Last active
July 10, 2024 09:20
-
-
Save arbv/531040b8036050c5648fc55471d50352 to your computer and use it in GitHub Desktop.
A safer replacement for the obsolete IsBadReadPtr() and IsBadWritePtr() WinAPI functions on top of VirtualQuery() which respects Windows guard pages and does not use SEH.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
/* | |
Copyright (c) 2017,2020 Artem Boldariev <[email protected]> | |
Permission is hereby granted, free of charge, to any person obtaining a | |
copy of this software and associated documentation files(the "Software"), | |
to deal in the Software without restriction, including without limitation | |
the rights to use, copy, modify, merge, publish, distribute, sublicense, | |
and/or sell copies of the Software, and to permit persons to whom the | |
Software is furnished to do so, subject to the following conditions : | |
The above copyright notice and this permission notice shall be included in | |
all copies or substantial portions of the Software. | |
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR | |
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, | |
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.IN NO EVENT SHALL | |
THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER | |
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING | |
FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER | |
DEALINGS IN THE SOFTWARE. | |
*/ | |
#include <windows.h> | |
#include <stdlib.h> | |
#include <stdio.h> | |
/* | |
A safer replacement for the obsolete IsBadReadPtr() and IsBadWritePtr() WinAPI functions | |
on top of VirtualQuery() which respects Windows guard pages. It does not use SEH | |
and is designed to be compatible with the above-mentioned functions. | |
The calls to the IsBadReadPtr() and IsBadWritePtr() can be replaced with the calls to | |
the IsBadMemPtr() as follows: | |
- IsBadReadPtr(...) => IsBadMemPtr(FALSE, ...) | |
- IsBadWritePtr(...) => IsBadMemPtr(TRUE, ...) | |
*/ | |
BOOL IsBadMemPtr(BOOL write, void *ptr, size_t size) | |
{ | |
MEMORY_BASIC_INFORMATION mbi; | |
BOOL ok; | |
DWORD mask; | |
BYTE *p = (BYTE *)ptr; | |
BYTE *maxp = p + size; | |
BYTE *regend = NULL; | |
if (size == 0) | |
{ | |
return FALSE; | |
} | |
if (p == NULL) | |
{ | |
return TRUE; | |
} | |
if (write == FALSE) | |
{ | |
mask = PAGE_READONLY | PAGE_READWRITE | PAGE_WRITECOPY | PAGE_EXECUTE_READ | PAGE_EXECUTE_READWRITE | PAGE_EXECUTE_WRITECOPY; | |
} | |
else | |
{ | |
mask = PAGE_READWRITE | PAGE_WRITECOPY | PAGE_EXECUTE_READWRITE | PAGE_EXECUTE_WRITECOPY; | |
} | |
do | |
{ | |
if (p == ptr || p == regend) | |
{ | |
if (VirtualQuery((LPCVOID)p, &mbi, sizeof(mbi)) == 0) | |
{ | |
return TRUE; | |
} | |
else | |
{ | |
regend = ((BYTE *)mbi.BaseAddress + mbi.RegionSize); | |
} | |
} | |
ok = (mbi.Protect & mask) != 0; | |
if (mbi.Protect & (PAGE_GUARD | PAGE_NOACCESS)) | |
{ | |
ok = FALSE; | |
} | |
if (!ok) | |
{ | |
return TRUE; | |
} | |
if (maxp <= regend) /* the whole address range is inside the current memory region */ | |
{ | |
return FALSE; | |
} | |
else if (maxp > regend) /* this region is a part of (or overlaps with) the address range we are checking */ | |
{ | |
p = regend; /* lets move to the next memory region */ | |
} | |
} while (p < maxp); | |
return FALSE; | |
} | |
