mandiant / speakeasy

Windows kernel and user mode emulation.
MIT License

UC_MEM_READ_PROT | Potential bug on memory allocation permissions #225

Closed stonerhash closed 1 year ago

stonerhash commented 1 year ago

Hello,

I have allocated memory with READ_WRITE permissions and am doing sequential reads and writes within the range. I have observed that on some read/writes within the allocated memory I am getting an UC_MEM_READ_PROT (not all), which I handle with an invalid memory hook. This is very strange since other nearby read/writes are executed successfully. The faulty access is of type UC_MEM_READ_PROT. Can you help me understand the reason behind this error?

Thanks

stonerhash commented 1 year ago

After further troubleshooting I concluded the following. The allocated memory took place through ZwMapViewOfSection and the protection rights were set to 0x4 (PAGE_READWRITE). However, in common.py, PERM_MEM_READ = 0x02 and PERM_MEM_WRITE = 0x04, with PERM_MEM_RW = PERM_MEM_READ | PERM_MEM_WRITE = 0x6.

In Winnt.h, PERM_READWRITE = 0x4, which is in contrast with common.py, where 0x4 is PERM_MEM_WRITE only.

I am not sure if I am understanding correctly what is going on but by patching the code accordingly I fixed the issue.

Waiting for your thoughts.

stonerhash commented 1 year ago

I forgot to mention what the patch was: include "win_perms_to_emu_perms" as defined in kernel32.py in ntoskrnl.py and use it in ZwMapViewOfSection with the Win32Protect variable.
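The mismatch described in the comments above, shown as an added example that is not part of this thread or of speakeasy's code: the emulator permission bits are the values quoted from common.py, the PAGE_* constants are the documented Winnt.h values, and the translation table and helper names (`win_perms_to_emu_perms`, `map_view_buggy`, `map_view_fixed`) are written here for illustration.

```python
# Constructed example: why a raw Win32Protect value must be translated into
# emulator permission bits before it is applied to a mapped section view.

# Emulator permission bits, as quoted from speakeasy's common.py in the thread.
PERM_MEM_NONE = 0x00
PERM_MEM_EXEC = 0x01
PERM_MEM_READ = 0x02
PERM_MEM_WRITE = 0x04
PERM_MEM_RW = PERM_MEM_READ | PERM_MEM_WRITE  # 0x6

# Win32 memory-protection constants (Winnt.h).
PAGE_NOACCESS = 0x01
PAGE_READONLY = 0x02
PAGE_READWRITE = 0x04
PAGE_WRITECOPY = 0x08
PAGE_EXECUTE = 0x10
PAGE_EXECUTE_READ = 0x20
PAGE_EXECUTE_READWRITE = 0x40
PAGE_EXECUTE_WRITECOPY = 0x80

# Hypothetical translation table written for this example (the thread says
# kernel32.py already has a function with this role; this is not that code).
_WIN_TO_EMU = {
    PAGE_NOACCESS: PERM_MEM_NONE,
    PAGE_READONLY: PERM_MEM_READ,
    PAGE_READWRITE: PERM_MEM_RW,
    PAGE_WRITECOPY: PERM_MEM_RW,
    PAGE_EXECUTE: PERM_MEM_EXEC,
    PAGE_EXECUTE_READ: PERM_MEM_EXEC | PERM_MEM_READ,
    PAGE_EXECUTE_READWRITE: PERM_MEM_EXEC | PERM_MEM_RW,
    PAGE_EXECUTE_WRITECOPY: PERM_MEM_EXEC | PERM_MEM_RW,
}

def win_perms_to_emu_perms(win32_protect):
    """Translate a Win32Protect value into emulator permission bits.
    Modifier flags such as PAGE_GUARD (0x100) live above bit 7 and are masked off."""
    base = win32_protect & 0xFF
    if base not in _WIN_TO_EMU:
        raise ValueError(f"unknown protection 0x{win32_protect:x}")
    return _WIN_TO_EMU[base]

def read_allowed(emu_perms):
    """True when a read succeeds; False models the UC_MEM_READ_PROT fault."""
    return bool(emu_perms & PERM_MEM_READ)

def map_view_buggy(win32_protect):
    """Behaviour reported in the issue: Win32Protect used directly as emu perms."""
    return win32_protect

def map_view_fixed(win32_protect):
    """The fix from the thread: translate before applying."""
    return win_perms_to_emu_perms(win32_protect)
```

With `PAGE_READWRITE`, the buggy path yields 0x4 (`PERM_MEM_WRITE` only), so every read faults, while the fixed path yields 0x6 and reads succeed.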

williballenthin commented 1 year ago

hey @stonerhash thanks for opening an issue here. I think there's a good chance that you've found the bug and have a fix. Would you consider opening a PR here so that we can incorporate your changes?

stonerhash commented 1 year ago

Please check PR #226 https://github.com/mandiant/speakeasy/pull/226

williballenthin commented 1 year ago

fixed in #226