Hi Everyone,
I am sorry that this is such a simple question but I would like to know the meaning of Win32Protect member of NtMapViewOfSection() function.
I am trying to use this function and then I call NtReadVirtualMemory() to see if I can read but I am failing with c0000005 (STATUS_ACCESS_VIOLATION).
I am assuming that I did not get it correctly so I would like to ask you how to set up. For example, if I want to read it later, what protection should I give?
Thank you.
YEH
This parameter describes page-level protection, i.e. whether it is RW, RO or execute. Please note that this parameter has to be compatible with access mode that you have specified when you opened a file handle - for example, if it was RO you cannot successfully map the target file for RW access…
Anton Bassov
Thank you very much for your reply.
Sorry to bother you again but I would like to double check if this is fine.
rv = NtOpenFile ( &file, FILE_EXECUTE | SYNCHRONIZE, &oa, &iosb,
FILE_SHARE_READ, FILE_SYNCHRONOUS_IO_NONALERT );
rv = NtCreateSection(§ion, SECTION_ALL_ACCESS, &oa, 0, PAGE_EXECUTE, SEC_IMAGE, file);
rv = NtMapViewOfSection(section, process, addr, 0, 0, &ofs, &sz, 1, 0, PAGE_EXECUTE_READWRITE);
I have omitted error checking and initialization routines because they are not quite important for my question.
So I have done the above, I am calling NtReadVirtualMemory() to read one byte to see if I can read from it but it fails there.
Is there anything I am doing wrong.
Thank you very much in adavance.
YEH
It is hard to say anything - you make 3 function calls, but somehow fail to tell us about the return values that you get. For example, if you have specified an invalid path and your call to NtCreateFile() failed, you just have no chance to make any subsequent call successfully.
Just a a couple of observations about the last call. First, I am quite suspicious of ‘addr’ parameter - I am not sure it is a pointer, and if it is, I am not sure the value of a pointee is appropriate. Second, IIRC, 0 is not defined as a valid AllocationType parameter. In any case, you should provide us with the return status of every call that you make…
Anton Bassov
>execute. Please note that this parameter has to be compatible with access mode
that you have specified when you opened a file handle
More so. Section object cannot have more rights that the file object it is
build over - actually, the only purpose of the section object is to keep these
rights, together with the pointer to MmCa data memory area which is 1-per-FCB
and does the rest of work.
In turn, page mappings cannot have more rights that a section object.
–
Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com
> Just a a couple of observations about the last call. First, I am quite
suspicious of
‘addr’ parameter
Virtual address hint I think.
Disassemble kernel32!MapViewOfFile to study the parameters to
NtMapViewOfSection
–
Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com
> Virtual address hint I think.
The question is whether this hint is valid…
Disassemble kernel32!MapViewOfFile to study the parameters to NtMapViewOfSection
IIRC, win32 always specifies NULL for this parameter, thus letting the OS decide where to map pages…
Anton Bassov