I want to allocate a specific 512MB page which is MEM_FREE, and I want to change that page to MEM_RESERVE and PAGE_NOACCESS.

Hence, with WinDbg, I found a page and I called NtAllocateVirtualMemory on that page address with PAGE_RESERVED and PAGE_NOACCESS.

After this call, I didn't notice that the page got the PAGE_NOACCESS flag (with the !address command), but I couldn't change a memory address inside that page (I got a memory access error for the eb command). So the operation succeeded because I couldn't change the memory.

  1. Do you have an idea why I don't see PAGE_NOACCESS for that page in WinDbg after changing its permissions?

Next step: I called VirtualQuery on that free page, and the function failed with error 998 (Invalid access to memory location).

  2. Finally, I want to identify free pages and reveal their size. Do you have an idea how I can get this information if VirtualQuery fails?

Thanks in Advance!

1337

1 Answer

MEM_RESERVE reserves a range of addresses in the VAD tree. It doesn't commit pages that can have protection applied to them. Read the description of the PAGE_* constants. The phrase "committed region of pages" is written repeatedly. The Protect parameter of NtAllocateVirtualMemory says it applies to a "committed region of pages". Similarly flProtect of VirtualAllocEx is valid when "the pages are being committed".

Here's a Python script that commits a page of memory that's protected with PAGE_NOACCESS. Then it attempts to read the first byte, which of course raises an access violation exception.

test.py:

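```python
from ctypes import *

MEM_COMMIT = 0x1000
PAGE_NOACCESS = 1

kernel32 = WinDLL('kernel32', use_last_error=True)
VirtualAlloc = kernel32.VirtualAlloc
VirtualAlloc.restype = c_void_p
# Declare the parameter types so addresses and sizes are not truncated.
VirtualAlloc.argtypes = (c_void_p, c_size_t, c_ulong, c_ulong)

# Commit one page that is protected with PAGE_NOACCESS.
addr = VirtualAlloc(None, 4096, MEM_COMMIT, PAGE_NOACCESS)
if not addr:
    raise WinError(get_last_error())
array = (c_char * 4096).from_address(addr)
array[0] # access violation
```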

demo:

```
(test) C:\>cdb -xi ld python test.py

Microsoft (R) Windows Debugger Version 6.12.0002.633 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.

CommandLine: python test.py
Symbol search path is: symsrv*symsrv.dll*C:\Symbols*
    http://msdl.microsoft.com/download/symbols
Executable search path is:
(d70.d08): Break instruction exception - code 80000003 (first chance)
ntdll!LdrpDoDebuggerBreak+0x30:
00000000`77b78700 cc              int     3
0:000> g

(d70.d08): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
python34!PyBytes_FromStringAndSize+0x70:
00000000`64bd5cc0 0fb601          movzx   eax,byte ptr [rcx]
                                              ds:00000000`00190000=??
0:000> !address 190000
Usage:                  <unclassified>
Allocation Base:        00000000`00190000
Base Address:           00000000`00190000
End Address:            00000000`00191000
Region Size:            00000000`00001000
Type:                   00020000        MEM_PRIVATE
State:                  00001000        MEM_COMMIT
Protect:                00000001        PAGE_NOACCESS
```
Eryk Sun
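
Added example, not part of the answer above: a ctypes sketch that walks the current process's address space with VirtualQuery, reports a protection value only for committed regions (the reserve/commit distinction the answer describes), and lists MEM_FREE regions with their sizes. The names `describe`, `walk`, `free_regions` and `win_query` are made up for this sketch; the live walk runs on Windows only.

```python
import ctypes
import sys
from ctypes import c_void_p, c_size_t, c_uint32

MEM_COMMIT, MEM_RESERVE, MEM_FREE = 0x1000, 0x2000, 0x10000
PAGE_NOACCESS = 0x01
STATES = {MEM_COMMIT: "MEM_COMMIT", MEM_RESERVE: "MEM_RESERVE", MEM_FREE: "MEM_FREE"}

class MEMORY_BASIC_INFORMATION(ctypes.Structure):
    # DWORD is 32 bits wide; ctypes inserts the alignment padding on 64-bit builds.
    _fields_ = [("BaseAddress", c_void_p), ("AllocationBase", c_void_p),
                ("AllocationProtect", c_uint32), ("RegionSize", c_size_t),
                ("State", c_uint32), ("Protect", c_uint32), ("Type", c_uint32)]

def describe(mbi):
    """Return (base, size, state name, protection or None)."""
    # Protect only describes committed pages. A reserved region keeps the value
    # passed at reservation time in AllocationProtect, and for a free region
    # every field except BaseAddress, RegionSize and State is undefined.
    prot = mbi.Protect if mbi.State == MEM_COMMIT else None
    state = STATES.get(mbi.State, hex(mbi.State))
    return (mbi.BaseAddress or 0, mbi.RegionSize, state, prot)

def walk(query, start=0, end=1 << 47):
    """Yield describe() tuples for consecutive regions; query(addr) -> MBI or None."""
    addr = start
    while addr < end:
        mbi = query(addr)
        if mbi is None or mbi.RegionSize == 0:
            break  # the query fails once addr leaves the user-mode range
        yield describe(mbi)
        addr = (mbi.BaseAddress or 0) + mbi.RegionSize

def free_regions(query, **kw):
    """Return [(base, size)] for every MEM_FREE region found by walk()."""
    return [(b, size) for b, size, state, _ in walk(query, **kw) if state == "MEM_FREE"]

def win_query(addr):
    """VirtualQuery on the current process (Windows only)."""
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.VirtualQuery.restype = c_size_t
    k32.VirtualQuery.argtypes = (c_void_p, ctypes.POINTER(MEMORY_BASIC_INFORMATION), c_size_t)
    mbi = MEMORY_BASIC_INFORMATION()
    # The second argument must point at a writable MEMORY_BASIC_INFORMATION buffer.
    return mbi if k32.VirtualQuery(addr, ctypes.byref(mbi), ctypes.sizeof(mbi)) else None

if __name__ == "__main__" and sys.platform == "win32":
    for base, size in free_regions(win_query):
        print("free  base=%#018x  size=%#x" % (base, size))
```

`walk` takes the query function as a parameter, so the same loop can be pointed at a wrapper for another process or at recorded data.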