Skip to content

Instantly share code, notes, and snippets.

@arbv
Last active July 10, 2024 09:20
Show Gist options
  • Save arbv/531040b8036050c5648fc55471d50352 to your computer and use it in GitHub Desktop.
Save arbv/531040b8036050c5648fc55471d50352 to your computer and use it in GitHub Desktop.
A safer replacement for the obsolete IsBadReadPtr() and IsBadWritePtr() WinAPI functions on top of VirtualQuery() which respects Windows guard pages and does not use SEH.
/*
Copyright (c) 2017,2020 Artem Boldariev <[email protected]>
Permission is hereby granted, free of charge, to any person obtaining a
copy of this software and associated documentation files(the "Software"),
to deal in the Software without restriction, including without limitation
the rights to use, copy, modify, merge, publish, distribute, sublicense,
and/or sell copies of the Software, and to permit persons to whom the
Software is furnished to do so, subject to the following conditions :
The above copyright notice and this permission notice shall be included in
all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.IN NO EVENT SHALL
THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
DEALINGS IN THE SOFTWARE.
*/
#include <windows.h>
#include <stdlib.h>
#include <stdio.h>
/*
A safer replacement for the obsolete IsBadReadPtr() and IsBadWritePtr() WinAPI functions
on top of VirtualQuery() which respects Windows guard pages. It does not use SEH
and is designed to be compatible with the above-mentioned functions.
The calls to the IsBadReadPtr() and IsBadWritePtr() can be replaced with the calls to
the IsBadMemPtr() as follows:
- IsBadReadPtr(...) => IsBadMemPtr(FALSE, ...)
- IsBadWritePtr(...) => IsBadMemPtr(TRUE, ...)
*/
BOOL IsBadMemPtr(BOOL write, void *ptr, size_t size)
{
MEMORY_BASIC_INFORMATION mbi;
BOOL ok;
DWORD mask;
BYTE *p = (BYTE *)ptr;
BYTE *maxp = p + size;
BYTE *regend = NULL;
if (size == 0)
{
return FALSE;
}
if (p == NULL)
{
return TRUE;
}
if (write == FALSE)
{
mask = PAGE_READONLY | PAGE_READWRITE | PAGE_WRITECOPY | PAGE_EXECUTE_READ | PAGE_EXECUTE_READWRITE | PAGE_EXECUTE_WRITECOPY;
}
else
{
mask = PAGE_READWRITE | PAGE_WRITECOPY | PAGE_EXECUTE_READWRITE | PAGE_EXECUTE_WRITECOPY;
}
do
{
if (p == ptr || p == regend)
{
if (VirtualQuery((LPCVOID)p, &mbi, sizeof(mbi)) == 0)
{
return TRUE;
}
else
{
regend = ((BYTE *)mbi.BaseAddress + mbi.RegionSize);
}
}
ok = (mbi.Protect & mask) != 0;
if (mbi.Protect & (PAGE_GUARD | PAGE_NOACCESS))
{
ok = FALSE;
}
if (!ok)
{
return TRUE;
}
if (maxp <= regend) /* the whole address range is inside the current memory region */
{
return FALSE;
}
else if (maxp > regend) /* this region is a part of (or overlaps with) the address range we are checking */
{
p = regend; /* lets move to the next memory region */
}
} while (p < maxp);
return FALSE;
}
/* Poor man's unit testing framework. */
_ACRTIMP void __cdecl _wassert(wchar_t const* _Message, wchar_t const* _File, unsigned _Line);
#define _WSTR_(str) L ## str
#define _WSTR(str) _WSTR_(str)
