Update README.md

VollRagm · Jan 31, 2022 · 2d65e59 · 2d65e59
1 parent db8b31c
commit 2d65e59
Showing 1 changed file with 5 additions and 5 deletions.
diff --git a/README.md b/README.md
@@ -1,10 +1,10 @@
 # PTView
 This utility allows you to inspect a Windows processes Page Tables live.
-You can browse through them in a GUI and dump the physical pages they point to, as well a translate virtual to physical addresses and get the virtual address to a PTE.
+You can browse through them in a GUI and dump the physical pages they point to, as well as translate virtual to physical addresses and get the virtual address to a PTE.
 
 ## Usage
 You will have to load the driver before running the client.
-I recommend loading the Driver normally in testmode, but it can be mapped as well, just make sure the first argument is the driver base and the second argument is NULL.
+I recommend loading the Driver normally in test mode, but it can be mapped as well, just make sure the first argument is the driver base and the second argument is NULL.
 After opening the client, select a process and start browsing its page tables!
 
 ## Key features
@@ -21,13 +21,13 @@ After opening the client, select a process and start browsing its page tables!
  1. **Dump the PML4 itself over its auto-entry (self-reference):**  
 
 Every PML4 keeps an entry that has the PML4's address as PFN itself. This entry is at a fixed index, that Windows nowadays sets randomly during boot.
-If this entry is selected the PDPT actually is the PML4 itself again. If you select it in the PDPT again, the PD also is the PML4 again. If you continue that until the end, the PT will be the PML4, and you will be able to use the PML4 auto-entry to dump the PML4 itself, or get it's virtual address.
+If this entry is selected the PDPT actually is the PML4 itself again. If you select it in the PDPT again, the PD also is the PML4 again. If you continue that until the end, the PT will be the PML4, and you will be able to use the PML4 auto-entry to dump the PML4 itself or get its virtual address.
 Note that this address only is valid in the selected processes context.
 
 ![PML4 auto-entry selected](https://i.imgur.com/qUI7WDO.png) 
 
  2. **Watch Windows Memory manager map pages, that have been paged out to disk:**  
 
-Get the virtual address of a unused loaded module in the process. Enter it in the Virtual Address textbox and translate it.
-Chances are that the PTE of that VA, or the subsequent PTE's PFNs are 0x0. 
+Get the virtual address of an unused loaded module in the process. Enter it in the Virtual Address textbox and translate it.
+Chances are that the PTE of that VA or the subsequent PTE's PFNs is 0x0. 
 Now access the virtual address using a Debugger or Memory viewer, like Cheat Engine, and you will see how it raises a page fault, causing Windows Memory Manager to map the pages live.