Dmitry Timoshkov wrote:
"Andrey Turkin" <pancha@mail.nnov.ru> wrote:
if (map_file_into_view( view, fd, 0, header_size, 0,
VPROT_COMMITTED | VPROT_READ,
removable ) != STATUS_SUCCESS) goto
error;
TRUE ) != STATUS_SUCCESS) goto error;
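Review bot: replacing the `removable` argument with a hard-coded `TRUE` in this map_file_into_view call forces the read path unconditionally for this call, regardless of whether the file is actually on removable media, and the patch description does not mention that change; if the goal is to avoid exposing file bytes past header_size within the mapped page, state that intent in the description and consider expressing it directly (a dedicated flag, or zeroing the tail of the page after mapping) rather than overloading the `removable` parameter.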
This chunk has nothing to do with the patch description and simply is wrong.
I've hardcoded removable as TRUE here to force map_file_into_view to read data and not mmap it (because mmap will map whole 4k page). Why is it wrong? Some packers depend on this. As I said in patch description, an alternative would be memset of area beyond header (which would lead to mmap, then COW a page and then memset of almost 4k).
I reread your explanations and I see now that somehow I misinterpreted your reasoning. What is the file alignment of the problematic PE file? Is it 512 (0x200) by any chance?
Yep. However, I've made some quick tests (that is, I've used PE tools to rebuild some apps with larger file alignment and then tried to change physical offset) and it seems that align cutoff is hard-coded as 0x200.
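The read-versus-mmap point argued in this thread, as an added illustration that is not part of the exchange or of Wine's code: it models the two ways of filling the first page of a header view (copy only SizeOfHeaders bytes and leave the rest zero, or map the whole 4k page so file bytes past the header show through), parsing SizeOfHeaders from a constructed, hypothetical PE-shaped buffer whose headers end at 0x200; a 4096-byte page is assumed.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define PAGE_SIZE 4096u

/* Little-endian field helpers so the sample is endian independent. */
static void put32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i)); }
static uint32_t get32(const uint8_t *p) { return p[0] | p[1] << 8 | p[2] << 16 | (uint32_t)p[3] << 24; }

/* Constructed sample file: 0x200 bytes of headers followed by 0xAA "section" bytes.
 * Only the fields read by pe_header_size() are filled in; this is not a real PE. */
static void build_sample(uint8_t *file, size_t len)
{
    memset(file, 0xAA, len);
    memset(file, 0, 0x200);
    file[0] = 'M'; file[1] = 'Z';
    put32(file + 0x3c, 0x80);                 /* e_lfanew */
    memcpy(file + 0x80, "PE\0\0", 4);
    put32(file + 0x80 + 24 + 36, 0x200);      /* OptionalHeader.FileAlignment */
    put32(file + 0x80 + 24 + 60, 0x200);      /* OptionalHeader.SizeOfHeaders */
}

/* SizeOfHeaders of a PE image, or 0 if the MZ/PE signatures are not there. */
uint32_t pe_header_size(const uint8_t *file, size_t len)
{
    if (len < 0x40 || file[0] != 'M' || file[1] != 'Z') return 0;
    uint32_t nt = get32(file + 0x3c);
    if (nt + 24 + 64 > len || memcmp(file + nt, "PE\0\0", 4) != 0) return 0;
    return get32(file + nt + 24 + 60);
}

/* Bytes of the last header page that a whole-page mmap exposes past SizeOfHeaders. */
uint32_t header_page_slack(uint32_t header_size)
{
    return (PAGE_SIZE - header_size % PAGE_SIZE) % PAGE_SIZE;
}

/* Count nonzero bytes past header_size in a one-page view filled either by the
 * read path (copy header_size bytes, rest stays zero) or by a full-page mmap. */
uint32_t stray_bytes_in_view(const uint8_t *file, uint32_t header_size, int use_mmap)
{
    uint8_t view[PAGE_SIZE] = {0};
    if (header_size > PAGE_SIZE) header_size = PAGE_SIZE;
    memcpy(view, file, use_mmap ? PAGE_SIZE : header_size);
    uint32_t stray = 0;
    for (uint32_t i = header_size; i < PAGE_SIZE; i++) stray += view[i] != 0;
    return stray;
}

/* Run the sample through both strategies; returns the stray byte count. */
uint32_t demo(int use_mmap)
{
    uint8_t file[PAGE_SIZE];
    build_sample(file, sizeof file);
    return stray_bytes_in_view(file, pe_header_size(file, sizeof file), use_mmap);
}
```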