alukaduo09
commented
4 months ago Closed alukaduo09 closed 3 months ago
alukaduo09
commented
4 months ago 
ufrisk
commented
4 months ago Did you ask on the discord channel about this? Or maybe there was someone else?
The VADs is not an 1:1 match unfortunately to VirtualQueryEx.
alukaduo09
commented
4 months ago Did you ask on the discord channel about this? Or maybe there was someone else?
The VADs is not an 1:1 match unfortunately to VirtualQueryEx.
I haven't used Discord because I can't access your channel. It prompts me with "Unable to accept invite".
How can I get the correct size of the memory block?
Incorrect memory block size can lead to missing data being copied, causing code to access out-of-bounds memory.
ufrisk
commented
3 months ago The discord should work I think, try this one:
And as mentioned, unfortunately there isn't quite an 1:1 mapping between VMMDLL_Map_GetVadU and VirtualQueryEx. In general DMA and memory forensics won't give you perfect results, but results should be fairly close to the true values at least.
The cPages returned from the process page table obtained by me is not correct. Shifting cPages << 12 does not yield the correct size. I also observed the API VMMDLL_Map_GetVadU, and many of the memory pages' end addresses inside it are incorrect.