Deputation
commented
2 years ago What you're saying is correct, kernel memory starts at pml4 index 255.
Pagewalkr however is built to scan the entirety of the paging tables in the kernel's CR3, this includes eventual payloads / rootkits that could manually insert pml4 entries and map memory at pml4 indexes < 255.
guttir14
Doesn't pml4 index for kernel memory start at 255 (https://github.com/Deputation/pagewalkr/blob/master/pagewalkr/main.cpp#L36)? or do page tables work different in context of ntoskrnl.exe?