Part 1:
1: kd> g
Breakpoint 42 hit
nt!MiSessionAddProcess:
80ab2fbe 55              push    ebp
1: kd> kc
 #
00 nt!MiSessionAddProcess
01 nt!MmCreateProcessAddressSpace
02 nt!PspCreateProcess
03 nt!NtCreateProcessEx
04 nt!_KiSystemService
05 SharedUserData!SystemCallStub
06 ntdll!NtCreateProcessEx
07 kernel32!CreateProcessInternalW
08 kernel32!CreateProcessW
09 winlogon!StartSystemProcess
0a winlogon!ExecSystemProcesses
0b winlogon!WinMain
0c winlogon!WinMainCRTStartup
#define SESSION_GLOBAL(_Session) (_Session->GlobalVirtualAddress)
Part 2:
1: kd> x nt!MmSessionSpace
80bf0048          nt!MmSessionSpace = 0xbf7f0000
1: kd> dx -r1 ((ntkrnlmp!_MM_SESSION_SPACE *)0xbf7f0000)
((ntkrnlmp!_MM_SESSION_SPACE *)0xbf7f0000)                 : 0xbf7f0000 [Type: _MM_SESSION_SPACE *]
    [+0x000] GlobalVirtualAddress : 0xf79b1000 [Type: _MM_SESSION_SPACE *]
0xf79b1000
1: kd> dx -r1 ((ntkrnlmp!_MM_SESSION_SPACE *)0xbf7f0000)
((ntkrnlmp!_MM_SESSION_SPACE *)0xbf7f0000)                 : 0xbf7f0000 [Type: _MM_SESSION_SPACE *]
    [+0x000] GlobalVirtualAddress : 0xf79b1000 [Type: _MM_SESSION_SPACE *]
    [+0x004] ReferenceCount   : 0x2 [Type: unsigned long]
    [+0x008] u                [Type: __unnamed]
    [+0x00c] SessionId        : 0x0 [Type: unsigned long]
    [+0x010] ProcessList      [Type: _LIST_ENTRY]
    [+0x018] LastProcessSwappedOutTime : {0} [Type: _LARGE_INTEGER]
    [+0x020] SessionPageDirectoryIndex : 0x7b44e [Type: unsigned long]
    [+0x024] NonPagablePages  : 0x10 [Type: unsigned long]
    [+0x028] CommittedPages   : 0x3e [Type: unsigned long]
    [+0x02c] PagedPoolStart   : 0xbc000000 [Type: void *]
    [+0x030] PagedPoolEnd     : 0xbc3fffff [Type: void *]
    [+0x034] PagedPoolBasePde : 0xc0300bc0 [Type: _MMPTE *]
    [+0x038] Color            : 0x37 [Type: unsigned long]
    [+0x03c] ProcessOutSwapCount : 0x0 [Type: unsigned long]
    [+0x040] SessionPoolAllocationFailures [Type: unsigned long [4]]
    [+0x050] ImageList        [Type: _LIST_ENTRY]
    [+0x058] LocaleId         : 0x409 [Type: unsigned long]
    [+0x05c] AttachCount      : 0x0 [Type: unsigned long]
    [+0x060] AttachEvent      [Type: _KEVENT]
    [+0x070] LastProcess      : 0x0 [Type: _EPROCESS *]
    [+0x074] ProcessReferenceToSession : 2 [Type: long]
    [+0x078] WsListEntry      [Type: _LIST_ENTRY]
    [+0x080] Lookaside        [Type: _GENERAL_LOOKASIDE [26]]
    [+0xd80] Session          [Type: _MMSESSION]
    [+0xdc0] PagedPoolMutex   [Type: _KGUARDED_MUTEX]
    [+0xde0] PagedPoolInfo    [Type: _MM_PAGED_POOL_INFO]
    [+0xe00] Vm               [Type: _MMSUPPORT]
    [+0xe60] Wsle             : 0xbf400038 [Type: _MMWSLE *]
    [+0xe64] Win32KDriverUnload : 0xbf8aaad0 [Type: void (*)(_DRIVER_OBJECT *)]
    [+0xe68] PagedPool        [Type: _POOL_DESCRIPTOR]
    [+0x1e98] PageTables       : 0x89579e00 [Type: _MMPTE *]
    [+0x1e9c] ImageLoadingCount : 0 [Type: long]
    [+0x1ea0] Debug            [Type: unsigned long [56]]
    [+0x1f80] Debug2           [Type: _MM_SESSION_MEMORY_COUNTERS [8]]
Part 3:
1: kd> dt nt!MmSessionPoolSize
0x400000
1: kd> dt nt!MiSessionPoolStart
0xbc000000
1: kd> dt nt!MiSessionViewStart
0xbc400000
1: kd> lm
start    end        module name
bf800000 bfa9a000   win32k     (private pdb symbols)  j:\retail-checked\sys\win32k.pdb
1: kd> dt nt!MiSessionImageStart
0xbf800000
BOOLEAN
MmInitSystem (
    IN ULONG Phase,
    IN PLOADER_PARAMETER_BLOCK LoaderBlock
    )
{
        //
        // Initialize some global session variables.
        //
        MmSessionSpace = (PMM_SESSION_SPACE)((ULONG_PTR)MmSessionBase + MmSessionSize - MmSessionImageSize - MI_SESSION_SPACE_STRUCT_SIZE);
MmSessionSpace = 0xbc000000 + 0x4000000 - 0x800000 - 0x10000 = 0xbf7f0000
1: kd> dt nt!MmSessionBase
0xbc000000
1: kd> dt nt!MmSessionSize
0x4000000
1: kd> dt nt!MmSessionImageSize
0x800000
#define MI_SESSION_SPACE_STRUCT_SIZE MM_ALLOCATION_GRANULARITY
#define MM_ALLOCATION_GRANULARITY ((ULONG)0x10000)
Virtual memory layout of session space when loaded down from 0xC0000000.
Note that the sizes of mapped views, paged pool and images are registry
tunable on 32-bit systems (if NOT booted /3GB, as 3GB has very limited
address space).
                 +------------------------------------+
        C0000000 |                                    |
                 | win32k.sys, video drivers and any  |
                 | rebased NT4 printer drivers.       |
                 |                                    |
                 |             (8MB)                  |
                 |                                    |
                 +------------------------------------+
        BF800000 |                                    |
                 |   MM_SESSION_SPACE & Session WSLs  |
                 |              (4MB)                 |
                 |                                    |
                 +------------------------------------+
        BF400000 |                                    |
                 |   Mapped views for this session    |
                 |     (20MB by default, but is       |
                 |      registry configurable)        |
                 |                                    |
                 +------------------------------------+
        BE000000 |                                    |
                 |   Paged pool for this session      |
                 |     (16MB by default, but is       |
                 |      registry configurable)        |
                 |                                    |
        BD000000 +------------------------------------+
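Worked check of the arithmetic in Part 3, added here as an example (not kernel code): it re-derives MmSessionSpace, MiSessionImageStart and MiSessionViewStart from the constants dumped above, classifies a session-range address against those boundaries, and applies the SESSION_GLOBAL idea to map the session-local ProcessList address to its global alias. The macro values are copied from the debugger output on this page; session_region and session_to_global are hypothetical helper names.

```c
#include <stdint.h>

/* Constants copied from the debugger output on this page (32-bit target). */
#define MM_ALLOCATION_GRANULARITY    ((uint32_t)0x10000)
#define MI_SESSION_SPACE_STRUCT_SIZE MM_ALLOCATION_GRANULARITY
#define MM_SESSION_BASE              0xbc000000u  /* nt!MmSessionBase      */
#define MM_SESSION_SIZE              0x04000000u  /* nt!MmSessionSize      */
#define MM_SESSION_IMAGE_SIZE        0x00800000u  /* nt!MmSessionImageSize */
#define MM_SESSION_POOL_SIZE         0x00400000u  /* nt!MmSessionPoolSize  */
#define PROCESS_LIST_OFFSET          0x10u        /* [+0x010] ProcessList  */

enum region { OUTSIDE, PAGED_POOL, VIEWS, SESSION_STRUCT, IMAGES };

/* Same arithmetic as the MmInitSystem line quoted above. */
uint32_t mm_session_space(void)
{
    return MM_SESSION_BASE + MM_SESSION_SIZE - MM_SESSION_IMAGE_SIZE
           - MI_SESSION_SPACE_STRUCT_SIZE;
}

/* Session images (win32k.sys etc.) begin right after the struct. */
uint32_t mi_session_image_start(void) { return mm_session_space() + MI_SESSION_SPACE_STRUCT_SIZE; }

/* Session views begin where session paged pool ends. */
uint32_t mi_session_view_start(void) { return MM_SESSION_BASE + MM_SESSION_POOL_SIZE; }

/* Hypothetical helper: which part of this session's layout does a VA taken
 * from a dump fall into? Only boundaries dumped on this page are used. */
enum region session_region(uint32_t va)
{
    if (va < MM_SESSION_BASE || va >= MM_SESSION_BASE + MM_SESSION_SIZE)
        return OUTSIDE;
    if (va < mi_session_view_start())  return PAGED_POOL;
    if (va < mm_session_space())       return VIEWS;  /* from MiSessionViewStart */
    if (va < mi_session_image_start()) return SESSION_STRUCT;
    return IMAGES;
}

/* Hypothetical helper for the SESSION_GLOBAL idea: a byte in the session-local
 * MM_SESSION_SPACE mapping is also visible at the same offset from
 * GlobalVirtualAddress, which is why the ProcessList links in Part 4 point at
 * 0xf79b1010 (= 0xf79b1000 + 0x10) rather than 0xbf7f0010. */
uint32_t session_to_global(uint32_t local_va, uint32_t global_va)
{
    return global_va + (local_va - mm_session_space());
}
```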
Part 4: after the function returns
1: kd> dx -r1 (*((ntkrnlmp!_LIST_ENTRY *)0xbf7f0010))
(*((ntkrnlmp!_LIST_ENTRY *)0xbf7f0010))                 [Type: _LIST_ENTRY]
    [+0x000] Flink            : 0x895ea304 [Type: _LIST_ENTRY *]
    [+0x004] Blink            : 0x89544304 [Type: _LIST_ENTRY *]
1: kd> dx -r1 ((ntkrnlmp!_LIST_ENTRY *)0x895ea304)
((ntkrnlmp!_LIST_ENTRY *)0x895ea304)                 : 0x895ea304 [Type: _LIST_ENTRY *]
    [+0x000] Flink            : 0x895140d4 [Type: _LIST_ENTRY *]
    [+0x004] Blink            : 0xf79b1010 [Type: _LIST_ENTRY *]
1: kd> dx -r1 ((ntkrnlmp!_LIST_ENTRY *)0x89544304)
((ntkrnlmp!_LIST_ENTRY *)0x89544304)                 : 0x89544304 [Type: _LIST_ENTRY *]
    [+0x000] Flink            : 0xf79b1010 [Type: _LIST_ENTRY *]
    [+0x004] Blink            : 0x895140d4 [Type: _LIST_ENTRY *]