Undocumented functions of NTDLL

2OO1, 15 April

typedef struct _MEMORY_BASIC_INFORMATION {

  PVOID                   BaseAddress;
  PVOID                   AllocationBase;
  ULONG                   AllocationProtect;
  ULONG                   RegionSize;
  ULONG                   State;
  ULONG                   Protect;
  ULONG                   Type;

} MEMORY_BASIC_INFORMATION, *PMEMORY_BASIC_INFORMATION;

BaseAddress

AllocationBase

AllocationProtect

• PAGE_NOACCESS
• PAGE_READONLY
• PAGE_READWRITE
• PAGE_WRITECOPY
• PAGE_EXECUTE
• PAGE_EXECUTE_READ
• PAGE_EXECUTE_READWRITE
• PAGE_EXECUTE_WRITECOPY
• PAGE_GUARD
• PAGE_NOCACHE
• PAGE_WRITECOMBINE

RegionSize

State

• MEM_RESERVE
• MEM_COMMIT
• MEM_FREE

Protect

Type

• MEM_PRIVATE - Queried block was allocated by call NtAllocateVirtualMemory,
• MEM_MAPPED - Queried block is memory mapped Section Object,
• SEC_IMAGE - Queried block is Section Object representing executable image file in memory.