QueryWorkingSet/NtQueryVirtualMemory missing pages?
Hi everybody.

Since it's been such a long time since I contributed anything to the community, I've been working on a new tool lately. Part of this tool's contract is to create, for an arbitrary remote process, a memory map similar to that produced by Olly. For the most part it works great, using functions from Toolhelp, Kernel32 and PSAPI, but I'm finding that QueryWorkingSet (which seems to directly abstract NtQueryVirtualMemory) is not returning the data I'd expect.

Supposing I invoke this on a suspended process running under WinDbg (or Olly), so I can compare the results, the page list returned looks convincing enough but is actually missing chunks here and there which WinDbg is happy enough to list (using !vadump). The ones I've noticed are of type MEM_IMAGE, part of loaded PEs, but there may well be other problem areas. I would post some evidence, but I can't see it being too useful, given that QueryWorkingSet is being invoked in the only way possible.

For the record, I'm testing under Vista SP2 as Administrator, opening the process with PROCESS_ALL_ACCESS. Does anybody have any experience with this? In the meanwhile I'm going to trial a brute-force approach using VirtualQueryEx, but I'm not too optimistic about the performance, particularly given that the app's .NET.

Cheers,
Admiral

PS: Big thanks to ahmadmansoor for inviting me to the board.
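The gap described above has a structural cause worth making concrete: QueryWorkingSet (NtQueryVirtualMemory with the working-set information class) reports only pages currently resident in the process working set, whereas !vadump and VirtualQueryEx walk the virtual address descriptors and therefore list every committed page, including image pages that have never been faulted in since the module was mapped. The following portable C program is an added illustration, not code from the poster or from any Windows API: it decodes the 32-bit (x86) PSAPI_WORKING_SET_BLOCK bit layout (5 bits protection, 3 bits share count, 1 bit shared, 3 reserved, 20-bit virtual page number) and diffs a constructed VirtualQueryEx-style region list against a constructed working-set list to surface committed-but-non-resident pages. The `Region` struct, `make_ws_block` helper and all sample addresses are assumptions for the demonstration; on a real system the inputs would come from VirtualQueryEx and QueryWorkingSet respectively.

```c
#include <stdint.h>
#include <stdio.h>
#include <stddef.h>

#define PAGE_SIZE  4096u
#define PAGE_SHIFT 12

/* Constructed stand-in for the parts of a VirtualQueryEx result we need
 * (not Win32's MEMORY_BASIC_INFORMATION). */
typedef struct {
    uint32_t    base;   /* BaseAddress */
    uint32_t    size;   /* RegionSize, a multiple of PAGE_SIZE */
    const char *type;   /* "MEM_IMAGE", "MEM_PRIVATE", "MEM_MAPPED" */
} Region;

/* Field accessors for the 32-bit PSAPI_WORKING_SET_BLOCK layout (x86):
 * bits 0-4 Protection, 5-7 ShareCount, 8 Shared, 9-11 Reserved,
 * 12-31 VirtualPage (page number, i.e. address >> 12). */
static uint32_t ws_protection(uint32_t b)  { return b & 0x1fu; }
static uint32_t ws_share_count(uint32_t b) { return (b >> 5) & 0x7u; }
static uint32_t ws_shared(uint32_t b)      { return (b >> 8) & 0x1u; }
static uint32_t ws_page_addr(uint32_t b)   { return (b >> PAGE_SHIFT) << PAGE_SHIFT; }

/* Assumed helper that packs the same fields back into a block; used only to
 * build the constructed sample below. */
static uint32_t make_ws_block(uint32_t page_addr, uint32_t prot,
                              uint32_t share_count, uint32_t shared) {
    return (page_addr & 0xFFFFF000u) | ((shared & 1u) << 8)
         | ((share_count & 7u) << 5) | (prot & 0x1fu);
}

static int ws_contains(const uint32_t *ws, size_t nws, uint32_t page) {
    for (size_t i = 0; i < nws; i++)
        if (ws_page_addr(ws[i]) == page) return 1;
    return 0;
}

/* Walk every committed page of the VAD-style view and report the ones the
 * working-set view lacks. Returns the total missing; writes up to max of
 * their addresses into out. */
size_t find_missing_pages(const Region *regions, size_t nregions,
                          const uint32_t *ws, size_t nws,
                          uint32_t *out, size_t max) {
    size_t missing = 0;
    for (size_t r = 0; r < nregions; r++) {
        for (uint32_t off = 0; off < regions[r].size; off += PAGE_SIZE) {
            uint32_t page = regions[r].base + off;
            if (!ws_contains(ws, nws, page)) {
                if (missing < max) out[missing] = page;
                missing++;
            }
        }
    }
    return missing;
}

/* Constructed sample: a three-page image mapping and a two-page private
 * region, of which one image page (0x00401000) was never touched and so is
 * committed but not resident. */
static const Region sample_regions[] = {
    { 0x00400000u, 0x3000u, "MEM_IMAGE"   },
    { 0x00410000u, 0x2000u, "MEM_PRIVATE" },
};
static const uint32_t sample_ws[] = {
    /* protection codes are the documented PSAPI_WORKING_SET_BLOCK values */
    0x00400002u | (1u << 5) | (1u << 8),   /* 0x00400000 shared image page  */
    0x00402003u | (1u << 5) | (1u << 8),   /* 0x00402000 shared image page  */
    0x00410004u | (1u << 5),               /* 0x00410000 private page       */
    0x00411004u | (1u << 5),               /* 0x00411000 private page       */
};
#define NREGIONS (sizeof sample_regions / sizeof sample_regions[0])
#define NWS      (sizeof sample_ws / sizeof sample_ws[0])

int main(void) {
    uint32_t out[16];
    size_t n = find_missing_pages(sample_regions, NREGIONS, sample_ws, NWS,
                                  out, sizeof out / sizeof out[0]);
    printf("working set holds %zu pages; %zu committed page(s) not resident\n",
           (size_t)NWS, n);
    for (size_t i = 0; i < n && i < 16; i++)
        printf("  missing: 0x%08x\n", out[i]);
    for (size_t i = 0; i < NWS; i++)
        printf("  ws 0x%08x prot=%u share=%u shared=%u\n", ws_page_addr(sample_ws[i]),
               ws_protection(sample_ws[i]), ws_share_count(sample_ws[i]),
               ws_shared(sample_ws[i]));
    return 0;
}
```

On a 64-bit process the block is 64 bits wide and VirtualPage occupies the upper bits, so the accessors would change width but not layout order. The practical takeaway for a memory-map tool is that the working-set walk is a complement to, not a substitute for, a VirtualQueryEx sweep: the former tells you what is resident and how it is shared, the latter tells you what is committed.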