Lost in MEMORY_BASIC_INFORMATION (64-bit)

Index > Windows > Lost in MEMORY_BASIC_INFORMATION (64-bit)

Author

Thread

alorent

Joined: 05 Dec 2005
Posts: 221

alorent 09 Jun 2010, 14:34

Hello guys,

I have defined the MEMORY_BASIC_INFORMATION structure in fasm:

Code:

struct MEMORY_BASIC_INFORMATION

BaseAddress       dq 0
AllocationBase    dq 0
AllocationProtect dd 0
RegionSize        dq 0   ; SIZE_T is qword
State             dd 0
Protect           dd 0
Type              dd 0

ends

Code:

mov   eax, sizeof.MEMORY_BASIC_INFORMATION  ; <-- EAX = 28h

The problem is that in Windows, the sizeof MEMORY_BASIC_INFORMATION is 30h! How can that be? I mean, the struct in C is:

Code:

typedef struct _MEMORY_BASIC_INFORMATION {
  PVOID  BaseAddress;
  PVOID  AllocationBase;
  DWORD  AllocationProtect;
  SIZE_T RegionSize;
  DWORD  State;
  DWORD  Protect;
  DWORD  Type;
} MEMORY_BASIC_INFORMATION, *PMEMORY_BASIC_INFORMATION;

How is that structure is 8 bytes longer? Is it some kind of "forced" alignment in Windows 64?

Thanks!

09 Jun 2010, 14:34

revolution
When all else fails, read the source

Joined: 24 Aug 2004
Posts: 20524
Location: In your JS exploiting you and your system

revolution 09 Jun 2010, 14:48

alorent wrote:

Is it some kind of "forced" alignment in Windows 64?

Yes. All C structures for Windows put the elements onto "natural" boundaries. All qwords are aligned to mod 8=0, all dwords are aligned to mod 4=0, all words are aligned to mod 2=0. And the whole structure will be sized to be mod 8=0 also.

09 Jun 2010, 14:48

alorent

Joined: 05 Dec 2005
Posts: 221

alorent 09 Jun 2010, 14:55

Thanks revolution.

I'm not sure if I got you correctly. Is each field in the structure aligned by itselft or the compiler just add "dummy" space at the end of all fields?

Would it be possible to create the above structure in FASM to simulate the expected "format" in Windows? Because at the moment, the defined struct in FASM is not working as expected when is used in functions like VirtualQuery:

Code:

SIZE_T WINAPI VirtualQuery(
  __in_opt  LPCVOID lpAddress,
  __out     PMEMORY_BASIC_INFORMATION lpBuffer,
  __in      SIZE_T dwLength
);

Thanks!

09 Jun 2010, 14:55

revolution
When all else fails, read the source

Joined: 24 Aug 2004
Posts: 20524
Location: In your JS exploiting you and your system

revolution 09 Jun 2010, 15:02

The C compiler just pads out each item to make it aligned.

Similar to this:

Code:

struct MEMORY_BASIC_INFORMATION

align 8
BaseAddress       dq 0
align 8
AllocationBase    dq 0
align 4
AllocationProtect dd 0
align 8
RegionSize        dq 0   ; SIZE_T is qword
align 4
State             dd 0
align 4
Protect           dd 0
align 4
Type              dd 0
align 8

ends

09 Jun 2010, 15:02

alorent

Joined: 05 Dec 2005
Posts: 221

alorent 09 Jun 2010, 20:27

Thanks revolution.

I think that the last "align 8" is not working as the final size is 30h - 4 (instead of 30h like in C)

Don't you think that a macro to create such type of structures is a must for FASM when coding in Win64? Instead of us taking care of those "align's" for each parameter which just make the code looks ugly? Smile

Thanks!

09 Jun 2010, 20:27

< Last Thread | Next Thread >

Forum Rules:

You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You can download files in this forum