The ldrmodules plugin compares module information from the three PEB lists (in the process memory) with the information from a data structure residing in the kernel memory known as VADs (Virtual Address Descriptors). The memory manager uses VADs to keep track of whichvirtual addresses in the process memory that are reserved (or free). The VAD is a binary tree structure that stores information about the virtually contiguous memory regions in the process memory. For each process, the memory manager maintains a set of VADs and each VAD node describes a virtually contiguous memory region. If the process memory region contains a memory-mapped file (such as an executable, DLL), then the VAD node stores ...