Exetools (https://forum.exetools.com/index.php)
-   x64 OS (https://forum.exetools.com/forumdisplay.php?f=44)
-   -   MapViewOfFile and VirtualQuery? (https://forum.exetools.com/showthread.php?t=12895)

Enigma 07-22-2010 14:33

MapViewOfFile and VirtualQuery?
Hi Folks, yesterday had noticed incorrect work of these 2 functions in the x64 application.. Just have not ideas what is wrong there..Please advise...

1. VirtualQuery, if I call this function to know the status of the unallocated memory page then it always fails and GetLastError says that something like "Function access to the invalid memory". If I call VirtualQuery to know a status of some allocated memory, then it works well.

What would be the reason that I can't know status of unallocated memory? In usual 32 application this works well and jus return page status as MEM_FREE..?

2. More strange thing with MapViewOfFile function, simple code that I've used for a years in 32bits does not work in 64bits application:
PHP Code:

HANDLE hFilehfMappMap

if (
hFile == INVALID_HANDLE_VALUE) {return 0;} 

hfMap CreateFileMapping(hFileNULLPAGE_READONLY00NULL); 
if (
hfMap == NULL) {return 0;} 

pMap MapViewOfFile(hfMap,FILE_MAP_READ,0,0,0); 

CreateFile and CreateFileMapping are working well, but MapViewOfFile returns null. Debugging MapViewOfFile I noticed that NtMapViewOfSection returns with the status 0xC00000F1 - "Invalid third parameter".. it is more strange..

Can anybody suggest?

Enigma 07-22-2010 17:09

bug with MapViewOfFile is solved. Compiler passed 5th argument as dword instead of qword...

metr0 07-22-2010 18:28

How did you solve that? As it's a SIZE_T shouldn't it be automatically have the correct size?

Enigma 07-22-2010 20:26

I'm using FreePascal, it's compiler is not so smart as C++ compiler, so, FPC passed 5th parameters as dword and generated below asm:

mov rcx, qword prt [rsp + $44]
mov edx, 4
mov r8d, 0
mov r9d, 0
mov dword prt [rsp+$20], ebx
call MapViewOfFile

Kernel does not take this parameter as dword, it takes it as qword, so the data at [rsp+$24] was not empty and kernel thought that 5th parameter is not empty and so failed...

To solve - just change function declaration. Sorry, this is only FPC bug...

But VirtualQuery really works not same as in x86...

gigaman 07-24-2010 01:57

What exactly are you passing into the VirtualQuery call? (all the arguments, I mean, maybe even with the corresponding disassembly)

RaptorFactor 05-17-2011 21:20

I've had no problems using VirtualQuery in my x64 apps, and have not noticed the behavior you are describing (I am able to enumerate free memory blocks fine). I think that either your code is wrong, or your compiler is doing something wrong.

Would you mind posting the relevant snippets of your source code, along with a disassembly of the code generated by the compiler, so we can try and figure out what's going on?

As a reference, here's my memory region enumeration code which works for both native x86 and x64.

All times are GMT +8. The time now is 14:03.

Powered by vBulletin® Version 3.8.8
Copyright ©2000 - 2020, vBulletin Solutions, Inc.
Always Your Best Friend: Aaron, JMI, ahmadmansoor, ZeNiX