Enabling "write watch" for a mapped region.
in [Win32 Kernel]
|
Prev: Serial communication and IO Completion Ports
Next: App startup time is slow using CreateProcess
From: Hugo gleaves on 30 Dec 2009 12:29 I've been exploring ways to enable write watch on a file mapping, so far with no success. Now this is looking like it is probably not possible, I tried a) Calling VirtualAlloc before doing the mapping call, but this approach fails. b) Passing MEM_WRITE_WATCH into MapViewOfFile, again no success. c) Calling NtMapViewOfSection (its second to last arg set to MEM_WRITE_WATCH). and that too fails (status = invalid parameter '9' (0xC00000F7 ). This could be a very useful feature if it were possible, but it looks like it may not be, does anyone have a view or a way to do this? Thax Hugo
From: Don Burn on 30 Dec 2009 12:42 It is not possible. I've been looking at how to track memory writes in Windows for the last 15 years, bottom line is that is not supported for any general case. -- Don Burn (MVP, Windows DKD) Windows Filesystem and Driver Consulting Website: http://www.windrvr.com Blog: http://msmvps.com/blogs/WinDrvr Remove StopSpam to reply "Hugo gleaves(a)hotmail.com>" <hugh<underbar> wrote in message news:BD424BE9-457B-460B-9301-0E6E1016ECB2(a)microsoft.com... > I've been exploring ways to enable write watch on a file mapping, so far > with > no success. > > Now this is looking like it is probably not possible, I tried > > a) Calling VirtualAlloc before doing the mapping call, but this approach > fails. > b) Passing MEM_WRITE_WATCH into MapViewOfFile, again no success. > c) Calling NtMapViewOfSection (its second to last arg set to > MEM_WRITE_WATCH). > > and that too fails (status = invalid parameter '9' (0xC00000F7 ). > > This could be a very useful feature if it were possible, but it looks like > it may not be, does anyone have a view or a way to do this? > > Thax > Hugo > > > > __________ Information from ESET NOD32 Antivirus, version of virus > signature database 4730 (20091230) __________ > > The message was checked by ESET NOD32 Antivirus. > > http://www.eset.com > > > __________ Information from ESET NOD32 Antivirus, version of virus signature database 4730 (20091230) __________ The message was checked by ESET NOD32 Antivirus. http://www.eset.com
From: Hugo gleaves on 30 Dec 2009 13:39 Hi Don But surely it is possible (if the address space is allocated using VirtualAlloc) because that particular call will accept the MEM_WRITE_WATCH flag? I guess you are seeking something more general though as you said. Don, as a very experienced and highly regarded authority in this area, is there no hope of influencing MS in some way? If you were to sit down with a couple of their gurus, how would you suggest that this page fault/access/write trapping capability, be implemented without causing undue hassle, what (in other words) would you like this capability to "look like"? Kernel mode only or generally available to user mode coders (like little old me)? Thanks Hugh "Don Burn" wrote: > It is not possible. I've been looking at how to track memory writes in > Windows for the last 15 years, bottom line is that is not supported for any > general case. > > > -- > Don Burn (MVP, Windows DKD) > Windows Filesystem and Driver Consulting > Website: http://www.windrvr.com > Blog: http://msmvps.com/blogs/WinDrvr > Remove StopSpam to reply > > > > "Hugo gleaves(a)hotmail.com>" <hugh<underbar> wrote in message > news:BD424BE9-457B-460B-9301-0E6E1016ECB2(a)microsoft.com... > > I've been exploring ways to enable write watch on a file mapping, so far > > with > > no success. > > > > Now this is looking like it is probably not possible, I tried > > > > a) Calling VirtualAlloc before doing the mapping call, but this approach > > fails. > > b) Passing MEM_WRITE_WATCH into MapViewOfFile, again no success. > > c) Calling NtMapViewOfSection (its second to last arg set to > > MEM_WRITE_WATCH). > > > > and that too fails (status = invalid parameter '9' (0xC00000F7 ). > > > > This could be a very useful feature if it were possible, but it looks like > > it may not be, does anyone have a view or a way to do this? > > > > Thax > > Hugo > > > > > > > > __________ Information from ESET NOD32 Antivirus, version of virus > > signature database 4730 (20091230) __________ > > > > The message was checked by ESET NOD32 Antivirus. > > > > http://www.eset.com > > > > > > > > > > __________ Information from ESET NOD32 Antivirus, version of virus signature database 4730 (20091230) __________ > > The message was checked by ESET NOD32 Antivirus. > > http://www.eset.com > > > > > . >
