
I am using the ReadProcessMemory function to read data from the address space. I try to read from every block whose type is MEM_PRIVATE. But when the block has PAGE_GUARD protection I get an error (the function returns 0). Why?

Thanks, everyone.


2 Answers


A page that has PAGE_GUARD protection is guaranteed to not be accessible. Any access to it generates a page fault, reflected back into the process that owns the page as a STATUS_GUARD_PAGE_VIOLATION exception. This feature is used heavily in Windows to detect and recover from the condition this site is named for.

The last two pages of the stack of a thread are guard pages. When a program recursively blows up, consumes all the stack space and triggers the exception, the operating system remaps those pages to make them usable as emergency stack space and re-raises a STATUS_STACK_OVERFLOW exception, which allows the program to deal with the heart attack. A brief message and program termination is the usual outcome.

Tripping the page guard exception is a one-shot affair; once you do, there is no guard anymore. Clearly it is very, very important that only the code in the process trips it. There's no scenario where you poking around in the address space of another process and tripping the exception is ever going to come to a good end. Beyond the process having no idea what happened, and thus never being able to respond to the exception properly, it also removes the safety hatch. If you poke one of the stack guard pages then you'd instantly terminate the program.

It should be obvious by now: you are intentionally restricted from accessing these pages using ReadProcessMemory(). Nothing good can possibly happen when you do. The return value tells you "nothing to see here, move on".

Answered 2014-03-12T21:50:10.003

I'm not very familiar with guard pages, but I can guess:

A guard page is a deliberately invalid memory address, intended to trigger an event when it is accessed, even on a read.

For example, the stack might use it to dynamically allocate more memory for the stack, or just to detect a stack overflow and throw an exception rather than crashing or potentially overwriting the heap or another thread's memory.

In any case, it is not actually a valid memory page, so there is nothing to read.

Answered 2014-03-12T21:07:32.293
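Both answers explain why ReadProcessMemory refuses a PAGE_GUARD page; what the asker's scanner needs is to look at the region's Protect flags from VirtualQueryEx and skip guard and no-access pages before calling ReadProcessMemory at all, so the read never fails and the guard is never at risk of being tripped. The following is an added example, not code from the question or either answer. The decision function `region_is_readable` is kept portable (the constants are copied from winnt.h when not building on Windows) so it can be unit-tested anywhere; the walker `read_private_regions` and the `main` are compiled only on Windows and are assumed to be run against the current process, which needs no extra privileges.

```c
/* Added example: enumerate a process's committed MEM_PRIVATE regions with
 * VirtualQueryEx and read only those that are actually readable, skipping
 * PAGE_GUARD and PAGE_NOACCESS pages instead of letting ReadProcessMemory fail. */
#include <stdio.h>
#include <stdlib.h>

#ifdef _WIN32
#include <windows.h>
#else
/* Constants copied from winnt.h so region_is_readable() builds off Windows. */
typedef unsigned long DWORD;
#define PAGE_NOACCESS  0x01
#define PAGE_READWRITE 0x04
#define PAGE_GUARD     0x100
#define MEM_COMMIT     0x1000
#define MEM_RESERVE    0x2000
#define MEM_PRIVATE    0x20000
#define MEM_IMAGE      0x1000000
#endif

/* Returns 1 if a region with the given VirtualQueryEx State/Type/Protect
 * values is a committed private region that ReadProcessMemory can read. */
int region_is_readable(DWORD state, DWORD type, DWORD protect)
{
    if (state != MEM_COMMIT)               /* free or merely reserved: nothing to read */
        return 0;
    if (type != MEM_PRIVATE)               /* the question only targets MEM_PRIVATE */
        return 0;
    if (protect & PAGE_GUARD)              /* touching it would fire the one-shot guard */
        return 0;
    if ((protect & 0xFF) == PAGE_NOACCESS) /* low byte is the base protection */
        return 0;
    return 1;
}

#ifdef _WIN32
/* Walks the address space of hProcess, reads every readable private region
 * into a scratch buffer and reports the guard pages it deliberately skipped.
 * Returns the total number of bytes successfully read. */
size_t read_private_regions(HANDLE hProcess)
{
    MEMORY_BASIC_INFORMATION mbi;
    unsigned char *addr = NULL;
    size_t total = 0;

    while (VirtualQueryEx(hProcess, addr, &mbi, sizeof mbi) == sizeof mbi) {
        if (region_is_readable(mbi.State, mbi.Type, mbi.Protect)) {
            unsigned char *buf = malloc(mbi.RegionSize);
            SIZE_T got = 0;
            if (buf && ReadProcessMemory(hProcess, mbi.BaseAddress, buf,
                                         mbi.RegionSize, &got))
                total += got;
            else
                printf("read failed at %p: error %lu\n",
                       mbi.BaseAddress, GetLastError());
            free(buf);
        } else if (mbi.State == MEM_COMMIT && (mbi.Protect & PAGE_GUARD)) {
            printf("skipping guard page(s) at %p (%zu bytes)\n",
                   mbi.BaseAddress, (size_t)mbi.RegionSize);
        }
        /* advance to the next region; the loop ends when the query fails
         * past the top of the user address space */
        addr = (unsigned char *)mbi.BaseAddress + mbi.RegionSize;
    }
    return total;
}

int main(void)
{
    /* Scanning our own process needs no extra rights. For another process,
     * OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, FALSE, pid). */
    size_t n = read_private_regions(GetCurrentProcess());
    printf("read %zu bytes of committed private memory\n", n);
    return 0;
}
#endif
```

The check on the low byte of Protect matters because PAGE_GUARD is a modifier bit combined with a base protection (a stack guard page typically reports PAGE_READWRITE | PAGE_GUARD), so testing for equality against PAGE_GUARD alone would miss it.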