#define IS_TRUE(expr) (void)((!!(expr)) || (_wassert(_WSTR(#expr), _WSTR(__FILE__), (unsigned int)(__LINE__)), 0))
#define IS_FALSE(expr) IS_TRUE(!(expr))
static const DWORD cdw = 0; /* read-only memory */
int main(int argc, char **argv)
{
DWORD dw = 0;
SYSTEM_INFO sysinfo;
GetSystemInfo(&sysinfo);
/*!!! Some Unit Tests to ensure correctness and compatibility with the IsBadXxxPtr() functions !!!*/
fprintf(stderr, "Testing IsBadMemPtr() ... ");
/* basic compatibility checks */
IS_TRUE(IsBadMemPtr(FALSE, NULL, 3));
IS_TRUE(IsBadReadPtr(NULL, 3));
IS_FALSE(IsBadMemPtr(FALSE, NULL, 0));
IS_FALSE(IsBadReadPtr(NULL, 0));
IS_FALSE(IsBadMemPtr(FALSE, &dw, 0));
IS_FALSE(IsBadReadPtr(&dw, 0));
IS_FALSE(IsBadMemPtr(FALSE, &dw, sizeof(dw)));
IS_FALSE(IsBadMemPtr(TRUE, &dw, sizeof(dw)));
IS_FALSE(IsBadMemPtr(TRUE, (void *)&cdw, 0));
IS_FALSE(IsBadWritePtr((void *)&cdw, 0));
IS_TRUE(IsBadMemPtr(TRUE, (void *)&cdw, sizeof(dw)));
IS_TRUE(IsBadWritePtr((void *)&cdw, sizeof(dw)));
/* two sequential readonly memory regions */
{
MEMORY_BASIC_INFORMATION mbi1;
MEMORY_BASIC_INFORMATION mbi2;
DWORD old_protect = 0;
BYTE *region1 = (BYTE *)VirtualAlloc(NULL, sysinfo.dwAllocationGranularity, MEM_RESERVE | MEM_COMMIT, PAGE_READONLY);
IS_TRUE(region1);
BYTE *region2 = region1 + (sysinfo.dwAllocationGranularity / 2);
IS_TRUE(VirtualProtect(region2, (sysinfo.dwAllocationGranularity / 2), PAGE_EXECUTE_READ, &old_protect));
VirtualQuery(region1, &mbi1, sizeof(mbi1));
VirtualQuery(region2, &mbi2, sizeof(mbi2));
IS_TRUE(mbi2.BaseAddress == (region1 + (sysinfo.dwAllocationGranularity / 2)));
IS_FALSE(IsBadMemPtr(FALSE, region2 - 2, 4));
IS_FALSE(IsBadReadPtr(region2 - 2, 4));
IS_FALSE(IsBadMemPtr(FALSE, region2 - 1, 4));
IS_FALSE(IsBadReadPtr(region2 - 1, 4));
/* create non accessible subregion */
BYTE *region3 = region1 + ((sysinfo.dwAllocationGranularity / 4) * 3);
IS_TRUE(VirtualProtect(region3, (sysinfo.dwAllocationGranularity / 4), PAGE_NOACCESS, &old_protect));
IS_FALSE(IsBadMemPtr(FALSE, region3 - 2, 1));
IS_FALSE(IsBadReadPtr(region3 - 2, 1));
IS_FALSE(IsBadMemPtr(FALSE, region3 - 1, 1));
IS_FALSE(IsBadReadPtr(region3 - 1, 1));
IS_TRUE(IsBadMemPtr(FALSE, region3, 1));
IS_TRUE(IsBadReadPtr(region3, 1));
IS_TRUE(IsBadMemPtr(FALSE, region3 + 1 , 1));
IS_TRUE(IsBadReadPtr(region3 + 1, 1));
IS_TRUE(IsBadMemPtr(FALSE, region3 - 2, 4));
IS_TRUE(IsBadReadPtr(region3 - 2, 4));
IS_FALSE(IsBadMemPtr(FALSE, region3 - 2, 2));
IS_FALSE(IsBadReadPtr(region3 - 2, 2));
IS_TRUE(IsBadMemPtr(FALSE, region3 - 2, 3));
IS_TRUE(IsBadReadPtr(region3 - 2, 3));
VirtualFree(region1, 0, MEM_RELEASE);
}
/* two sequential writeable memory regions */
{
MEMORY_BASIC_INFORMATION mbi1;
MEMORY_BASIC_INFORMATION mbi2;
DWORD old_protect = 0;
BYTE *region1 = (BYTE *)VirtualAlloc(NULL, sysinfo.dwAllocationGranularity, MEM_RESERVE | MEM_COMMIT, PAGE_READWRITE);
IS_TRUE(region1);
BYTE *region2 = region1 + (sysinfo.dwAllocationGranularity / 2);
IS_TRUE(VirtualProtect(region2, (sysinfo.dwAllocationGranularity / 2), PAGE_EXECUTE_READWRITE, &old_protect));
