drwrap and NtMapViewOfSection

[Jan Newger]

Hi,

I'm currently using the drwrap extension to wrap calls to ntdll!NtMapViewOfSection.

What I'm aiming for is to get the base address at which a shared memory section was mapped, i.e., I'm grabbing the 2nd parameter in the post-call event:

NTSTATUS ZwMapViewOfSection(
  _In_     HANDLE SectionHandle,
  _In_     HANDLE ProcessHandle,
  _Inout_  PVOID *BaseAddress,
  _In_     ULONG_PTR ZeroBits,
  _In_     SIZE_T CommitSize,
  _Inout_  PLARGE_INTEGER SectionOffset,
  _Inout_  PSIZE_T ViewSize,
  _In_     SECTION_INHERIT InheritDisposition,
  _In_     ULONG AllocationType,
  _In_     ULONG Win32Protect
);

However, any address I get back points to inaccessible memory (checked with windbg).

Is this a side-effect of DR, or is it more likely that I have a bug in my code? Could it be due to the Wow64 layer? OS is win7 x64, but my client is 32-bit.

Tanks!

[Derek Bruening]

This should work just fine.  Did you mean the 3rd parameter?  Dr. Memory among other tools does this exact monitoring (although by watching the actual system call rather than the wrapper).

--
You received this message because you are subscribed to the Google Groups "DynamoRIO Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to dynamorio-use...@googlegroups.com.
To post to this group, send email to dynamor...@googlegroups.com.
Visit this group at http://groups.google.com/group/dynamorio-users.
For more options, visit https://groups.google.com/d/optout.

[Jan Newger]

Yes the 3rd, but since drwrap counts starting from zero I was referring to the 2nd parameter.

[Jan Newger]

It does work now, it was an error in my code. Sorry for the confusion ;-)