Exetools  

Old 10-03-2009, 19:55
Admiral
QueryWorkingSet/NtQueryVirtualMemory missing pages?

Hi everybody.

Since it's been such a long time since I contributed anything to the community, I've been working on a new tool lately. Part of this tool's contract is to create, for an arbitrary remote process, a memory map similar to that produced by Olly.

For the most part it works great, using functions from Toolhelp, Kernel32 and PSAPI, but I'm finding that QueryWorkingSet (which seems to directly abstract NtQueryVirtualMemory) is not returning the data I'd expect. Supposing I invoke this on a suspended process running under WinDbg (or Olly), so I can compare the results, the page-list returned looks convincing enough but is actually missing chunks here and there which WinDbg is happy enough to list (using !vadump). The ones I've noticed are of type MEM_IMAGE, part of loaded PEs, but there may well be other problem areas.

I would post some evidence but I can't see it being too useful, given that QueryWorkingSet is being invoked in the only way possible. For the record, I'm testing under Vista SP2 as Administrator, opening the process with PROCESS_ALL_ACCESS.

Does anybody have any experience with this? In the meanwhile I'm going to trial a brute-force approach using VirtualQueryEx, but I'm not too optimistic about the performance, particularly given that the app's .NET.

Cheers
Admiral

PS. Big thanks to ahmadmansoor for inviting me to the board
Old 10-05-2009, 05:00
Admiral
So as it turns out, enumerating user-space pages using VirtualQueryEx isn't prohibitive at all. For a typical process it takes roughly ten times as long as a single call to QueryWorkingSet, but that's well within the bounds of practicality. On my modest machine the operation takes somewhere in the order of 1ms in native code, and 100ms for .NET with interop.

Still, if anyone has any ideas why NtQueryVirtualMemory is being so uncooperative, it would be enlightening.

Admiral
Old 10-05-2009, 23:18
Admiral
Okay, so to put this one to bed, the gotcha is in the definition of 'working set'. Entirely my misunderstanding, but it turns out that this function only returns those memory addresses that are currently paged into the process, and not all mapped pages.

So the blocks that were missing were those that hadn't been referenced recently and had hence been paged out of the working set to make room for more popular regions.

Thanks for listening
Admiral
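The comparison this thread lands on, as an added C# P/Invoke example that is not the poster's tool: it walks a target's committed regions with VirtualQueryEx and counts, per region, how many pages QueryWorkingSet currently reports, so a mapped MEM_IMAGE region whose pages have been trimmed shows up as committed pages with few or no working-set entries. It assumes a PID on the command line, a target of the same bitness as the caller, 4 KiB pages, and the PROCESS_QUERY_INFORMATION | PROCESS_VM_READ rights the working-set query needs.

```csharp
using System;
using System.Collections.Generic;
using System.ComponentModel;
using System.Runtime.InteropServices;
// Added example (not the poster's tool): walk a target's committed regions with VirtualQueryEx and
// count how many of their pages QueryWorkingSet also lists. Assumes same bitness and 4 KiB pages.
static class WorkingSetCompare {
    [StructLayout(LayoutKind.Sequential)]
    struct MEMORY_BASIC_INFORMATION {
        public IntPtr BaseAddress, AllocationBase; public uint AllocationProtect;
        public UIntPtr RegionSize; public uint State, Protect, Type;
    }
    const uint PROCESS_QUERY_INFORMATION = 0x0400, PROCESS_VM_READ = 0x0010, MEM_COMMIT = 0x1000, MEM_IMAGE = 0x1000000;
    const int ERROR_BAD_LENGTH = 24; const ulong PAGE = 0x1000;
    [DllImport("kernel32.dll", SetLastError = true)] static extern IntPtr OpenProcess(uint access, bool inherit, int pid);
    [DllImport("kernel32.dll", SetLastError = true)] static extern UIntPtr VirtualQueryEx(IntPtr h, UIntPtr addr, out MEMORY_BASIC_INFORMATION mbi, UIntPtr len);
    [DllImport("psapi.dll", SetLastError = true)] static extern bool QueryWorkingSet(IntPtr h, IntPtr buf, uint cb);
    // Pages currently in the working set. Each ULONG_PTR entry packs protection/share flags into
    // its low 12 bits; masking them off leaves the page's base address.
    static HashSet<ulong> ResidentPages(IntPtr h) {
        for (int entries = 1024; ; ) {
            int cb = IntPtr.Size * (entries + 1); IntPtr buf = Marshal.AllocHGlobal(cb); // NumberOfEntries + entries
            try {
                if (QueryWorkingSet(h, buf, (uint)cb)) {
                    var pages = new HashSet<ulong>();
                    for (int i = 1, n = (int)Marshal.ReadIntPtr(buf); i <= n; i++)
                        pages.Add((ulong)(long)Marshal.ReadIntPtr(buf, i * IntPtr.Size) & ~0xFFFUL);
                    return pages;
                }
                if (Marshal.GetLastWin32Error() != ERROR_BAD_LENGTH) throw new Win32Exception();
                entries = (int)Marshal.ReadIntPtr(buf) + 512; // too small: first field holds the required count
            } finally { Marshal.FreeHGlobal(buf); }
        }
    }
    static void Main(string[] args) {
        IntPtr h = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, false, int.Parse(args[0]));
        if (h == IntPtr.Zero) throw new Win32Exception();
        HashSet<ulong> resident = ResidentPages(h);
        var len = (UIntPtr)(uint)Marshal.SizeOf(typeof(MEMORY_BASIC_INFORMATION));
        var mbi = new MEMORY_BASIC_INFORMATION();
        // Walk from address 0; the loop ends when the query fails past the top of user space.
        for (ulong a = 0; VirtualQueryEx(h, (UIntPtr)a, out mbi, len) != UIntPtr.Zero; a += (ulong)mbi.RegionSize) {
            ulong size = (ulong)mbi.RegionSize, inWs = 0;
            if (mbi.State != MEM_COMMIT) continue;          // free or reserved: nothing to be resident
            for (ulong p = a; p < a + size; p += PAGE) if (resident.Contains(p)) inWs++;
            Console.WriteLine($"{a:X16} {size,10:X} {(mbi.Type == MEM_IMAGE ? "IMAGE" : "     ")} resident {inWs}/{size / PAGE}");
        }
    }
}
```

Run it against a process that has been idle for a while and the IMAGE rows with low resident counts are exactly the "missing" blocks from the first post: still mapped, just not in the working set.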