VirtualQuery(region1, &mbi1, sizeof(mbi1));
VirtualQuery(region2, &mbi2, sizeof(mbi2));
IS_TRUE(mbi2.BaseAddress == (region1 + (sysinfo.dwAllocationGranularity / 2)));
IS_FALSE(IsBadMemPtr(TRUE, region2 - 2, 4));
IS_FALSE(IsBadWritePtr(region2 - 2, 4));
IS_FALSE(IsBadMemPtr(TRUE, region2 - 1, 4));
IS_FALSE(IsBadWritePtr(region2 - 1, 4));
/* create non accessible subregion */
BYTE *region3 = region1 + ((sysinfo.dwAllocationGranularity / 4) * 3);
IS_TRUE(VirtualProtect(region3, (sysinfo.dwAllocationGranularity / 4), PAGE_NOACCESS, &old_protect));
IS_FALSE(IsBadMemPtr(TRUE, region3 - 2, 1));
IS_FALSE(IsBadWritePtr(region3 - 2, 1));
IS_FALSE(IsBadMemPtr(TRUE, region3 - 1, 1));
IS_FALSE(IsBadWritePtr(region3 - 1, 1));
IS_TRUE(IsBadMemPtr(TRUE, region3, 1));
IS_TRUE(IsBadWritePtr(region3, 1));
IS_TRUE(IsBadMemPtr(TRUE, region3 + 1, 1));
IS_TRUE(IsBadWritePtr(region3 + 1, 1));
IS_TRUE(IsBadMemPtr(TRUE, region3 - 2, 4));
IS_TRUE(IsBadWritePtr(region3 - 2, 4));
IS_FALSE(IsBadMemPtr(TRUE, region3 - 2, 2));
IS_FALSE(IsBadWritePtr(region3 - 2, 2));
IS_TRUE(IsBadMemPtr(TRUE, region3 - 2, 3));
IS_TRUE(IsBadWritePtr(region3 - 2, 3));
VirtualFree(region1, 0, MEM_RELEASE);
}
/* guard page */
{
void *guard_region = VirtualAlloc(NULL, sysinfo.dwPageSize, MEM_RESERVE | MEM_COMMIT, PAGE_READWRITE | PAGE_GUARD);
IS_TRUE(guard_region);
IS_TRUE(IsBadMemPtr(TRUE, guard_region, 1));
IS_TRUE(IsBadMemPtr(FALSE, guard_region, 1));
VirtualFree(guard_region, 0, MEM_RELEASE);
}
/* writeable memory region with a guard page at the end (kind of stack) */
{
DWORD old_protect = 0;
BYTE *region1 = (BYTE *)VirtualAlloc(NULL, sysinfo.dwAllocationGranularity, MEM_RESERVE | MEM_COMMIT, PAGE_READWRITE);
IS_TRUE(region1);
BYTE *guard_page = region1 + (sysinfo.dwAllocationGranularity - sysinfo.dwPageSize);
IS_TRUE(VirtualProtect(guard_page, (sysinfo.dwPageSize), PAGE_READWRITE | PAGE_GUARD, &old_protect));
IS_FALSE(IsBadMemPtr(TRUE, guard_page - 1, 1));
IS_FALSE(IsBadMemPtr(FALSE, guard_page - 1, 1));
IS_FALSE(IsBadMemPtr(TRUE, guard_page - 4, 4));
IS_FALSE(IsBadMemPtr(FALSE, guard_page - 4, 4));
IS_TRUE(IsBadMemPtr(TRUE, guard_page, 1));
IS_TRUE(IsBadMemPtr(FALSE, guard_page, 1));
IS_TRUE(IsBadMemPtr(TRUE, guard_page + 2, 3));
IS_TRUE(IsBadMemPtr(FALSE, guard_page + 2, 3));
IS_TRUE(IsBadMemPtr(TRUE, guard_page - 1, 2));
IS_TRUE(IsBadMemPtr(FALSE, guard_page - 1, 2));
IS_TRUE(IsBadMemPtr(TRUE, guard_page - 2, 4));
IS_TRUE(IsBadMemPtr(FALSE, guard_page - 2, 4));
IS_TRUE(IsBadMemPtr(TRUE, guard_page - 3, 4));
IS_TRUE(IsBadMemPtr(FALSE, guard_page - 3, 4));
VirtualFree(region1, 0, MEM_RELEASE);
}
fputs("done.", stderr);
return 0;
}
@arbv
Copy link
Author

arbv commented May 12, 2020

On line 69 regend is not initialized on first run

Sorry for the late reply.

That is a good catch, but the value in regend is not going to be used on the first run, because p equals ptr at this time. Initialising it won't hurt, though, so thanks anyway. Fixed.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment