Exetools  

#1
07-22-2010, 14:33
Enigma
MapViewOfFile and VirtualQuery?

Hi folks, yesterday I noticed these 2 functions working incorrectly in an x64 application. I just have no idea what is wrong there. Please advise...

1. VirtualQuery: if I call this function to get the status of an unallocated memory page, it always fails, and GetLastError says something like "Function access to the invalid memory". If I call VirtualQuery to get the status of some allocated memory, it works well.

What would be the reason that I can't get the status of unallocated memory? In a usual 32-bit application this works well and just returns the page status as MEM_FREE...?

2. A stranger thing with the MapViewOfFile function: simple code that I've used for years in 32 bits does not work in a 64-bit application:
Code:
HANDLE hFile, hfMap, pMap;

hFile = CreateFile(name, GENERIC_READ | GENERIC_WRITE, FILE_SHARE_READ, 0, OPEN_EXISTING, 0, 0);
if (hFile == INVALID_HANDLE_VALUE) { return 0; }

hfMap = CreateFileMapping(hFile, NULL, PAGE_READONLY, 0, 0, NULL);
if (hfMap == NULL) { return 0; }

pMap = MapViewOfFile(hfMap, FILE_MAP_READ, 0, 0, 0);
CreateFile and CreateFileMapping work well, but MapViewOfFile returns null. Debugging MapViewOfFile, I noticed that NtMapViewOfSection returns with the status 0xC00000F1 - "Invalid third parameter"... which is even stranger.

Can anybody suggest?
#2
07-22-2010, 17:09
Enigma
The bug with MapViewOfFile is solved. The compiler passed the 5th argument as a dword instead of a qword...
#3
07-22-2010, 18:28
metr0
How did you solve that? As it's a SIZE_T, shouldn't it automatically have the correct size?
#4
07-22-2010, 20:26
Enigma
I'm using FreePascal; its compiler is not as smart as a C++ compiler, so FPC passed the 5th parameter as a dword and generated the asm below:

mov rcx, qword ptr [rsp + $44]    ; 1st argument: hFileMappingObject
mov edx, 4                        ; 2nd argument: dwDesiredAccess = FILE_MAP_READ
mov r8d, 0                        ; 3rd argument: dwFileOffsetHigh
mov r9d, 0                        ; 4th argument: dwFileOffsetLow
mov dword ptr [rsp+$20], ebx      ; 5th argument: only the low 32 bits of the slot are written
call MapViewOfFile

The kernel does not take this parameter as a dword, it takes it as a qword, so the data at [rsp+$24] was not empty, and the kernel thought that the 5th parameter was not empty and so failed...

To solve it, just change the function declaration. Sorry, this is only an FPC bug...

But VirtualQuery really does not work the same as in x86...
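An added illustration of the failure described in post #4 (not code from the thread or from FPC): a portable C model of the 8-byte stack slot that carries the 5th argument, showing what the callee reads after a 32-bit store versus a 64-bit store. The slot model, the 0xCC stale bytes, the 4096-byte section and `mock_map_ok` are assumptions made for the example; a little-endian host is assumed, as on x64.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of the 8-byte stack slot at [rsp+$20] that carries the
   5th argument (dwNumberOfBytesToMap, a SIZE_T) on x64. */
typedef struct { unsigned char b[8]; } arg_slot;

/* Stale bytes left behind by earlier code; 0xCC is a constructed value. */
static void fill_stale(arg_slot *s) { memset(s->b, 0xCC, sizeof s->b); }

/* What FPC emitted: a 32-bit store, so bytes 4..7 keep their old content. */
static void store_dword(arg_slot *s, uint32_t v) { memcpy(s->b, &v, sizeof v); }

/* What a SIZE_T declaration produces: a full 64-bit store. */
static void store_qword(arg_slot *s, uint64_t v) { memcpy(s->b, &v, sizeof v); }

/* The callee always reads the whole 64-bit slot. */
static uint64_t callee_reads(const arg_slot *s) {
    uint64_t v;
    memcpy(&v, s->b, sizeof v);
    return v;
}

/* Size the callee sees when the caller passes `size` with either store width. */
uint64_t size_seen(uint64_t size, int as_dword) {
    arg_slot slot;
    fill_stale(&slot);
    if (as_dword) store_dword(&slot, (uint32_t)size);
    else          store_qword(&slot, size);
    return callee_reads(&slot);
}

/* Hypothetical stand-in for the callee's validation (an assumption, not the
   real kernel logic): 0 means "map everything", otherwise it must fit. */
int mock_map_ok(uint64_t seen, uint64_t section_size) {
    return seen == 0 || seen <= section_size;
}

int main(void) {
    uint64_t section = 4096; /* constructed section size */
    uint64_t bad = size_seen(0, 1), good = size_seen(0, 0);
    printf("dword store: callee sees 0x%016llx -> %s\n",
           (unsigned long long)bad, mock_map_ok(bad, section) ? "ok" : "rejected");
    printf("qword store: callee sees 0x%016llx -> %s\n",
           (unsigned long long)good, mock_map_ok(good, section) ? "ok" : "rejected");
    return 0;
}
```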
#5
07-24-2010, 01:57
gigaman
What exactly are you passing into the VirtualQuery call? (all the arguments, I mean, maybe even with the corresponding disassembly)
#6
05-17-2011, 21:20
RaptorFactor
I've had no problems using VirtualQuery in my x64 apps, and have not noticed the behavior you are describing (I am able to enumerate free memory blocks fine). I think that either your code is wrong, or your compiler is doing something wrong.

Would you mind posting the relevant snippets of your source code, along with a disassembly of the code generated by the compiler, so we can try and figure out what's going on?

As a reference, here's my memory region enumeration code which works for both native x86 and x64.
https://code.google.com/p/hadesmem/source/browse/trunk/Include/Memory/HadesMemory/Region.hpp
https://code.google.com/p/hadesmem/source/browse/trunk/Src/Memory/Memory/Region.cpp