NtQuerySection - NtDoc
Native API online documentation, based on the System Informer
(formerly Process Hacker) phnt
headers
#ifndef _NTMMAPI_H
//
// Sections
//
#if (PHNT_MODE != PHNT_MODE_KERNEL)
/**
* The NtQuerySection routine provides the capability to determine the base address, size, granted access, and allocation of an opened section object.
*
* \param SectionHandle An open handle to a section object.
* \param SectionInformationClass The section information class about which to retrieve information.
* \param SectionInformation A pointer to a buffer that receives the specified information. The format and content of the buffer depend on the specified section class.
* \param SectionInformationLength Specifies the length in bytes of the section information buffer.
* \param ReturnLength An optional pointer which, if specified, receives the number of bytes placed in the section information buffer.
* \return NTSTATUS Successful or errant status.
* \sa https://learn.microsoft.com/en-us/windows/win32/devnotes/ntquerysection
*/
NTSYSCALLAPI
NTSTATUS
NTAPI
NtQuerySection(
_In_ HANDLE SectionHandle,
_In_ SECTION_INFORMATION_CLASS SectionInformationClass,
_Out_writes_bytes_(SectionInformationLength) PVOID SectionInformation,
_In_ SIZE_T SectionInformationLength,
_Out_opt_ PSIZE_T ReturnLength
);
View code on GitHub#ifndef _NTZWAPI_H
NTSYSCALLAPI
NTSTATUS
NTAPI
ZwQuerySection(
_In_ HANDLE SectionHandle,
_In_ SECTION_INFORMATION_CLASS SectionInformationClass,
_Out_writes_bytes_(SectionInformationLength) PVOID SectionInformation,
_In_ SIZE_T SectionInformationLength,
_Out_opt_ PSIZE_T ReturnLength
);
View code on GitHubNTSTATUS NTAPI NtQuerySection (
_In_ HANDLE SectionHandle,
_In_ SECTION_INFORMATION_CLASS SectionInformationClass,
_Out_writes_bytes_(SectionInformationLength) PVOID SectionInformation,
_In_ SIZE_T SectionInformationLength,
_Out_opt_ PSIZE_T ReturnLength
)
View the official Win32 development documentationNo description available.
Provides the capability to determine the base address, size, granted access, and allocation of an opened section object.
An open handle to a section object.
The section information class about which to retrieve information.
A pointer to a buffer that receives the specified information. The format and content of the buffer depend on the specified section class.
Specifies the length in bytes of the section information buffer.
An optional pointer which, if specified, receives the number of bytes placed in the section information buffer.
An NTSTATUS code. For more information, see Using NTSTATUS values.
This function has no associated import library or header file; you must call it using the LoadLibrary and GetProcAddress functions. The API is exported from ntdll.dll.
The type of the SectionInformation parameter is PSECTION_BASIC_INFORMATION
typedef struct _SECTIONBASICINFO {
PVOID BaseAddress;
ULONG AllocationAttributes;
LARGE_INTEGER MaximumSize;
} SECTION_BASIC_INFORMATION, *PSECTION_BASIC_INFORMATION;
The base virtual address of the section if the section is based.
The allocation attributes flags.
| Flag | Value | Description |
|---|---|---|
| SEC_BASED | 0x200000 | The section is a based section. |
| SEC_FILE | 0x800000 | The section is backed by a data file. |
| SEC_RESERVE | 0x4000000 | All pages of the section were initially set to the reserved state. |
| SEC_COMMIT | 0x8000000 | All pages of the section were initially set to the committed state. |
| SEC_IMAGE | 0x1000000 | The section was mapped as an executable image file. |
The maximum size of the section in bytes.
| Requirement | Value |
|---|---|
| DLL | ntdll.dll |
This function is documented in Windows SDK.
Use one of following:
SectionBasicInformation // Result is SECTION_BASIC_INFORMATION structureSectionImageInformation // Result is SECTION_IMAGE_INFORMATION structureSectionImageInformation Are available only for file-based sections.