ZwQueryVirtualMemory routine

The ZwQueryVirtualMemory routine determines the state, protection, and type of a region of pages within the virtual address space of the subject process.

Syntax


NTSTATUS ZwQueryVirtualMemory(
  _In_      HANDLE                   ProcessHandle,
  _In_opt_  PVOID                    BaseAddress,
  _In_      MEMORY_INFORMATION_CLASS MemoryInformationClass,
  _Out_     PVOID                    MemoryInformation,
  _In_      SIZE_T                   MemoryInformationLength,
  _Out_opt_ PSIZE_T                  ReturnLength
);

Parameters

ProcessHandle [in]

A handle for the process in whose context the pages to be queried reside. Use the ZwCurrentProcess macro to specify the current process.

BaseAddress [in, optional]

The base address of the region of pages to be queried. This value is rounded down to the next host-page-address boundary.

MemoryInformationClass [in]

The memory information class about which to retrieve information. Currently, the only supported MEMORY_INFORMATION_CLASS value is MemoryBasicInformation.

MemoryInformation [out]

A pointer to a buffer that receives the specified information. The format and content of the buffer depend on the information class specified in the MemoryInformationClass parameter. When the value MemoryBasicInformation is passed to MemoryInformationClass, the MemoryInformation parameter value is a MEMORY_BASIC_INFORMATION.

MemoryInformationLength [in]

Specifies the length in bytes of the memory information buffer.

ReturnLength [out, optional]

An optional pointer which, if specified, receives the number of bytes placed in the memory information buffer.

Return value

Returns STATUS_SUCCESS if the call is successful. If the call fails, possible error codes include the following:

Return code / Description
STATUS_INVALID_PARAMETER

The specified base address is outside the range of accessible addresses.

STATUS_ACCESS_DENIED

The caller had insufficient access rights to perform the requested action.

STATUS_INFO_LENGTH_MISMATCH

The MemoryInformation buffer is larger than MemoryInformationLength.

STATUS_INVALID_INFO_CLASS

A value other than MemoryBasicInformation was passed to the MemoryInformationClass parameter.

 

Remarks

ZwQueryVirtualMemory determines the state of the first page within the region and then scans subsequent entries in the process address map from the base address upward until either the entire range of pages has been scanned or until a page with a non-matching set of attributes is encountered. The region attributes, the length of the region of pages with matching attributes, and an appropriate status value are returned.

If the entire region of pages does not have a matching set of attributes, then the ReturnLength parameter value can be used to compute the address and length of the region of pages that was not scanned.

NtQueryVirtualMemory and ZwQueryVirtualMemory are two versions of the same Windows Native System Services routine.

For calls from kernel-mode drivers, the NtXxx and ZwXxx versions of a Windows Native System Services routine can behave differently in the way that they handle and interpret input parameters. For more information about the relationship between the NtXxx and ZwXxx versions of a routine, see Using Nt and Zw Versions of the Native System Services Routines.
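The region scan described in the Remarks, as an added example that is not part of the original page: a walk that queries an address, advances by the returned region length, stops on STATUS_INVALID_PARAMETER, and records committed regions that are both writable and executable. So that it builds outside the WDK, MockQuery, the reduced MBI structure and the address map are hypothetical stand-ins constructed for this example; in a driver the query would be ZwQueryVirtualMemory with MemoryBasicInformation and a real MEMORY_BASIC_INFORMATION.

```c
#include <stddef.h>
#include <stdint.h>
typedef int32_t NTSTATUS;
#define STATUS_SUCCESS           ((NTSTATUS)0)
#define STATUS_INVALID_PARAMETER ((NTSTATUS)0xC000000D)
#define MEM_COMMIT             0x1000u
#define MEM_FREE               0x10000u
#define PAGE_NOACCESS          0x01u
#define PAGE_READWRITE         0x04u
#define PAGE_EXECUTE_READ      0x20u
#define PAGE_EXECUTE_READWRITE 0x40u
#define PAGE_EXECUTE_WRITECOPY 0x80u
/* Reduced stand-in for MEMORY_BASIC_INFORMATION: only the fields used here. */
typedef struct { uintptr_t BaseAddress; size_t RegionSize; uint32_t State, Protect; } MBI;
/* Constructed sample address map, contiguous from 0 up to 0x16000. */
static const MBI g_map[] = {
    { 0x00000, 0x10000, MEM_FREE,   PAGE_NOACCESS },
    { 0x10000, 0x03000, MEM_COMMIT, PAGE_EXECUTE_READ },
    { 0x13000, 0x02000, MEM_COMMIT, PAGE_READWRITE },
    { 0x15000, 0x01000, MEM_COMMIT, PAGE_EXECUTE_READWRITE },
};

/* Hypothetical host-side mock of a MemoryBasicInformation query (assumption). */
static NTSTATUS MockQuery(uintptr_t addr, MBI *out) {
    addr &= ~(uintptr_t)0xFFF;               /* base address is rounded down to a page */
    for (size_t i = 0; i < sizeof g_map / sizeof g_map[0]; i++) {
        const MBI *r = &g_map[i];
        if (addr < r->BaseAddress || addr - r->BaseAddress >= r->RegionSize) continue;
        out->BaseAddress = addr; out->State = r->State; out->Protect = r->Protect;
        out->RegionSize = r->BaseAddress + r->RegionSize - addr; /* rest of the region */
        return STATUS_SUCCESS;
    }
    return STATUS_INVALID_PARAMETER;          /* outside the accessible range */
}

/* Walk region by region from addr; store bases of committed W+X regions in hits. */
size_t FindWxRegions(uintptr_t addr, uintptr_t *hits, size_t max, size_t *committed) {
    size_t n = 0; MBI mbi;
    for (*committed = 0; MockQuery(addr, &mbi) == STATUS_SUCCESS; ) {
        uintptr_t next = mbi.BaseAddress + mbi.RegionSize;
        if (mbi.State == MEM_COMMIT) {
            *committed += mbi.RegionSize;     /* bytes of committed memory seen */
            if ((mbi.Protect & (PAGE_EXECUTE_READWRITE | PAGE_EXECUTE_WRITECOPY)) && n < max)
                hits[n++] = mbi.BaseAddress;
        }
        if (next <= addr) break;              /* zero-length region or wrap: no progress */
        addr = next;
    }
    return n;
}
```

Starting the walk at an unaligned address still reports whole pages, because the queried base is rounded down before the region is measured.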

Requirements

Target platform

Universal

Version

Available starting with Windows 10.

Header

Ntifs.h

Library

NtosKrnl.lib

DLL

NtosKrnl.exe

See also

POWER_PLATFORM_INFORMATION
Using Nt and Zw Versions of the Native System Services Routines

 

 
