NtMapViewOfSectionEx - NtDoc

Native API online documentation, based on the System Informer (formerly Process Hacker) phnt headers 
#ifndef _NTMMAPI_H
//
// Sections
//
#if (PHNT_MODE != PHNT_MODE_KERNEL)
#if (PHNT_VERSION >= PHNT_WINDOWS_10_RS5)

/**
 * The NtMapViewOfSectionEx routine maps a view of a section into the virtual address space of a subject process.
 *
 * \param SectionHandle A handle to an existing section object.
 * \param ProcessHandle A handle to the object that represents the process that the view should be mapped into. The handle must have been opened with PROCESS_VM_OPERATION access.
 * \param BaseAddress A pointer to a variable that receives the base address of the view. If the value is not NULL, the view is allocated starting at the specified virtual address rounded down to the next 64-kilobyte address boundary.
 * \param SectionOffset A pointer to a variable that receives the offset, in bytes, from the beginning of the section to the view.
 * \param ViewSize A pointer to a variable that specifies the size of the view in bytes. If the initial value is zero, NtMapViewOfSection maps a view of the section that starts at SectionOffset and continues to the end of the section.
 * \param AllocationType Specifies the type of allocation to be performed for the specified region of pages. The valid flags are MEM_RESERVE, MEM_TOP_DOWN, MEM_LARGE_PAGES, MEM_DIFFERENT_IMAGE_BASE_OK and MEM_REPLACE_PLACEHOLDER. Although MEM_COMMIT is not allowed, it is implied unless MEM_RESERVE is specified.
 * \param PageProtection Specifies the page protection to be applied to the mapped view. Not used with SEC_IMAGE, must be set to PAGE_READONLY for SEC_IMAGE_NO_EXECUTE. For non-image sections, the value must be compatible with the section's page protection from NtCreateSection.
 * \param ExtendedParameters An optional pointer to one or more extended parameters of type MEM_EXTENDED_PARAMETER.
 * \param ExtendedParameterCount Specifies the number of elements in the ExtendedParameters array.
 * \return NTSTATUS Successful or errant status.
 * \sa https://learn.microsoft.com/en-us/windows-hardware/drivers/ddi/wdm/nf-wdm-zwmapviewofsectionex
 */
NTSYSCALLAPI
NTSTATUS
NTAPI
NtMapViewOfSectionEx(
    _In_ HANDLE SectionHandle,
    _In_ HANDLE ProcessHandle,
    _Inout_ _At_(*BaseAddress, _Readable_bytes_(*ViewSize) _Writable_bytes_(*ViewSize) _Post_readable_byte_size_(*ViewSize)) PVOID *BaseAddress,
    _Inout_opt_ PLARGE_INTEGER SectionOffset,
    _Inout_ PSIZE_T ViewSize,
    _In_ ULONG AllocationType,
    _In_ ULONG PageProtection,
    _Inout_updates_opt_(ExtendedParameterCount) PMEM_EXTENDED_PARAMETER ExtendedParameters,
    _In_ ULONG ExtendedParameterCount
    );

#endif
#endif
#endif

View code on GitHub
#ifndef _NTZWAPI_H

NTSYSCALLAPI
NTSTATUS
NTAPI
ZwMapViewOfSectionEx(
    _In_ HANDLE SectionHandle,
    _In_ HANDLE ProcessHandle,
    _Inout_ _At_(*BaseAddress, _Readable_bytes_(*ViewSize) _Writable_bytes_(*ViewSize) _Post_readable_byte_size_(*ViewSize)) PVOID *BaseAddress,
    _Inout_opt_ PLARGE_INTEGER SectionOffset,
    _Inout_ PSIZE_T ViewSize,
    _In_ ULONG AllocationType,
    _In_ ULONG PageProtection,
    _Inout_updates_opt_(ExtendedParameterCount) PMEM_EXTENDED_PARAMETER ExtendedParameters,
    _In_ ULONG ExtendedParameterCount
    );

#endif

View code on GitHub
// wdm.h

NTSYSAPI NTSTATUS ZwMapViewOfSectionEx(
  [in]                HANDLE                  SectionHandle,
  [in]                HANDLE                  ProcessHandle,
  [in, out]           PVOID                   *BaseAddress,
  [in, out, optional] PLARGE_INTEGER          SectionOffset,
  [in, out]           PSIZE_T                 ViewSize,
  [in]                ULONG                   AllocationType,
  [in]                ULONG                   PageProtection,
  [in, out, optional] PMEM_EXTENDED_PARAMETER ExtendedParameters,
  [in]                ULONG                   ExtendedParameterCount
);
View the official Windows Driver Kit DDI reference

NtDoc

No description available.

