/*++ Copyright (c) 1989 Microsoft Corporation Module Name: queryvm.c Abstract: This module contains the routines which implement the NtQueryVirtualMemory service. Author: Lou Perazzoli (loup) 21-Aug-1989 Revision History: --*/ #include "mi.h" extern POBJECT_TYPE IoFileObjectType; NTSTATUS MiGetWorkingSetInfo ( IN PMEMORY_WORKING_SET_INFORMATION WorkingSetInfo, IN ULONG Length, IN PEPROCESS Process ); MMPTE MiCaptureSystemPte ( IN PMMPTE PointerProtoPte, IN PEPROCESS Process ); #if DBG PEPROCESS MmWatchProcess; VOID MmFooBar(VOID); #endif // DBG ULONG MiQueryAddressState ( IN PVOID Va, IN PMMVAD Vad, IN PEPROCESS TargetProcess, OUT PULONG ReturnedProtect ); #ifdef ALLOC_PRAGMA #pragma alloc_text(PAGE,NtQueryVirtualMemory) #pragma alloc_text(PAGE,MiQueryAddressState) #pragma alloc_text(PAGELK,MiGetWorkingSetInfo) #endif NTSTATUS NtQueryVirtualMemory ( IN HANDLE ProcessHandle, IN PVOID BaseAddress, IN MEMORY_INFORMATION_CLASS MemoryInformationClass, OUT PVOID MemoryInformation, IN ULONG MemoryInformationLength, OUT PULONG ReturnLength OPTIONAL ) /*++ Routine Description: This function provides the capability to determine the state, protection, and type of a region of pages within the virtual address space of the subject process. The state of the first page within the region is determined and then subsequent entries in the process address map are scanned from the base address upward until either the entire range of pages has been scanned or until a page with a nonmatching set of attributes is encountered. The region attributes, the length of the region of pages with matching attributes, and an appropriate status value are returned. If the entire region of pages does not have a matching set of attributes, then the returned length parameter value can be used to calculate the address and length of the region of pages that was not scanned. Arguments: ProcessHandle - An open handle to a process object. BaseAddress - The base address of the region of pages to be queried. This value is rounded down to the next host-page- address boundary. MemoryInformationClass - The memory information class about which to retrieve information. MemoryInformation - A pointer to a buffer that receives the specified information. The format and content of the buffer depend on the specified information class. MemoryBasicInformation - Data type is PMEMORY_BASIC_INFORMATION. MEMORY_BASIC_INFORMATION Structure ULONG RegionSize - The size of the region in bytes beginning at the base address in which all pages have identical attributes. ULONG State - The state of the pages within the region. State Values State Values MEM_COMMIT - The state of the pages within the region is committed. MEM_FREE - The state of the pages within the region is free. MEM_RESERVE - The state of the pages within the region is reserved. ULONG Protect - The protection of the pages within the region. Protect Values Protect Values PAGE_NOACCESS - No access to the region of pages is allowed. An attempt to read, write, or execute within the region results in an access violation (i.e., a GP fault). PAGE_EXECUTE - Execute access to the region of pages is allowed. An attempt to read or write within the region results in an access violation. PAGE_READONLY - Read-only and execute access to the region of pages is allowed. An attempt to write within the region results in an access violation. PAGE_READWRITE - Read, write, and execute access to the region of pages is allowed. If write access to the underlying section is allowed, then a single copy of the pages are shared. Otherwise, the pages are shared read-only/copy-on-write. PAGE_GUARD - Read, write, and execute access to the region of pages is allowed; however, access to the region