From: Don Burn on 30 Dec 2009 15:03 Hugo, I have sat down with their guru's and pointed out the value of this for many things, the general feeling is that it is not worth it. At the time I was suggesting a kernel only model (you can always build a user space model on top of that). The only good news is that hyper-v folks seem to be leaning this way, at least according to some of their papers. Whether it is enough for ones interest is hard to say. -- Don Burn (MVP, Windows DKD) Windows Filesystem and Driver Consulting Website: http://www.windrvr.com Blog: http://msmvps.com/blogs/WinDrvr Remove StopSpam to reply "Hugo gleaves(a)hotmail.com>" <hugh<underbar> wrote in message news:DC0B6E0A-8274-499E-BF6F-17AAB28B08F9(a)microsoft.com... > Hi Don > > But surely it is possible (if the address space is allocated using > VirtualAlloc) because that particular call will accept the MEM_WRITE_WATCH > flag? I guess you are seeking something more general though as you said. > > Don, as a very experienced and highly regarded authority in this area, is > there no hope of influencing MS in some way? > > If you were to sit down with a couple of their gurus, how would you > suggest > that this page fault/access/write trapping capability, be implemented > without > causing undue hassle, what (in other words) would you like this capability > to > "look like"? > > Kernel mode only or generally available to user mode coders (like little > old > me)? > > Thanks > Hugh > > > "Don Burn" wrote: > >> It is not possible. I've been looking at how to track memory writes in >> Windows for the last 15 years, bottom line is that is not supported for >> any >> general case. >> >> >> -- >> Don Burn (MVP, Windows DKD) >> Windows Filesystem and Driver Consulting >> Website: http://www.windrvr.com >> Blog: http://msmvps.com/blogs/WinDrvr >> Remove StopSpam to reply >> >> >> >> "Hugo gleaves(a)hotmail.com>" <hugh<underbar> wrote in message >> news:BD424BE9-457B-460B-9301-0E6E1016ECB2(a)microsoft.com... >> > I've been exploring ways to enable write watch on a file mapping, so >> > far >> > with >> > no success. >> > >> > Now this is looking like it is probably not possible, I tried >> > >> > a) Calling VirtualAlloc before doing the mapping call, but this >> > approach >> > fails. >> > b) Passing MEM_WRITE_WATCH into MapViewOfFile, again no success. >> > c) Calling NtMapViewOfSection (its second to last arg set to >> > MEM_WRITE_WATCH). >> > >> > and that too fails (status = invalid parameter '9' (0xC00000F7 ). >> > >> > This could be a very useful feature if it were possible, but it looks >> > like >> > it may not be, does anyone have a view or a way to do this? >> > >> > Thax >> > Hugo >> > >> > >> > >> > __________ Information from ESET NOD32 Antivirus, version of virus >> > signature database 4730 (20091230) __________ >> > >> > The message was checked by ESET NOD32 Antivirus. >> > >> > http://www.eset.com >> > >> > >> > >> >> >> >> __________ Information from ESET NOD32 Antivirus, version of virus >> signature database 4730 (20091230) __________ >> >> The message was checked by ESET NOD32 Antivirus. >> >> http://www.eset.com >> >> >> >> >> . >> > > __________ Information from ESET NOD32 Antivirus, version of virus > signature database 4730 (20091230) __________ > > The message was checked by ESET NOD32 Antivirus. > > http://www.eset.com > > > __________ Information from ESET NOD32 Antivirus, version of virus signature database 4730 (20091230) __________ The message was checked by ESET NOD32 Antivirus. http://www.eset.com
