#1
QueryWorkingSet/NtQueryVirtualMemory missing pages?
Hi everybody.

Since it's been such a long time since I contributed anything to the community, I've been working on a new tool lately. Part of this tool's contract is to create, for an arbitrary remote process, a memory map similar to that produced by Olly. For the most part it works great, using functions from Toolhelp, Kernel32 and PSAPI, but I'm finding that QueryWorkingSet (which seems to directly abstract NtQueryVirtualMemory) is not returning the data I'd expect.

Supposing I invoke this on a suspended process running under WinDbg (or Olly), so I can compare the results, the page list returned looks convincing enough but is actually missing chunks here and there which WinDbg is happy enough to list (using !vadump). The ones I've noticed are of type MEM_IMAGE, part of loaded PEs, but there may well be other problem areas. I would post some evidence but I can't see it being too useful, given that QueryWorkingSet is being invoked in the only way possible. For the record, I'm testing under Vista SP2 as Administrator, opening the process with PROCESS_ALL_ACCESS.

Does anybody have any experience with this? In the meanwhile I'm going to trial a brute-force approach using VirtualQueryEx, but I'm not too optimistic about the performance, particularly given that the app's .NET.

Cheers,
Admiral

PS. Big thanks to ahmadmansoor for inviting me to the board.
#2
So as it turns out, enumerating user-space pages using VirtualQueryEx isn't prohibitive at all. For a typical process it takes roughly ten times as long as a single call to QueryWorkingSet, but that's well within the bounds of practicality. On my modest machine the operation takes somewhere in the order of 1ms in native code, and 100ms for .NET with interop.
Still, if anyone has any ideas why NtQueryVirtualMemory is being so uncooperative, it would be enlightening.

Admiral
#3
Okay, so to put this one to bed, the gotcha is in the definition of 'working set'. Entirely my misunderstanding, but it turns out that this function only returns those memory addresses that are currently paged into the process, and not all mapped pages.
So the blocks that were missing were those that hadn't been referenced recently and had hence been paged out of the working set to make room for more popular regions.

Thanks for listening,
Admiral
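The resolution above (QueryWorkingSet lists only resident pages, VirtualQueryEx lists every committed region) can be checked directly by diffing the two views: any 4 KiB page that lies inside a committed region but is absent from the working set is mapped but paged out, which is exactly the gap Admiral saw under !vadump. The program below is an added example written for this thread, not Admiral's tool and not code posted here. The comparison core is portable and runs on constructed sample data; the Win32 enumeration is compiled only under _WIN32 and assumes the documented PSAPI/VirtualQueryEx behaviour (working-set entries are page numbers, so the virtual address is VirtualPage << 12; a first undersized QueryWorkingSet call fills NumberOfEntries). It opens the target with PROCESS_QUERY_INFORMATION | PROCESS_VM_READ rather than PROCESS_ALL_ACCESS, since enumerating memory needs nothing more.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#ifdef _WIN32
#include <windows.h>
#include <psapi.h>                     /* link with psapi.lib */
#endif

#define PAGE_SZ 4096ULL

/* A committed region as VirtualQueryEx reports it (base and size in bytes). */
typedef struct { uint64_t base; uint64_t size; } region_t;

static int cmp_u64(const void *a, const void *b)
{
    uint64_t x = *(const uint64_t *)a, y = *(const uint64_t *)b;
    return (x > y) - (x < y);
}

/* Core comparison: each page inside the committed regions that is absent from
 * the working-set list is mapped but not resident. Returns how many such pages
 * exist and writes up to out_cap of their addresses to out (out may be NULL).
 * ws is sorted in place so every lookup is a binary search. */
size_t non_resident_pages(const region_t *regions, size_t nregions,
                          uint64_t *ws, size_t nws, uint64_t *out, size_t out_cap)
{
    size_t missing = 0;
    qsort(ws, nws, sizeof *ws, cmp_u64);
    for (size_t r = 0; r < nregions; r++) {
        uint64_t end = regions[r].base + regions[r].size;
        for (uint64_t va = regions[r].base & ~(PAGE_SZ - 1); va < end; va += PAGE_SZ) {
            if (!bsearch(&va, ws, nws, sizeof *ws, cmp_u64)) {
                if (missing < out_cap) out[missing] = va;
                missing++;
            }
        }
    }
    return missing;
}

/* Constructed sample, not data from a real process: three committed pages at
 * 0x400000 plus one at 0x7ff000, with the middle page of the first region
 * absent from the (deliberately unsorted) working set. */
size_t sample_run(uint64_t *first_missing)
{
    region_t regions[2] = { { 0x400000, 0x3000 }, { 0x7ff000, 0x1000 } };
    uint64_t ws[3] = { 0x401000, 0x400000, 0x7ff000 };
    uint64_t out[8];
    size_t n = non_resident_pages(regions, 2, ws, 3, out, 8);
    if (first_missing) *first_missing = n ? out[0] : 0;
    return n;
}

#ifdef _WIN32
/* Walk the address space with VirtualQueryEx, keeping committed regions only. */
static size_t enumerate_committed(HANDLE h, region_t *out, size_t cap)
{
    MEMORY_BASIC_INFORMATION mbi;
    uintptr_t addr = 0;
    size_t n = 0;
    while (VirtualQueryEx(h, (LPCVOID)addr, &mbi, sizeof mbi) == sizeof mbi) {
        if (mbi.State == MEM_COMMIT && n < cap) {
            out[n].base = (uint64_t)(uintptr_t)mbi.BaseAddress;
            out[n].size = (uint64_t)mbi.RegionSize;
            n++;
        }
        uintptr_t next = (uintptr_t)mbi.BaseAddress + mbi.RegionSize;
        if (next <= addr) break;                 /* wrapped past the top of user space */
        addr = next;
    }
    return n;
}

/* Fetch the resident pages. Entries are page numbers, so VA = VirtualPage << 12.
 * The undersized probe call fails but fills NumberOfEntries; headroom covers
 * pages that become resident between the two calls. */
static size_t fetch_working_set(HANDLE h, uint64_t **pages)
{
    PSAPI_WORKING_SET_INFORMATION probe = { 0 };
    QueryWorkingSet(h, &probe, sizeof probe);
    size_t cnt = (size_t)probe.NumberOfEntries + 256;
    size_t bytes = sizeof probe + cnt * sizeof(PSAPI_WORKING_SET_BLOCK);
    PSAPI_WORKING_SET_INFORMATION *wsi = malloc(bytes);
    if (!wsi || !QueryWorkingSet(h, wsi, (DWORD)bytes)) { free(wsi); return 0; }
    size_t n = (size_t)wsi->NumberOfEntries;
    *pages = malloc(n * sizeof **pages);
    for (size_t i = 0; i < n; i++)
        (*pages)[i] = (uint64_t)wsi->WorkingSetInfo[i].VirtualPage << 12;
    free(wsi);
    return n;
}
#endif

int main(int argc, char **argv)
{
#ifdef _WIN32
    if (argc > 1) {   /* usage: prog <pid>; query rights are all this needs */
        HANDLE h = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, FALSE,
                               (DWORD)strtoul(argv[1], NULL, 10));
        if (!h) { fprintf(stderr, "OpenProcess failed: %lu\n", GetLastError()); return 1; }
        static region_t regions[65536];
        uint64_t *ws = NULL;
        size_t nr = enumerate_committed(h, regions, 65536);
        size_t nw = fetch_working_set(h, &ws);
        size_t n = non_resident_pages(regions, nr, ws, nw, NULL, 0);
        printf("%zu committed regions, %zu resident pages, %zu mapped but not resident\n", nr, nw, n);
        free(ws);
        CloseHandle(h);
        return 0;
    }
#endif
    (void)argc; (void)argv;
    uint64_t first = 0;
    size_t n = sample_run(&first);
    printf("sample: %zu non-resident page(s), first at 0x%" PRIx64 "\n", n, first);
    return 0;
}
```

On a live process the non-resident count is expected to be non-zero for any image that has been idle, which is the behaviour the thread settled on: a complete memory map has to come from VirtualQueryEx (or the debugger's VAD view), with QueryWorkingSet only telling you which of those pages happen to be in RAM right now. The working set can change between the probe call and the real call, so a production tool should retry when the second call fails rather than trust the probe count.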