NtMapViewOfSection - NtDoc

Native API online documentation, based on the System Informer (formerly Process Hacker) phnt headers 
#ifndef _NTMMAPI_H
//
// Sections
//
#if (PHNT_MODE != PHNT_MODE_KERNEL)

/**
 * The NtMapViewOfSection routine maps a view of a section into the virtual address space of a subject process.
 *
 * \param SectionHandle A handle to an existing section object.
 * \param ProcessHandle A handle to the object that represents the process that the view should be mapped into. The handle must have been opened with PROCESS_VM_OPERATION access.
 * \param BaseAddress A pointer to a variable that receives the base address of the view. If the value is not NULL, the view is allocated starting at the specified virtual address rounded down to the next 64-kilobyte address boundary.
 * \param ZeroBits The number of high-order address bits that must be zero in the base address of the section view. The value of this parameter must be less than 21 and is used only if BaseAddress is NULL.
 * \param CommitSize Specifies the size, in bytes, of the initially committed region of the view. CommitSize is meaningful only for page-file backed sections and is rounded up to the nearest multiple of PAGE_SIZE.
 * \param SectionOffset A pointer to a variable that receives the offset, in bytes, from the beginning of the section to the view. 
 * \param ViewSize A pointer to a variable that specifies the size of the view in bytes. If the initial value is zero, NtMapViewOfSection maps a view of the section that starts at SectionOffset and continues to the end of the section. 
 * \param InheritDisposition A value that specifies how the view is to be shared with child processes. 
 * \param AllocationType Specifies the type of allocation to be performed for the specified region of pages. The valid flags are MEM_RESERVE, MEM_TOP_DOWN, MEM_LARGE_PAGES, MEM_DIFFERENT_IMAGE_BASE_OK and MEM_REPLACE_PLACEHOLDER. Although MEM_COMMIT is not allowed, it is implied unless MEM_RESERVE is specified. 
 * \param PageProtection Specifies the page protection to be applied to the mapped view. Not used with SEC_IMAGE, must be set to PAGE_READONLY for SEC_IMAGE_NO_EXECUTE. For non-image sections, the value must be compatible with the section's page protection from NtCreateSection.
 * \return NTSTATUS Successful or errant status.
 * \sa https://learn.microsoft.com/en-us/windows-hardware/drivers/ddi/wdm/nf-wdm-zwmapviewofsection
 */
NTSYSCALLAPI
NTSTATUS
NTAPI
NtMapViewOfSection(
    _In_ HANDLE SectionHandle,
    _In_ HANDLE ProcessHandle,
    _Inout_ _At_(*BaseAddress, _Readable_bytes_(*ViewSize) _Writable_bytes_(*ViewSize) _Post_readable_byte_size_(*ViewSize)) PVOID *BaseAddress,
    _In_ ULONG_PTR ZeroBits,
    _In_ SIZE_T CommitSize,
    _Inout_opt_ PLARGE_INTEGER SectionOffset,
    _Inout_ PSIZE_T ViewSize,
    _In_ SECTION_INHERIT InheritDisposition,
    _In_ ULONG AllocationType,
    _In_ ULONG PageProtection
    );

#endif
#endif

View code on GitHub
#ifndef _NTZWAPI_H

NTSYSCALLAPI
NTSTATUS
NTAPI
ZwMapViewOfSection(
    _In_ HANDLE SectionHandle,
    _In_ HANDLE ProcessHandle,
    _Inout_ _At_(*BaseAddress, _Readable_bytes_(*ViewSize) _Writable_bytes_(*ViewSize) _Post_readable_byte_size_(*ViewSize)) PVOID *BaseAddress,
    _In_ ULONG_PTR ZeroBits,
    _In_ SIZE_T CommitSize,
    _Inout_opt_ PLARGE_INTEGER SectionOffset,
    _Inout_ PSIZE_T ViewSize,
    _In_ SECTION_INHERIT InheritDisposition,
    _In_ ULONG AllocationType,
    _In_ ULONG PageProtection
    );

#endif

View code on GitHub
// wdm.h

NTSYSAPI NTSTATUS ZwMapViewOfSection(
  [in]                HANDLE          SectionHandle,
  [in]                HANDLE          ProcessHandle,
  [in, out]           PVOID           *BaseAddress,
  [in]                ULONG_PTR       ZeroBits,
  [in]                SIZE_T          CommitSize,
  [in, out, optional] PLARGE_INTEGER  SectionOffset,
  [in, out]           PSIZE_T         ViewSize,
  [in]                SECTION_INHERIT InheritDisposition,
  [in]                ULONG           AllocationType,
  [in]                ULONG           Win32Protect
);

View the official Windows Driver Kit DDI reference

NtDoc

No description available.

Edit description on GitHub

Windows Driver Kit DDI reference (nf-wdm-zwmapviewofsection)

Description

The ZwMapViewOfSection routine maps a view of a section into the virtual address space of a subject process.

Parameters

SectionHandle [in]

Handle to a section object. This handle is created by a successful call to ZwCreateSection or ZwOpenSection.

ProcessHandle [in]

Handle to the object that represents the process that the view should be mapped into. Use the ZwCurrentProcess macro to specify the current process. The handle must have been opened with PROCESS_VM_OPERATION access.

BaseAddress [in, out]

Pointer to a variable that receives the base address of the view. If the value of this parameter is not NULL, the view is allocated starting at the specified virtual address rounded down to the next 64-kilobyte address boundary.

