Double Speed

A new option in PTfinder version 0.2.02 controls the alignment factor. When searching a Windows 2000 image for processes and threads this doubles the speed!

Among the documented criteria for searching processes and threads is the alignment. Until now I assumed an alignment on 8-byte boundaries. The sought-after data structures are kept in the non-paged pool. The documentation of the allocator routine ExAllocatePoolWithTag says:

Memory allocations of less than PAGE_SIZE are not necessarily page-aligned but are aligned on an 8-byte boundary.

However in Windows 2000 the relevant structures are aligned on a paragraph boundary, that is 16 bytes. So half of all comparisons performed by PTfinder must fail.

In order to speed up processing I added an option named --align n. It still defaults to the safe but slower alignment of 8 bytes. Issue --align 16 to set an alignment of 16 bytes. This roughly cuts the number of comparisons and the execution time in half.

I've had another idea, which turned out to be counterproductive: PTfinder searches each memory page to the last byte. This isn't necessary. Quoting the already mentioned documentation:

Memory allocations of PAGE_SIZE or less do not cross page boundaries.

So my idea was to end searching a page as soon as the structure could not fit in the remaining part. On Windows 2000 this would save 24 comparisons per page at an alignment factor of 16 bytes. But the necessary calculations consumed almost all of the saved time. In the end, the performance gain was negligible.
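As an added illustration (not PTfinder's own code), the following Python models one page of the candidate scan on a constructed page: the pool tag `Proc`, the offsets and the structure size 0x190 are assumed sample values, not Windows 2000 constants. It counts the comparisons a full scan needs at 8- and 16-byte alignment and how many the early stop at the page end skips.

```python
# Constructed model of a page-wise candidate scan: every offset that is a
# multiple of the alignment factor is compared against the tag.
PAGE_SIZE = 4096


def scan_page(page: bytes, tag: bytes, struct_size: int,
              align: int = 8, stop_early: bool = False):
    """Return (hit_offsets, comparisons) for one page.

    With stop_early the scan ends at the last offset where a structure of
    struct_size still fits: pool allocations of PAGE_SIZE or less never
    cross a page boundary, so later offsets cannot start a valid structure.
    """
    assert len(page) == PAGE_SIZE
    last = PAGE_SIZE - struct_size if stop_early else PAGE_SIZE - 1
    hits, comparisons = [], 0
    for off in range(0, last + 1, align):
        comparisons += 1
        if page[off:off + len(tag)] == tag:
            hits.append(off)
    return hits, comparisons


def build_sample_page() -> bytes:
    """Constructed page: one tag on a paragraph (16-byte) boundary and a
    decoy on an 8-byte boundary that is not 16-aligned."""
    page = bytearray(PAGE_SIZE)
    page[0x200:0x204] = b"Proc"   # 0x200 % 16 == 0: a possible allocation start
    page[0x3A8:0x3AC] = b"Proc"   # 0x3A8 % 16 == 8: never an allocation start
    return bytes(page)             # when allocations are paragraph-aligned


if __name__ == "__main__":
    page = build_sample_page()
    for align, early in ((8, False), (16, False), (16, True)):
        hits, n = scan_page(page, b"Proc", 0x190, align, early)
        print(f"align={align:2d} stop_early={early!s:5} "
              f"comparisons={n:3d} hits={[hex(h) for h in hits]}")
```

At 8-byte alignment the decoy shows up as a candidate and costs further validation; at 16 bytes the comparison count halves, and the early stop only trims the last few offsets of each page.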

The updated version of PTfinder is now available for download.

Imprint

This blog is a project of:
Andreas Schuster
Im Äuelchen 45
D-53177 Bonn
impressum@forensikblog.de

Copyright © 2005-2012 by
Andreas Schuster
All rights reserved.