Incorrect page protection attributes


Post by focht »

Greetings,

While dumping some arma stuff I noticed that process dumping sometimes fails due to "problematic" page protection attributes.
In this case OllyDump plugins or other tools like LordPE will bring up some error msg "unable to read process memory" or something similar.

The reason is clear to me: the "page guard" attribute has been set on some region which gets triggered on read -> exception handler.
Use LordPE's "dump region" and you will see under the protect column the correct page protection attributes: "XR GUARD".
OllyDbg itself displays it as "RW", which is plain wrong.
Closing and re-opening the memory window doesn't help.

If I adjust page protection manually using "set access" in the memory window to "Execute/Read" I can remove the page guard and the process memory can be read by plugins and tools again.

Regards
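
The situation described in the post above, as an added example that is not part of the original thread or of any tool named in it: decoding a page-protection value so the guard modifier is shown, and flagging regions a dumper should not expect to read as-is. The PAGE_* values are the documented winnt.h constants; the access labels other than "XR GUARD" and the sample regions are constructed.

```python
# Added example: decode Windows page-protection values, including modifier
# bits such as PAGE_GUARD, and plan a dump around regions that block reads.
# Constants are the documented winnt.h PAGE_* values. Apart from "XR GUARD"
# (quoted in the post), the labels are this example's own convention.

BASE_ACCESS = {
    0x01: "NOACCESS", 0x02: "R", 0x04: "RW", 0x08: "RW CopyOnWr",
    0x10: "X", 0x20: "XR", 0x40: "XRW", 0x80: "XRW CopyOnWr",
}
MODIFIERS = {0x100: "GUARD", 0x200: "NOCACHE", 0x400: "WRITECOMBINE"}
PAGE_NOACCESS, PAGE_GUARD = 0x01, 0x100


def describe(protect):
    """Render base access plus every modifier bit, e.g. 0x120 -> 'XR GUARD'."""
    base = protect & 0xFF
    parts = [BASE_ACCESS.get(base, "?%02X" % base)]
    parts += [name for bit, name in MODIFIERS.items() if protect & bit]
    return " ".join(parts)


def read_blocked(protect):
    """True when a plain cross-process read of the page is expected to fail."""
    return bool(protect & PAGE_GUARD) or (protect & 0xFF) == PAGE_NOACCESS


def dump_plan(regions):
    """Map (base, size, protect) to (base, label, blocked, protect_without_guard)."""
    plan = []
    for base, _size, protect in regions:
        fix = (protect & ~PAGE_GUARD) if protect & PAGE_GUARD else None
        plan.append((base, describe(protect), read_blocked(protect), fix))
    return plan


# Constructed sample regions (not taken from a real process).
SAMPLE = [(0x00401000, 0x1000, 0x120),   # PAGE_EXECUTE_READ | PAGE_GUARD
          (0x00403000, 0x1000, 0x02),    # PAGE_READONLY
          (0x00404000, 0x1000, 0x01)]    # PAGE_NOACCESS

if __name__ == "__main__":
    for base, label, blocked, fix in dump_plan(SAMPLE):
        note = "" if fix is None else "clear guard -> 0x%X before reading" % fix
        print("%08X  %-12s blocked=%-5s %s" % (base, label, blocked, note))
```
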

Post by blabberer »

Dear Focht,
Greetings

yes the rw display doesn't get actualized as far as I know
also setting access on some section doesn't work many times
but if you set access to pe header it is inherited by all other sections
I find it somewhat awkward but didn't have many chances to play with it

just an example: this is the way it looks when I just started and olly has broken on ep

Memory map, item 14
Address=00403000
Size=00001000 (4096.)
Owner=Research 00400000
Section=.rdata
Contains=imports
Type=Imag 01001002
Access=R
Initial access=RWE

now I right click this and try to set all kinds of access but it somehow doesn't actualize, so I change from imports to peheader

Memory map, item 12
Address=00400000
Size=00001000 (4096.)
Owner=Research 00400000 (itself)
Section=
Contains=PE header
Type=Imag 01001002
Access=R
Initial access=RWE

and set full access
:)
Memory map, item 12
Address=00400000
Size=00001000 (4096.)
Owner=Research 00400000 (itself)
Section=
Contains=PE header
Type=Imag 01001080
Access=RWE CopyOnWr
Initial access=RWE

and the imports also get the properties
Memory map, item 14
Address=00403000
Size=00001000 (4096.)
Owner=Research 00400000
Section=.rdata
Contains=imports
Type=Imag 01001080
Access=RWE CopyOnWr
Initial access=RWE

also sometimes I try code inline writable modifications which obviously fail due to not having executable flag, so I am forced to set access to peheader and not this one section only where I need write access

I dunno and I did not wade into the problem a little deeper
if you have some further clarifications or tips
please do post

thanks and regards