examining loaded module images in the kernel
Posted by Mark McCormick on January 22nd, 2004


I'm working on software to check the integrity of the Windows kernel.
In particular, I need to verify portions of kernel module images
against the files from which they are loaded. I can traverse the list
of loaded modules to find out the load address of each module. But when I
go to examine the in-memory image of each module, I want to be sure I
won't crash the system if the module is unexpectedly unloaded. How do I
ensure the images aren't unloaded while I'm examining them? If I had
handles to the section objects associated with the modules, I could
presumably increase the reference count. But I haven't been able to find
handles associated with the loaded modules. I've used the Sysinternals
handle tools as well as !handle in WinDbg and not been able to locate
handles to file or section objects which refer to the loaded modules.

Another strategy to avoid crashing the system might be to check each
virtual page before I access it to see if it is backed by RAM or
a file. Does anyone know how to do this? I know MmIsAddressValid()
will tell me whether a virtual page is backed by RAM. How do I tell
if the virtual page represents memory that is simply not paged in?

Thanks

Mark McCormick