Exetools > General > General Discussion


10-03-2009, 19:55
QueryWorkingSet/NtQueryVirtualMemory missing pages?

Hi everybody.

Since it's been such a long time since I contributed anything to the community, I've been working on a new tool lately. Part of this tool's contract is to create, for an arbitrary remote process, a memory map similar to that produced by Olly.

For the most part it works great, using functions from Toolhelp, Kernel32 and PSAPI, but I'm finding that QueryWorkingSet (which seems to directly abstract NtQueryVirtualMemory) is not returning the data I'd expect. Supposing I invoke this on a suspended process running under WinDbg (or Olly), so I can compare the results, the page-list returned looks convincing enough but is actually missing chunks here and there which WinDbg is happy enough to list (using !vadump). The ones I've noticed are of type MEM_IMAGE, part of loaded PEs, but there may well be other problem areas.

I would post some evidence but I can't see it being too useful, given that QueryWorkingSet is being invoked in the only way possible. For the record, I'm testing under Vista SP2 as Administrator, opening the process with PROCESS_ALL_ACCESS.

Does anybody have any experience with this? In the meantime I'm going to trial a brute-force approach using VirtualQueryEx, but I'm not too optimistic about the performance, particularly given that the app's .NET.


PS. Big thanks to ahmadmansoor for inviting me to the board

10-05-2009, 05:00
So as it turns out, enumerating user-space pages using VirtualQueryEx isn't prohibitive at all. For a typical process it takes roughly ten times as long as a single call to QueryWorkingSet, but that's well within the bounds of practicality. On my modest machine the operation takes somewhere in the order of 1ms in native code, and 100ms for .NET with interop.

Still, if anyone has any ideas why NtQueryVirtualMemory is being so uncooperative, it would be enlightening.

10-05-2009, 23:18
Okay, so to put this one to bed, the gotcha is in the definition of 'working set'. Entirely my misunderstanding, but it turns out that this function only returns those memory addresses that are currently paged into the process, and not all mapped pages.

So the blocks that were missing were those that hadn't been referenced recently and had hence been paged out of the working set to make room for more popular regions.

Thanks for listening
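The discrepancy the thread lands on can be made concrete in code. What follows is an added example, not code from any of the posts: it builds the committed-region list the way the second post describes (stepping VirtualQueryEx through user space), fetches the raw QueryWorkingSet entries, and counts committed pages that are not in the working set, which is exactly the set of pages !vadump lists but QueryWorkingSet omits. The comparison logic is portable and runs on a constructed sample (labelled as such in the code; it is not captured from a real process); the live path is under #ifdef _WIN32, takes a PID on the command line, and links against psapi (psapi.lib or -lpsapi). Assumptions: 4 KiB pages, and the documented PSAPI_WORKING_SET_BLOCK layout, where the low 12 bits of each entry carry Protection, ShareCount, Shared and Reserved and the remainder is the virtual page number.

```c
/* Added example (not from the original thread): why QueryWorkingSet "misses"
 * pages. VirtualQueryEx walks every committed region; the working set is only
 * the subset of those pages that is resident right now. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define PAGE_BYTES 4096u  /* assumption: x86/x64 small page, as in Olly's map */

typedef struct { uintptr_t base; size_t size; } region_t;  /* one MEM_COMMIT region */

/* A PSAPI_WORKING_SET_BLOCK packs Protection(5) ShareCount(3) Shared(1)
 * Reserved(3) into the low 12 bits; masking them off leaves the page base. */
static uintptr_t ws_entry_page_base(uintptr_t entry)
{
    return entry & ~(uintptr_t)(PAGE_BYTES - 1);
}

static int cmp_uptr(const void *a, const void *b)
{
    uintptr_t x = *(const uintptr_t *)a, y = *(const uintptr_t *)b;
    return (x > y) - (x < y);
}

/* Binary search for 'page' in the sorted resident page list. */
static int page_is_resident(uintptr_t page, const uintptr_t *resident, size_t n)
{
    size_t lo = 0, hi = n;
    while (lo < hi) {
        size_t mid = lo + (hi - lo) / 2;
        if (resident[mid] < page) lo = mid + 1; else hi = mid;
    }
    return lo < n && resident[lo] == page;
}

/* Count committed pages absent from the working set: the "missing chunks". */
size_t count_nonresident_pages(const region_t *regions, size_t nregions,
                               const uintptr_t *ws_entries, size_t nentries)
{
    uintptr_t *resident = NULL;
    if (nentries) {
        resident = malloc(nentries * sizeof *resident);
        if (!resident) return (size_t)-1;
        for (size_t i = 0; i < nentries; i++)
            resident[i] = ws_entry_page_base(ws_entries[i]);
        qsort(resident, nentries, sizeof *resident, cmp_uptr);
    }
    size_t missing = 0;
    for (size_t r = 0; r < nregions; r++)
        for (uintptr_t p = regions[r].base; p < regions[r].base + regions[r].size; p += PAGE_BYTES)
            if (!page_is_resident(p, resident, nentries)) missing++;
    free(resident);
    return missing;
}

/* Constructed sample (not a real capture): two committed regions, 5 pages,
 * of which the working set holds 3; flag bits are set in the low 12 bits. */
size_t sample_missing_pages(void)
{
    const region_t regions[] = { { 0x10000, 3 * PAGE_BYTES }, { 0x400000, 2 * PAGE_BYTES } };
    const uintptr_t ws[] = { 0x401000 | 0x05, 0x12000 | 0x21, 0x10000 | 0x11 };
    return count_nonresident_pages(regions, 2, ws, 3);  /* 0x11000 and 0x400000 */
}

#ifdef _WIN32
#include <windows.h>
#include <psapi.h>

/* Step VirtualQueryEx through user space and keep MEM_COMMIT regions. */
static size_t collect_committed(HANDLE proc, region_t **out)
{
    SYSTEM_INFO si; GetSystemInfo(&si);
    MEMORY_BASIC_INFORMATION mbi;
    size_t n = 0, cap = 256;
    region_t *v = malloc(cap * sizeof *v);
    for (uintptr_t a = (uintptr_t)si.lpMinimumApplicationAddress;
         a < (uintptr_t)si.lpMaximumApplicationAddress; a += mbi.RegionSize) {
        if (!VirtualQueryEx(proc, (LPCVOID)a, &mbi, sizeof mbi)) break;
        if (mbi.State != MEM_COMMIT) continue;
        if (n == cap) v = realloc(v, (cap *= 2) * sizeof *v);
        v[n].base = (uintptr_t)mbi.BaseAddress; v[n++].size = mbi.RegionSize;
    }
    *out = v; return n;
}

/* Raw working-set entries. QueryWorkingSet fails with ERROR_BAD_LENGTH when
 * the buffer is too small; grow with slack, since the set changes between calls. */
static size_t collect_working_set(HANDLE proc, uintptr_t **out)
{
    size_t cap = 4096; PSAPI_WORKING_SET_INFORMATION *wsi = NULL;
    for (;;) {
        size_t bytes = sizeof *wsi + cap * sizeof(PSAPI_WORKING_SET_BLOCK);
        wsi = realloc(wsi, bytes);
        if (QueryWorkingSet(proc, wsi, (DWORD)bytes)) break;
        if (GetLastError() != ERROR_BAD_LENGTH) { free(wsi); *out = NULL; return 0; }
        cap = cap * 2 + (size_t)wsi->NumberOfEntries;
    }
    size_t n = (size_t)wsi->NumberOfEntries;
    uintptr_t *e = malloc(n * sizeof *e);
    for (size_t i = 0; i < n; i++) e[i] = wsi->WorkingSetInfo[i].Flags;
    free(wsi); *out = e; return n;
}
#endif

int main(int argc, char **argv)
{
    printf("constructed sample: %zu of 5 committed pages not resident\n", sample_missing_pages());
#ifdef _WIN32
    if (argc > 1) {  /* usage: tool.exe <pid> */
        HANDLE proc = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, FALSE, (DWORD)atoi(argv[1]));
        if (!proc) { fprintf(stderr, "OpenProcess failed: %lu\n", GetLastError()); return 1; }
        region_t *regions; uintptr_t *ws;
        size_t nr = collect_committed(proc, &regions), nw = collect_working_set(proc, &ws);
        printf("pid %s: %zu committed regions, %zu resident pages, %zu committed pages not in working set\n",
               argv[1], nr, nw, count_nonresident_pages(regions, nr, ws, nw));
        free(regions); free(ws); CloseHandle(proc);
    }
#else
    (void)argc; (void)argv;
#endif
    return 0;
}
```

Run against a process that has been idle for a while and the third number is typically large, dominated by MEM_IMAGE pages of loaded modules that have not been touched recently, which matches the first post's observation. The practical consequence for a memory-map tool is to build the map from VirtualQueryEx (it reports committed, reserved and free regions regardless of residency) and treat the working set, if shown at all, as a per-page "resident" attribute layered on top. On Vista and later, QueryWorkingSetEx answers that residency question for a chosen list of addresses without fetching the whole working set.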