causes a "guard region entered" condition to be raised in the subject process. PAGE_NOCACHE - Disable the placement of committed pages into the data cache. ULONG Type - The type of pages within the region. Type Values MEM_PRIVATE - The pages within the region are private. MEM_MAPPED - The pages within the region are mapped into the view of a section. MEM_IMAGE - The pages within the region are mapped into the view of an image section. MemoryInformationLength - Specifies the length in bytes of the memory information buffer. ReturnLength - An optional pointer which, if specified, receives the number of bytes placed in the process information buffer. Return Value: Returns the status TBS Environment: Kernel mode. --*/ { KPROCESSOR_MODE PreviousMode; PEPROCESS TargetProcess; NTSTATUS Status; PMMVAD Vad; BOOLEAN PteIsZero = FALSE; PVOID Va; BOOLEAN Found = FALSE; ULONG TheRegionSize; ULONG NewProtect; ULONG NewState; PVOID FilePointer; MEMORY_BASIC_INFORMATION Info; // // The only supported option is MEMORY_BASIC_INFORMATION, make // sure the user's buffer is large enough for this. // // // Check argument validity. // switch (MemoryInformationClass) { case MemoryBasicInformation: if (MemoryInformationLength < sizeof(MEMORY_BASIC_INFORMATION)) { return STATUS_INFO_LENGTH_MISMATCH; } break; case MemoryWorkingSetInformation: break; case MemoryMappedFilenameInformation: FilePointer = NULL; break; default: return STATUS_INVALID_INFO_CLASS; } PreviousMode = KeGetPreviousMode(); if (PreviousMode != KernelMode) { // // Check arguments. // try { ProbeForWrite(MemoryInformation, MemoryInformationLength, sizeof(ULONG)); if (ARGUMENT_PRESENT(ReturnLength)) { ProbeForWriteUlong(ReturnLength); } } except (EXCEPTION_EXECUTE_HANDLER) { // // If an exception occurs during the probe or capture // of the initial values, then handle the exception and // return the exception code as the status value. // return GetExceptionCode(); } } if (BaseAddress > MM_HIGHEST_USER_ADDRESS) { return STATUS_INVALID_PARAMETER; } if (BaseAddress >= MM_HIGHEST_VAD_ADDRESS) { // // Indicate a reserved area from this point on. // if ( MemoryInformationClass == MemoryBasicInformation ) { try { ((PMEMORY_BASIC_INFORMATION)MemoryInformation)->AllocationBase = (PVOID)((ULONG)MM_HIGHEST_VAD_ADDRESS + 1); ((PMEMORY_BASIC_INFORMATION)MemoryInformation)->AllocationProtect = PAGE_READONLY; ((PMEMORY_BASIC_INFORMATION)MemoryInformation)->BaseAddress = PAGE_ALIGN(BaseAddress); ((PMEMORY_BASIC_INFORMATION)MemoryInformation)->RegionSize = ((ULONG)MM_HIGHEST_USER_ADDRESS + 1) - (ULONG)PAGE_ALIGN(BaseAddress); ((PMEMORY_BASIC_INFORMATION)MemoryInformation)->State = MEM_RESERVE; ((PMEMORY_BASIC_INFORMATION)MemoryInformation)->Protect = PAGE_NOACCESS; ((PMEMORY_BASIC_INFORMATION)MemoryInformation)->Type = MEM_PRIVATE; if (ARGUMENT_PRESENT(ReturnLength)) { *ReturnLength = sizeof(MEMORY_BASIC_INFORMATION); } #if defined(MM_SHARED_USER_DATA_VA) if (PAGE_ALIGN(BaseAddress) == (PVOID)MM_SHARED_USER_DATA_VA) { // // This is the page that is double mapped between // user mode and kernel mode. // ((PMEMORY_BASIC_INFORMATION)MemoryInformation)->Protect = PAGE_READONLY; ((PMEMORY_BASIC_INFORMATION)MemoryInformation)->RegionSize = PAGE_SIZE; ((PMEMORY_BASIC_INFORMATION)MemoryInformation)->State = MEM_COMMIT; } #endif } except (EXCEPTION_EXECUTE_HANDLER) { // // Just return success. // } return STATUS_SUCCESS; } else { return STATUS_INVALID_ADDRESS; } } if ( ProcessHandle == NtCurrentProcess() ) { TargetProcess = PsGetCurrentProcess(); } else { Status = ObReferenceObjectByHandle ( ProcessHandle, PROCESS_QUERY_INFORMATION, PsProcessType, PreviousMode, (PVOID *)&TargetProcess, NULL ); if (!NT_SUCCESS(Status)) { return Status; } } if (MemoryInformationClass == MemoryWorkingSetInformation) { MmLockPagableSectionByHandle(ExPageLockHandle); Status = MiGetWorkingSetInfo (MemoryInformation, MemoryInformationLength, TargetProcess); MmUnlockPagableImageSection(ExPageLockHandle); if ( ProcessHandle != NtCurrentProcess() ) { ObDereferenceObject (TargetProcess); } try { if (ARGUMENT_PRESENT(ReturnLength)) { *ReturnLength = ((((PMEMORY_WORKING_SET_INFORMATION) MemoryInformation)->NumberOfEntries - 1) * sizeof(ULONG)) + sizeof(MEMORY_WORKING_SET_INFORMATION); } } except (EXCEPTION_EXECUTE_HANDLER) { } return STATUS_SUCCESS; } // // If the specified process is not the current process, attach // to the specified process. // KeAttachProcess (&TargetProcess->Pcb); // // Get working set mutex and block APCs. // LOCK_WS_AND_ADDRESS_SPACE (TargetProcess); // // Make sure the address space was not deleted, if so, return an error. // if (TargetProcess->AddressSpaceDeleted != 0) { UNLOCK_WS (TargetProcess); UNLOCK_ADDRESS_SPACE (TargetProcess); KeDetachProcess(); if ( ProcessHandle != NtCurrentProcess() ) { ObDereferenceObject (TargetProcess); } return STATUS_PROCESS_IS_TERMINATING; } // // Locate the VAD that contiains the base address or the VAD // which follows the base address. // Vad = TargetProcess->VadRoot; for (;;) { if (Vad == (PMMVAD)NULL) { break; } if ((BaseAddress >= Vad->StartingVa) && (BaseAddress <= Vad->EndingVa)) { Found = TRUE; break; } if (BaseAddress < Vad->StartingVa) { if (Vad->LeftChild == (PMMVAD)NULL) { break; } Vad = Vad->LeftChild; } else { if (BaseAddress < Vad->EndingVa) { break; } if (Vad->RightChild == (PMMVAD)NULL) { break; } Vad = Vad->RightChild; } } if (!Found) { // // There is no virtual address allocated at the base // address. Return the size of the hole starting at // the base address. // if (Vad == NULL) { TheRegionSize = ((ULONG)MM_HIGHEST_VAD_ADDRESS + 1) - (ULONG)PAGE_ALIGN(BaseAddress); } else { if (Vad->StartingVa < BaseAddress) { // // We are looking at the Vad which occupies the range // just before the desired range. Get the next Vad. // Vad = MiGetNextVad (Vad); if (Vad == NULL) { TheRegionSize = ((ULONG)MM_HIGHEST_VAD_ADDRESS + 1) - (ULONG)PAGE_ALIGN(BaseAddress); } else { TheRegionSize = (ULONG)Vad->StartingVa - (ULONG)PAGE_ALIGN(BaseAddress); } } else { TheRegionSize = (ULONG)Vad->StartingVa - (ULONG)PAGE_ALIGN(BaseAddress); } } UNLOCK_WS (TargetProcess); UNLOCK_ADDRESS_SPACE (TargetProcess); KeDetachProcess(); if ( ProcessHandle != NtCurrentProcess() ) { ObDereferenceObject (TargetProcess); } // // Establish an exception handler and write the information and // returned length. // if ( MemoryInformationClass == MemoryBasicInformation ) { try { ((PMEMORY_BASIC_INFORMATION)MemoryInformation)->AllocationBase = NULL; ((PMEMORY_BASIC_INFORMATION)MemoryInformation)->AllocationProtect = 0; ((PMEMORY_BASIC_INFORMATION)MemoryInformation)->BaseAddress = PAGE_ALIGN(BaseAddress); ((PMEMORY_BASIC_INFORMATION)MemoryInformation)->RegionSize = TheRegionSize; ((PMEMORY_BASIC_INFORMATION)MemoryInformation)->State = MEM_FREE; ((PMEMORY_BASIC_INFORMATION)MemoryInformation)->Protect = PAGE_NOACCESS; ((PMEMORY_BASIC_INFORMATION)MemoryInformation)->Type = 0; if (ARGUMENT_PRESENT(ReturnLength)) { *ReturnLength = sizeof(MEMORY_BASIC_INFORMATION); } } except (EXCEPTION_EXECUTE_HANDLER) { // // Just return success. // } return STATUS_SUCCESS; } return STATUS_INVALID_ADDRESS; } // // Found a vad. // Va = PAGE_ALIGN(BaseAddress); Info.BaseAddress = Va; // // There is a page mapped at the base address. // if (Vad->u.VadFlags.PrivateMemory) { Info.Type = MEM_PRIVATE; } else if (Vad->u.VadFlags.ImageMap == 0) { Info.Type = MEM_MAPPED; if ( MemoryInformationClass == MemoryMappedFilenameInformation ) { if (Vad->ControlArea) { FilePointer = Vad->ControlArea->FilePointer; } if ( !FilePointer ) { FilePointer = (PVOID)1; } else { ObReferenceObject(FilePointer); } } } else { Info.Type = MEM_IMAGE; } Info.State = MiQueryAddressState (Va, Vad, TargetProcess, &Info.Protect); Va = (PVOID)((PCHAR)Va + PAGE_SIZE); while (Va <= Vad->EndingVa) { NewState = MiQueryAddressState (Va, Vad, TargetProcess, &NewProtect); if ((NewState != Info.State) || (NewProtect != Info.Protect)) { // // The state for this address does not match, calculate // size and return. // break; } Va = (PVOID)((ULONG)Va + PAGE_SIZE); } // end while Info.RegionSize = ((ULONG)Va - (ULONG)Info.BaseAddress); Info.AllocationBase = Vad->StartingVa; Info.AllocationProtect = MI_CONVERT_FROM_PTE_PROTECTION ( Vad->u.VadFlags.Protection); // // A range has been found, release the mutexes, deattach from the // target process and return the information. // UNLOCK_WS (TargetProcess); UNLOCK_ADDRESS_SPACE (TargetProcess); KeDetachProcess(); if ( ProcessHandle != NtCurrentProcess() ) { ObDereferenceObject (TargetProcess); } #if DBG if (MmDebug & MM_DBG_SHOW_NT_CALLS) { if ( !MmWatchProcess ) { DbgPrint("queryvm base %lx allocbase %lx protect %lx size %lx\n", Info.BaseAddress, Info.AllocationBase, Info.AllocationProtect, Info.RegionSize); DbgPrint(" state %lx protect %lx type %lx\n", Info.State, Info.Protect, Info.Type); } } #endif //DBG if ( MemoryInformationClass == MemoryBasicInformation ) { try { *(PMEMORY_BASIC_INFORMATION)MemoryInformation = Info; if (ARGUMENT_PRESENT(ReturnLength)) { *ReturnLength = sizeof(MEMORY_BASIC_INFORMATION); } } except (EXCEPTION_EXECUTE_HANDLER) { } return STATUS_SUCCESS; } // // Try to return the name of the file that is mapped. // if ( !FilePointer ) { return STATUS_INVALID_ADDRESS; } else if ( FilePointer == (PVOID)1 ) { return STATUS_FILE_INVALID; } // // We have a referenced pointer to the file. Call ObQueryNameString // and get the file name // Status = ObQueryNameString( FilePointer, MemoryInformation, MemoryInformationLength, ReturnLength ); ObDereferenceObject(FilePointer); return Status; } ULONG MiQueryAddressState ( IN PVOID Va, IN PMMVAD Vad, IN PEPROCESS TargetProcess, OUT PULONG ReturnedProtect ) /*++ Routine Description: Arguments: Return Value: Returns the state (MEM_COMMIT, MEM_RESERVE, MEM_PRIVATE). Environment: Kernel mode. Working set lock and address creation lock held. --*/ { PMMPTE PointerPte; PMMPTE PointerPde; MMPTE CapturedProtoPte; PMMPTE ProtoPte; ULONG PteIsZero; ULONG State; ULONG Protect; #ifdef LARGE_PAGES if (Vad->u.VadFlags.LargePages) { *ReturnedProtect = MI_CONVERT_FROM_PTE_PROTECTION ( Vad->u.VadFlags.Protection); return MEM_COMMIT; } #endif //LARGE_PAGES PointerPde = MiGetPdeAddress (Va); PointerPte = MiGetPteAddress (Va); ASSERT ((Vad->StartingVa <= Va) && (Vad->EndingVa >= Va)); PteIsZero = TRUE; if (MiDoesPdeExistAndMakeValid(PointerPde, TargetProcess, FALSE)) { // // A PTE exists at this address, see if it is zero. // if (PointerPte->u.Long != 0) { PteIsZero = FALSE; // // There is a non-zero PTE at this address, use // it to build the information block. // if (MiIsPteDecommittedPage (PointerPte)) { Protect = 0; State = MEM_RESERVE; } else { State = MEM_COMMIT; if (Vad->u.VadFlags.PhysicalMapping == 1) { // // Physical mapping, there is no corresponding // PFN element to get the page protection from. // Protect = MI_CONVERT_FROM_PTE_PROTECTION ( Vad->u.VadFlags.Protection); } else { Protect = MiGetPageProtection (PointerPte, TargetProcess); if ((PointerPte->u.Soft.Valid == 0) && (PointerPte->u.Soft.Prototype == 1) && (Vad->u.VadFlags.PrivateMemory == 0) && (Vad->ControlArea != (PCONTROL_AREA)NULL)) { // // Make sure protoPTE is