ZeroBits [in]

Specifies the number of high-order address bits that must be zero in the base address of the section view. The value of this parameter must be less than 21 and is used only if BaseAddress is NULL—in other words, when the caller allows the system to determine where to allocate the view.

CommitSize [in]

Specifies the size, in bytes, of the initially committed region of the view. CommitSize is meaningful only for page-file backed sections and is rounded up to the nearest multiple of PAGE_SIZE. (For sections that map files, both the data and the image are committed at section-creation time.)

SectionOffset [in, out, optional]

A pointer to a variable that receives the offset, in bytes, from the beginning of the section to the view. If this pointer is not NULL, the offset is rounded down to the next allocation-granularity size boundary.

ViewSize [in, out]

A pointer to a SIZE_T variable. If the initial value of this variable is zero, **ZwMapViewOfSection** maps a view of the section that starts at *SectionOffset* and continues to the end of the section. Otherwise, the initial value specifies the view's size, in bytes. **ZwMapViewOfSection** always rounds this value up to the nearest multiple of PAGE_SIZE before mapping the view.

On return, the value receives the actual size, in bytes, of the view.

InheritDisposition [in]

Specifies how the view is to be shared with child processes. The possible values are:

ViewShare

The view will be mapped into any child processes that are created in the future.

ViewUnmap

The view will not be mapped into child processes.

Drivers should typically specify ViewUnmap for this parameter.

AllocationType [in]

Specifies a set of flags that describes the type of allocation to be performed for the specified region of pages. The valid flags are MEM_RESERVE, MEM_TOP_DOWN, MEM_LARGE_PAGES, MEM_DIFFERENT_IMAGE_BASE_OK and MEM_REPLACE_PLACEHOLDER. Although MEM_COMMIT is not allowed, it is implied unless MEM_RESERVE is specified. For more information about the MEM_XXX flags, see the description of the VirtualAlloc and MapViewOfFile3 routines.

Win32Protect [in]

Specifies the page protection to be applied to the mapped view.

For section objects created with the SEC_IMAGE attribute, the Win32Protect parameter has no effect, and can be set to any valid value such as PAGE_READONLY.

For section objects created with the SEC_IMAGE_NO_EXECUTE attribute, the Win32Protect value must be set to PAGE_READONLY.

For non-image sections, the value of the Win32Protect parameter must be compatible with the section's page protection that was specified when ZwCreateSection was called.

ZwMapViewOfSection sets the cache type of the mapped pages to match the cache type supplied when the section object was created. For example, if ZwCreateSection was called with the SEC_NOCACHE flag, **ZwMapViewOfSection** will map the pages uncached, regardless of whether the Win32Protect parameter includes the PAGE_NOCACHE flag or not.

Return value

ZwMapViewOfSection returns an NTSTATUS value. Possible return values include the following:

Return code Description
STATUS_SUCCESS The routine successfully performed the requested operation.
STATUS_CONFLICTING_ADDRESSES The specified address range conflicts with a range that is already reserved.
STATUS_INVALID_PAGE_PROTECTION The value specified for the Win32Protect parameter is invalid.
STATUS_SECTION_PROTECTION The value specified for the Win32Protect parameter is incompatible with the page protection specified when the section was created.

Remarks

Several different views of a section can be concurrently mapped into the virtual address space of one or more processes.

Do not use ZwMapViewOfSection to map a memory range from \Device\PhysicalMemory into user mode, unless your driver has directly allocated the memory range through MmAllocatePagesForMdlEx or another method guaranteeing that no other system component has mapped the same memory range with a different MEMORY_CACHING_TYPE value.

User applications cannot access \Device\PhysicalMemory directly starting with Windows Server 2003 with Service Pack 1 (SP1) and can access it only if the driver passes a handle to the application.

For more information about section objects, see Section Objects and Views.

If the call to this function occurs in user mode, you should use the name "NtMapViewOfSection" instead of "ZwMapViewOfSection".

For calls from kernel-mode drivers, the NtXxx and ZwXxx versions of a Windows Native System Services routine can behave differently in the way that they handle and interpret input parameters. For more information about the relationship between the NtXxx and ZwXxx versions of a routine, see Using Nt and Zw Versions of the Native System Services Routines.

See also

Using Nt and Zw Versions of the Native System Services Routines

ZwCreateSection

ZwOpenSection

ZwMapViewOfSectionEx

ZwUnmapViewOfSection

MapViewOfFile3

View the official Windows Driver Kit DDI reference

Edit description on GitHub

NTinternals.net (undocumented.ntinternals.net)

This function is documented in Windows Driver Kit.

Function NtMapViewOfSection maps specified part of Section Object into process memory.

SectionHandle

HANDLE to Section Object opened with one or more from SECTION_MAP_EXECUTE, SECTION_MAP_READ, SECTION_MAP_WRITE attributes.

ProcessHandle

HANDLE to Process Object opened with PROCESS_VM_OPERATION access.

*BaseAddress

Pointer to variable receiving virtual address of mapped memory. If this value is not NULL, system tries to allocate memory from specified value.

ZeroBits

Indicates how many high bits must not be set in BaseAddress.

CommitSize

Size of initially committed memory, in bytes.

SectionOffset

Pointer to begin of mapped block in section. This value must be rounded up to X64K block size (0x10000 on X86).

ViewSize

Pointer to size of mapped block, in bytes. This value is rounded up to page size (0x1000 on x86).

InheritDisposition

How do child processes inherit mapped section. See description of enumeration type SECTION_INHERIT.

AllocationType

Can be one of:

Protect

Page protection. Can be one of:

Documented by

See also

Edit description on GitHub