/* Poor man's unit testing framework. */ | |
_ACRTIMP void __cdecl _wassert(wchar_t const* _Message, wchar_t const* _File, unsigned _Line); | |
#define _WSTR_(str) L ## str | |
#define _WSTR(str) _WSTR_(str) | |
#define IS_TRUE(expr) (void)((!!(expr)) || (_wassert(_WSTR(#expr), _WSTR(__FILE__), (unsigned int)(__LINE__)), 0)) | |
#define IS_FALSE(expr) IS_TRUE(!(expr)) | |
static const DWORD cdw = 0; /* read-only memory */ | |
int main(int argc, char **argv) | |
{ | |
DWORD dw = 0; | |
SYSTEM_INFO sysinfo; | |
GetSystemInfo(&sysinfo); | |
/*!!! Some Unit Tests to ensure correctness and compatibility with the IsBadXxxPtr() functions !!!*/ | |
fprintf(stderr, "Testing IsBadMemPtr() ... "); | |
/* basic compatibility checks */ | |
IS_TRUE(IsBadMemPtr(FALSE, NULL, 3)); | |
IS_TRUE(IsBadReadPtr(NULL, 3)); | |
IS_FALSE(IsBadMemPtr(FALSE, NULL, 0)); | |
IS_FALSE(IsBadReadPtr(NULL, 0)); | |
IS_FALSE(IsBadMemPtr(FALSE, &dw, 0)); | |
IS_FALSE(IsBadReadPtr(&dw, 0)); | |
IS_FALSE(IsBadMemPtr(FALSE, &dw, sizeof(dw))); | |
IS_FALSE(IsBadMemPtr(TRUE, &dw, sizeof(dw))); | |
IS_FALSE(IsBadMemPtr(TRUE, (void *)&cdw, 0)); | |
IS_FALSE(IsBadWritePtr((void *)&cdw, 0)); | |
IS_TRUE(IsBadMemPtr(TRUE, (void *)&cdw, sizeof(dw))); | |
IS_TRUE(IsBadWritePtr((void *)&cdw, sizeof(dw))); | |
/* two sequential readonly memory regions */ | |
{ | |
MEMORY_BASIC_INFORMATION mbi1; | |
MEMORY_BASIC_INFORMATION mbi2; | |
DWORD old_protect = 0; | |
BYTE *region1 = (BYTE *)VirtualAlloc(NULL, sysinfo.dwAllocationGranularity, MEM_RESERVE | MEM_COMMIT, PAGE_READONLY); | |
IS_TRUE(region1); | |
BYTE *region2 = region1 + (sysinfo.dwAllocationGranularity / 2); | |
IS_TRUE(VirtualProtect(region2, (sysinfo.dwAllocationGranularity / 2), PAGE_EXECUTE_READ, &old_protect)); | |
VirtualQuery(region1, &mbi1, sizeof(mbi1)); | |
VirtualQuery(region2, &mbi2, sizeof(mbi2)); | |
IS_TRUE(mbi2.BaseAddress == (region1 + (sysinfo.dwAllocationGranularity / 2))); | |
IS_FALSE(IsBadMemPtr(FALSE, region2 - 2, 4)); | |
IS_FALSE(IsBadReadPtr(region2 - 2, 4)); | |
IS_FALSE(IsBadMemPtr(FALSE, region2 - 1, 4)); | |
IS_FALSE(IsBadReadPtr(region2 - 1, 4)); | |
/* create non accessible subregion */ | |
BYTE *region3 = region1 + ((sysinfo.dwAllocationGranularity / 4) * 3); | |
IS_TRUE(VirtualProtect(region3, (sysinfo.dwAllocationGranularity / 4), PAGE_NOACCESS, &old_protect)); | |
IS_FALSE(IsBadMemPtr(FALSE, region3 - 2, 1)); | |
IS_FALSE(IsBadReadPtr(region3 - 2, 1)); | |
IS_FALSE(IsBadMemPtr(FALSE, region3 - 1, 1)); | |
IS_FALSE(IsBadReadPtr(region3 - 1, 1)); | |
IS_TRUE(IsBadMemPtr(FALSE, region3, 1)); | |
IS_TRUE(IsBadReadPtr(region3, 1)); | |
IS_TRUE(IsBadMemPtr(FALSE, region3 + 1 , 1)); | |
IS_TRUE(IsBadReadPtr(region3 + 1, 1)); | |
IS_TRUE(IsBadMemPtr(FALSE, region3 - 2, 4)); | |
IS_TRUE(IsBadReadPtr(region3 - 2, 4)); | |
IS_FALSE(IsBadMemPtr(FALSE, region3 - 2, 2)); | |
IS_FALSE(IsBadReadPtr(region3 - 2, 2)); | |
IS_TRUE(IsBadMemPtr(FALSE, region3 - 2, 3)); | |
IS_TRUE(IsBadReadPtr(region3 - 2, 3)); | |
VirtualFree(region1, 0, MEM_RELEASE); | |
} | |
/* two sequential writeable memory regions */ | |
{ | |
MEMORY_BASIC_INFORMATION mbi1; | |
MEMORY_BASIC_INFORMATION mbi2; | |
DWORD old_protect = 0; | |
BYTE *region1 = (BYTE *)VirtualAlloc(NULL, sysinfo.dwAllocationGranularity, MEM_RESERVE | MEM_COMMIT, PAGE_READWRITE); | |
IS_TRUE(region1); | |