committed. // ProtoPte = MiGetProtoPteAddress(Vad,Va); CapturedProtoPte = MiCaptureSystemPte (ProtoPte, TargetProcess); if (CapturedProtoPte.u.Long == 0) { State = MEM_RESERVE; Protect = 0; } } } } } } if (PteIsZero) { // // There is no PDE at this address, the template from // the VAD supplies the information unless the VAD is // for an image file. For image files the individual // protection is on the prototype PTE. // // // Get the default protection information. // State = MEM_RESERVE; Protect = 0; if (Vad->u.VadFlags.PhysicalMapping == 1) { // // Must be banked memory, just return reserved. // NOTHING; } else if ((Vad->u.VadFlags.PrivateMemory == 0) && (Vad->ControlArea != (PCONTROL_AREA)NULL)) { // // This VAD refers to a section. Even though the PTE is // zero, the actual page may be committed in the section. // ProtoPte = MiGetProtoPteAddress(Vad,Va); CapturedProtoPte = MiCaptureSystemPte (ProtoPte, TargetProcess); if (CapturedProtoPte.u.Long != 0) { State = MEM_COMMIT; if (Vad->u.VadFlags.ImageMap == 0) { Protect = MI_CONVERT_FROM_PTE_PROTECTION ( Vad->u.VadFlags.Protection); } else { // // This is an image file, the protection is in the // prototype PTE. // Protect = MiGetPageProtection (&CapturedProtoPte, TargetProcess); } } } else { // // Get the protection from the corresponding VAD. // if (Vad->u.VadFlags.MemCommit) { State = MEM_COMMIT; Protect = MI_CONVERT_FROM_PTE_PROTECTION ( Vad->u.VadFlags.Protection); } } } *ReturnedProtect = Protect; return State; } NTSTATUS MiGetWorkingSetInfo ( IN PMEMORY_WORKING_SET_INFORMATION WorkingSetInfo, IN ULONG Length, IN PEPROCESS Process ) { PMDL Mdl; PMEMORY_WORKING_SET_INFORMATION Info; PMEMORY_WORKING_SET_BLOCK Entry; PMEMORY_WORKING_SET_BLOCK LastEntry; PMMWSLE Wsle; PMMWSLE LastWsle; ULONG WsSize; PMMPTE PointerPte; PMMPFN Pfn1; NTSTATUS status; // // Allocate an MDL to map the request. // Mdl = ExAllocatePoolWithTag (NonPagedPool, sizeof(MDL) + sizeof(ULONG) + BYTES_TO_PAGES (Length) * sizeof(ULONG), ' mM'); if (Mdl == NULL) { return(STATUS_INSUFFICIENT_RESOURCES); } // // Initialize MDL for request. // MmInitializeMdl(Mdl, WorkingSetInfo, Length); try { MmProbeAndLockPages (Mdl, KeGetPreviousMode(), IoWriteAccess); } except (EXCEPTION_EXECUTE_HANDLER) { ExFreePool (Mdl); return GetExceptionCode(); } Info = MmGetSystemAddressForMdl (Mdl); if (PsGetCurrentProcess() != Process) { KeAttachProcess (&Process->Pcb); } LOCK_WS (Process); status = STATUS_SUCCESS; if (Process->AddressSpaceDeleted != 0) { status = STATUS_PROCESS_IS_TERMINATING; } WsSize = Process->Vm.WorkingSetSize; Info->NumberOfEntries = WsSize; if ((WsSize * sizeof(ULONG)) >= Length) { status = STATUS_INFO_LENGTH_MISMATCH; } if (status != STATUS_SUCCESS) { UNLOCK_WS (Process); KeDetachProcess (); MmUnlockPages (Mdl); ExFreePool (Mdl); return status; } Wsle = MmWsle; LastWsle = &MmWsle[MmWorkingSetList->LastEntry]; Entry = &Info->WorkingSetInfo[0]; LastEntry = (PMEMORY_WORKING_SET_BLOCK)( (PCHAR)Info + (Length & (~(sizeof(ULONG) - 1)))); do { if (Wsle->u1.e1.Valid == 1) { Entry->VirtualPage = Wsle->u1.e1.VirtualPageNumber; PointerPte = MiGetPteAddress (Wsle->u1.VirtualAddress); ASSERT (PointerPte->u.Hard.Valid == 1); Pfn1 = MI_PFN_ELEMENT (PointerPte->u.Hard.PageFrameNumber); Entry->Shared = Pfn1->u3.e1.PrototypePte; if (Pfn1->u3.e1.PrototypePte == 0) { Entry->Protection = Pfn1->OriginalPte.u.Soft.Protection; } else { if (Wsle->u1.e1.SameProtectAsProto == 1) { Entry->Protection = Pfn1->OriginalPte.u.Soft.Protection; } else { Entry->Protection = Wsle->u1.e1.Protection; } } Entry += 1; } Wsle += 1; }while ((Entry < LastEntry) && (Wsle <= LastWsle)); UNLOCK_WS (Process); KeDetachProcess (); MmUnlockPages (Mdl); ExFreePool (Mdl); return STATUS_SUCCESS; }