NtFlushVirtualMemory - NtDoc

Native API online documentation, based on the System Informer (formerly Process Hacker) phnt headers 
#ifndef _NTMMAPI_H
//
// Virtual memory
//
#if (PHNT_MODE != PHNT_MODE_KERNEL)

/**
 * The NtFlushVirtualMemory routine flushes the instruction cache for a specified process.
 *
 * \param ProcessHandle A handle to the process whose instruction cache is to be flushed.
 * \param BaseAddress A pointer to the base address of the region of memory to be flushed.
 * \param RegionSize A pointer to a variable that specifies the size of the region to be flushed.
 * \param IoStatus A pointer to an IO_STATUS_BLOCK structure that receives the status of the flush operation.
 * \return NTSTATUS Successful or errant status.
 */
NTSYSCALLAPI
NTSTATUS
NTAPI
NtFlushVirtualMemory(
    _In_ HANDLE ProcessHandle,
    _Inout_ PVOID *BaseAddress,
    _Inout_ PSIZE_T RegionSize,
    _Out_ PIO_STATUS_BLOCK IoStatus
    );

#endif
#endif

View code on GitHub
#ifndef _NTZWAPI_H

NTSYSCALLAPI
NTSTATUS
NTAPI
ZwFlushVirtualMemory(
    _In_ HANDLE ProcessHandle,
    _Inout_ PVOID *BaseAddress,
    _Inout_ PSIZE_T RegionSize,
    _Out_ PIO_STATUS_BLOCK IoStatus
    );

#endif

View code on GitHub
// ntifs.h

NTSYSAPI NTSTATUS ZwFlushVirtualMemory(
  [in]      HANDLE           ProcessHandle,
  [in, out] PVOID            *BaseAddress,
  [in, out] PSIZE_T          RegionSize,
  [out]     PIO_STATUS_BLOCK IoStatus
);
View the official Windows Driver Kit DDI reference

NtDoc

No description available.

Edit description on GitHub

Windows Driver Kit DDI reference (nf-ntifs-zwflushvirtualmemory)

ZwFlushVirtualMemory function

Description

The ZwFlushVirtualMemory routine flushes a range of virtual addresses within the virtual address space of a specified process which map to a data file back out to the data file if they have been modified.

Parameters

ProcessHandle [in]

An open handle for the process in whose context the pages to be flushed reside. Use the NtCurrentProcess macro, defined in Ntddk.h, to specify the current process.

BaseAddress [in, out]

A pointer to the base address of the virtual address range.

On entry, this parameter specifies a pointer to the initial value of the base address of the region of pages to flush.

On return, this parameter provides a pointer to a variable that will receive the base address of the flushed region.

RegionSize [in, out]

The size, in bytes, of the virtual address range.

On entry, this parameter specifies a pointer to the initial value of the size in bytes of the region of pages to flush to disk. This argument is rounded up to the next host-page-size boundary by the ZwFlushVirtualMemory. If this value is specified as zero, the mapped range from the base address to the end of the range is flushed.

On return, this parameter specifies a pointer to a variable that will receive the actual size in bytes of the flushed region of pages.

IoStatus [out]

A pointer to an IO_STATUS_BLOCK structure. This structure is where the value of the I/O status for the last attempted I/O operation is stored on output.

Return value

ZwFlushVirtualMemory returns either STATUS_SUCCESS or an error status code. Possible error status codes include the following:

Return code Description
STATUS_ACCESS_DENIED The specified ProcessHandle parameter was not a valid process handle.
STATUS_INSUFFICIENT_RESOURCES Additional resources required by this function were not available.
STATUS_INVALID_PARAMETER_2 The BaseAddress specified was an invalid address within the virtual address space or the RegionSize was invalid.
STATUS_INVALID_HANDLE The specified ProcessHandle parameter was not a valid process handle.
STATUS_NOT_MAPPED_VIEW No virtual address space descriptor could be located for the supplied BaseAddress.
STATUS_PROCESS_IS_TERMINATING The process and the associated virtual address space was deleted.
STATUS_FILE_LOCK_CONFLICT The file system encountered a locking conflict.

Remarks

This routine accepts, as input parameters, a range of addresses in virtual memory that map a data file. If any memory in this range has been modified since the file was copied to memory, the routine flushes this memory back to the data file.

For more information about memory management support for kernel-mode drivers, see Memory Management for Windows Drivers.

[!NOTE] If the call to the ZwFlushVirtualMemory function occurs in user mode, you should use the name "NtFlushVirtualMemory" instead of "ZwFlushVirtualMemory".

For calls from kernel-mode drivers, the Nt*Xxx* and Zw*Xxx* versions of a Windows Native System Services routine can behave differently in the way that they handle and interpret input parameters. For more information about the relationship between the Nt*Xxx* and Zw*Xxx* versions of a routine, see Using Nt and Zw Versions of the Native System Services Routines.

See also

ZwAllocateVirtualMemory

View the official Windows Driver Kit DDI reference

Edit description on GitHub

NTinternals.net (undocumented.ntinternals.net)

This function is documented in Windows Driver Kit.

NtFlushVirtualMemory flushes mapped section view to file.

ProcessHandle

HANDLE of process containing mapped view of section to flush.

*BaseAddress

Pointer to PVOID value containing address of memory area to flush.
On output this value is rounded to Page Size (0x1000).

NumberOfBytesToFlush

Pointer to ULONG value specifying length of area to flush. On output this value is rounded up to Page Size (0x1000).

IoStatusBlock

Pointer to IO_STATUS_BLOCK structure. After call Information member contains the same value as NumberOfBytesToFlush parameter.

WARNING: Two (or more) memory pages mapped in different calls of NtMapViewOfSection cannot be flushed in one function call, even if both has the same SECTION as a source.

Documented by

See also

Edit description on GitHub