12 Nov
2006
12 Nov
'06
3:48 p.m.
"Andrey Turkin" pancha@mail.nnov.ru wrote:
if (map_file_into_view( view, fd, 0, header_size, 0,VPROT_COMMITTED | VPROT_READ,
removable ) != STATUS_SUCCESS) goto error;
TRUE ) != STATUS_SUCCESS) goto error;This chunk has nothin to do with the patch description and simply is wrong.
I've hardcoded removevable as TRUE here to force map_file_into_view to read data and not mmap it (because mmap will map whole 4k page). Why is it wrong? Some packers depend on this. As I said in patch description, an alternative would be memset of area beyond header (which would lead to mmap, then COW a page and then memset of almost 4k).
I reread your explanations and I see now that somehow I misinterpreted your reasoning. What is the file alignment of the problematic PE file? Is it 512 (0x200) by any chance?
--
Dmitry.