page_nx_bit(addrspace, addr): pdpte = addrspace.get_pdpte(addr) pde = addrspace.get_pde(addr, pdpte) pte = addrspace.get_pte(addr, pde) return pte >> 63 gets the NX bit for the PTE associated with a given page address. Now, in comparing bit 63 of the PTE entries against the VAD protection permissions in user space, I'm noticing the occasional difference. Naively, I'd expected the PTEs to agree with the protection information on the VADs (within user space). Any help or pointers to information resolving the above is very much appreciated. Many thanks, Carl.