I've been seeing crashes in the NtAllocateVirtualMemoryEx hook as can be seen here:
(please excuse the German UI, the debug machine was not mine)
It looked like a call-by-value with a large operand to me and pointed me towards the __inout MEM_EXTENDED_PARAMETER Parameters argument to the function. Since I've never seen such a large structure being passed by value in any API I dug a bit and found this alternative usage much more in line with my experience: dotnet/runtime#12779
After changing the prototype to use a pointer like so, the crashes went away:
See also: https://learn.microsoft.com/en-us/windows/win32/api/memoryapi/nf-memoryapi-virtualalloc2
This also jives with Parameters being an array of MEM_EXTENDED_PARAMETERs defined by last argument ParameterCount.
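The pointer-plus-count convention described above, as an added example that is not part of the original post or the project's code. `EXT_PARAM` is a simplified stand-in for `MEM_EXTENDED_PARAMETER` and `log_ext_params` is a hypothetical hook-side helper; the sample values are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified stand-in for MEM_EXTENDED_PARAMETER (assumption): the low
 * 8 bits of the first 64-bit field hold the type, the second holds the value. */
typedef struct {
    uint64_t TypeAndReserved;
    uint64_t Value;
} EXT_PARAM;

#define EXT_PARAM_TYPE(p) ((unsigned)((p)->TypeAndReserved & 0xFF))

/* Hypothetical logging helper for a hook that takes the array as
 * pointer + element count. Returns the number of entries logged, or -1
 * when the arguments are inconsistent or the buffer is too small.
 * A real hook must also treat the pointer as untrusted caller memory. */
int log_ext_params(const EXT_PARAM *params, uint32_t count,
                   char *out, size_t outlen)
{
    size_t used = 0;

    if (out == NULL || outlen == 0)
        return -1;
    out[0] = '\0';
    if (params == NULL)
        return count == 0 ? 0 : -1;   /* NULL is only valid with count 0 */

    for (uint32_t i = 0; i < count; i++) {
        int n = snprintf(out + used, outlen - used,
                         "[%u] type=%u value=0x%llx\n", (unsigned)i,
                         EXT_PARAM_TYPE(&params[i]),
                         (unsigned long long)params[i].Value);
        if (n < 0 || (size_t)n >= outlen - used)
            return -1;                /* refuse to log a truncated record */
        used += (size_t)n;
    }
    return (int)count;
}

int main(void)
{
    /* Constructed sample: two extended parameters. */
    EXT_PARAM sample[2] = { { 1, 0x1000 }, { 5, 0x20 } };
    char buf[128];

    if (log_ext_params(sample, 2, buf, sizeof buf) == 2)
        fputs(buf, stdout);
    return 0;
}
```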