NtQueryVirtualMemory issue/fix

Question

NtQueryVirtualMemory issue/fix

med0x2e opened this issue 4 years ago · 3 comments

Hi,

I've been trying to get NtQueryVirtualMemory to work in a sample x64 PoC with the current generated NQVM prototype; the call to NQVM keep failing with "0xc0000005" error code.

the current generated prototype:

NTSTATUS status = NtQueryVirtualMemory(hProcess, (PVOID)p_addr, MemoryBasicInformation, &memInfo, sizeof(memInfo), &retBytes);
		
EXTERN_C NTSTATUS NtQueryVirtualMemory(
	IN HANDLE ProcessHandle,
	IN PVOID BaseAddress,
	IN MEMORY_INFORMATION_CLASS MemoryInformationClass,
	OUT PVOID MemoryInformation,
	IN ULONG MemoryInformationLength, <====
	OUT PULONG ReturnLength OPTIONAL);

I had to change the "MemoryInformationLength" type to ULONG_PTR (unsigned long long) to get it working;

NTSTATUS status = NtQueryVirtualMemory(hProcess, (PVOID)p_addr, MemoryBasicInformation, &memInfo, sizeof(memInfo), &retBytes);
		

EXTERN_C NTSTATUS NtQueryVirtualMemory(
	IN HANDLE ProcessHandle,
	IN PVOID BaseAddress,
	IN MEMORY_INFORMATION_CLASS MemoryInformationClass,
	OUT PVOID MemoryInformation,
	IN ULONG_PTR MemoryInformationLength, <<====
	OUT PULONG ReturnLength OPTIONAL);

OS: Windows 10
Build Number: 18363

Answer 1 · 2020-12-27T23:06:19.000Z

Thanks for the feedback @med0x2e. I've changed the types for MemoryInformationLength and ReturnLength to SIZE_T and PSIZE_T as per documentation here. Let me know if this causes issues, thanks!

Answer 2 · 2020-12-28T08:27:34.000Z

Tested your fix & worked as well.

Thanks :)

Answer 3 · 2020-12-28T15:09:53.000Z

Glad it worked; thanks for reporting this issue!