From: Alexander Grigoriev on 30 Dec 2009 15:14 Does VirtualProtect work on file-mapped pages? "Don Burn" <burn(a)stopspam.windrvr.com> wrote in message news:u0p%23qsYiKHA.4672(a)TK2MSFTNGP06.phx.gbl... > Hugo, > > I have sat down with their guru's and pointed out the value of this > for many things, the general feeling is that it is not worth it. At the > time I was suggesting a kernel only model (you can always build a user > space model on top of that). > > The only good news is that hyper-v folks seem to be leaning this way, > at least according to some of their papers. Whether it is enough for ones > interest is hard to say. > > > -- > Don Burn (MVP, Windows DKD) > Windows Filesystem and Driver Consulting > Website: http://www.windrvr.com > Blog: http://msmvps.com/blogs/WinDrvr > Remove StopSpam to reply > > > > "Hugo gleaves(a)hotmail.com>" <hugh<underbar> wrote in message > news:DC0B6E0A-8274-499E-BF6F-17AAB28B08F9(a)microsoft.com... >> Hi Don >> >> But surely it is possible (if the address space is allocated using >> VirtualAlloc) because that particular call will accept the >> MEM_WRITE_WATCH >> flag? I guess you are seeking something more general though as you said. >> >> Don, as a very experienced and highly regarded authority in this area, is >> there no hope of influencing MS in some way? >> >> If you were to sit down with a couple of their gurus, how would you >> suggest >> that this page fault/access/write trapping capability, be implemented >> without >> causing undue hassle, what (in other words) would you like this >> capability to >> "look like"? >> >> Kernel mode only or generally available to user mode coders (like little >> old >> me)? >> >> Thanks >> Hugh >> >> >> "Don Burn" wrote: >> >>> It is not possible. I've been looking at how to track memory writes in >>> Windows for the last 15 years, bottom line is that is not supported for >>> any >>> general case. >>> >>> >>> -- >>> Don Burn (MVP, Windows DKD) >>> Windows Filesystem and Driver Consulting >>> Website: http://www.windrvr.com >>> Blog: http://msmvps.com/blogs/WinDrvr >>> Remove StopSpam to reply >>> >>> >>> >>> "Hugo gleaves(a)hotmail.com>" <hugh<underbar> wrote in message >>> news:BD424BE9-457B-460B-9301-0E6E1016ECB2(a)microsoft.com... >>> > I've been exploring ways to enable write watch on a file mapping, so >>> > far >>> > with >>> > no success. >>> > >>> > Now this is looking like it is probably not possible, I tried >>> > >>> > a) Calling VirtualAlloc before doing the mapping call, but this >>> > approach >>> > fails. >>> > b) Passing MEM_WRITE_WATCH into MapViewOfFile, again no success. >>> > c) Calling NtMapViewOfSection (its second to last arg set to >>> > MEM_WRITE_WATCH). >>> > >>> > and that too fails (status = invalid parameter '9' (0xC00000F7 ). >>> > >>> > This could be a very useful feature if it were possible, but it looks >>> > like >>> > it may not be, does anyone have a view or a way to do this? >>> > >>> > Thax >>> > Hugo >>> > >>> > >>> > >>> > __________ Information from ESET NOD32 Antivirus, version of virus >>> > signature database 4730 (20091230) __________ >>> > >>> > The message was checked by ESET NOD32 Antivirus. >>> > >>> > http://www.eset.com >>> > >>> > >>> > >>> >>> >>> >>> __________ Information from ESET NOD32 Antivirus, version of virus >>> signature database 4730 (20091230) __________ >>> >>> The message was checked by ESET NOD32 Antivirus. >>> >>> http://www.eset.com >>> >>> >>> >>> >>> . >>> >> >> __________ Information from ESET NOD32 Antivirus, version of virus >> signature database 4730 (20091230) __________ >> >> The message was checked by ESET NOD32 Antivirus. >> >> http://www.eset.com >> >> >> > > > > __________ Information from ESET NOD32 Antivirus, version of virus > signature database 4730 (20091230) __________ > > The message was checked by ESET NOD32 Antivirus. > > http://www.eset.com > > > >
|
Next
|
Last
Pages: 1 2 Prev: Serial communication and IO Completion Ports Next: App startup time is slow using CreateProcess |