BYTE *region2 = region1 + (sysinfo.dwAllocationGranularity / 2); | |
IS_TRUE(VirtualProtect(region2, (sysinfo.dwAllocationGranularity / 2), PAGE_EXECUTE_READWRITE, &old_protect)); | |
VirtualQuery(region1, &mbi1, sizeof(mbi1)); | |
VirtualQuery(region2, &mbi2, sizeof(mbi2)); | |
IS_TRUE(mbi2.BaseAddress == (region1 + (sysinfo.dwAllocationGranularity / 2))); | |
IS_FALSE(IsBadMemPtr(TRUE, region2 - 2, 4)); | |
IS_FALSE(IsBadWritePtr(region2 - 2, 4)); | |
IS_FALSE(IsBadMemPtr(TRUE, region2 - 1, 4)); | |
IS_FALSE(IsBadWritePtr(region2 - 1, 4)); | |
/* create non accessible subregion */ | |
BYTE *region3 = region1 + ((sysinfo.dwAllocationGranularity / 4) * 3); | |
IS_TRUE(VirtualProtect(region3, (sysinfo.dwAllocationGranularity / 4), PAGE_NOACCESS, &old_protect)); | |
IS_FALSE(IsBadMemPtr(TRUE, region3 - 2, 1)); | |
IS_FALSE(IsBadWritePtr(region3 - 2, 1)); | |
IS_FALSE(IsBadMemPtr(TRUE, region3 - 1, 1)); | |
IS_FALSE(IsBadWritePtr(region3 - 1, 1)); | |
IS_TRUE(IsBadMemPtr(TRUE, region3, 1)); | |
IS_TRUE(IsBadWritePtr(region3, 1)); | |
IS_TRUE(IsBadMemPtr(TRUE, region3 + 1, 1)); | |
IS_TRUE(IsBadWritePtr(region3 + 1, 1)); | |
IS_TRUE(IsBadMemPtr(TRUE, region3 - 2, 4)); | |
IS_TRUE(IsBadWritePtr(region3 - 2, 4)); | |
IS_FALSE(IsBadMemPtr(TRUE, region3 - 2, 2)); | |
IS_FALSE(IsBadWritePtr(region3 - 2, 2)); | |
IS_TRUE(IsBadMemPtr(TRUE, region3 - 2, 3)); | |
IS_TRUE(IsBadWritePtr(region3 - 2, 3)); | |
VirtualFree(region1, 0, MEM_RELEASE); | |
} | |
/* guard page */ | |
{ | |
void *guard_region = VirtualAlloc(NULL, sysinfo.dwPageSize, MEM_RESERVE | MEM_COMMIT, PAGE_READWRITE | PAGE_GUARD); | |
IS_TRUE(guard_region); | |
IS_TRUE(IsBadMemPtr(TRUE, guard_region, 1)); | |
IS_TRUE(IsBadMemPtr(FALSE, guard_region, 1)); | |
VirtualFree(guard_region, 0, MEM_RELEASE); | |
} | |
/* writeable memory region with a guard page at the end (kind of stack) */ | |
{ | |
DWORD old_protect = 0; | |
BYTE *region1 = (BYTE *)VirtualAlloc(NULL, sysinfo.dwAllocationGranularity, MEM_RESERVE | MEM_COMMIT, PAGE_READWRITE); | |
IS_TRUE(region1); | |
BYTE *guard_page = region1 + (sysinfo.dwAllocationGranularity - sysinfo.dwPageSize); | |
IS_TRUE(VirtualProtect(guard_page, (sysinfo.dwPageSize), PAGE_READWRITE | PAGE_GUARD, &old_protect)); | |
IS_FALSE(IsBadMemPtr(TRUE, guard_page - 1, 1)); | |
IS_FALSE(IsBadMemPtr(FALSE, guard_page - 1, 1)); | |
IS_FALSE(IsBadMemPtr(TRUE, guard_page - 4, 4)); | |
IS_FALSE(IsBadMemPtr(FALSE, guard_page - 4, 4)); | |
IS_TRUE(IsBadMemPtr(TRUE, guard_page, 1)); | |
IS_TRUE(IsBadMemPtr(FALSE, guard_page, 1)); | |
IS_TRUE(IsBadMemPtr(TRUE, guard_page + 2, 3)); | |
IS_TRUE(IsBadMemPtr(FALSE, guard_page + 2, 3)); | |
IS_TRUE(IsBadMemPtr(TRUE, guard_page - 1, 2)); | |
IS_TRUE(IsBadMemPtr(FALSE, guard_page - 1, 2)); | |
IS_TRUE(IsBadMemPtr(TRUE, guard_page - 2, 4)); | |
IS_TRUE(IsBadMemPtr(FALSE, guard_page - 2, 4)); | |
IS_TRUE(IsBadMemPtr(TRUE, guard_page - 3, 4)); | |
IS_TRUE(IsBadMemPtr(FALSE, guard_page - 3, 4)); | |
VirtualFree(region1, 0, MEM_RELEASE); | |
} | |
fputs("done.", stderr); | |
return 0; | |
} |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Sorry for the late reply.
That is a good catch, but the value in
regend
is not going to be used on the first run, becausep
equalsptr
at this time. Initialising it won't hurt, though, so thanks anyway. Fixed.