NtQueryVirtualMemory - NtDoc

Native API online documentation, based on the System Informer (formerly Process Hacker) phnt headers
#ifndef _NTMMAPI_H
//
// Virtual memory
//
#if (PHNT_MODE != PHNT_MODE_KERNEL)

/**
 * The NtQueryVirtualMemory routine queries information about a region of virtual memory in a process.
 *
 * \param ProcessHandle A handle to the process whose memory information is to be queried.
 * \param BaseAddress A pointer to the base address of the region of pages to be queried.
 * \param MemoryInformationClass The type of information to be queried.
 * \param MemoryInformation A pointer to a buffer that receives the memory information.
 * \param MemoryInformationLength The size of the buffer pointed to by the MemoryInformation parameter.
 * \param ReturnLength A pointer to a variable that receives the number of bytes returned in the MemoryInformation buffer.
 * \return NTSTATUS Successful or errant status.
 */
NTSYSCALLAPI
NTSTATUS
NTAPI
NtQueryVirtualMemory(
    _In_ HANDLE ProcessHandle,
    _In_opt_ PVOID BaseAddress,
    _In_ MEMORY_INFORMATION_CLASS MemoryInformationClass,
    _Out_writes_bytes_(MemoryInformationLength) PVOID MemoryInformation,
    _In_ SIZE_T MemoryInformationLength,
    _Out_opt_ PSIZE_T ReturnLength
    );

#endif
#endif

#ifndef _NTZWAPI_H

NTSYSCALLAPI
NTSTATUS
NTAPI
ZwQueryVirtualMemory(
    _In_ HANDLE ProcessHandle,
    _In_opt_ PVOID BaseAddress,
    _In_ MEMORY_INFORMATION_CLASS MemoryInformationClass,
    _Out_writes_bytes_(MemoryInformationLength) PVOID MemoryInformation,
    _In_ SIZE_T MemoryInformationLength,
    _Out_opt_ PSIZE_T ReturnLength
    );

#endif

// ntifs.h

__kernel_entry NTSYSCALLAPI NTSTATUS NtQueryVirtualMemory(
  [in]            HANDLE                   ProcessHandle,
  [in, optional]  PVOID                    BaseAddress,
  [in]            MEMORY_INFORMATION_CLASS MemoryInformationClass,
  [out]           PVOID                    MemoryInformation,
  [in]            SIZE_T                   MemoryInformationLength,
  [out, optional] PSIZE_T                  ReturnLength
);
View the official Windows Driver Kit DDI reference
// ntifs.h

NTSYSAPI NTSTATUS ZwQueryVirtualMemory(
  [in]            HANDLE                   ProcessHandle,
  [in, optional]  PVOID                    BaseAddress,
  [in]            MEMORY_INFORMATION_CLASS MemoryInformationClass,
  [out]           PVOID                    MemoryInformation,
  [in]            SIZE_T                   MemoryInformationLength,
  [out, optional] PSIZE_T                  ReturnLength
);
View the official Windows Driver Kit DDI reference

NtDoc

No description available.

Windows Driver Kit DDI reference (nf-ntifs-ntqueryvirtualmemory)

NtQueryVirtualMemory function

Description

The NtQueryVirtualMemory routine determines the state, protection, and type of a region of pages within the virtual address space of the specified process.

Parameters

ProcessHandle [in]

Handle for the process in whose context the pages to be queried reside. Use the NtCurrentProcess macro to specify the current process.

BaseAddress [in, optional]

The base address of the region of pages to be queried. This value is rounded down to the next host-page-address boundary.

MemoryInformationClass [in]

The memory information class about which to retrieve information. Currently, the only supported MEMORY_INFORMATION_CLASS value is MemoryBasicInformation.

MemoryInformation [out]

Pointer to a buffer that receives the specified information. The format and content of the buffer depend on the information class specified in the MemoryInformationClass parameter. When the value MemoryBasicInformation is passed to MemoryInformationClass, the MemoryInformation parameter value is a MEMORY_BASIC_INFORMATION structure.

MemoryInformationLength [in]

Specifies the length, in bytes, of the buffer that MemoryInformation points to.

ReturnLength [out, optional]

An optional pointer which, if specified, receives the number of bytes placed in the MemoryInformation buffer.

Return value

Returns STATUS_SUCCESS if the call is successful. If the call fails, possible error codes include the following:

| Return code | Description |
| --- | --- |
| STATUS_ACCESS_DENIED | The caller had insufficient access rights to perform the requested action. |
| STATUS_ACCESS_VIOLATION | The specified base address is an invalid virtual address. |
| STATUS_INFO_LENGTH_MISMATCH | The MemoryInformation buffer is larger than MemoryInformationLength. |
| STATUS_INVALID_INFO_CLASS | The specified MemoryInformationClass parameter is invalid. |
| STATUS_INVALID_PARAMETER | The specified base address is outside the range of accessible addresses. |

Remarks

ZwQueryVirtualMemory determines the state of the first page within the region and then scans subsequent entries in the process address map from the base address upward until either the entire range of pages has been scanned or until a page with a non-matching set of attributes is encountered. The region attributes, the length of the region of pages with matching attributes, and an appropriate status value are returned.

If the entire region of pages does not have a matching set of attributes, then the sub-regions within one address reservation will be returned individually. They will have the same *MemoryInformation.AllocationBase value, their individual sizes will be in *MemoryInformation.RegionSize, and the total size of the address reservation can be obtained by summing all of the *MemoryInformation.RegionSize values associated with a particular *MemoryInformation.AllocationBase value.
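The per-reservation summation described above, as an added example (not code from the WDK reference or the phnt headers). `REGION`, `query_fn`, `reservation_size`, `sample_query` and the address map are constructed for illustration; the callback stands in for a MemoryBasicInformation query so the walk can run against sample data.

```c
#include <stddef.h>
#include <stdint.h>
#define REGION_MEM_FREE 0x10000u  /* value of MEM_FREE in winnt.h */

/* Constructed mirror of the MEMORY_BASIC_INFORMATION fields the walk needs. */
typedef struct { uintptr_t BaseAddress, AllocationBase; size_t RegionSize; uint32_t State; } REGION;

/* Hypothetical callback standing in for the NtQueryVirtualMemory call; 0 = success. */
typedef int (*query_fn)(uintptr_t addr, REGION *out);

/* Sum RegionSize over every sub-region that shares addr's AllocationBase. */
size_t reservation_size(query_fn query, uintptr_t addr) {
    REGION r;
    if (query(addr, &r) != 0 || r.State == REGION_MEM_FREE)
        return 0;                    /* failed query or free address space */
    uintptr_t base = r.AllocationBase, cur = base;
    size_t total = 0;
    while (query(cur, &r) == 0 && r.State != REGION_MEM_FREE &&
           r.AllocationBase == base && r.RegionSize != 0) {
        total += r.RegionSize;
        cur = r.BaseAddress + r.RegionSize;  /* first page after this sub-region */
    }
    return total;
}

/* Constructed address map: two reservations separated by a free gap. */
static const REGION sample_map[] = {
    {0x10000, 0x10000, 0x1000, 0x1000},           /* MEM_COMMIT */
    {0x11000, 0x10000, 0x3000, 0x2000},           /* MEM_RESERVE */
    {0x14000, 0,       0xC000, REGION_MEM_FREE},  /* gap between reservations */
    {0x20000, 0x20000, 0x2000, 0x1000},           /* MEM_COMMIT */
    {0x22000, 0x20000, 0x1000, 0x1000},           /* MEM_COMMIT, other protection */
    {0x23000, 0x20000, 0xD000, 0x2000},           /* MEM_RESERVE */
};

/* Fake query over sample_map: rounds addr down to a page boundary and sizes the region from there. */
int sample_query(uintptr_t addr, REGION *out) {
    uintptr_t page = addr & ~(uintptr_t)0xFFF;
    for (size_t i = 0; i < sizeof sample_map / sizeof *sample_map; i++) {
        uintptr_t off = page - sample_map[i].BaseAddress;  /* wraps to a huge value if below */
        if (off < sample_map[i].RegionSize) {
            *out = sample_map[i];
            out->BaseAddress = page;
            out->RegionSize -= off;
            return 0;
        }
    }
    return -1;
}
```

The walk restarts from AllocationBase rather than from the queried address, so a query that lands in the middle of a reservation still yields the full reservation size.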

NtQueryVirtualMemory and ZwQueryVirtualMemory are two versions of the same Windows Native System Services routine.

For calls from kernel-mode drivers, the NtXxx and ZwXxx versions of a Windows Native System Services routine can behave differently in the way that they handle and interpret input parameters. For more information about the relationship between the NtXxx and ZwXxx versions of a routine, see Using Nt and Zw Versions of the Native System Services Routines.

See also

MEMORY_BASIC_INFORMATION

MEMORY_INFORMATION_CLASS

POWER_PLATFORM_INFORMATION

ZwQueryVirtualMemory


Windows Driver Kit DDI reference (nf-ntifs-zwqueryvirtualmemory)

ZwQueryVirtualMemory function

Description

The ZwQueryVirtualMemory routine determines the state, protection, and type of a region of pages within the virtual address space of the subject process.

Parameters

ProcessHandle [in]

A handle for the process in whose context the pages to be queried reside. Use the ZwCurrentProcess macro to specify the current process.

BaseAddress [in, optional]

The base address of the region of pages to be queried. This value is rounded down to the next host-page address boundary.

MemoryInformationClass [in]

The memory information class about which to retrieve information. Currently, the only supported MEMORY_INFORMATION_CLASS value is MemoryBasicInformation.

MemoryInformation [out]

A pointer to a buffer that receives the specified information. The format and content of the buffer depend on the information class specified in the MemoryInformationClass parameter. When the value MemoryBasicInformation is passed to MemoryInformationClass, the MemoryInformation parameter value is a MEMORY_BASIC_INFORMATION structure.

MemoryInformationLength [in]

Specifies the length in bytes of the memory information buffer.

ReturnLength [out, optional]

An optional pointer which, if specified, receives the number of bytes placed in the memory information buffer.

Return value

Returns STATUS_SUCCESS if the call is successful. If the call fails, possible error codes include the following:

| Return code | Description |
| --- | --- |
| STATUS_INVALID_PARAMETER | The specified base address is outside the range of accessible addresses. |
| STATUS_ACCESS_DENIED | The caller had insufficient access rights to perform the requested action. |
| STATUS_INFO_LENGTH_MISMATCH | The MemoryInformation buffer is larger than MemoryInformationLength. |
| STATUS_INVALID_INFO_CLASS | A value other than MemoryBasicInformation was passed to the MemoryInformationClass parameter. |

Remarks

ZwQueryVirtualMemory determines the state of the first page within the region and then scans subsequent entries in the process address map from the base address upward until either the entire range of pages has been scanned or until a page with a non-matching set of attributes is encountered. The region attributes, the length of the region of pages with matching attributes, and an appropriate status value are returned.

If the entire region of pages does not have a matching set of attributes, then the ReturnLength parameter value can be used to compute the address and length of the region of pages that was not scanned.

NtQueryVirtualMemory and ZwQueryVirtualMemory are two versions of the same Windows Native System Services routine.

For calls from kernel-mode drivers, the NtXxx and ZwXxx versions of a Windows Native System Services routine can behave differently in the way that they handle and interpret input parameters. For more information about the relationship between the NtXxx and ZwXxx versions of a routine, see Using Nt and Zw Versions of the Native System Services Routines.

See also

POWER_PLATFORM_INFORMATION


NTinternals.net (undocumented.ntinternals.net)

This function is documented in Windows Driver Kit here and here.


The NtQueryVirtualMemory function retrieves the parameters of the queried memory block.

ProcessHandle

HANDLE to the process whose address space contains the queried address.

BaseAddress

Virtual address to query.

MemoryInformationClass

Information class defined in MEMORY_INFORMATION_CLASS enumeration type. Currently only one class is supported.

Buffer

As long as only MemoryBasicInformation is supported, this value points to a MEMORY_BASIC_INFORMATION structure, defined in <WINNT.h> and described in the MS SDK.

Length

Length of Buffer, in bytes.

ResultLength

Optional pointer to a ULONG value that receives the required size of Buffer, in bytes.