Edit description on GitHub

Windows Driver Kit DDI reference (nf-wdm-zwmapviewofsectionex)

Description

The ZwMapViewOfSectionEx routine maps a view of a section into the virtual address space of a subject process.

Parameters

SectionHandle [in]

Handle to a section object. This handle is created by a successful call to ZwCreateSection or ZwOpenSection.

ProcessHandle [in]

Handle to the object that represents the process that the view should be mapped into. Use the ZwCurrentProcess macro to specify the current process. The handle must have been opened with PROCESS_VM_OPERATION access.

BaseAddress [in, out]

Pointer to a variable that receives the base address of the view. If the value of this parameter is not NULL, the view is allocated starting at the specified virtual address rounded down to the next 64-kilobyte address boundary.

SectionOffset [in, out, optional]

A pointer to a variable that receives the offset, in bytes, from the beginning of the section to the view. If this pointer is not NULL, the offset is rounded down to the next allocation-granularity size boundary.

ViewSize [in, out]

A pointer to a SIZE_T variable. If the initial value of this variable is zero, ZwMapViewOfSectionEx maps a view of the section that starts at SectionOffset and continues to the end of the section. Otherwise, the initial value specifies the view's size, in bytes. ZwMapViewOfSectionEx always rounds this value up to the nearest multiple of PAGE_SIZE before mapping the view.

On return, the value receives the actual size, in bytes, of the view.

AllocationType [in]

Specifies a set of flags that describes the type of allocation to be performed for the specified region of pages. The valid flags are MEM_RESERVE, MEM_TOP_DOWN, MEM_LARGE_PAGES, MEM_DIFFERENT_IMAGE_BASE_OK and MEM_REPLACE_PLACEHOLDER. Although MEM_COMMIT is not allowed, it is implied unless MEM_RESERVE is specified. For more information about the MEM_XXX flags, see the description of the VirtualAlloc and MapViewOfFile3 routines.

PageProtection [in]

Specifies the page protection to be applied to the mapped view.

For section objects created with the SEC_IMAGE attribute, the PageProtection parameter has no effect, and can be set to any valid value such as PAGE_READONLY.

For section objects created with the SEC_IMAGE_NO_EXECUTE attribute, the PageProtection value must be set to PAGE_READONLY.

For non-image sections, the value of the PageProtection parameter must be compatible with the section's page protection that was specified when ZwCreateSection was called.

ZwMapViewOfSectionEx always sets the cache type of the mapped pages to match the cache type supplied when the section object was created. For example, if ZwCreateSection was called with the SEC_NOCACHE flag, ZwMapViewOfSectionEx will map the pages uncached, regardless of whether the PageProtection parameter includes the PAGE_NOCACHE flag or not.

ExtendedParameters [in, out, optional]

An optional pointer to one or more extended parameters of type MEM_EXTENDED_PARAMETER. For more information about extended parameters, see the description of the MapViewOfFile3 routine.

ExtendedParameterCount [in]

Specifies the number of elements in the ExtendedParameters array.

Return value

ZwMapViewOfSectionEx returns an NTSTATUS value. Possible return values include the following:

Return code Description
STATUS_SUCCESS The routine successfully performed the requested operation.
STATUS_CONFLICTING_ADDRESSES The specified address range conflicts with a range that is already reserved.
STATUS_INVALID_PAGE_PROTECTION The value specified for the PageProtection parameter is invalid.
STATUS_SECTION_PROTECTION The value specified for the PageProtection parameter is incompatible with the page protection specified when the section was created.

Remarks

Several different views of a section can be concurrently mapped into the virtual address space of one or more processes.

Do not use ZwMapViewOfSectionEx to map a memory range from \Device\PhysicalMemory into user mode, unless your driver has directly allocated the memory range through MmAllocatePagesForMdlEx or another method guaranteeing that no other system component has mapped the same memory range with a different MEMORY_CACHING_TYPE value.

User applications cannot access \Device\PhysicalMemory directly starting with Windows Server 2003 with Service Pack 1 (SP1) and can access it only if the driver passes a handle to the application.

For more information about section objects, see Section Objects and Views.

If the call to this function occurs in user mode, you should use the name "NtMapViewOfSectionEx" instead of "ZwMapViewOfSectionEx".

For calls from kernel-mode drivers, the Nt*Xxx* and Zw*Xxx* versions of a Windows Native System Services routine can behave differently in the way that they handle and interpret input parameters. For more information about the relationship between the Nt*Xxx* and Zw*Xxx* versions of a routine, see Using Nt and Zw Versions of the Native System Services Routines.

See also

Using Nt and Zw Versions of the Native System Services Routines

ZwCreateSection

ZwOpenSection

ZwMapViewOfSection

ZwUnmapViewOfSection

MapViewOfFile3

View the official Windows Driver Kit DDI reference

Edit description on GitHub