
VirtualQueryEx on Windows CE 6.0

Windows Programmer

Nov 26, 2009, 8:45:29 PM
From a Windows CE 6.0 user mode process, I'm trying to get information about
kernel memory using VirtualQueryEx().

The code goes something like this:

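    MEMORY_BASIC_INFORMATION mbi;
    HANDLE hProc;
    DWORD rc;

    /* pidOfNKdotEXE: process ID of nk.exe, obtained elsewhere */
    hProc = OpenProcess(PROCESS_ALL_ACCESS, FALSE, pidOfNKdotEXE);

    if (hProc)
    {
        /* Query a kernel-space address through the nk.exe handle */
        rc = VirtualQueryEx(hProc, (LPCVOID)0xd0000000, &mbi, sizeof(mbi));

        if (!rc)
        {
            /* VirtualQueryEx returns 0 on failure; report the error code */
            printf("GetLastError = 0x%08lx\n", GetLastError());
        }

        CloseHandle(hProc);
    }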

The address is valid in the address space of the kernel but GetLastError
returns 0x80070057 (E_INVALIDARG). Is this by design or a bug? Is there a
workaround for user mode process to do this? Barring that, will
VirtualQuery(0xd0000000) work if called within a kernel-mode driver?

Thanks in advance!

Luca Calligaris [eMVP]

Nov 27, 2009, 2:55:14 AM

Maybe the problem is not VirtualQuery but OpenProcess: I doubt a user mode
process can call OpenProcess on nk.exe: this would allow any process to
call, for example, WriteProcessMemory and corrupt kernel memory which would
lead to some security issues.


--
Luca Calligaris (MVP-Windows Embedded)
l.calliga...@eurotech.it.nospam
www.eurotech.it


"Windows Programmer" <win...@programmer.com> wrote in message
news:OHfYONwb...@TK2MSFTNGP04.phx.gbl...

Windows Programmer

Nov 27, 2009, 8:35:41 AM

Ciao Luca,

Good point. But, OpenProcess is returning a process handle. I don't doubt
it could be a security issue and maybe that's what VirtualQueryEx is
actually complaining about rather than the address. Just looking for some
confirmation as well as a suitable workaround (like doing it in kernel mode
driver - would it work there?).

Regards

"Luca Calligaris [eMVP]" <luca.callig...@eurotech.com.nospam> wrote
in message news:ejdqqbzb...@TK2MSFTNGP05.phx.gbl...

KMOS

Nov 28, 2009, 1:53:16 PM

If you tried to build a DEBUG mode image, it will probably show this message
"ValidateArgs: Arg 1 invalid pointer 0xd0000000"
And then take a look at ValidateArgs function in
private\winceos\coreos\nk\kernel\apicall.c
About line 1140, there is a code piece for user mode pointer verification.

    // validate the ptr is a valid user ptr
    if (fUMode && !IsValidUsrPtr ((LPCVOID)pArgs[idx], pSizeArgs[idx], dwCurSig & ARG_O_BIT)) {
        DEBUGMSG (1, (L"ValidateArgs: Arg %u invalid pointer 0x%08x\r\n", idx, pArgs[idx]));
        return ERROR_INVALID_PARAMETER;
    }

The definition of IsValidUsrPtr is in public\common\oak\inc\vmlayout.h, so
it is obvious that any user mode pointer above 2 GB (0x80000000) will
definitely be a no-no to the kernel. And back to your question, a kernel mode
DLL should be fine with pointers above 2 GB.

"Windows Programmer" <win...@programmer.com> wrote in message
news:u$X8Ea2bK...@TK2MSFTNGP02.phx.gbl...
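
Added example, not part of the thread and not the Windows CE source: a simplified C model of the dispatcher-side check KMOS describes, where a pointer argument from a user-mode caller is rejected before the API handler runs. The `model_*` names, the wraparound handling and the sample sizes are assumptions; only the 2 GB boundary, the address 0xd0000000 and ERROR_INVALID_PARAMETER come from the thread.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumption: user/kernel split at 2 GB, as stated in the thread. */
#define MODEL_KERNEL_BASE             0x80000000u
#define MODEL_ERROR_SUCCESS           0u
#define MODEL_ERROR_INVALID_PARAMETER 87u /* Win32 ERROR_INVALID_PARAMETER */

/* Hypothetical stand-in for a user-pointer check: the whole range
 * [ptr, ptr + size) must lie below the kernel base without wrapping. */
static int model_is_valid_usr_ptr(uint32_t ptr, uint32_t size)
{
    if (ptr >= MODEL_KERNEL_BASE)
        return 0;
    /* Subtraction form avoids the 32-bit overflow ptr + size could hit. */
    return size <= MODEL_KERNEL_BASE - ptr;
}

/* Hypothetical dispatcher step: validate pointer arguments before the
 * API handler is reached. Kernel-mode callers skip the user-range check. */
static uint32_t model_validate_args(int from_user_mode,
                                    const uint32_t *ptr_args,
                                    const uint32_t *size_args,
                                    size_t count)
{
    for (size_t i = 0; i < count; i++) {
        if (from_user_mode &&
            !model_is_valid_usr_ptr(ptr_args[i], size_args[i]))
            return MODEL_ERROR_INVALID_PARAMETER;
    }
    return MODEL_ERROR_SUCCESS;
}

int main(void)
{
    /* Constructed samples: the thread's address, a user-range address,
     * and a user-range address whose buffer crosses the boundary. */
    uint32_t ptrs[]  = { 0xd0000000u, 0x00010000u, 0x7ffffff0u };
    uint32_t sizes[] = { 28u, 28u, 0x20u };
    for (size_t i = 0; i < 3; i++)
        printf("0x%08x user=%u kernel=%u\n", (unsigned)ptrs[i],
               (unsigned)model_validate_args(1, &ptrs[i], &sizes[i], 1),
               (unsigned)model_validate_args(0, &ptrs[i], &sizes[i], 1));
    return 0;
}
```
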

Windows Programmer

Nov 29, 2009, 2:02:16 AM

Unfortunately not building my own OS. I did see the code in vm.c (same
directory) but nothing in there to suggest why it would fail.

Thanks for your research. Looks pretty conclusive!


"KMOS" <kmos_i...@rocketmail.com> wrote in message
news:#IZxMwFc...@TK2MSFTNGP05.phx.gbl...

KMOS

Nov 30, 2009, 1:08:56 PM

If you ever have a chance to set a BP in VMQuery (in vm.c), you will find it
is never called when the address is greater than 2GB from a user application.
Most of the API calls are PSL calls, and ObjectCall (in apicall.c) is the
dispatching function for PSL calls; that might also be the reason the kernel
does the user mode pointer validation here.

"Windows Programmer" <win...@programmer.com> wrote in message

news:eTQwjHMc...@TK2MSFTNGP04.phx.gbl...
